6.7 Internal control and risk management system in relation to the financial reporting process
Introduction
The internal control and risk management system in relation to the financial reporting process of Snam and its Subsidiaries is an element of the same system (the Corporate Reporting Control System), aimed at ensuring the dependability [43], accuracy [44], reliability [45] and timeliness of the Company’s financial reporting and the capacity of the main relevant corporate processes to produce such reporting in accordance with the accounting standards.
The reporting in question consists of all data and information contained in the periodic accounting documents required by law – the separate and consolidated annual financial report, half-year financial report and interim report on operations – as well as in any other accounting document or external communication – such as press releases and prospectuses prepared for specific transactions – covered by the statements provided for by Article 154-bis of the TUF.
This reporting includes both financial and non-financial data and information, where the latter aims to describe significant aspects of the business, comment on the financial results for the year and/or describe future prospects.
Snam has adopted a body of rules that defines the regulations, methodologies, roles and responsibilities for designing, establishing, maintaining and assessing the effectiveness of the Group’s Corporate Reporting Control System, which applies to Snam and its Subsidiaries, taking into account their significance.
The corporate reporting internal control and risk management model adopted by Snam and its Subsidiaries was defined in accordance with the provisions of the aforementioned Article 154-bis of the TUF, with which Snam is required to comply, and is based, in terms of methodology, on the “COSO Framework” (“Internal Control – Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission), which is the international benchmark model for the establishment, updating, analysis and assessment of internal control systems, an update to which was published in May 2013.
The Corporate Reporting Control System Project, which was launched in the second half of 2013, was completed in 2014. The project, which was carried out with the support of a leading consultancy firm, involved revising and updating the Snam Group’s Corporate Reporting Control System to help it to better meet the Group’s needs and peculiarities, in light of increasingly complex organisational structures and processes, and to strengthen its methodological aspects to allow the Group to seek ongoing improvements to its system in relation to the reliability, dependability, timeliness and accuracy of corporate reporting.
In relation to the activities carried out under the Corporate Reporting Control System Project, the procedure “The Snam Group Corporate Reporting Control System” was issued to replace the previous Management System Guidelines (MSGs), and defines, in light of the developments of the Project, the roles and responsibilities pertaining to the planning, establishment, application, maintenance, management and assessment of the effectiveness of the System as a whole. Detailed operating instructions governing the methodology, responsibilities and activities to be performed for the implementation of the various components of the Corporate Reporting Control System were also defined, concerning, in particular, the definition of the System’s scope of application (“scoping”), “Company/Entity Level Controls” (CELC), “Process Level Controls” (PLC), the “Segregation of Duties” (SoD), “Information Technology General Controls” (ITGC), the risk assessment for the Process Level Controls, the procedure for managing the control results and assessing their deficiencies, mapping significant Corporate Reporting Control System IT applications, and the line monitoring sampling method.
The project activities also involved revisiting and updating all risks and controls on individual components of the System, based on what was defined in terms of methodological planning and the revision of analysis and assessment processes.
Existing phases of the internal control and risk management system in relation to the financial reporting process
The design, establishment and maintenance of the Corporate Reporting Control System are carried out through scoping, identifying and assessing risks and controls (at corporate and process level, through risk assessment and monitoring activities), and the relevant information flows (reporting).
Identification and assessment of corporate reporting risks
Scoping and risk assessment for significant processes are carried out based on a top-down, risk-based approach.
The scoping activities are intended to identify both Snam Group companies within the scope of the Corporate Reporting Control System, defining the components to be applied for each one, and financial statement information and items that are significant for that purpose, as well as the associated processes.
The risk assessment activities for significant processes are aimed at identifying the specific activities likely to generate risks of unintentional error or fraud, which may have a significant impact on the financial statements.
The companies that fall within the scope of the Snam Group’s Corporate Reporting Control System are identified based on the contribution of the different entities to specific amounts in the consolidated financial statements (total assets, total financial debt, net revenue, profit before taxes), in consideration of their relevance for specific procedures and risks. For companies deemed important, significant processes are subsequently identified based on an analysis of quantitative factors (processes that contribute to forming financial statement items in amounts equal to 2.5% of profit before taxes and 0.5% of shareholders’ equity) and qualitative factors (significant estimates in defining the amount, complexity of accounting treatment, etc.).
For relevant procedures and activities, risks of error or fraud are identified, i.e. potential events which may compromise the achievement of the control objectives for corporate reporting. The risks are identified by assuming the absence of controls (“inherent risk assessment”).
Identification of controls for identified risks
For companies, processes and related risks considered significant, a control system has been defined based on two fundamental principles: disseminating controls to all levels of the organisational structure, in line with the operational responsibilities assigned, and sustaining the controls over time, so that they are integrated and compatible with operating requirements.
The control system structure provides for entity-level controls, which apply across the entire entity in question (group/individual company), and process-level controls.
Entity-level controls are organised based on the model adopted in the COSO Framework, according to five components (control environment, risk assessment, control activity, information systems and communication flows, monitoring activity).
Process-level controls are broken down into:
- specific controls, understood as all manual or automated activities intended to prevent, identify and correct errors or irregularities which occur in carrying out operating activities;
- pervasive controls, understood as structural elements of the control system intended to define a general environment that promotes the correct performance and control of operating activities. Pervasive controls include those relating to the segregation of duties and IT general controls.
Specific process-level controls are identified in special procedures which define both the performance of corporate processes and the controls whose absence or lack of implementation entails a significant risk of error/fraud in the financial statements that would not be intercepted by other controls.
Evaluation of controls for identified risks
Both entity-level and process-level controls are subject to regular evaluation (monitoring) in order to verify over time the adequacy of their design and their operational effectiveness. To this end, ongoing monitoring activities have been entrusted to the management responsible for significant processes/activities, and separate evaluations have been entrusted to the Internal Auditor, who operates in accordance with a plan agreed with the Executive Responsible for preparing corporate accounting documents; this plan defines the scope and objectives of the Internal Auditor’s work by means of agreed audit procedures.
The Board of Directors has also appointed Reconta Ernst & Young to examine the adequacy of the internal control system in relation to the preparation of financial reporting used to form the separate and consolidated financial statements of Snam S.p.A., through the performance of autonomous and independent checks on the functioning of the control system and the effectiveness of its design. This mandate, which is assigned annually on a voluntary basis, reflects the Company’s desire to continue paying close attention to matters relating to its internal control system for corporate reporting, even after the end of its obligation to comply with the Sarbanes-Oxley Act, with which Snam was required to comply when it was controlled by Eni, which is listed on the New York Stock Exchange.
The assignment of such a mandate is a best practice applied by leading companies and, as under the Sarbanes-Oxley Act in the US, provides for the issuance by the External Auditors of an annual report addressed to the Board of Directors concerning the checks performed and the adequacy of the Snam Group’s internal control system for the preparation of financial reporting.
The monitoring activities, the checks performed on controls and any other information or situation with a potential impact on corporate reporting are intended to identify any deficiencies in the Corporate Reporting Control System, to classify them according to their significance and to identify corrective measures to overcome them. The deficiencies are evaluated both individually and in combination, with reference to financial statement items or significant information.
The results of the monitoring and checks on controls and the other information or situations significant to the Corporate Reporting Control System are subject to periodic reporting on the state of the control system, which is also carried out through the use of IT tools aimed at ensuring the traceability of the information concerning the adequacy of the design and the functioning of the controls.
Based on this reporting, the Executive Responsible for preparing corporate accounting documents draws up half-year and annual reports on the adequacy and effective application of the Corporate Reporting Control System. These reports, after being presented to the CEO and the Control and Risk Committee and after the Board of Statutory Auditors has been informed, are submitted to the Board of Directors when it approves the draft separate and consolidated financial statements and the consolidated half-year financial report. This enables the Board of Directors to perform its oversight functions and to assess the Corporate Reporting Control System, based partly on the results of the verification procedures performed by the External Auditors on the adequacy of the control system for the preparation of the separate and consolidated financial statements.
Positions and departments involved
The Executive Responsible for preparing corporate accounting documents is supported within Snam and its Subsidiaries by various parties, whose duties and responsibilities are defined in the aforementioned rules on the Corporate Reporting Control System.
Specifically, the control activities and assessments involve all levels of the organisational structure of Snam and the relevant Subsidiaries.
In this organisational context, particular importance is assumed by the risk owner, who performs line monitoring for process-level controls and IT general controls, assessing the design and functioning of the controls and supplying information for the reporting on monitoring activities and on any deficiencies identified, with a view to promptly identifying suitable corrective measures. A fundamental role is also assigned to the department head, who is responsible for risk assessment, definition of the controls and assessment of the results of the control system for the relevant processes, which is also carried out based on the results of the monitoring performed by the risk owners. Lastly, the senior managers and CEOs of the individual Group companies are responsible for establishing, designing and maintaining the company’s control system; they receive the results of the checks performed on all the controls and draw up dedicated company half-year and annual reports that they submit to their own Boards of Directors, having informed the Board of Statutory Auditors, and to the parent company.
[43] Dependability (of the reporting): reporting that is correct, complies with generally accepted accounting standards and fulfils the requirements of the applicable laws and regulations.
[44] Accuracy (of the reporting): reporting that does not contain any errors.
[45] Reliability (of the reporting): reporting that is clear and complete, thereby allowing investors to make informed decisions.