6.7 Internal control and risk management system in relation to the financial reporting process
(i) Introduction
The internal control and risk management system in relation to the financial reporting process of Snam and its Subsidiaries is an element of the same system (the Corporate Reporting Control System), aimed at ensuring the dependability⁵⁶, accuracy⁵⁷, reliability⁵⁸ and timeliness of the Company’s financial reporting and the capacity of the main relevant corporate processes to produce such reporting in accordance with the accounting standards.
The reporting in question consists of all data and information contained in the periodic accounting documents required by law – the separate and consolidated annual financial report, half-year financial report and interim report on operations – as well as in any other accounting document or external communication – such as press releases and prospectuses prepared for specific transactions – covered by the statements provided for by Article 154-bis of the TUF.
This reporting includes both financial and non-financial data and information, where the latter aims to describe significant aspects of the business, comment on the financial results for the year and/or describe future prospects.
Snam has adopted a body of rules that defines the regulations, methodologies, roles and responsibilities for designing, establishing, maintaining and assessing the effectiveness of the Group’s Corporate Reporting Control System, which applies to Snam and its Subsidiaries, taking into account their significance.
The corporate reporting internal control and risk management model adopted by Snam and its Subsidiaries was defined in accordance with the provisions of the aforementioned Article 154-bis of the TUF, with which Snam is required to comply, and is based, in terms of methodology, on the “COSO Framework” (“Internal Control – Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission), which is the international benchmark model for the establishment, updating, analysis and assessment of internal control systems, an update to which was published in May 2013.
The Snam Group’s Corporate Reporting Control System is governed by internal regulations that aim to define:
- the system’s principles, functioning logic and methodologies;
- roles and responsibilities relating to the establishment, updating and evaluation of its ongoing effectiveness;
- the activities that need to be put in place to ensure it continues to function well.
The regulations on the Corporate Reporting Control System provide for a procedure on the “Snam Group Corporate Reporting Control System”, and a series of operating instructions.
The procedure describes the overall structure of the system, from its prerequisites, purposes and benchmark model to the characteristics of the individual components, monitoring, evaluation and reporting methods, and key responsibilities.
For each aspect covered, the operating instructions set out in detail the figures involved and the specific activities and operational procedures to be put in place. The areas they cover are: “Scoping”, “Risk Assessment Process Level Controls”, “List of relevant applications”, “Gathering and management of information flows and results of controls and assessments on deficiencies”, “Samples in line monitoring”, “Company Entity Level Controls”, “Process Level Controls”, “Information Technology General Controls” and “Segregation of Duties”.
(ii) Existing phases of the internal control and risk management system in relation to the financial reporting process
The design, establishment and maintenance of the Corporate Reporting Control System are ensured through scoping, identifying and assessing risks and controls (at corporate and process level, through risk assessment and monitoring activities), and the relevant information flows (reporting).
(iii) Identification and assessment of corporate reporting risks
Scoping and risk assessment for significant processes are carried out based on a top-down, risk-based approach. The scoping activities are intended to identify both Snam Group companies within the scope of the Corporate Reporting Control System, defining the components to be applied for each one, and financial statement information and items that are significant for that purpose, as well as the associated processes.
The risk assessment activities for significant processes aim to identify the specific activities likely to generate risks of unintentional error or fraud, which may have a significant impact on the financial statements.
The companies that fall within the scope of the Snam Group’s Corporate Reporting Control System are identified based on the contribution of the different entities to specific amounts in the consolidated financial statements (total assets, total financial debt, net revenue, profit before taxes), in consideration of their relevance for specific procedures and risks. For companies deemed important, significant processes are subsequently identified based on an analysis of quantitative factors (processes that contribute to forming financial statement items in amounts equal to 2.5% of profit before taxes and 0.5% of shareholders’ equity) and qualitative factors (significant estimates in defining the amount, complexity of accounting treatment, etc.).
For relevant procedures and activities, risks of error or fraud are identified, i.e. potential events which may compromise the achievement of the control objectives for corporate reporting. The risks are identified by assuming the absence of controls (inherent risk assessment).
(iv) Identification of controls for identified risks
For companies, processes and related risks considered significant, a control system has been defined based on two fundamental principles: disseminating controls to all levels of the organisational structure, in line with the operational responsibilities assigned, and sustaining the controls over time, so that they are integrated and compatible with operating requirements.
The control system structure provides for entity-level controls, which apply across the entire entity in question (group/individual company), and process-level controls.
Entity-level controls are organised based on the model adopted in the COSO Framework, according to five components (control environment, risk assessment, control activity, information systems and communication flows, and monitoring activity).
Process-level controls are broken down into:
- specific controls, understood as all manual or automated activities intended to prevent, identify and correct errors or irregularities which occur in carrying out operating activities (Process-level controls);
- pervasive controls, understood as structural elements of the control system intended to define a general environment that promotes the correct performance and control of operating activities. Pervasive controls include those related to the segregation of duties and IT general controls.
Specific process-level controls are identified in special procedures which define both the performance of corporate processes and the controls for which the absence or lack of implementation entails a significant risk of error/fraud on the financial statements, and which has no chance of being intercepted by other controls.
(v) Evaluation of controls for identified risks
Both entity-level and process-level controls are subject to regular evaluation (monitoring) in order to verify over time the adequacy of their design and their operational effectiveness. To this end, ongoing monitoring activities have been entrusted to the management responsible for significant processes/activities, and separate evaluations have been entrusted to the Internal Auditor, who operates in accordance with a plan agreed with the Executive Responsible for preparing corporate accounting documents that aims to define the scope and objectives of their actions via agreed audit procedures.
Snam’s Board of Directors has also appointed Reconta Ernst & Young to examine the adequacy of the internal control system in relation to the preparation of financial reporting used to form the separate and consolidated financial statements of Snam S.p.A., through the performance of autonomous and independent checks on the functioning of the control system and the effectiveness of its design.
This appointment, which is allocated annually on a voluntary basis, reflects the need to constantly pay a great deal of attention to issues relating to the Corporate Reporting Control System, in accordance with the provisions of Article 154-bis of the TUF and with the best practices applied by leading companies.
The allocation of this appointment is provided for by the Group’s regulations and, in particular, by:
- the procedure “Allocation and management of appointments to the External Auditors”, which states that the appointment to carry out the “audit intended to verify the declaration of the CEO and the Executive Responsible for preparing corporate accounting documents on the Corporate Reporting Control System” should be able to be classified under those pertaining to verification, and therefore should be able to be assigned to the External Auditors;
- the Corporate Reporting Control System procedure, which provides, in line with international best practices, for the implementation of an additional component for evaluating the effectiveness of the design and operation of the Corporate Reporting Control System, represented by the outcome of the examination performed by an external party, to be independent of the organisation and identified within the External Auditors, which, based on the checks carried out, shall issue an annual report on the adequacy of the internal control system in relation to the preparation of the financial reporting for the creation of Snam’s separate and consolidated financial statements;
- the control standards pertaining to Snam’s Model 231 in relation to the Administration process, which provide for the External Auditors of Snam Group to perform checks on the adequacy of design and operation of the Corporate Reporting Control System.
The monitoring activities and the checks performed on controls and any other information or situation with a potential impact on corporate reporting are intended to identify any deficiencies in the Corporate Reporting Control System, which are classified separately depending on their significance and the identification of corrective measures to overcome them. The evaluation of the deficiencies considers them both individually and combined with financial statement items or significant information.
The results of the monitoring and checks on controls and the other information or situations significant to the Corporate Reporting Control System are subject to periodic reporting on the state of the control system, which is also carried out through the use of IT tools aimed at ensuring the traceability of the information concerning the adequacy of the design and the functioning of the controls.
Based on this reporting, the Executive Responsible for preparing corporate accounting documents draws up half-year and annual reports on the adequacy and effective application of the Corporate Reporting Control System, which, having been shown to the CEO and after the Control and Risk Committee and the Board of Statutory Auditors have been informed, are submitted to the Board of Directors on the occasion of the approval of the draft separate and consolidated financial statements, as well as of the consolidated half-year financial report, in order to enable the performance of the oversight functions of the Board of Directors, as well as its assessments of the Corporate Reporting Control System, based partly on the results of the verification procedures performed by the External Auditors in relation to the adequacy of the control system for the preparation of the separate and consolidated financial statements.
(vi) Positions and departments involved
The Executive Responsible for preparing corporate accounting documents is supported within Snam and its Subsidiaries by various parties, whose duties and responsibilities are defined in the aforementioned rules on the Corporate Reporting Control System.
Specifically, the control activities and assessments involve all levels of the organisational structure of Snam and its Subsidiaries.
In this organisational context, particular importance is assumed by the risk owner, who performs line monitoring for process-level controls and IT general controls, assessing the design and functioning of the controls and supplying information for reporting on monitoring activities and on any deficiencies identified, with a view to promptly identifying suitable corrective measures. A fundamental role is also assigned to the department head, who is responsible for risk assessment, definition of the controls and the assessment of the results of the control system for the relevant processes, which is also carried out based on the results of the monitoring performed by the risk owners. Lastly, the senior managers and CEOs of the individual Group companies are responsible over time for establishing, designing and maintaining the Company’s control system; they receive the results of the checks performed on all the controls and draw up dedicated Company half-year and annual reports that they submit to their own Boards of Directors, having informed the Board of Statutory Auditors, and to the parent company.
56 Dependability (of the reporting): reporting that is correct, complies with generally accepted accounting standards and fulfils the requirements of the applicable laws and regulations.
57 Accuracy (of the reporting): reporting that does not contain any errors.
58 Reliability (of the reporting): reporting that is clear and complete, thereby allowing investors to make informed decisions.