The guidelines for internal controls, defined by the Board of Directors on 21 March 2000 and subsequently updated and approved on 25 March 2009, are set out in the document “Guidelines for the internal controls of IMPREGILO S.p.A.”.
As required by the Code, the company’s internal controls and risk management system consists of a set of rules, procedures and organisational structures put in place to ensure business operations in line with the objectives defined by the Board of Directors, which is able to identify, measure, manage and monitor the main risks. The objective is to ensure the safeguarding of the company’s assets, an efficient and effective operating system, reliable financial information and compliance with the laws and regulations as well as the Bylaws and internal procedures.
The internal controls and risk management system is based on standards that require that business activities be based on applicable internal and external rules, can be traced and documented, that the allocation and exercise of powers as part of a decision-making process be matched to the positions of responsibility and/or with the size and/or significance of the underlying transactions, that those parties that take or implement decisions, that record transactions and those that are required to perform the controls over such transactions provided for by law and procedures envisaged by the internal controls and risk management system be different parties and that confidentiality and compliance with the privacy legislation be ensured.
The parties that implement the internal controls and risk management system are the Board of Directors, the CEO as the Director in charge of internal controls and risk management, the risk and control committee, the internal audit head, the manager in charge of financial reporting, the Board of Statutory Auditors, the independent auditors and the supervisory board, each by carrying out their duties and roles.
The company’s internal controls and risk management system consists of the organisational structure, the proxies and delegation system, the Organisational, management and control model, the group Code of Ethics, the organisational documents such as the organisational chart, the guidelines, the standard (or interfunctional) procedures, the organisational instructions, the organisational communications, the operating procedures, the manuals and executive instructions.
Key characteristics of the existing risk management system and internal controls over financial reporting, pursuant to article 123-bis.2.b) of the Consolidated Finance Act
The scope of the risk management system and internal controls over financial reporting (the “System”) is to ensure the credibility, accuracy, reliability and timeliness of the financial reporting.
Impregilo has designed, implemented, monitored and updated its system over time in accordance with guidelines based on international frameworks and best practices, such as “COSO ERM”.
These guidelines have been specified to comply with the characteristics of the Issuer and its operating units that contribute to financial reporting (both those for the parent and the group). This process of integrating the general model with the Company's specific model considered that the group is composed of entities that are separate in legal terms from the parent for the purposes of the financial reporting referred to herein. Specifically, the group is composed of legally separate entities (e.g., Italian and foreign companies) and entities that, although they are not legally separate from the parent under Italian law (e.g., foreign branches, foreign joint ventures), have their own administrative and organisational structures and produce their financial reporting independently due to their industrial characteristics.
Accordingly and based on the logic underlying the reference model, the group defined the criteria to ensure the System’s actual application.
These criteria provide for the dissemination of the application procedures, the training of the personnel involved in the different stages of the process and a monitoring plan whereby the effective use of the application procedures is checked and any developments and integrations necessary due to the wide-ranging operating scope in which the group works are identified.
The model, with the appropriate adaptations, will be extended to the new Group companies resulting from the merger, in the first quarter of 2014.
Description of the key characteristics of the existing risk management system and internal controls over financial reporting
The System's main stages
The main stages of the System are:
- Identification of financial reporting risks: completion of this stage firstly entailed the analysis of all the more important internal processes in terms of their potential impact on the company’s financial reporting and, secondly, identification of the specific processes that are significant for the group as a whole due to the specific nature of the different business segments in which the group companies operate, even though they may not be applicable to the parent.
The analysis considered the criteria to identify risks of non-attainment of control objectives (“financial statements assertions”: existence and occurrence, completeness, measurement and recognition, presentation and disclosure, rights and obligations) for each financial statements item (separate and consolidated). The possible risks of error and fraud that could potentially impact financial reporting were also considered.
- Measurement of financial reporting risks: measurement of the intrinsic risk (risk measured regardless of the related controls) for each financial statements item entailed the analysis of: (i) the significance of the above financial statements objectives for each item, (ii) the importance of each individual item in its category (e.g., assets or liabilities, revenue, operating expense, financial income and expense and income taxes) in order to identify their significance; and (iii) the materiality of the item compared to the pre-tax profit and equity.
- Identification of controls for the identified risks: the intrinsic risk associated with each financial statements item as identified above was subsequently analysed considering the existing control environment of each group company. Specifically, based on the analysis of the process generating the financial statements item, the collective or individual controls envisaged by the process to ensure compliance with the related financial statements objectives (“financial statements assertions”) were identified. These controls, which mitigate the intrinsic risk, determine the residual risk for each financial statements item.
- Assessment of controls for the identified risks: a specific monitoring process was carried out regularly to assess the effectiveness of the control’s mitigating actions and the actual working of the control as part of the analysed process.
The company was assisted by independent experts during the risk assessment stage and the assessment of the effectiveness of the control designs as part of the development and preliminary implementation of the System. This stage was facilitated by the group’s existing control environment which already worked efficiently.
Once this stage had been completed, a Compliancy control unit was set up headed by the manager in charge of financial reporting (see section 11.5 of this report). The unit’s duties include the periodic checking of the System’s effectiveness. It prepares documentation supporting its activities every six months and a report to be used by the manager in charge of financial reporting, who assesses its content and findings and then reports to the relevant internal bodies.
When issues arise or processes are identified that could be improved as a result of the above monitoring, they are described in the supporting documentation and a remedial plan is prepared. This plan is suitably illustrated in the report and monitored until the set objectives are achieved.
Roles and units involved
In order to ensure the appropriate definition, implementation and ongoing maintenance of the System, the group firstly set up an inter-departmental team that, assisted by independent experts, mapped the existing processes and controls, analysed the risk factors, defined the guidelines to be implemented to ensure the effectiveness of the system and an intensive training programme for personnel involved in financial reporting.
The team mainly consisted of administration and organisational staff and its work was completed with the set up of the Compliancy control unit at the company headed by the manager in charge of financial reporting. This unit’s main duty is to monitor the system by checking the effective application of the controls required by the reference processes or, if requested, any alternative controls compared to the system’s standards.
Its checks are carried out every six months and are planned so as to involve the most significant operating units. Evaluation of the significance of an operating unit for the purposes of the controls considers its business volumes as a percentage of those of the parent and the group and any specific factors that, although not material in quantitative terms, are important with respect to their measurement or that are deemed worthy of analysis. When the unit’s analysis identifies elements to be developed as part of the controls or the processes in which the controls are included, the relevant units for the requested developments are identified and the system is updated with their assistance.
This risk management and control system, as described above for financial reporting purposes, is also backed up by a general risk identification and measurement procedure performed by the internal audit unit once a year based on an ERM (Enterprise Risk Management) standard of the COSO Framework. The unit reviews the internal controls and risk management system of the Issuer and those subsidiaries identified by the Board of Directors as being strategic.
Applying criteria and methods of the ERM methodology, specific activities to identify and assess the main risks persisting on the typical contract processes were carried out during the year as part of the individual audits at the operating units.
The above-mentioned risk management and control initiatives should be considered as part of the organisational integration and review process currently ongoing.
Finally, as part of the annual audit plan approved by the risk and control committee, the internal audit unit checks compliance of the processes with the System’s rules, considering the results of the risk assessment procedure and monitoring development of the programmes implementing improvements identified (and agreed) to the controls.
After approving the business and strategic plan, which sets out the new management team’s strategic objectives, on 6 December 2012, the Board of Directors commenced a procedure to define the nature and level of risk compatible with these objectives. It was assisted by the risk and control committee.
During the meeting to approve the annual financial statements, the risk and control committee expressed its favourable opinion of the adequacy, efficiency and effective working of the internal controls and risk management system to the Board of Directors following its review of the reports drawn up by the internal audit head and the supervisory board and based on interviews with them and the assistance provided by the manager in charge of financial reporting and the independent auditors.
The Board of Directors agreed with and adopted this positive assessment. The Board of Statutory Auditors also agreed with this positive assessment.
Director in charge of internal controls and risk management
As described in section 3 of this report, the Board of Directors appointed the CEO as “Executive director in charge of internal controls”, assisted by the internal control committee on 12 March 2007. The Board of Directors elected by the shareholders on 17 July 2012 confirmed the CEO as the “Director in charge of internal controls and risk management” with all the powers and duties envisaged therefor by article 7 of the Code.
Together with the internal audit head, this director:
- supervises identification of the key business risks (strategic, operating, financial and compliance), considering the activities carried out by the Issuer and its subsidiaries, and presents them regularly to the board;
- implements the guidelines established by the Board of Directors and manages the previously designed and created internal controls and risk management system, checking its overall adequacy and effectiveness on an ongoing basis, assisted by the internal audit head;
- adapts the System to reflect operating conditions and the legislative and regulatory framework, again assisted by the internal audit head;
- requests the internal audit unit to perform checks of specific operating areas and the compliance with internal rules and procedures during business activities (when necessary); he informs the chairperson, the chairperson of the risk and control committee and the chairperson of the Board of Statutory Auditors thereon;
- reports to the Board of Directors promptly about the checks requested of the internal audit unit.
Internal audit head
The Issuer's internal audit head, Raffaele Manente, appointed by the Board of Directors on 12 September 2000, remained in office for all of 2013. He left the company on 31 December 2013.
Giacomo Galli is the current internal audit head. He was appointed by the Board of Directors on 14 January 2014, with the favourable opinion of the risk and control committee, after consulting the Board of Statutory Auditors, determining his remuneration.
The internal audit head reports to the Board of Directors alone and is not in charge of any business areas; the internal audit head is completely autonomous in terms of his actions and in operating and control terms.
The structure of the unit is composed of persons with different levels of experience necessary to carry out their duties. During the year, in consideration of the merger of Salini S.p.A. into Impregilo S.p.A., the unit gradually introduced resources from the relevant structure of Salini into its structure. The harmonisation process of the methods followed by these structures is currently ongoing.
Under the assigned budget, the unit engages external consultants when necessary to fulfil specific requirements of the audit plan.
The internal audit unit operated in 2013 within the remit of its mandate approved on 26 August 2011 by the Board of Directors, with the favourable opinion of the Board of Statutory Auditors.
The internal audit head checks that the internal controls and risk management system is operational and adequate. He performs this check using an audit plan, approved by the Board of Directors, based on a structured procedure to analyse and prioritise the key risks, integrated with specific tasks requested by the management and control bodies.
In performing the activities under his responsibility, the internal audit head had direct access to all information useful to carry out his duties; he prepared regular reports providing suitable information about his activities and the methods used to manage risk and compliance with risk containment plans. He also assessed the suitability of the internal controls and risk management system. The internal audit head provided timely reports upon the request of the Director in charge of internal controls and risk management and delivered them to the chairpersons of the Board of Statutory Auditors, the risk and control committee and the Board of Directors as well as to the Director in charge of internal controls and risk management. The Board of Statutory Auditors examines all reports during participation at the risk and control committee.
The internal audit unit checked the reliability of the IT systems based on an internationally accepted control-based framework.
The internal audit head is financially independent with his own budget approved each year by the Board of Directors after consulting the risk and control committee. The budget was €555,000 for 2013.
During the year, in addition to checking the adequacy and efficient working of internal controls and risk management system as part of the auditing and follow-up tasks, the internal audit head provided assistance to the Issuer's supervisory board (and the supervisory boards of 22 of its subsidiaries) in audits and in the review and update of the related models.
Auditing, verification and follow-up activities - including those of an operational nature on the contracts and processes, as well as those on the effective implementation of Model 231 - were carried out in accordance with the 2013 audit plan.
Moreover, the head worked together with the other control bodies, as explained in section 11.6 below.
Organisation model pursuant to Legislative Decree no. 231/2001
On 29 January 2003, Impregilo adopted the “Organisational, management and control model” required by article 6 of Legislative Decree no. 231/01, based on the Confindustria guidelines, approved on 7 March 2002.
Following the legislative changes made after adoption of the first model, the Board of Directors revised the model on 30 March 2005 reflecting the update to the Confindustria guidelines of 18 May 2004, the code of conduct and the model drawn up by the National Association of Building Constructors (ANCE), approved on 31 March 2003 and subsequently revised on 1 September 2004.
On 12 September 2006, 21 July 2008, 25 March 2009, 28 August 2009, 25 March 2010, 26 August 2011, 26 March 2012, 16 October 2012 and 5 August 2013, following the extension of the offenses covered, the internal reorganisations that had taken place in the meantime, and the revision of the “Activities at risk” and in accordance with best practices, the Board of Directors approved the new “Organisational, management and control model” (the general section of which is available on the Internet site www.salini-impregilo.com, under the “Corporate Governance - Other corporate governance documents” section) and related updates.
In order to comply with the specific provisions of Legislative Decree no. 231/01 and considering the analysis of the company’s situation and activities potentially at risk, the offenses committed when dealing with the public administration, forgery of coins, public credit notes and duty stamps, corporate crimes, terrorist acts or subversion of democratic order, crimes against the individual, market abuse and international crimes, handling of stolen goods, laundering and use of money, assets or other illegally gained goods, crimes against safety in the workplace, cybercrimes and the unlawful processing of data, organised crime, induction to not make statements or to make false statements to judicial authorities, counterfeiting, crimes against industry and trade, copyright crimes, environmental crimes, employment of illegally staying third-country nationals, offences relating to undue incitement to give or promise anything of value and corruption between individuals.
On 12 September 2006, the Board of Directors set the number of members of the supervisory board as per article 6 of Legislative Decree no. 231/2001 as three, in line with that required by the new Organisational, management and control model and appointed them, consisting of the internal control supervisor (internal employee) and two external persons. Previously, the board had been monocratic (internal control supervisor). These appointments were confirmed by the Board of Directors on 28 August 2012 for three years and, therefore, until its approval of the interim financial report at 30 June 2015. As required by the model, the supervisory board’s chairperson is a member who is not an employee of the Issuer. The supervisory board’s members have specific expertise in inspections, analyses of control systems and legal issues (in particular, criminal proceedings) so that they can properly carry out their duties. The Board of Directors deemed it appropriate not to give the Board of Statutory Auditors the supervisory board functions.
The only Italian subsidiary of strategic importance, FISIA Italimpianti S.p.A., adopted its own “Organisational, management and control model” on 5 March 2004 and last updated it on 27 February 2014.
The Salini Impregilo Group Code of Ethics forms part of the Model (available on the Internet site www.salini-impregilo.com, under the “Corporate Governance - Code of Ethics” section). The present version was approved by Salini Impregilo’s Board of Directors on 5 August 2013.
Salini Impregilo and its main subsidiaries have engaged independent auditors to perform the statutory audit of their financial statements and to check that their accounting records are kept correctly as required by Legislative Decree no. 58 of 24 February 1998. Their interim financial reports are reviewed.
The independent auditors perform an audit of Salini Impregilo, in accordance with the applicable legislation.
As part of the general audit plan for the group, the subsidiaries that do not exceed the thresholds set by Consob have nonetheless engaged the independent auditors on a voluntary basis.
The shareholders of Salini Impregilo S.p.A. resolved to engage PricewaterhouseCoopers to audit the company’s financial statements for the period from 2006 to 2011 in their meeting of 3 May. On 3 May 2007, they extended the independent auditors’ engagement for the period from 2012 to 2014, pursuant to article 8.7 of Legislative Decree no. 303 of 29 December 2006.
Manager in charge of financial reporting and other roles and functions
On 27 June 2007, the shareholders approved article 26, to be included in Salini Impregilo's Bylaws. This new article regulates the appointment and removal from office of the manager in charge of financial reporting, his term of office, related fee and relevant professional characteristics.
Article 26 requires that the board appoint, and remove from office, after consulting the Board of Statutory Auditors, a manager to be in charge of financial reporting, setting his term of office and fee. The candidates shall have at least three years’ experience in: (a) administration and finance or administration and control or management duties with responsibility for financial, accounting and control matters, with companies that have a share capital of at least €2 million or consortia of companies with a total share capital of not less than €2 million; or (b) legal, economic or financial aspects closely related to the company’s activities; or (c) management at a state body or public administration office active in the credit, financial or insurance sectors or in sectors closely related to that of the company.
Aspects and sectors closely related to the company’s activities are those set out in the last paragraph of article 29 (which states: “Pursuant to article 1.2.b) and c) and paragraph 3 of Ministerial decree no. 162 of 30 March 2000, aspects and sectors closely related to those of the company are those aspects (legal, economic, financial and technical-scientific) and business sectors tied to or related to the company’s activities and part of its business object”).
Rosario Fiumara held the position of manager in charge of financial reporting until 5 August 2013. He was appointed by the Board of Directors on 11 September 2007.
On 5 August 2013, after carrying out a careful analysis, considering the personal and professional characteristics that this position requires, the Board of Directors appointed the General Manager Group Finance and Corporate Massimo Ferrari as manager in charge of financial reporting, pursuant to article 154-bis of Legislative Decree no. 58 of 24 February 1998.
During the same meeting held on 5 August 2013, the board established that Massimo Ferrari's position as manager in charge of financial reporting would have an open term, until otherwise determined by it; it gave the CEO mandate to propose to the Board of Directors, after consulting the remuneration and appointment committee, the remuneration to be attributed to the manager charged. The board also gave Mr. Ferrari all the powers and authority required to effectively carry out his functions and duties in his new position within the budget limits approved from time to time and which were provisionally fixed at €50,000.00.
The Board of Directors granted Massimo Ferrari powers specifically including:
- direct access to all information required to produce accounting data;
- unlimited use of internal communication channels that ensure the correct intragroup exchange of information;
- a free hand in organising his unit in terms of both human and technical resources (materials, IT and any other resources);
- creation and adoption of administrative and accounting procedures independently, also by availing of the assistance of other company functions when necessary;
- assessment and modification of internal administrative and accounting procedures;
- participation at meetings of the board and executive committee, especially those which discuss issues related to his function and for which he is responsible;
- engaging external consultants, when necessary for specific issues;
- interacting with employees with control duties and exchanging information to ensure the ongoing mapping of risks and processes and the proper monitoring of the correct working of administrative and accounting procedures.
Massimo Ferrari accepted the position as manager in charge of financial reporting on the same date.
Section 11.2 describes the roles, appointment criteria, powers and tools of the internal audit head, who has specific responsibilities for internal controls and risk management.
Cooperation between parties involved in internal controls and risk management
In order to maximise the efficiency of the internal controls and risk management system and reduce duplication of activities, Impregilo has provided that:
- the Board of Directors acts as a guide and assesses the System’s adequacy using the information provided directly by the Director in charge of internal controls and risk management, the risk and control committee, the Board of Statutory Auditors, as the internal control and audit committee, and the manager in charge of financial reporting;
- the internal audit head and the supervisory board as per Legislative Decree no. 231/01 report on their activities to the risk and control committee so that it, in turn, can report to the Board of Directors;
- the internal audit head and the Board of Statutory Auditors participate in the risk and control committee meetings;
- the internal audit head sends his reports (both periodic and on special issues as requested by the Director in charge of the internal controls and risk management) to this Director, the chairpersons of the Board of Statutory Auditors, the risk and control committee and the Board of Directors.