The guidelines for internal controls were defined by the Board of Directors on March 21, 2000, and subsequently updated and approved on March 25, 2009, and November 12, 2014.
As required by the Code, the company’s internal control and risk management system consists of a set of rules, procedures and organizational structures put in place to ensure business operations in line with the objectives defined by the Board of Directors, which is able to identify measure, manage and monitor the main risks. The objective is to ensure the safeguarding of the company’s assets, an efficient and effective operating system, reliable financial information and compliance with the laws and regulations as well as the Bylaws and internal procedures.
The internal control and risk management system is based on standards that require that business activities be based on applicable internal and external rules, can be traced and documented, that the allocation and exercise of powers as part of a decision-making process be matched to the positions of responsibility and/or with the size and/or significance of the underlying transactions, that those parties that take or implement decisions, that record transactions and those that are required to perform the controls over such transactions provided for by law and procedures envisaged by the internal control and risk management system be different parties and that confidentiality and compliance with the privacy legislation be ensured.
The parties involved in the internal control and risk management system are the Board of Directors, the CEO as the Director in charge of the internal control and risk management system, the control and risk committee, the chief internal auditor, the manager in charge of financial reporting, the Board of Statutory Auditors, the independent auditors and the integrity board, each by carrying out their duties and roles.
Following the merger between Impregilo and Salini changes were made to the organizational structure of the system; today it includes "second level" control functions, represented by the manager in charge of financial reporting, the compliance function, the risk management function and the quality, environment, health and safety function, which report to the Chief Executive Officer.
The company’s internal control and risk management system consist of the organizational structure, the proxies and delegation system, the Organization, Management and Control Model (pursuant to Legislative Decree 231/01), the group Code of Ethics, the organizational documents such as the organizational chart, the guidelines, the standard (or interfunctional) procedures, the organizational instructions, the organizational communications, the operating procedures, the manuals and executive instructions.
Main characteristics of the existing internal control and risk management system in relation to the financial reporting process, pursuant to Article 123-bis.2.b) of TUF
The scope of the internal control and risk management system in relation to the financial reporting process (hereinafter the “System”) is to ensure the credibility, accuracy, reliability and timeliness of financial reporting.
Salini Impregilo has designed, implemented, monitored and updated its system over time in accordance with guidelines based on international frameworks and best practices.
These guidelines have been specified to comply with the characteristics of the Issuer and its operating units that contribute to financial reporting (both those for the parent and the group). This process of integrating the general model with the Company’s specific model considered that the group is composed of entities that are separate in legal terms from the parent for the purposes of the financial reporting referred to herein. Specifically, the group is composed of legally separate entities (e.g. Italian and foreign companies) and entities that, although they are not legally separate from the parent under Italian law (e.g. foreign branches), have their own administrative and organizational structures and produce their financial reporting independently due to their industrial characteristics.
Accordingly and based on the logic underlying the reference model, the group defined the criteria to ensure the System’s actual application.
These criteria provide for the dissemination of the application procedures, the training of the personnel involved in the different stages of the process and a monitoring plan whereby the effective use of the application procedures is checked and any developments and integrations necessary due to the wide-ranging operating scope in which the group works are identified.
The model, with the appropriate adaptations, is currently being updated and implementation following the changes to the organizational structure made as a result of the merger.
II. Description of the main characteristics of the existing internal control and risk management system in relation to the financial reporting process
II.1The System’s main stages
The main stages of the System are:
- Identification of financial reporting risks: completion of this stage firstly entailed the analysis of all the more important internal processes in terms of their potential impact on the company’s financial reporting and, secondly, identification of the specific processes that are significant for the group as a whole due to the specific nature of the different business segments in which the group companies operate, even though they may not be applicable to the parent.
The analysis considered the criteria to identify risks of non-attainment of control objectives (“financial statements assertions”: existence and occurrence, completeness, measurement and recognition, presentation and disclosure, rights and obligations) for each financial statements item (separate and consolidated). The possible risks of error and fraud that could potentially impact financial reporting were also considered.
- Assessment of financial reporting risks: the assessment of the intrinsic risk (inherent risk assessed regardless of the related controls) for each financial statements item entails the analysis of: (i) the significance of the above financial statements objectives for each item, (ii) the importance of each individual item in its category (e.g., assets or liabilities, revenue, operating expense, financial income and expense and income taxes) in order to identify their significance; and (iii) the materiality of the item compared to the pre-tax profit and equity.
- Identification of controls for the identified risks: the intrinsic risk associated with each financial statements item as identified above was subsequently analyzed considering the existing control environment of each group company. Specifically, based on the analysis of the process generating the financial statements item, the collective or individual controls envisaged by the process to ensure compliance with the related financial statements objectives (“financial statements assertions”) were identified. These controls, which mitigate the intrinsic risk, determine the residual risk for each financial statements item.
- Assessment of controls for the identified risks: a specific monitoring process was carried out regularly to assess the effectiveness of the control’s mitigating actions and the actual working of the control as part of the analyzed process.
Its checks are carried out (pursuant to Law 262/05) every six months and are planned so as to involve the most significant operating units. Evaluation of the significance of an operating unit for the purposes of the controls considers its business volumes as a percentage of those of the parent and the group and any specific factors that, although not material in quantitative terms, are important with respect to their measurement or that are deemed worthy of analysis.
When issues arise or processes are identified that could be improved as a result of the above monitoring, they are described in the supporting documentation and a remedial plan is prepared. This plan is suitably illustrated in the report and monitored until the set objectives are achieved.
II.2 Roles and units involved
Starting from the year end, the internal audit unit was entrusted with the coordination of the control activities pursuant to Law 262/05, following a specific assignment given to the manager in charge of financial reporting. The internal audit department carries out checks on the implementation of key controls in accordance with the “Administrative, accounting and operational procedures model for drawing up the Group’s financial statements” and, in the performance of such activities, it can also use external specialist resources. It prepares documentation supporting its activities every six months and a report to be used by the manager in charge of financial reporting, who assesses its content and findings and then reports to the relevant internal bodies.
After approving the business and strategic plan, which sets out the new management team’s strategic objectives, on March 19, 2014, the Board of Directors commenced a procedure to define the nature and level of risk compatible with these objectives. It was assisted by the control and risk committee.
During the meeting to approve the 2014 financial statements, the control and risk committee expressed its favorable opinion of the adequacy and effectiveness of the internal controls and risk management system to the Board of Directors following its review of the reports drawn up by the chief internal auditor and the integrity board and based on interviews with them and the assistance provided by the Manager in charge of financial reporting and the independent auditors.
The Board of Directors agreed with and adopted this positive assessment.
The Board of Statutory Auditors also agreed with this positive assessment.
Operational Risks – Salini Impregilo Group
The Salini Impregilo Group has launched a project for the development and implementation of a Risk Management model that will be gradually extended to all operating companies and make it possible to address and manage the risks in accordance with the industry best practices.
The project is structured to involve all operating units in order to take into account the differences between the countries and the different economic, regulatory and socio-cultural environments in which Salini Impregilo operates.
Under this project a Chief Risk Officer will be appointed who, with the support of a work group that is already operating, aims to identify the main company risks and assess the effectiveness of the controls put in place by the structures of the operating units through a common method.
I Risk Assessment
A Risk Assessment was conducted in 2014, aimed to identify the risks that could affect the achievement of the Business Plan targets, with a special focus on the assessment of operating risks.
The Group’s Senior and Top Management involved therefore assessed both the level of exposure to a potentially negative event in terms of impact and probability of risk, and the suitability of the internal control system based on the effectiveness of existing controls.
The methods used for the Risk Assessment included the following stages:
- Identification of the risks
This phase was based on an initial mapping of business processes and the identification of significant risks associated to them and potentially impede the achievement of Group targets.
As a result of this activity, a catalogue of risks has been developed which is based on the sharing and integration of the combined experience of Salini and Impregilo Group over the years in risk management in the engineering and construction sector, as well as the contribution by relevant Management through interviewing them.
The catalogue of risks, through the interviews, resulted in a list of risks stemming from the experience of the two groups. New risks were identified during the process also by comparing the risks from external sources in the same sector.
- Risk assessment
The assessment of inherent risk, i.e. assessed independently of related controls, was performed by combining the probability of occurrence of the risk event and the potential impact on the targets generated by such risk.
- Identification and assessment of controls for the identified risks
The inherent risk was subsequently analyzed on the basis of the assessment of the effectiveness of the existing control system in the different company processes.
Specifically, using the initial mapping of processes as a basis, the level of effectiveness of the control activities was assessed. On the basis of the application of these controls to mitigate the risk, the residual level of each risk analyzed was determined.
- Verification of the effectiveness of the controls for the identified risks
As part of the Company’s organization and the requirements of the internal control and risk management system there are different bodies and company functions dedicated to the verification of the effective functioning of the System. Specifically, the internal audit function, as part of the annual audit plan approved by the control and risks Committee (the "Audit plan"), checks compliance of the company processes with respect to internal control and risk management system procedures, also considering the results of the risk assessment activities and by monitoring the development of the programs implementing improvements identified with reference to the design of the controls.
The results of the risk assessment are described below based on the nature of the risk and in order of the importance of the residual risk on the basis of management evaluations, including an overview of the most significant factors.
The main risks concern the changes in relationships with the Client during the tender process and during the operational management of the contract when it is awarded. These aspects are characterized by an external risk factor mainly linked to the structure, the competence and characteristics of the Customer.
Project management therefore requires, in all its phases, a strong coordination between the operating units and headquarters to identify and resolve any issues with the counterparty in a timely manner and in accordance with the contract.
These risks are associated with the Group’s operational processes, including the organization of the project management structures, planning production and completing the actual work. These risks concern both construction projects and concessions. The project kickoff, in particular, is a crucial phase of contract management that requires the timely definition of the organizational structure of the project and detailed knowledge of the country’s situation and the local production system.
This category includes risks related to business management, assessment of the competitive environment and the conditions of what the Group considers target countries from a social, political and economic standpoint. Moreover, this category also includes the risks associated with drawing up agreements with any partners and setting up Joint Ventures, also taking in to account the effect that some organizational choices could have at Group level.
Salini Impregilo is present in several countries that have a certain level of economic, political and social instability. This factor is assessed when developing the strategic plan and is carefully studied for each project.
During the project study phase, special attention is paid to the social and cultural context of the relevant country, the type of customer, the type of contract and the sources of funding to finance the projects.
These are the risks associated with regulatory compliance, whether based upon external factors, such as legislative, fiscal or contractual requirements in a broad sense, or internal factors, such as compliance with the Group Code of Ethics and company procedures.
Considering the size and complexity of the Company, the aspects related to completing the integration process between the two companies existing prior to the merger are very important, especially as concerns the dissemination and application of a common system of procedures, as well as the coordination and monitoring of intercompany transactions.
The risks associated with reporting activities specifically relate to the preparation and monitoring of the economic and financial information disclosed to the market.
Due to several recent changes in legislation concerning IFRS, management is now involved in the assessment, for reporting issues, of the aspects tied to the correct application of the accounting principles.
This category includes risks related to the ability to gain access to financial markets, treasury management, at both central and peripheral level, insurance and tax management, paying close attention to the different local laws of the countries where the Group operates.
Financial risk management is subject to strict controls in line with the company strategies covering a considerably longer timeframe, and with due regard for the short term needs of
the operating companies. As regards contract management with customers, verification indices are defined to protect against risks related to price variation. In general, it is also important to monitor the "foreign exchange balance", i.e. the alignment between the portion of contract work paid by the customer in local currency and the purchases in the country of reference. Headquarters, on a central basis, plays a significant role in the coordination of the peripheral facilities in order to ensure control of the financial resources available.
Legal risks refers to meeting requirements of a legislative nature, but especially concerns the aspects related to contract management in terms of accounts receivables for Customers and accounts payable to subcontractors and suppliers.
Management has emphasized the importance of monitoring contract management from the very first stages of a project, as well as defining a standard contract for supplies and subcontracting, which reduce counterparty default risks.
This category includes the risks associated with events that could tarnish the image of the Group, both nationally and internationally.
In assessing these risks, management has underlined the importance of having successfully achieved the integration process between the two companies that existed before the merger, nearing completion.
The Group has adopted a system of policies, procedures and controls, from the Code of Ethics to the Anti-corruption Model, designed to ensure a suitable internal control system to prevent fraud, both internal and external.
Finally, the internal audit unit, as part of the annual audit plan approved by the Board of Directors, checks compliance of the company processes with the rules of the internal control and risk management system, also considering the results of the risk assessment activities performed on an annual basis and by monitoring the development of the programs implementing improvements identified (and agreed) with reference to the design of the controls.
11.1. DIRECTOR IN CHARGE OF THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM
As described in Section 3 of this report, the Board of Directors appointed the CEO as “Executive director in charge of internal controls”, assisted by the internal control committee on March 12, 2007.
The Board of Directors elected by the shareholders on July 17, 2012, confirmed the CEO as the “Director in charge of the internal control and risk management system” with all the powers and duties envisaged in Article 7 of the Code.
The Director in charge of the internal control and risk management system:
- supervises identification of the key business risks (strategic, operating, financial and compliance), considering the activities carried out by the Issuer and its subsidiaries, and presents them regularly to the board;
- implements the guidelines established by the Board of Directors and manages the previously designed and created internal control and risk management system, checking its overall adequacy, and effectiveness on an ongoing basis, assisted by the chief internal auditor;
- adapts the System to reflect operating conditions and the legislative and regulatory framework, again assisted by the internal audit head;
- requests the internal audit unit to perform checks of specific operating areas and the compliance with internal rules and procedures during business activities (when necessary); he informs the chairperson, the chairperson of the control and risk committee and the chairperson of the Board of Statutory Auditors thereon;
- reports to the Board of Directors promptly about the checks requested by the internal audit unit.
11.2. CHIEF INTERNAL AUDITOR
Giacomo Galli, appointed by the Board of Directors on January 14, 2014, was the chief internal auditor until May 14, 2014. Subsequently, Francesco Albieri was appointed as chief internal auditor by resolution of the Board of Directors on May 14, 2014.
Giacomo Galli, a person external to the issuer, endowed with adequate professionalism, independence and organization, verified by the Board at the time of his appointment, held the office of internal office head for the time needed to identify a person qualified for the role to hire as an employee of the Issuer. The person so appointed was Francesco Albieri.
The Board of Directors also approved the remuneration to be paid for carrying out above mentioned position.
The above appointments and related remuneration, were approved, on proposal of the Director in charge of the internal control and risk management system , after receiving the favorable opinion of the control and risk committee and consulting the Board of Statutory Auditors.
The chief internal auditor reports to the Board of Directors alone and is not in charge of any business areas; the chief internal auditor is completely autonomous in terms of his actions and in operating and control terms.
The structure of the internal audit unit is composed of persons with different levels of experience necessary to carry out their duties. Under the assigned budget and subject to the approval of the Board of Directors, the above unit engages external consultants when necessary to fulfil specific requirements of the audit plan.
The internal audit unit operated in 2014 within the remit of its mandate approved on August 26, 2011, by the Board of Directors, with the favorable opinion of the Board of Statutory Auditors, and further updated on November 12, 2014.
The chief internal auditor checks that the internal controls and risk management system is operational and adequate. He/she performs this check using an audit plan, approved by the Board of Directors, based on a structured procedure to analyze and prioritize the key risks, integrated with specific tasks requested by the management and control bodies.
In performing the activities under his responsibility, the chief internal auditor had direct access to all information useful to carry out his duties, he prepared regular reports providing suitable information about his activities and the methods used to manage risk and compliance with risk containment plans. He also assessed the suitability of the internal controls and risk management system. The chief internal auditor provided timely reports upon the request of the Director in charge of the internal control and risk management system, and delivered them, as part of his remit, to the members of the control and risk committee, the Board of Statutory Auditors and the chairperson of the Board of Directors, as well as to the Director in charge of the internal control and risk management system.
During 2014, the internal audit unit checked the reliability of the information systems, including the accounting systems. It also monitored the integration process of the technology platforms which were subject to an assessment and found to be the most
appropriate for the intended purpose. As a result thereof, the unit can continue carrying out checks based on an internationally accepted control-based framework.
The chief internal auditor is financially independent with his own budget approved each year by the Board of Directors after consulting the control and risk committee.
The Board, on proposal of the Director in charge of the internal control and risk management system, following the favorable opinion of the control and risk committee and consulting with the Board of Statutory Auditors, defined the remuneration of the chief internal auditor in line with company policies and ensured that he would be provided with adequate resources for the fulfilment of his responsibilities, on January 14, 2014, for Giacomo Galli and on May 14, 2014, for Francesco Albieri.
Moreover, the chief internal auditor worked together with the other control bodies, as explained in Section 11.6 below.
11.3. ORGANISATION MODEL pursuant to Legislative Decree no. 231/2001
On January 29, 2003, the Company adopted the “Organization, Management and Control Model” required by Article 6 of Legislative Decree no. 231/01, based on the Confindustria guidelines, approved on March 7, 2002.
Following the changes in legislation after adoption of the first model, the Board of Directors revised the model on March 30, 2005 reflecting the update to the Confindustria guidelines of May 18, 2004, the code of conduct and the model drawn up by the National Association of Building Constructors (ANCE), approved on March 31, 2003, and subsequently revised on September 1, 2004.
On September 12, 2006, July 21, 2008, March 25, 2009, August 28, 2009, March 25, 2010, August 26, 2011, March 26, 2012, October 16, 2012 , August 5, 2013, and May 14, 2014, following the extension of the offenses covered, the internal reorganizations that had taken place in the meantime, and the update of the “Activities at risk” and in accordance with best practices, the Board of Directors approved the new “Organization, Management and Control model” (the general section of which is available on the Internet site www.salini-impregilo.com, under the "Governance - Internal Control and Risk Management” section) and related updates.
In order to comply with the specific provisions of Legislative Decree no. 231/01 and considering the analysis of the company’s situation and activities potentially at risk, the offenses committed when dealing with the public administration, forgery of coins, public credit notes and duty stamps, corporate crimes, terrorist acts or subversion of democratic
order, crimes against the individual, market abuse and international crimes, handling of stolen goods, laundering and use of money, assets or other illegally gained goods, crimes against safety in the workplace, cybercrimes and the unlawful processing of data, organized crime, induction to not make statements or to make false statements to judicial authorities, counterfeiting, crimes against industry and trade, copyright crimes, environmental crimes, employment of illegally staying third-country nationals, offences relating to undue incitement to give or promise anything of value and corruption between individuals.
On September 12, 2006, the Board of Directors set the number of members of the integrity board as per Article 6 of Legislative Decree no. 231/2001 as three, in line with that required by the new Organization, Management and Control Model and appointed them, consisting of the internal control supervisor (internal employee) and two external persons. Previously, the board had been monocratic (internal control supervisor). These appointments were confirmed by the Board of Directors on May 14, 2014 for three years and, therefore, until its approval of the interim financial report at June 30, 2015. As required by the model, the integrity board’s chairperson is a member who is not an employee of the Issuer. The integrity board’s members have specific expertise in inspections, analyses of control systems and legal issues (in particular, criminal proceedings) so that they can properly carry out their duties. The Board of Directors deemed it appropriate not to give the Board of Statutory Auditors the integrity board functions.
The strategically significant subsidiary Impregilo International Infrastructures N.V. is a company under Dutch law and therefore it is not subject to the provisions of Italian Legislative Decree 231/2001.
The Salini Impregilo Group Code of Ethics forms part of the Model (available on the website www.salini-impregilo.com, under the “Governance – Governance system”) section. The present version was approved by the Salini Impregilo’s Board of Directors on May 14, 2014.
11.4. INDEPENDENT AUDITORS
Salini Impregilo and its main subsidiaries have engaged independent auditors to perform the statutory audit of their financial statements and to check that their accounting records are kept correctly as required by Legislative Decree no. 58 of February 24, 1998, and Legislative Decree no. 39 of January 27, 2010. Their interim financial reports are reviewed.
The independent auditors audit Salini Impregilo in accordance with the applicable legislation.
As part of the general audit plan for the group, the subsidiaries that do not exceed the thresholds set by Consob have nonetheless engaged the independent auditors on a voluntary basis.
The shareholders of Salini Impregilo S.p.A. appointed PricewaterhouseCoopers S.p.A. as independent auditors in their meeting on May 3, 2006 for the period from 2006 to 2011. On May 3, 2007, they extended the independent auditors’ engagement for the period from 2012 to 2014, pursuant to Article 8.7 of Legislative Decree no. 303 of December 29, 2006.
As a result of the above, the Board of Statutory Auditors initiated a tender process involving several of the leading players in the field of independent audits. At the end of this process, the control body identified the independent auditors that meet the requirements set out in Legislative Decree 39/10 to be submitted, with a reasoned opinion, for approval by the Shareholders’ Meeting.
The shareholders’ meeting called to approve the financial statements as at December 31, 2014, will also be called on to appoint the independent auditors for 2015-2023.
11.5. MANAGER IN CHARGE OF FINANCIAL REPORTING AND OTHER ROLES AND FUNCTIONS
On June 27, 2007, the shareholders approved Article 26, to be included in Salini Impregilo’s Bylaws. This new article regulates the appointment and removal from office of the manager in charge of financial reporting, his term of office, related fee and relevant professional characteristics.
Article 26 requires that the board appoint, and remove from office, after consulting the Board of Statutory Auditors, a manager to be in charge of financial reporting, setting his term of office and fee. The candidates shall have at least three years’ experience in: (a) administration and finance or administration and control or management duties with responsibility for financial, accounting and control matters, with companies that have a share capital of at least €2 million or consortia of companies with a total share capital of not less than €2 million; or (b) legal, economic or financial aspects closely related to the company’s activities; or (c) management at a state body or public administration office active in the credit, financial or insurance sectors or in sectors closely related to that of the company.
Aspects and sectors closely related to the company’s activities are those set out in the last paragraph of Article 29 (which states: “As required by Article 1.2.b) and c) and paragraph 3 of Ministerial Decree no. 162 of March 30, 2000, fields and sectors of activity closely connected with
those of the businesses operated by the Company shall be understood to mean the fields (legal, economic, financial and technical-scientific) and the sectors of activity connected with or relating to the activity carried out by the Company as set forth in the corporate purpose”).
On this point it should be noted that on March 19, 2015, the Board of Directors called an Extraordinary Shareholders’ Meeting for April 30, 2015, to approve the amendment of the last paragraph of Article 29 of the Bylaws, as shown in section 13 below.
The position of Manager in charge of financial reporting pursuant to Article 154-bis of Legislative Decree no. 58 of February 24, 1998, is currently held, with an open term, by General Director Group Finance & Corporate Massimo Ferrari, who was granted all the powers and authority required to effectively carry out his functions and duties, within the budget limits approved from time to time and which were provisionally fixed at €50,000.00.
The Board of Directors granted powers Massimo Ferrari specifically including
- direct access to all information required to produce accounting data;
- unlimited use of internal communication channels that ensure the correct intragroup exchange of information;
- a free hand in organizing his unit in terms of both human and technical resources (materials, IT and any other resources);
- creation and adoption of administrative and accounting procedures independently, also by availing of the assistance of other company functions when necessary;
- assessment and modification of internal administrative and accounting procedures;
- participation at meetings of the board and executive committee, especially those which discuss issues related to his function and for which he is responsible;
- engaging external consultants, when necessary for specific issues;
- interacting with employees with control duties and exchanging information to ensure the ongoing mapping of risks and processes and the proper monitoring of the correct working of administrative and accounting procedures.
Section 11.2 describes the roles, appointment criteria, powers and tools of the chief internal auditor, who has specific responsibilities for internal controls and risk management.
11.6. COOPERATION BETWEEN PARTIES INVOLVED IN THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM
In order to maximize the efficiency of the internal control and risk management system and reduce duplication of activities, the Issuer has provided that:
- the Board of Directors acts as a guide and assesses the System’s adequacy using the information provided directly by the Director in charge of the internal control and risk management system, the control and risk committee, the Board of Statutory Auditors, as the internal control and audit committee, and the manager in charge of financial reporting;
- the chief internal auditor and the integrity board as per Legislative Decree no. 231/01 report on their activities to the control and risk committee so that it, in turn, can report to the Board of Directors;
- the chief internal auditor, the head of the compliance function and the Board of Statutory Auditors take part in the meetings of the control and risk committee;
- the chief internal auditor sends his reports (both periodic and on special issues as requested by the Director in charge of the internal control and risk management system) to this Director, the chairpersons of the Board of Statutory Auditors, the control and risk committee and the Board of Directors;
- the head of the compliance function as per Legislative Decree no. 231/01 reports on his activities to the Integrity Board;
- the head of the compliance function reports to the Director in charge of the internal control and risk management system, the control and risk committee and the Board of Statutory Auditors on his activities and on the progress of the Compliance Plan every six months;
- the head of the compliance function informs, whenever he considers it to be necessary, the Director in charge of the internal control and risk management system and the control and risk committee about significant facts and circumstances related to his work;
- the head of the compliance function sends his reports on the checks carried out to the Director in charge of the internal control and risk management system, top management and the control bodies. In the event critical issues or shortcomings come to light or it is determined that further analysis is required, the compliance function informs the internal audit unit, in order to assess whether any specific checks need to be carried out.