The Company has in place a system of risk management and internal control over financial reporting based on the model provided in the COSO Framework, according to which the internal control system is defined as a set of rules, procedures and tools designed to provide reasonable assurance of the achievement of corporate objectives. In relation to the financial reporting process, reliability, accuracy, completeness and timeliness of the information contribute to the achievement of such corporate objectives. Risk management is an integral part of the internal control system. A periodic evaluation of the system of internal control over financial reporting is designed to ensure the overall effectiveness of the components of the COSO Framework (control environment, risk assessment, control activities, information and communication, and monitoring) in achieving those objectives.
The Company has a system of administrative and accounting procedures in place that ensure a high degree of reliability in the system of internal control over financial reporting.
The approach adopted by the Company for the evaluation, monitoring and continuous updating of the system of internal control over financial reporting, is based on a ‘top-down, risk-based’ process consistent with the COSO Framework. This enables focus on areas of higher risk and/or materiality, where there is risk of significant errors, including those attributable to fraud, in the elements of the financial statements and related documents. The key components of the process are:
- identification and evaluation of the source and probability of material errors in elements of financial reporting;
- assessment of the adequacy of key controls in enabling ex-ante or ex-post identification of potential misstatements in elements of financial reporting; and
- verification of the operating effectiveness of controls based on the assessment of the risk of misstatement in financial reporting, with testing focused on areas of higher risk.
Identification and evaluation of the risk of misstatements which could have material effects on financial reporting is carried out through a risk assessment process that uses a top-down approach to identify the organizational entities, processes and the related accounts, in addition to specific activities, which could potentially generate significant errors. Under the methodology adopted by the Company, risks and related controls are associated with the accounting and business processes upon which accounting information is based.
Significant risks identified through the assessment process require definition and evaluation of key controls that address those risks, thereby mitigating the possibility that financial reporting will contain any material misstatements.
In accordance with international best practices, the Group has two principal types of control in place:
- controls that operate at Group or subsidiary level, such as delegation of authorities and responsibilities, separation of duties, and assignment of access rights for IT systems; and
- controls that operate at process level, such as authorizations, reconciliations, verification of consistencies, etc. This category includes controls for operating processes, controls for closing processes and cross-sector controls carried out by captive service providers. These controls can be preventive (i.e., designed to prevent errors or fraud that could result in misstatements in financial reporting) or detective (i.e., designed to reveal errors or fraud that have already occurred). They may also be defined as manual or automatic, such as application-based controls relating to the technical characteristics and configuration of IT systems supporting business activities.
An assessment of the design and operating effectiveness of key controls is carried out through tests performed by internal audit functions, both at group and subsidiary level, using sampling techniques recognized as best practices internationally. Internal Audit also conducts a qualitative review of the tests performed by subsidiary companies.
The assessment of the controls may require the definition of compensating controls and plans for remediation and improvement. The results of monitoring are subject to periodic review by the manager responsible for of the Company’s financial reporting and communicated by him to senior management and to the Audit Committee (which in turn reports to the Board of Directors).