Internal control over financial reporting is a system designed to provide reasonable assurances regarding the reliability, accuracy, fairness and timeliness of financial reporting and the preparation of financial statements for external purposes, in accordance with generally accepted accounting principles.
In accordance with the provisions of the law, the Officer responsible for the Company’s financial reporting (AO) is responsible for the internal control system with regard to financial reporting and, to this aim, establishes the administrative and accounting procedures necessary for drafting the periodic accounting documentation and any other financial notification; moreover, he/she certifies, together with the CEO, their adequacy and actual implementation during the period to which the aforementioned accounting documents refer, by means of an appropriate report on the annual financial statements, on the half-yearly financial statements and on the consolidated annual financial statements. Pursuant to the aforementioned Article 154-bis, the Board of Directors ascertains whether the AO has appropriate powers and means to perform the assigned duties, in addition to supervising the actual conformity to these procedures.
The ‘Guidelines on internal controls over financial reporting’ approved by the Board of Directors on October 29, 2007, and later amended by the Management System Guideline ‘Internal Controls over Corporate Reporting - Rules and Procedures’ approved by the Board of Directors on December 13, 2011, and the Management System Guideline ‘Internal Controls over Financial Reporting’ approved by the Board of Directors on July 30, 2012, are aimed at achieving healthy and fair business management; they define rules and methodologies on the design, implementation and maintenance of the internal control system over Saipem’s financial reporting, as well as on the evaluation of the system’s effectiveness.
These regulations and methodologies have been designed in accordance with the provisions of the aforementioned Article 154-bis of Law No. 58/1998 and of the US law Sarbanes-Oxley Act of 2002 (SOA) which Saipem is required to comply with as a subsidiary of Eni, whose securities are listed on the New York Stock Exchange (NYSE), and based on the CoSo Report (‘Internal Control - Integrated Framework’ published by the Committee of Sponsoring Organizations of the Treadway Commission - 1992).
In accordance with international accounting principles, the Management System Guideline ‘Internal Controls over Corporate Reporting’ is applicable to Saipem SpA and its direct and indirect subsidiaries, in consideration of their relevance for the preparation of financial reporting. All controlled companies, regardless of their relevance with respect to Saipem’s internal control system, use this Management System Guideline as a reference for the design and implementation of their own internal control system, in order to ensure its adequacy in relation to the size of the company and the nature of its business.
Main features of the risk assessment and internal control systems for the purposes of financial reporting
The internal control system was designed in accordance with two fundamental principles: to extend control to all levels of the organisational structure, consistent with operating responsibilities; and the sustainability of controls in the long term, so as to ensure that the performance of controls is increasingly integrated and compatible with operational requirements.
The design, implementation and maintenance of the internal control system are ensured through: risk assessment, control identification, evaluation and reporting.
The risk assessment process has a top-down approach aimed at identifying those organisational departments, processes and specific activities that bear the risk of unintentional errors and/or fraud, which could have a material impact on the financial statements.
The identification of companies that fall within the scope of the internal controls system is based both on their contribution to the consolidated financial statements (turnover, net debt, net revenues, profits before taxation) and their relevance in terms of processes and specific risks8. Among the companies identified as relevant for the purposes of internal controls, significant processes are then identified based on an analysis of quantitative factors (processes involved in the calculation of items featured in the financial statements which are greater than a certain percentage of profits before taxation), as well as qualitative factors (for instance: complexity of the accounting treatment used for an item; new items or significant changes in business conditions).
Risks are assessed for relevant processes and activities, i.e. potential events whose occurrence could compromise the achievement of the control objectives for financial reporting (for instance financial statements assertions). These risks are prioritised in terms of their potential impact and likelihood of occurrence, based on quantitative and qualitative parameters and assuming no controls. Saipem carries out a specific assessment on risks of fraud9, using a methodology based on the ‘Anti-fraud Programmes and Controls’ included in the Management System Guideline ‘Internal Controls over Financial Reporting’.
Controls are defined for the individual company, processes and associated risks deemed relevant. The control system comprises of entity level controls, which operate across the relevant entity (Group/individual company) and process level controls.
A checklist based on the model adopted in the CoSo Report divides entity level controls into five components (control environment, risk assessment, control activities, IT systems and information flows, and monitoring activities). The ‘control environment’ component includes all activities relating to the definition of time-frames for the preparation and publication of financial results (interim and annual financial statements and associated financial calendars); the ‘control activities’ component covers organisational and regulatory structures that guarantee the achievement of financial reporting objectives (for instance the review and updating by specific departments of rules relating to the preparation of financial statements and charts of accounts); the component ‘IT systems and information flows’ includes management controls over the consolidation process (Mastro).
Process level controls are divided into specific controls, which are all activities, both manual and automated, aimed at preventing, identifying and correcting errors and irregularities occurring during operating activities; and pervasive controls, which are structural elements of the internal control system aimed at establishing a general environment which promotes the correct execution and control of operational activities (for instance segregation of incompatible duties and general IT controls).
Specific controls are detailed in ad-hoc procedures which define Company processes and the ‘key controls’, whose absence or non-implementation entails the risk of significant error/fraud in the financial statements which cannot be detected by other controls.
Entity Level Controls and Process Level Controls are constantly monitored to evaluate their design and operating effectiveness; this is done by means of ongoing monitoring activities carried out by the managers in charge of the relevant processes/activities, and through separate evaluations carried out by the Internal Audit department in accordance with an audit plan provided by the Chief Financial and Compliance Officer/Manager responsible for financial reporting10 which defines the audit scope and objectives to be implemented through agreed-upon audit procedures.
Monitoring activities highlight possible deficiencies in the control system; these are evaluated in terms of probability of occurrence and impact on Saipem’s financial reporting and, based on their significance, are classed as ‘deficiencies’, ‘significant weaknesses’ and ‘material weaknesses’.
The findings of monitoring activities regarding the state of the internal control system are periodically reported using IT tools that ensure the traceability of information relating to the adequacy of design and the operational effectiveness of controls.
The work of the CFCO/Manager responsible for preparing financial reports is supported by various departments within Saipem, whose responsibilities and tasks are set out in the aforementioned Management System Guideline. Specifically, internal controls involve all levels of Saipem’s organisation, from operations and business managers to function and administrative managers. In this organisational context, a very important figure of the internal control system is the risk owner, who carries out line monitoring activities, evaluating the design and operating effectiveness of specific and pervasive controls and producing reports on monitoring activities.
(8) Companies subject to internal controls include those incorporated under and regulated by non-EU member state legislations, for which the provision of Article 36 of Consob Market Regulations apply.
(9) Fraud: for the purposes of the Internal Control System, this refers to any international act or omission that may result in false representation or misleading reporting. (10) Additional information on the Chief Financial and Compliance Officer/Manager responsible for preparing financial reports are provided under its dedicated section.
Bodies involved in the Internal Control and Risk Management System
Saipem is committed to promoting and maintaining an adequate internal control and risk management system consisting of a set of tools, organisational structures, Company rules and regulations aimed at safeguarding the Company’s assets, the efficiency and effectiveness of Company operations, the reliability of financial reporting and compliance with the laws and regulations, of the Articles of Association and Company procedures. The structure of Saipem’s internal control system constitutes an integral part of the Company’s organisational and management model; it involves – with different roles – administrative bodies, supervisory bodies, control bodies, the management and all personnel, and complies with the principles contained in the Code of Ethics and the Corporate Governance Code, the applicable regulations, the relevant ‘CoSO Report’ framework and national and international best practices.
The main industrial risks that Saipem faces and is actively monitoring and managing are as follows:
- the HSE risk associated with the potential occurrence of accidents, malfunctions, or failures with injury to persons and damage to the environment and impacts on operating and financial results;
- the country risk;
- the project risk associated with the execution phase of engineering and construction contracts undertaken by the Onshore and Offshore E&C Business Units.
Additional information regarding these risks are illustrated in the Annual Report 2013, under the section ‘Risk Management’.
The main responsibilities of the internal control and risk management system are entrusted to Saipem bodies and organs equipped with the necessary powers, tools and structures to pursue its objectives.
Saipem is aware that adequate processes for the identification, measurement, management and monitoring of main risks contributes towards ensuring sound and proper Company management in line with the strategic objectives set out by the Board of Directors. Saipem promotes a preventive approach to risk management whereby the management’s decisions and activities aim to reduce the probability of negative events occurring and their associated impact. To this end, Saipem adopts risk management strategies according to the nature and type of risk, such as mainly financial and industrial risks in addition to certain strategic and operational risks associated with the specific nature of the Company’s operations.
Saipem is committed to guaranteeing the integrity, transparency, fairness and efficiency of its processes through the adoption of adequate tools, rules and regulations in performing activities and exercising powers, and promotes rules of conduct inspired by the general principles of traceability and segregation of activities. Indeed, Saipem’s management – also on the basis of the risks managed – established specific control activities and monitoring processes aimed at ensuring the internal control system’s efficacy and efficiency over time. In line with this approach, Saipem has long been committed to favouring the development and diffusion of awareness towards internal control issues amongst all the Company’s personnel. In this context, Saipem – through an appropriate internal regulation and in compliance with the provisions of the Sarbanes-Oxley Act – manages the receipt (through easily accessible information channels), analysis and processing of notifications it receives from its subsidiaries, even in confidential or anonymous form, relating to internal control issues, financial reporting, the Company’s administrative responsibility, fraud or other matters (so-called whistleblowing)11 . The internal control system is regularly verified and updated, so as to constantly guarantee its ability to monitor the main risk areas of the Company’s activities, in relation to the specific nature of the Company’s operational Divisions and organisational structure, and in response to possible changes in the legal and regulatory framework.
(11) Saipem fully guarantees the protection of persons that report any issues in good faith, and submits the results of the preliminary investigation to the Company’s management and to the relevant
control and supervisory bodies.
The Board of Directors
The Board of Directors plays a key role with regard to internal control matters, as it defines the guidelines of the organisational, management and accounting structure of the Company, its main subsidiaries and the Group as a whole; in this context, after analysing the proposals of the Audit and Risk Committee, the Board determines the nature and level of risk commensurate with the Company’s strategic objectives and the guidelines for the internal control and risk management system, so as to guarantee that the major risks affecting the Company and its subsidiaries are identified, measured, managed and monitored. In defining these guidelines, the Board applies the sector regulations and takes into due consideration the reference models and national/international best practices. At their meeting of February 13, 2012, the Board of Directors confirmed its role in guiding and evaluating the adequacy of the internal control and risk management system.
Lastly, the Board assesses – on an annual basis and with the assistance of the Audit and Risk Committee – the adequacy, effectiveness and actual functioning of the internal control and risk management system as a whole, in relation to Saipem’s characteristics. During the meeting held on March 14, 2014, the Board of Directors was presented with the following reports:
- Report by the Head of the Internal Audit function dated March 14, 2014 which closes by stating: ‘no situation emerged such that caused the Internal Control and Management System to be deemed altogether inadequate on the date of this Report’;
- Report by the Audit and Risk Committee dated March 14, 2014 which closes by stating: ‘from the bodies and functions responsible for Saipem’s internal control and the evidence reported..., no circumstance emerged such that caused the Internal Control and Management System to be deemed altogether unsuitable on the date of this Report’;
- Report by the Officer responsible for the preparation of the Company’s financial reporting on the evaluation at December 31, 2013 of the internal controls over financial reporting, which closes by stating: ‘the internal control system over financial reporting is adequate’.
The Board of Directors has noted the opinions expressed in the aforementioned reports and considered that ‘no circumstance emerged such that caused the Internal Control and Management System to be deemed altogether unsuitable’.
Director responsible for the Internal Control System
At their meeting of April 22, 2009, the Board of Directors had appointed the Deputy Chairman - CEO as the officer responsible for implementing and maintaining a functional internal control system, constantly monitoring its adequacy and operating effectiveness, supported by the Audit Committee, the Internal Audit Senior Vice President and the Head of the Internal Audit department. At their meeting of February 13, 2012, the Board of Directors re-confirmed the Deputy Chairman - CEO as the officer responsible for implementing and maintaining a functional internal control and Risk Management System.
Following the appointment of the new CEO, Umberto Vergine, on December 5, 2012, the Board of Directors, at their next meeting on January 8, 2013, appointed him as the officer responsible for maintaining a functional internal control system, with the support of the Audit and Risk Committee and the Head of Internal Audit.
The CEO identifies the Company’s main business risks, taking into account the characteristics of the activities carried out by the Issuer and its subsidiaries and periodically reporting his findings for review by the Board of Directors; implements the guidelines for the internal control and risk management system approved by the Board; and is responsible for amending this system to suit the dynamics of the operating conditions and legislative and regulatory frameworks; provides the Board of Directors with the necessary information to fulfil its responsibilities, explaining the system for the identification, monitoring and management of risks, the relevant procedures, standards and Company departments.
The CEO also has the power to request that the Internal Audit function carry out audits on specific operational areas and/or ascertain adherence to internal corporate procedures, reporting their findings to the Chairman of the Board of Directors, the Chairman of the Audit and Risk Committee and the Chairman of the Board of Statutory Auditors. The Internal Audit function also promptly informs the Board of Directors of problems and critical issues that may emerge while fulfilling its responsibilities or that it became aware of, so that the Board may take appropriate action.
The Board of Statutory Auditors
The Board of Statutory Auditors, given its role of ‘Committee for internal control and auditing’ pursuant to Italian Legislative Decree No. 39/2010, supervises:
- compliance with the law and Articles of Association;
- adherence to fair management principles;
- the adequacy of the Company’s organisational structure within each area of competence, the suitability of the internal control and risk management system, and the administrative/accounting system, as well as the keeping of accurate accounting records of the Company’s operations;
- the implementation of corporate governance regulations contained in the Corporate Governance Code issued by Borsa Italiana to which the Company adheres;
- the adequacy of directions given by the Company to its subsidiaries pursuant to Article 114, paragraph 2 of Legislative Decree No. 58/1998;
- the process of financial reporting;
- the efficiency of the internal control, internal audit and risk management systems;
- the legal audit of annual statutory and consolidated accounts;
- the independence of the external auditors, specifically for the provision of non-audit services to the audited company.
Audit and Risk Committee
The Audit and Risk Committee assists the Board of Directors in fulfilling its responsibilities vis-à-vis the internal control and risk management system. Specifically, it assists in setting guidelines for the internal control and risk management system and periodically checks that it is adequate and operates effectively. The Committee oversees Internal Audit activities and reviews any problems emerging from the internal control and risk management system, with the support of the functions, departments and bodies involved in managing and/or ensuring compliance with the system itself. It also supervises activities related to the approval of periodic financial reports.
Senior Vice President responsible for the Internal Audit department
The Senior Vice President of Internal Audit Gabriel Almandoz was appointed by the Board of Directors, at their meeting of May 29, 2013, at the proposal of the Audit and Risk Committee and based on the indication of the Chief Executive Officer and having consulted the Compensation and Nomination Committee and the Board of Statutory Auditors. The Board of Directors entrusted the CEO with the task of setting the remuneration of the Internal Audit Senior Vice President, in line with Company policy and at the recommendation of the Compensation and Nomination Committee. The Internal Audit Senior Vice President is responsible for overseeing that the Internal Control and Risk Management system is fully operational and effective; he is not responsible for any operative area. The Audit and Risk Committee oversees the functions of the Internal Audit department vis-à-vis the relevant Board of Directors’ responsibilities, monitoring and ensuring that these are fulfilled while maintaining the necessary conditions of independence, autonomy, adequacy, effectiveness and efficiency. The Senior Vice President of Internal Audit reports to the Board of Statutory Auditors in its capacity as ‘internal control and audit committee’ pursuant to Article 19 of Legislative Decree No. 39/2010.
The Internal Audit Senior Vice President has the powers to enter into contracts for consultancy and professional services, having access to adequate funds (up to €750,000 per transaction for contracts with juridical persons and up to €500,000 per transaction for contracts with physical persons – with no budget restrictions).
On March 14, 2014, the Internal Audit Senior Vice President released the annual report on the Internal Control and Risk Management System (covering the period January 1-December 31, 2013, containing information up to the date of issue) and expressed his opinion on its adequacy based on the monitoring activities carried out during the reference period.
In line with the ‘Standards for the Professional Practice of Internal Audit’ issued by the ‘Institute of Internal Auditors’, the Internal Audit department is responsible for providing independent and objective activities aimed at promoting efficiency and effectiveness improving measures in the internal control and risk management system and the Company’s organisation.
The Internal Audit department assists the Board of Directors, the Audit and Risk Committee and the Company’s management in pursuing the objectives of the organisation through a systematic professional approach, aimed at reviewing and improving processes of control, risk management and corporate governance.
Main responsibilities of the Internal Audit department are: (i) ensuring independent monitoring activities provided for by the control system over financial reporting and compliance, as per Law Decree No. 231/2001; (ii) ensuring the assessment and updating of the risk map detailing main company risks in order to plan integrated measures of audits and compliance; (iii) implementing planned and unplanned integrated audits, identifying gaps in the control system and proposing corrective measures; (iv) drawing up an integrated audit report and ensuring that follow-up corrective measures are properly monitored; (v) maintaining relations with the external auditors also for the purposes of managing their contract; (vi) maintaining relations and ensuring proper information flows with the Compliance Committee, the Audit and Risk Committee and the Board of Statutory Auditors; (vii) managing employee notifications and providing support in their evaluation by the relevant corporate bodies.
During the year, the Internal Audit department carried out the Audit Plan approved by the Board of Directors and reported its progress to the Audit and Risk Committee and the Board of Statutory Auditors on a quarterly basis.
The Internal Audit Senior Vice President and the Internal Audit department have full access to data, documents and information required to carry out their duties.
Integrated Risk Management
Board of Directors of Saipem SpA at their meeting of July 30, 2013 approved, with the prior opinion of the Audit and Risk Committee, the ‘Integrated Risk Management Principles’. The Integrated Risk Management process (hereafter RMI) includes a systematic and structured risk prevention approach, which through the identification, assessment, management and monitoring process for major risks, contributes to supporting informed decision-making as well as, where possible, transforming the major risks into opportunities and competitive advantage for the Company. Saipem, on the basis of the principles approved by the Board of Directors, developed and implemented the Integrated Risk Management Model, which forms an integral part of the internal control and Risk Management System.
The Integrated Risk Management Model, developed in accordance with international principles and best practices12, is intended to provide both a comprehensive and summary vision of company risks, to ensure greater consistency in the methods and instruments supporting risk management and to strengthen awareness at all levels that adequate assessment and management of risks of different nature can influence the achievement of Company objectives and affects its value.
The Model comprises of the following elements:
- Risk Governance: the main framework of roles, responsibilities and information flows used in the management of main company risks; for these risks the reference model has roles and responsibilities over three levels of control13;
- Process: all activities through which the various actors identify, measure, represent and monitor main risks which could affect the achievement of Saipem’s objectives;
- Reporting: gathers Risk Assessment findings highlighting main risks in terms of probability and potential impact, and associated treatment plans.
Within the Risk Governance, are the following bodies:
- the Risk Committee, chaired by the CEO and comprised of Saipem’s top management, has a consultative role towards the CEO vis-à-vis main company risks;
- the Integrated Risk Management function, which reports directly to the CEO. Among other duties, it: (i) develops tools/methods for the Integrated Risk Management process to identify, measure, represent and monitor the main risks and the associated treatment plans; (ii) presents findings on the main risks and the associated risk treatment plans to the Audit and Risk Committee and, where requested, to other control and overseeing bodies; (iii) identifies, in cooperation with Saipem’s business areas and functions, proposals for updating the risk management systems.
The RMI process consists of three sub-processes:
- Guidance in Risk Management;
- Risk Assessment & Treatment;
- Monitoring & Reporting.
With reference to the ‘guidance for risk management ‘ sub-process, Saipem’s Board of Directors, with the prior opinion of the Audit and Risk Committee, defines the Risk and Internal Control Management System policies so that major risks are correctly identified, as well as correctly measured, managed and monitored. Moreover, Saipem’s Board of Directors, as part of its duties and management role, determines, with the prior opinion of the Audit and Risk Committee, the degree of compatibility of such risks with the strategic objectives of the Company. Accordingly, Saipem’s Board of Directors examines Saipem’s major risks at least every six months, as presented by the CEO, taking into account the characteristics of the Company and specific risk profile of each business area and single process, so as to implement an integrated risk governance policy.
The ‘risk assessment & treatment’ sub-process defines main risks and associated treatment actions. Depending on the strategic objectives/sub-objectives declined by the Business Area, functions/organisational units are identified that are expected to contribute significantly to their achievement of Saipem’s strategic objectives/sub-objectives. Hence, using a top-down approach, the so-called ‘Risk Owners’ are held responsible for identifying and assessing, managing and monitoring the major risks under their responsibility, as well as any related treatment actions.
Specifically, the risk assessment activity aims at identifying and describing the main events that could affect the achievement of business objectives. It assesses risks that have been identified and provides information on which strategies and measures that need to be implemented to treat them.
Finally, following the risk assessment process, the most appropriate strategies are defined on how to avoid, accept, reduce and share such risks. The sub-process ‘monitoring & reporting’ ensures the monitoring of major risks and the related treatment plans. It also ensures the availability of information regarding major risk management and monitoring at all Company levels.
Specifically, monitoring of risks allows the: (i) identification of the improvement areas and critical issues for the management of major risks; (ii) analysis of these risks trend and identification of any additional treatment, also considering the adjustment and development of risk management models; (iii) timely identification and communication of new risks. Performance of the monitoring activities is documented to ensure its traceability and checking the availability of information and data obtained, as well as their repeatability.
In order to support the Company’s decision-making process, periodic risk assessment findings and monitoring data are submitted to the Risk Committee, chaired by the CEO. The latter brings them to the attention of the Board of Directors, so that they may evaluate, at least once a year, the suitability of the Internal Control and Risk Management System based on Saipem’s characteristics, risk profile and compatibility with Company objectives, as well as its effectiveness. As part of the IRM process, the CEO, at the Board Meeting of December 23, 2013, presented in detail the main risks faced by Saipem, the outcome of the first risk assessment cycle, which allowed the finalisation of the workings of the new IRM system.
(12) Refer to the CoSO Report. (13) The first control level identifies, assesses, evaluates and manages risks within its remit, before identifying and implementing specific treatment measures; the second level monitors main risks to
ensure their effective and efficient treatment, it also monitors the adequacy and operations of controls against main risks; the third level provides independent and objective assurance on the adequacy
and effective operation of the first and second levels of control.
Organisational Model, pursuant to Law Decree No. 231/2001
On March 22, 2004, the Board of Directors approved for the first time the ‘Organisational, Management and Control model, pursuant to Law No. 231/2001’ and established a Compliance Committee. The Model comprises a comprehensive set of procedures and control processes aimed at preventing the offences detailed in the aforementioned law decree, and subsequent amendments.
In May 2008, the Deputy Chairman - CEO started the process to align Model 231 to the new corporate organisation, which led to the Board of Directors approving the new Organisation, Management and Control Model 231/2001 on July 14, 2008.
The new Organisation, Management and Control Model denominated ‘Model 231/2001 (includes the Code of Ethics)’ – hereafter Model 231 – now encloses the Code of Ethics, which replaces the Code of Practice and is a mandatory general principle of Model 231 itself14. Model 231 is continuously updated to implement new legislative provisions, as stated in Chapter 7 of the Model itself. Implementation programmes were launched by Team 231, specific multi-functional teams established by Saipem’s CEO. These focused on:
- July 14, 2008 - inclusion of the following offences: ‘manslaughter and serious or very serious injuries arising out of the breach of accident prevention laws and regulations as well as laws and regulations on health protection at work, pursuant to Article 25-septies of Legislative Decree No. 231/2001;
- October 27, 2010 - inclusion of the following offences: ‘computer crimes and unlawful data processing’ pursuant to Article 24-bis of Legislative Decree No. 231/2001;
- April 23, 2013 - inclusion of the following offences:
- so-called ‘offences 2009’: ‘organised crimes; forgery of money, credit cards, revenue stamps and tools or identifying marks; crimes against industry and commerce; infringements of copyright; induction not to make statements or to make false statements to judicial authorities’;
- ‘crimes against the environment’;
- ‘crimes of corruption, even between private individuals, and other crimes against Public Officials’
- ‘recruitment of illegally resident third-country nationals’;
- ‘protection against child prostitution and child labour exploitation’.
Besides updating the application scope of Model 23115, other activities were carried out: a risk assessment and gap analysis were performed in order to adjust the Model to reflect the adoption of the document ‘Sensitive Activities and Specific Control Standards of Model 231’ issued by Eni SpA.
In March 2013, the risk assessment and gap analysis activities relating to ‘crimes against the environment’ were completed, whilst those relating to the so-called ‘offences 2009’ are nearing completion. Furthermore, the Team 231 appointed on March 1, 2013, began sourcing a consulting company that will carry out the implementation project.
The Boards of Directors of all subsidiaries have adopted their own Organisational, Managerial and Control Models, containing the Code of Ethics, and also setting up their own Compliance Committee.
The Compliance Committee is also the Guarantor of the Code of Ethics and reports on the implementation of Model 231 and/or critical issues that may have arisen and informs on the outcome of activities carried out as part of their remit. The Compliance Committee reports as follows: on an ongoing basis to the CEO, who informs the Board of Directors as part of the duty of disclosure of delegate powers; six-monthly to the Board of Directors, to the Audit and Risk Committee and to the Board of Statutory Auditors; in this case a Six-Monthly Report is produced detailing activities and audits carried out during the period as well as new legislative provisions in matters concerning the administrative liability of legal entities.
In 2013, the Compliance Committee convened on twenty occasions and: (i) received constant updates on developments of ongoing proceedings against Saipem SpA, and 231 proceedings in particular; (ii) promoted and monitored all initiatives aimed at Saipem SpA employees to ensure adequate knowledge of the Model; (iii) it defined the Compliance Programme for the year and ensured that it was implemented alongside the scheduled and ad-hoc control activities; (iv) monitored the updating of Model 231; (v) co-ordinated and maintained communication channels with the Compliance Committee.
(14) The document ‘Model 231/2001 (includes the Code of Ethics)’ is published on Saipem’s website www.saipem.com in the ‘Corporate Governance’ section.
(15) Please refer to note on page 4 of Model 231.
In line with the values that underpin Saipem’s activities, namely its ability to conduct business ethically, with loyalty, fairness, transparency, honesty and integrity and its respect for, and compliance with the laws, the Board of Directors on February 10, 2010 approved the adoption of additional detailed internal procedures aimed at preventing the corruption of both Italian and foreign public officials, by improving the current compliance system. Specifically, the Board adopted the ‘Anti-Corruption Compliance Guideline’ and associated procedures entitled ‘Intermediary Agreements’ and ‘Joint Venture Agreements - Prevention of Illegal Activity’. These documents refer to international conventions on anti-corruption and are also in line with international best practices. These procedures were approved by the Board of Directors of all Saipem subsidiaries; at associated companies, Saipem’s representatives on the Boards of Directors informed that these anti-corruption procedures had been adopted at corporate level and formally requested that the principles contained therein be adopted through similar ad-hoc procedures.
Furthermore, Saipem set up an internal Anti-corruption Legal Support Unit to provide Saipem employees with legal support in matters of Anti-corruption.
On April 23, 2012, following a review of internal existing regulation and the issue of new anti-corruption legislation, Saipem’s Board of Directors approved a new procedure, the Management System Guideline ‘Anti-corruption’, which annuls and replaces the aforementioned ‘Anti-Corruption Compliance Guideline’. The Management System Guideline ‘Anti-corruption’ has been adopted by all Saipem subsidiaries through a Board of Directors’ resolution.
As part of the updating process to achieve compliance vis-à-vis anti-corruption legislation, and following the adoption of the new Management System Guideline, the following Corporate Standards were also reviewed and updated ‘Intermediary Agreements’16 and ‘Joint Venture Agreements - Prevention of illegal activity’17, which contained new detailed procedures relating to the follow-up and renewal of due diligence processes.
Saipem’s compliance and corporate governance systems in terms of anti-corruption regulations also involves other procedures and regulatory tools (in addition to the ones mentioned above) relating to areas and subjects that are particularly prone to the risk of corruption. Specifically, the following procedures were issued and/or revisited:
- Management System Guideline - Legal;
- ‘Standard contractual clauses concerning the administrative liability of legal entities for unlawful administrative acts deriving from offences’;
- ‘Authorisation and control of sales or acquisitions of participations, companies or company branches’;
- ‘Entertainment expenses’;
- ‘Charitable donations and sponsorships’;
- ‘Notifications received by Saipem and its subsidiaries’;
- ‘Third-party consultancy, supply and professional services’;
- ‘General Accounting’;
- ‘Management of Relations with Local Authorities on Tax Matters and of Foreign Tax Disputes’;
- ‘Selection and appointment of Brokers and Insurance Companies’;
- ‘Human Resources’;
- ‘Labour Disputes in Italy: appointment of external legal representatives and management of disputes’;
- ‘Missions of management personnel’;
- ‘Missions of non-management personnel’.
Some of these procedures are currently being reviewed in light of the principles and updates contained in the aforementioned Anti-corruption Management System Guideline.
(16) Revision 4 issued on September 5, 2012.
(17) Revision 2 issued on July 31, 2012.
The legal audit of Saipem’s financial statements is entrusted – pursuant to the law – to an External Audit Company registered in the Consob special registry and appointed by the Shareholders’ Meeting, upon a reasoned proposal by the Board of Statutory Auditors. The current external auditors are Reconta Ernst & Young SpA, whose mandate was approved by the Shareholders’ Meeting of April 26, 2010, for the financial years 2010-2018.
The financial statements of subsidiary companies are also subject to audit; these are carried out mostly by Ernst & Young.
With regard to the opinion on the consolidated financial statements, Ernst & Young is responsible for the audits carried out at subsidiary companies by other external auditors, which are immaterial in terms of consolidated assets and turnover.
The external auditors have full access to data, documents and information required to carry out their duties.
Officer responsible for preparing the Company’s financial reports
Pursuant to Article 21 of Articles of Association and Article 154-bis of Law No. 58/1998, the Board of Directors, having heard the opinion of the Board of Statutory Auditors and at the Chairman’s proposal, appoints an Officer responsible for preparing the Company’s financial reports, selected from individuals who have carried out the following for at least three years:
- administrative and control activities in a managerial capacity at listed companies with a share capital exceeding €1 million, in Italy, in other European Union or OCSE member states; or
- legal audits at the companies, under letter a); or
- having had a professional position in the field of or a university professor teaching finances or accounting; or
- a management position at public or private companies with financial, accounting or control responsibilities.
The Board of Directors ensures that the Officer responsible for preparing the Company’s financial reports is granted adequate powers and has sufficient means to carry out his/her duties; the Board also ascertains that the administrative and accounting procedures are adhered to. The Officer responsible for preparing the Company’s financial reports has the power to sign contracts, should he deem it necessary, for the provision of intellectual work and professional services up to the sum of €750,000 per contract, without budget restrictions.
The Board of Directors at their meeting of December 6, 2013, having received the positive opinion of the Board of Statutory Auditors and positive assessment from the Compensation and Nomination Committee, appointed Alberto Chiarini, Saipem’s Chief Financial and Compliance Officer (CFCO), as the Officer responsible for preparing the Company’s financial reports, pursuant to Article 154-bis of Law No. 58/1998. He replaced Stefano Goberti. The Board of Directors ascertained that Mr. Chiarini met the criteria of professional competence and good repute required by the Articles of Association, which are reviewed annually.
Coordination of bodies involved in the Internal Control and Risk Management System
The Board of Directors appointed the CEO as the person responsible to set up, maintain and co-ordinate an efficient internal control system, and ensure its constant adequacy and efficiency with the support of the ‘Committee for internal control and auditing’ and the Senior Vice President for Internal Audit. The CEO implements the guidelines approved by the Board of Directors on matters concerning the Internal Control and Risk Management System.
The CEO has the power to request that the Internal Audit department carry out audits on specific areas of operation, and ensure adherence to internal regulations and procedures involving Company transactions and operations; of this, he notifies the Chairman of the Board of Directors, the Chairman of the Audit and Risk Committee and the Chairman of the Board of Statutory Auditors and reports promptly to the Board of Directors any critical issues or problems that emerged during this activity or that he has become aware of, so that the Board of Directors may take appropriate action.
The Senior Vice President for Internal Audit and the Audit and Risk Committee, made up of three non-executive independent members of the Board of Directors, have a pivotal role in the coordination of bodies involved in the Internal Control and Risk Management System.
Specifically, meetings of the Audit and Risk Committees are attended by the Chairman of the Board of Statutory Auditors, or other Statutory Auditor designated by the latter. The CEO may also attend these meetings. The Senior Vice President for Internal Audit acts as the Secretary and supports the Audit and Risk Committee in performing its duties.
To ensure that information is sent to the Committee and to allow it to carry out suitable preparatory activities and report directly to the Board of Directors:
- periodic meetings (at least half-yearly) are held with Saipem’s CEO, COO and Executive Committee; the CEO promptly notifies the Committee of any critical issues or problems that he may become aware of during his supervision of the Internal Control and Risk Management System;
- the CFCO (Officer responsible for the Company’s financial reporting) participates in all meetings;
- meetings are held with the COO and Saipem’s management, including the CFCO, during which information is provided regarding: (i) measures undertaken to address issues which have emerged from monitoring activities (carried out by the Management and the Internal Audit department), the status of progress for improvement measures, if any, implemented to the Internal Control and Risk Management System; (ii) specific aspects of the Internal Control and Risk Management System for relevant areas.
The Committee also ensures that information is promptly shared with the Board of Statutory Auditors so that work within their respective remit can be attended to and common work can be coordinated properly.
The Committee is informed of the implementation of Reports issued pursuant to Compliance and/or Governance Models, adopted on the basis of applicable laws and regulations. It also receives: risk reports, certificates attesting to the adequacy of the Regulation System issued by the Process Owners, reviews of the HSE model, and other documents provided for by the Company’s procedures, in addition to the overall evaluation of the Internal Control and Risk Management System from the Internal Audit department.
The Audit and Risk Committee reports to the Board of Directors, at least half-yearly, regarding the work performed and the adequacy of the Internal Control and Risk Management System.
The main duties of the Internal Audit department include maintaining relations with the external auditors and ensuring that information is shared with the Compliance Committee, the Audit and Risk Committee and the Board of Statutory Auditors. The Audit and Risk Committee oversees the Internal Audit department.