Risk management system and internal control over financial reporting

Internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability (1), accuracy, fairness and timeliness of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
In accordance with the provisions of the law, the Officer in charge of preparing financial reports (AO) is responsible for the internal control system with regard to financial reporting and, to this aim, establishes the necessary administrative and accounting procedures for drafting the periodic accounting documentation and any other financial notification; moreover, he/she certifies, together with the Deputy Chairman & CEO, their adequacy and actual implementation during the period to which the aforementioned accounting documents refer, by means of an appropriate report on the annual financial statements, on the half-yearly financial statements and on the consolidated annual financial statements. Pursuant to the aforementioned Article 154-bis, the Board of Directors supervises whether the AO has appropriate powers and means to perform the assigned duties, in addition to supervising the actual conformity to these procedures.
The guidelines on internal controls over financial reporting approved by the Board of Directors on October 29, 2007, and later amended by the Management System Guideline ‘Internal Control System over Financial Reporting - Rules and Procedures’ approved by the Board of Directors on December 13, 2011, are aimed at achieving healthy and fair business management; they define rules and methodologies on the design, implementation and maintenance of the internal control system over Saipem’s financial reporting, as well as on the evaluation of the system’s effectiveness.
These guidelines have been designed in accordance with the provisions of the aforementioned Article 154-bis of Law 58/1998 and of the US law Sarbanes-Oxley Act of 2002 (SOA) which Saipem is required to comply with as a subsidiary of Eni whose securities are listed on the New York Stock Exchange (NYSE), and based on the CoSo Report (‘Internal Control - Integrated Framework’ published by the Committee of Sponsoring Organizations of the Treadway Commission - 1992).
In accordance with international accounting principles, these guidelines are applicable to Saipem SpA and its direct and indirect subsidiaries, in consideration of their relevance for the preparation of financial reporting. All controlled companies, regardless of their relevance with respect to Saipem’s internal control system, use these guidelines as a reference for the design and implementation of their own internal control system in order to ensure its adequacy in relation to the size of the company and the nature of its business.

(1) Reliability (of reporting): ensuring that reporting is correct, in accordance with generally accepted accounting principles and in compliance with current laws and regulations.

Main features of the risk assessment and internal control systems for the purposes of financial reporting

The internal control system was designed in accordance with two fundamental principles: to extend control to all levels of the organizational structure, consistent with operating responsibilities; and the sustainability of controls in the long-term, so as to ensure that the performance of controls is increasingly integrated and compatible with operational requirements. The design, implementation and maintenance of the internal control system are ensured through: risk assessment, control identification, evaluation and reporting.
The risk assessment process has a top-down approach aimed at identifying those organizational departments, processes and specific activities that bear the risk of unintentional errors and/or fraud, which could have a material impact on the financial statements.
The identification of companies that fall within the scope of the internal controls system is based both on their contribution to the consolidated financial statements (turnover, net revenues, profits before taxation) and their relevance in terms of processes and specific risks (2). Among the companies identified as relevant for the purposes of internal controls, significant processes are then identified based on an analysis of quantitative factors (processes involved in the preparation of financial statements items greater than a certain percentage of profits before taxation) as well as qualitative factors (for instance: complexity of the accounting treatment used for an item; new items or significant changes in business conditions).
Risks are assessed for relevant processes and activities, i.e. potential events whose occurrence could compromise the achievement of the control objectives for financial reporting (for instance financial statements assertions). These risks are prioritised in terms of their potential impact and likelihood of occurrence, based on quantitative and qualitative parameters and assuming no controls. Saipem carries out a specific assessment on risks of fraud (3), using a methodology based on the ‘Anti-fraud Programmes and Controls’ included in the guidelines on internal controls over financial reporting.
Controls are defined for the individual company, processes and associated risks deemed relevant. The control system comprises entity level controls, which operate across the relevant entity (Group/individual company), and process level controls. A checklist based on the model adopted in the CoSo Report divides entity level controls into five components (control environment, risk assessment, control activities, IT systems and information flows, and monitoring activities). The ‘control environment’ component includes all activities relating to the definition of time-frames for the preparation and publication of financial results (interim and annual financial statements and associated financial calendars); the ‘control activities’ component covers organizational and regulatory structures that guarantee the achievement of financial reporting objectives (for instance the review and updating by specific departments of rules relating to the preparation of financial statements and charts of accounts); the component ‘IT systems and information flows’ includes management controls over the consolidation process (Mastro). Process level controls are divided into specific controls, which are all activities, both manual and automated, aimed at preventing, identifying and correcting errors and irregularities occurring during operating activities; and pervasive controls, which are structural elements of the internal control system aimed at establishing a general environment which promotes the correct execution and control of operational activities (for instance segregation of incompatible duties and general IT controls). Specific controls are detailed in ad-hoc procedures which define company processes and the ‘key controls’, whose absence or non-implementation entails the risk of significant error/fraud in the financial statements which cannot be detected by other controls.
Entity level controls and Process Level Controls are constantly monitored to evaluate their design and operating effectiveness; this is done by means of ongoing monitoring activities carried out by the managers in charge of the relevant processes/activities, and through separate evaluations carried out by the Internal Audit Department in accordance with an audit plan provided by the Chief Financial Officer/Manager responsible for preparing financial reports (4) which defines the audit scope and objectives to be implemented through agreed-upon audit procedures. Monitoring activities highlight possible deficiencies in the control system; these are evaluated in terms of probability of occurrence and impact on Saipem’s financial reporting and, based on their significance, are classed as ‘deficiencies’, ‘significant weaknesses’ and ‘material weaknesses’.
The findings of monitoring activities regarding the state of the internal control system are periodically reported using IT tools that ensure the traceability of information relating to the adequacy of design and the operating effectiveness of controls. The work of the CFO/Manager responsible for preparing financial reports is supported by various departments within Saipem, whose responsibilities and tasks are set forth in the aforementioned guidelines. Specifically, internal controls involve all levels of Saipem’s organization, from operations and business managers to function and administrative managers. In this organizational context, a very important figure of the internal control system is the risk owner, who carries out line monitoring activities, evaluating the design and operating effectiveness of specific and pervasive controls and producing reports on monitoring activities.

(2) Companies subject to internal controls include those incorporated under and regulated by non-EU member state legislations, for which the provisions of Article 36 of Consob Market Regulations apply.
(3) Fraud: for the purposes of the Internal Control System, this refers to any intentional act or omission that may result in false representation or misleading reporting.
(4) Additional information on the Chief Financial Officer/Manager responsible for preparing financial reports is provided under its dedicated section.

Internal control and risk management system

Saipem is committed to promoting and maintaining an adequate internal control and risk management system consisting of a set of tools, organizational structures, Company rules and regulations aimed at safeguarding the Company’s assets, the efficiency and effectiveness of Company operations, the reliability of financial reporting and compliance with the laws and regulations, of the Articles of Association and Company procedures. The structure of Saipem’s internal control system constitutes an integral part of the Company’s organizational and management model; it involves – with different roles – administrative bodies, supervisory bodies, control bodies, the management and all personnel, and complies with the principles contained in the Code of Ethics and the Corporate Governance Code, the applicable regulations, the relevant ‘CoSO Report’ framework and the national and international best practices.
The main responsibilities of the internal control and risk management system are entrusted to Saipem bodies and organs equipped with the necessary powers, tools and structures to pursue its objectives.
Saipem is aware that an adequate process for the identification, measurement, management and monitoring of main risks contributes towards ensuring sound and proper Company management in line with the strategic objectives set out by the Board of Directors. Saipem promotes a preventive approach to risk management whereby the management’s decisions and activities aim to reduce the probability of negative events occurring and their relevant impact. To this end, Saipem adopts risk management strategies according to the nature and type of risk, such as mainly financial and industrial risks in addition to certain strategic and operational risks associated with the specific nature of the Company’s operations.
Saipem is committed to guaranteeing the integrity, transparency, fairness and efficiency of its processes through the adoption of adequate tools, rules and regulations in performing activities and exercising powers, and promotes rules of conduct inspired by the general principles of traceability and segregation of activities. Indeed, Saipem’s management – also on the basis of the risks managed – established specific control activities and monitoring processes aimed at ensuring the internal control system’s efficacy and efficiency over time. In line with this approach, Saipem has long been committed to favouring the development and diffusion of awareness towards internal control issues amongst all the Company’s personnel. In this context, Saipem – through an appropriate internal regulation and in compliance with the provisions of the Sarbanes-Oxley Act – manages the receipt (through easily accessible information channels), analysis and processing of notifications it receives from its subsidiaries, even in confidential or anonymous form, relating to internal control issues, financial reporting, the Company’s administrative responsibility, fraud or other matters (so-called whistleblowing) (5).
The internal control system is regularly verified and updated, so as to constantly guarantee its ability to monitor the main risk areas of the Company’s activities, in relation to the specific nature of the Company’s operational Divisions and organizational structure, and in response to possible changes in the legal and regulatory framework.

(5) Saipem fully guarantees the protection of persons that report any issues in good faith, and submits the results of the preliminary investigation to the Company’s management and to the relevant control and supervisory bodies.

The Board of Directors

The Board of Directors plays a key role with regard to internal control matters, as it defines the guidelines of the organizational, management and accounting structure of the Company, its main subsidiaries and the Group as a whole; in this context, after analysing the proposals of the Audit and Risk Committee (formerly the Audit Committee), the Board determines the nature and level of risk commensurate with the Company’s strategic objectives and the guidelines for the internal control and risk management system, so as to guarantee that the major risks affecting the Company and its subsidiaries are identified, measured, managed and monitored. In defining these guidelines, the Board applies the sector regulations and takes into due consideration the reference models and national/international best practices. At their meeting of February 13, 2012, the Board of Directors confirmed its role in guiding and evaluating the adequacy of the internal control and risk management system.
Lastly, the Board assesses – on an annual basis and with the assistance of the Audit and Risk Committee – the adequacy, effectiveness and actual functioning of the internal control and risk management system as a whole, in relation to Saipem’s characteristics. During the meeting held on March 13, 2012, after examining the 2011 Report of the Control and Risk Committee and its findings on Saipem’s internal control and risk management system, the Board of Directors assessed Saipem’s internal control and management system as being altogether adequate, effective and positively functional, also in the light of the current initiatives.

Director responsible for the internal control system

At their meeting of April 22, 2009, the Board of Directors had appointed the Deputy Chairman - CEO as the officer responsible for implementing and maintaining a functional internal control system, constantly monitoring its adequacy and operating effectiveness, supported by the Audit Committee, the Internal Audit Senior Vice President and the Head of the Internal Audit Department. At their meeting of February 13, 2012, the Board of Directors confirmed the Deputy Chairman - CEO as the officer responsible for implementing and maintaining a functional internal control and risk management system. The Deputy Chairman - CEO identified the Company’s main business risks, taking into account the characteristics of the activities carried out by the Issuer and its subsidiaries and periodically reporting his findings for review by the Board of Directors; implemented the guidelines for the internal control and risk management system approved by the Board; and was responsible for amending this system to suit the dynamics of the operating conditions and legislative and regulatory framework; provided the Board of Directors with the necessary information to fulfil its responsibilities, explaining the system for the identification, monitoring and management of risks, the relevant procedures, standards and Company departments.

The Board of Statutory Auditors

The Board of Statutory Auditors, given its role of ‘Committee for internal control and auditing’ pursuant to Italian Legislative Decree No. 39/2010, supervises:

  • compliance with the law and Articles of Association;
  • adherence to fair management principles;
  • the adequacy of the Company’s organizational structure within each area of competence, the suitability of the internal control and risk management system, and the administrative/accounting system, as well as the keeping of accurate accounting records of the Company’s operations;
  • the implementation of corporate governance regulations contained in the Codes of Borsa Italiana to which the Company adheres;
  • the adequacy of directions given by the Company to its subsidiaries to ensure full compliance with legal reporting requirements;
  • the process of financial reporting;
  • the efficiency of the internal control, internal audit and risk management systems;
  • the legal audit of annual statutory and consolidated accounts;
  • the independence of the external auditors, specifically for the provision of non-audit services to the audited company.

Audit and Risk Committee

The Audit and Risk Committee assists the Board of Directors in fulfilling its responsibilities vis-à-vis the internal control and risk management system. Specifically, it assists in setting guidelines for the internal control and risk management system and periodically checks that it is adequate and operates effectively. The Committee oversees Internal Audit activities and reviews any problems emerging from the internal control and risk management system, with the support of the functions, departments and bodies involved in managing and/or ensuring compliance with the system itself. It also supervises activities related to the approval of periodic financial reports.

Senior Vice President responsible for the Internal Audit department

The Senior Vice President of Internal Audit, formerly the Officer in charge of the internal control system, Mr Alessandro Riva, was confirmed by the Board of Directors, at their meeting of February 13, 2012, at the Deputy Chairman and CEO’s proposal, having received the opinion of the Audit and Risk Committee and of the Board of Statutory Auditors. The Board of Directors entrusted the Deputy Chairman - CEO with the task of setting the remuneration of the Internal Audit Senior Vice President, in line with Company policy and at the proposal of the Audit and Risk Committee, having also consulted the Board of Statutory Auditors. The Internal Audit Senior Vice President is responsible for ensuring that the internal control and risk management system is adequate, fully operational and effective at all times. He is not responsible for any operative area and reports to the Board of Directors, the Deputy Chairman - CEO, the Audit and Risk Committee and the Board of Statutory Auditors on the adequacy of the internal control and risk management system to achieve an acceptable overall risk profile. The Internal Audit Senior Vice President has the powers to enter into contracts for consultancy and professional services, having access to adequate funds (up to €750,000 per transaction for contracts with juridical persons and up to €500,000 per transaction for contracts with physical persons – with no budget restrictions).
On March 13, 2012, the Internal Audit Senior Vice President released the annual report on the internal control and risk management system (covering the period January 1-December 31, 2011, containing information up to the date of issue) and expressed his opinion on its adequacy based on the monitoring activities carried out during the reference period.
In line with the ‘Standards for the Professional Practice of Internal Audit’ issued by the ‘Institute of Internal Auditors’, the Internal Audit department is responsible for providing independent and objective activities aimed at promoting efficiency and effectiveness improving measures in the internal control and risk management system and the Company’s organization.
The Internal Audit Department assists the Board of Directors, the Audit and Risk Committee and the Company’s management in pursuing the objectives of the organization through a systematic professional approach, aimed at reviewing and improving processes of control, risk management and corporate governance. The main responsibilities of the Internal Audit Department are: (i) ensuring compliance with national and international regulations vis-à-vis: Law Decree 231/2001, independent monitoring of SAO, operational, financial, IT and fraud audit for the entire Saipem Group; (ii) updating the system for the assessment, classification and evaluation of risk areas (integrated risk assessment) in order to plan control measures; (iii) implementing planned and unplanned control audits, identifying gaps in existing models, proposing corrective measures and ensuring that follow-up activities are properly monitored; (iv) maintaining relations with the external audit company; (v) maintaining relations and ensuring proper information flows with the Compliance Committee, the Audit and Risk Committee and the Board of Statutory Auditors; (vi) managing employee notifications, including anonymous ones, in compliance with current corporate procedures, and providing support in their evaluation by the relevant corporate bodies.
During the year, the Internal Audit department carried out the Audit Plan approved by the Board of Directors and reported its progress to the Audit and Risk Committee and the Board of Statutory Auditors on a quarterly basis. The Internal Audit Senior Vice President and the Internal Audit department have full access to data, documents and information required to carry out their duties.

Organizational model, pursuant to Law Decree 231/2001

On March 22, 2004, the Board of Directors approved the Organizational, managerial and control model, pursuant to Law 231/2001 and established a Compliance Committee. The Model comprises a comprehensive set of procedures and control processes aimed at preventing the offences detailed in the aforementioned law decree, and subsequent amendments. The current scope of application of the Saipem Model, compliant with Legislative Decree No. 231 of 2001, provides for the following: (i) offences against public authorities and public faith, (ii) corporate crimes, (iii) crimes associated with the subversion of public order, and financing of terrorism, (iv) offences against the person, (v) market abuse (‘abuse of confidential information’ and ‘market manipulation’), (vi) offences against individuals, Law No. 7 of 2006, (vii) transnational crimes, (viii) manslaughter and serious or very serious personal injury committed in violation of industrial accident laws and of the protection of industrial hygiene and health, (ix) crimes related to receiving stolen goods, recycling, and unlawful usage of money and properties of illegal origins, (x) computer crimes and unlawful data processing.
The Chairman is responsible for devising and implementing initial activities, updating and upgrading the Model.
In May 2008, the Deputy Chairman - CEO started the process to align Model 231 to the new corporate organization, which led to the Board of Directors approving the new Organizational, managerial and control Model 231/2001 on July 14, 2008.
The new Organizational, managerial and control Model denominated ‘Model 231/2001 (includes the Code of Ethics)’ now encloses the Code of Ethics, which replaces the Code of Practice and is a mandatory general principle of Model 231 itself (6).
In 2010, Saipem SpA and the Compliance Committee completed ‘Project 231’ aimed at updating all documentation supporting the Model and associated control procedures in terms of health and safety in the workplace, pursuant to the provisions of Law Decree 81/2008.
On October 27, 2010, pursuant to Article 7, paragraph 4 of Law Decree 231/2001, the Board of Directors of Saipem SpA updated the Model in order to be compliant with the new legal provisions introduced by Article 24-bis relating to computer crimes.
In 2010 and 2011, the Boards of Directors of all subsidiaries have managed to adopt their own Models, containing the Code of Ethics.

The three-year mandate of the Compliance Committee, originally set up in 2008, expired in 2011 and was renewed by the Board of Directors on July 27, 2011. At the proposal of the Audit Committee, the Committee is now comprised of: two external members, one of whom is appointed Chairman of the Committee, and three internal members, from the Company’s Legal, Human Resources and Internal Audit departments.
The current members of the Compliance Committee are Mr Luigi Rinaldi - Chairman (external member), Mr Marco Elefanti (external member), Mr Francesco Del Giudice (Legal), Mr Roberto D’Onofrio (HR) and Alessandro Riva (Internal Audit). The Compliance Committee’s independence is safeguarded by the position afforded to the aforementioned functions within the Company’s organization and their reporting lines, pursuant to Article 6, paragraph 1, letter b), of Law 231/2001.

The Compliance Committee, also in its capacity as Guarantor of the Code of Ethics, reports on the implementation of Model 231 and/or critical issues that may have arisen and informs on the outcome of activities carried out as part of its remit. The Compliance Committee reports as follows: on an ongoing basis to the Deputy Chairman - CEO, who informs the Board of Directors as part of the duty of disclosure of delegate powers; six-monthly to the Audit and Risk Committee and to the Board of Statutory Auditors; in this case a Six-Monthly Report is produced detailing activities and audits carried out during the period as well as new legislative provisions in matters concerning the administrative liability of legal entities; dedicated meetings are also arranged with the Audit and Risk Committee and the Board of Statutory Auditors; the Six-Monthly Report is also submitted to the attention of the Chairman and Deputy Chairman - CEO.

In 2011, the Compliance Committee convened on fifteen occasions and: promoted and monitored all initiatives aimed at Saipem SpA employees to ensure adequate knowledge of the Model; defined the Compliance Programme for the year and ensured that it was implemented alongside the scheduled and ad-hoc control activities; contributed to updating the new Model; coordinated and maintained communication channels with the Compliance Committee.

(6) The document ‘Model 231/2001 (includes the Code of Ethics)’ is published on Saipem’s website www.saipem.com in the ‘Corporate Governance’ section.

Anti-corruption procedures

In line with the values that underpin Saipem’s activities, namely its ability to conduct business ethically, with loyalty, fairness, transparency, honesty and integrity and its respect for, and compliance with the laws, the Board of Directors on February 10, 2010 approved the adoption of procedures aimed at preventing the corruption of both Italian and foreign public officials, by improving the current compliance system. Specifically, the Board of Directors approved the ‘Anti-Corruption Compliance Guideline’ and associated procedure entitled ‘Intermediary Agreements’ and ‘Joint Venture Agreements - Prevention of Illegal Activity’.
These documents are in line with international Best Practices.
Furthermore, an Anti-corruption Legal Support Unit was created to provide Saipem employees with legal support in matters of Anti-corruption. In 2010, it updated the corporate standard procedure for administrative liability, called ‘Standard Contractual Clauses Concerning the Administrative Liability of the Company for Unlawful Administrative Acts deriving from an offence’. In 2011 the following ancillary procedures were issued: ‘Entertainment expenses’, ‘Authorization and Control of Sales or Acquisitions of Participations’, and ‘Charity donations and sponsorship’.

Audit Firm

The legal audit of Saipem’s financial statements is entrusted – pursuant to the law – to an Audit Firm registered in the Consob special registry and appointed by the Shareholders’ Meeting, upon a reasoned proposal by the Board of Statutory Auditors. The current audit firm is Reconta Ernst & Young SpA, whose mandate was approved by the Shareholders’ Meeting of April 26, 2010, for the financial years 2010-2018.
The financial statements of subsidiary companies are also subject to audit; these are carried out mostly by Ernst & Young. With regard to the opinion on the consolidated financial statements, Ernst & Young is responsible for the audits carried out at subsidiary companies by other external auditors, which are immaterial in terms of consolidated assets and turnover.
The audit firm has full access to data, documents and information required to carry out their duties.

Officer in charge of preparing the Company’s financial reports

Pursuant to Article 21 of Articles of Association and Article 154-bis of Law 58/1998, the Board of Directors, having heard the opinion of the Board of Statutory Auditors and at the Chairman’s proposal, appoints an Officer in charge of preparing the Company’s financial reports, selected from individuals who have carried out the following for at least three years:

  1. administrative and control activities in a managerial capacity at listed companies with a share capital exceeding €1 million, in Italy, in other European Union or OCSE member states; or
  2. legal audits at the companies, under letter a) or
  3. having had a professional position in the field of or a university professor teaching finances or accounting; or
  4. a management position at public or private companies with financial, accounting or control responsibilities.

The Board of Directors ensures that the Officer in charge of preparing the Company’s financial reports is granted adequate powers and has sufficient means to carry out his/her duties; the Board also ascertains that the administrative and accounting procedures are adhered to. The Officer in charge of preparing the Company’s financial reports has the power to sign contracts, should he deem it necessary, for the provision of intellectual work and professional services up to the sum of €750,000 per contract, without budget restrictions.
Saipem’s CFO Mr Giulio Bozzini is the Officer in charge of preparing the Company’s financial reports, pursuant to Article 154-bis of Law 58/1998.
He was appointed by the Board of Directors on July 29, 2008, having first ascertained that he met the criteria of professional competence and good repute required by the Articles of Association, which are reviewed annually.