
Page 1: Audit & Compliance integration in Fiat-Chrysler: Strategic ... · PDF file1 Alessandra Rogina Head of Forensic Audit & Compliance 20 Novembre, 2010 Audit & Compliance integration in

Alessandra Rogina
Head of Forensic Audit & Compliance
20 November 2010

Audit & Compliance integration in Fiat-Chrysler: Strategic Audit

AGENDA

• Corporate Governance framework
• Audit and Compliance Structure
• What is strategic for a sustainable Internal Audit Structure


Corporate Governance Framework

Group’s reorganization


Brand integration

Group Data

Net revenues *: 59,559
Profit/(loss) *: 1,651
Employees: 197,021
Plants: 155
Companies: 472

* In € million; year 2011, includes Chrysler from June 2011.

Corporate Governance Pillars: Sustainability

Score by dimension (Fiat / average score for all companies assessed / highest score):
• Economic: 91 / 73 / 94
• Social: 92 / 68 / 92
• Environmental: 99 / 75 / 99

Weighting of total score by dimension, as listed on the slide: 35%, 26%, 39%.

Total score (Fiat / average score / highest score): 94 / 72 / 94

DJSI World - Automobiles sector: eligible companies 27, admitted companies 3 (BMW (leader), Fiat, Volkswagen)

DJSI Europe - Automobiles sector: eligible companies 7, admitted companies 2 (BMW, Fiat)

Corporate Governance Pillars: Code of Conduct


Corporate Governance Pillars: Whistleblowing Policy

Whistleblowings concern situations of suspected or alleged violations of business ethics as outlined in the Code of Conduct, financial and accounting fraud, and harassment, intimidation or discriminatory behavior towards employees or third parties. […] Group’s commitment to safeguarding the anonymity of the whistleblower (i.e., the person who files a written or verbal whistleblowing regarding an ethical breach), and to guaranteeing that employees who report violations are not subject to adverse action or reprisal of any kind, regardless of whether or not they identify themselves.

Annual Report on Corporate Governance

Foreword

Fiat Group adheres to the new Corporate Governance Code for Italian Listed Companies issued in December 2011, with the modifications related to the specific characteristics of the Group. In a series of meetings held in February 2012, the Board of Directors, at the proposal of the Compensation Committee, established a Compensation Policy which incorporates the recommendations of the Corporate Governance Code and regulations issued by Consob which took effect on 31 December 2011.

Corporate Governance: New Rules

“Risk” Centrality
• Underlined the “risk” centrality in the control system
• Reinforced attention to risk management as a management tool that contributes to company leadership, consistent with the objectives and with the taking of conscious decisions
• Renamed the control system as System of Internal Control and Risk Management
• Renamed several figures (e.g. the ICC becomes the Internal Control and Risk Committee)

Unique and “Integrated” Control System
• Reinforced the system’s principle of “uniqueness”, requiring:
  • Appropriate coordination methods among the different subjects, in order to maximize the effectiveness of the System of Internal Control and Risk Management and to reduce the duplication of activities
  • Integration among the different components of the control system and among the organizational assets and corporate governance

IA Greater Independence – Internal Audit independence has been reinforced by introducing:
• The responsibility of the Board of Directors in the election/removal of the director responsible, in ensuring that he/she is equipped with adequate resources and in defining the compensation
• I.A. reports to the Board of Directors

Corporate Governance – structure

Bodies shown in the organization chart (legend: functional and hierarchical references):
• BoD Fiat S.p.A.
• Internal Control & Risk Committee
• Internal Control “Preposto” ex art. 150 TUF / Head of Audit & Compliance
• Board of Statutory Auditors, Fiat S.p.A.
• Compliance Program Supervisory Body ex D.Lgs 231/2001, Fiat S.p.A.
• Director Responsible for the System of Internal Control and Risk Management
• External Auditors
• Compliance Program supervisory bodies ex D.Lgs 231/2001 (Head Sectors)
• Boards of Statutory Auditors (Head Sectors)
• Compliance Officers (Sectors)
• GEC

From Annual Report on Corporate Governance, February 2012

Corporate Governance - BoD Responsibilities

The Board of Directors has ultimate responsibility for the Company’s Internal Control and Risk Management System. In particular, through its Committees, the Board:

1. defines the nature and acceptable level of risk consistent with the Company’s strategic objectives
2. establishes guidelines for the System of Internal Control and Risk Management, […]
3. examines the risks identified by the Director responsible for the System of Internal Control and Risk Management and evaluates whether the risks have been correctly identified and whether the System is adequate for management of those risks
4. evaluates, at least annually, the adequacy and effectiveness of the System of Internal Control and Risk Management in relation to the profile of the Company and the Group
5. approves, at least annually, the work plan prepared by the Head of Internal Audit […]

Corporate Governance - ICRC Responsibilities

The Internal Control and Risk Committee’s activities in support of the Board of Directors include:

• assisting the Board in defining and updating guidelines for the System
• evaluating – in collaboration with the manager responsible for the Company’s financial reporting and after consultation with the independent auditors and Board of Statutory Auditors – correct application of the accounting principles adopted and consistency with the principles applied for the consolidated financial statements
• making recommendations on specific aspects relating to identification, measurement, management and monitoring of the principal corporate risks, in addition to defining the nature and acceptable level of risk consistent with the Company’s strategic objectives
• reviewing periodic reports providing an evaluation of the System of Internal Control and Risk Management and other reports of particular significance from Internal Audit
• monitoring the independence, adequacy, efficiency and effectiveness of internal audit, including with reference to Legislative Decree 231/01 on corporate liability
• reviewing, in consultation with the Board of Statutory Auditors, findings submitted by the independent auditors in their report and letter of recommendations
• reporting to the Board of Directors, at least every six months (on the occasion of the approval of the annual and half-year financial report), on the activities carried out, as well as on the adequacy of the System of Internal Control and Risk Management
• reviewing, with the support of the head of Internal Audit, whistleblowing reports received for the purpose of monitoring the adequacy of the System of Internal Control and Risk Management
• reviewing the work plan prepared by the head of Internal Audit
• carrying out the functions of the committee for transactions with related parties, except where related to compensation

The Committee may request that Internal Audit perform audits of specific operational areas, at the same time informing the Chairman of the Board of Statutory Auditors that such request has been made.

From Annual Report on Corporate Governance, February 2012

Corporate Governance – Director Responsibilities

The Director Responsible for the System of Internal Control and Risk Management:
• identifies and actively manages the Company’s principal risks, submitting them periodically to the Board for evaluation
• implements guidelines for the System of Internal Control and Risk Management, reporting back to the Board in relation to significant aspects
• proposes candidates for the position of head of Internal Audit to the Board

This Director may request that Internal Audit perform audits of specific operational areas.

Corporate Governance - CAE Responsibilities

The Head of Internal Audit:
• verifies – both on a continuous basis and in relation to specific needs, and in conformity with international professional standards – the adequacy and effective functioning of the System of Internal Control and Risk Management through an audit plan, approved by the Board of Directors, that is based on a structured analysis and ranking of the principal risks
• has direct access to all information necessary or appropriate to the execution of his responsibilities
• prepares periodic reports containing adequate information on Internal Audit’s activities and on the Company’s risk management process, as well as on internal adherence to the plans established for risk mitigation. These periodic reports are to include an evaluation of the adequacy of the System of Internal Control and Risk Management
• promptly reports events of particular significance
• submits the above reports to the Chairmen of the Board of Statutory Auditors, the Internal Control and Risk Committee and the Board of Directors, as well as to the Director responsible for the System of Internal Control and Risk Management
• verifies, as part of the audit plan, the reliability of information systems, including accounting systems

From Annual Report on Corporate Governance, February 2012


Audit & Compliance Structure

Audit & Compliance - Structure

FIAT SPA - AUDIT & COMPLIANCE

The organization chart groups the units on three levels (strategic, operational, cross-functional):

• Cross-functional units: P & M, Forensic, ICT, Financial
• Audit units: Holding & Special Audit; International & Luxury Brands Europe; Automotive Components & Corporate Audit; Other Sectors; Brasil, China, French and Poland branches
• Sectors and areas covered: EMEA, LATAM, APAC, Components, Teksid/Comau, Ferrari, Maserati, FGP Europe, Holding & Others, Fiat Services, Fiat Finance
• Compliance Officers

Audit & Compliance - Cross Functions

CROSS-FUNCTIONAL

Financial: Ensuring quality assurance and independent testing of Fiat Group companies related to ICFR, and coordinating with Chrysler in relation to the convergence of SOX/ICFR methodologies.

ICT: Providing audit to ensure the adequacy and reliability of information systems, system/program controls, and infrastructure and network controls of Fiat SpA and subsidiaries, in coordination with the Fiat SpA ICT Risk Management & Compliance function.

Forensic: Providing operational and methodological support for legal compliance, specifically for corporate liability laws and data privacy; managing the Whistleblowing system based on the specific Policy provisions; implementing the Continuous Control Monitoring project.

Planning & Methodology: Ensuring training and professional development activities for the professional family, quality assurance of audit reports, monitoring of the department’s operating performance and management of relationships with external audit firms.

What is strategic from an IA perspective?

• ERM alignment
• Fiat-Chrysler convergence
• Traditional audit vs. Continuous Control Monitoring (CCM)

ERM alignment – Stepping stones

Although not a mandatory requirement in Italy, the Fiat Group decided in 2003-2004 to adopt a model for the management of risks based on the COSO Report. The project was initially managed by Internal Audit. In 2010, the Fiat Group started to update its risk model in order to guarantee a continuous alignment of the risk management process with International Standards, and also to compare the experience gained with the best practices of other industries.

• 2003: creation of a simplified Risk Model (personalized catalogue with 36 risks)
• 2004: refinement of the Risk Model; single process approach, supporting software, development of methodology and procedure, diffusion of the E.R.M. process throughout the Group
• 2005: 3rd Risk Report; Risk Model in Italian/English (xls)
• 2006: handover to Group Control
• 2010, 1st semester: update of Risk Drivers; subsequent revision of Manual & Guidelines
• 2010, 2nd semester: benchmark on the measurement of risk impact and consolidation of results

ERM alignment - Risk Reporting Flow

The purpose of risk reporting is to provide a complete and transparent picture of the portfolio of risks and risk management activities for both the Management and the Governing and Supervisory bodies of the enterprise.

The reporting document contains the various aggregations of risk, with a description of the evaluations made for the risk assessment and, for the most significant risks, details of the current and future action plans formulated.

(Figure: risk reporting flow chart; CFO)

The complete ERM process should encompass the following steps:
1. Risk Identification at the various levels
2. Risk Assessment, Scoring and Consolidation
3. Allocation in terms of risk ownership
4. Communication via Risk Reporting
5. Monitoring

Fiat-Chrysler convergence: Why?

• Non-integrated data: the Internal Control System in Fiat is divided among Internal Audit, Internal Control over Financial Reporting/SOX and Enterprise Risk Management → integrated framework
• Different ICS framework between the two groups → unique core data model
• Different systems → unique GRC solution
• Because different drivers lead to the development/implementation of systematic and structured processes of control and risk management, and in order to achieve greater integration, Fiat-Chrysler convergence is targeted to develop a common framework/approach on ICFR/SOX, Audit & Compliance and ERM matters, so as to get a strict connection among the different risk perspectives and the potential impacts on financial reporting, supported by a unique GRC application tool.
• The target is to perform a 2013 joint risk assessment on GRC to develop the Audit Plan

Fiat-Chrysler convergence: ICFR/SOX/ERM

Fiat-Chrysler common framework is based on four main pillars, on which Fiat IA and ICFR are working together with Chrysler CA (Corporate Audit) and ICG (Internal Control Group) to achieve an integrated solution (a GRC system).

• Process Model
• Organizational Model
• Risk Model
• Control Model

CCM: definitions

• CCM «is a management monitoring function […] is a key component of the internal control system […]
• Management identifies critical control points and implements automated tests to determine if these controls are working properly […] identifies strategic KRI/KPI and other performance measurement activities to determine if they achieve their target […]
• The continuous monitoring process typically involves the automated testing of all transactions within a given business process area […]
• […] may also be tied to KPI and other performance measurement activities…»
• Companies struggle to manage big volumes of data […] The possibility to manage them rapidly and effectively, giving a synthetic view, can be strategic in control and risk management monitoring…
• […] The technology is crucial […]

CCM in Fiat

Within the scope of the Fiat S.p.A. Audit & Compliance function, the Forensic Department has also launched a CCM project that involves:

• Strengthening control system monitoring tools and Group risk management
• Sharing KRIs and KPIs with Management that are relevant for reaching business objectives and identifying possible process criticalities through an early warning system and process mining tools
• Creating monitoring dashboards for risks and controls, process re-engineering, audit activity efficiency and support to Continuous Risk Assessment
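To make the CCM definition concrete (automated tests over every transaction in a process area, KRIs compared with a tolerance that triggers an early warning), here is an added Python example that is not code from the presentation or from the Fiat project: a constructed Order-to-Cash sample, one of the pilot KPI areas, is run through four assumed control tests, and the exception rate per control becomes the KRI. The record layout, the four controls, the 50,000 EUR approval limit, the 90-day payment term and the tolerances are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class O2CRecord:
    """One Order-to-Cash transaction (constructed layout, not a real system export)."""
    order_id: str
    amount: float          # invoice amount in EUR
    created_by: str        # user who raised the invoice
    approved_by: str       # approver; "" when no approval was recorded
    shipped: bool          # goods have left the plant
    invoiced: bool         # invoice issued
    days_outstanding: int  # days unpaid since invoicing; 0 once cash is collected

# Automated control tests, one per critical control point; True means an exception.
# The approval limit (50,000 EUR) and payment term (90 days) are assumed values.
CONTROLS = {
    "segregation_of_duties": lambda r: bool(r.approved_by) and r.created_by == r.approved_by,
    "invoice_before_shipment": lambda r: r.invoiced and not r.shipped,
    "unapproved_large_amount": lambda r: r.amount > 50_000 and not r.approved_by,
    "overdue_receivable": lambda r: r.invoiced and r.days_outstanding > 90,
}
# Management tolerance per KRI (exception rate); the early warning fires above it.
TOLERANCES = {"segregation_of_duties": 0.0, "invoice_before_shipment": 0.05,
              "unapproved_large_amount": 0.0, "overdue_receivable": 0.30}

def run_ccm(records, tolerances=TOLERANCES):
    """Test every record against every control; the KRI is the exception rate."""
    exceptions = Counter()
    for r in records:
        for name, test in CONTROLS.items():
            if test(r):
                exceptions[name] += 1
    kri = {name: exceptions[name] / len(records) for name in CONTROLS}
    alerts = [name for name, rate in kri.items() if rate > tolerances[name]]
    return kri, alerts

def drill_down(records, control):
    """Order ids behind one KRI, for audit follow-up from the dashboard."""
    return [r.order_id for r in records if CONTROLS[control](r)]

# Constructed sample: eight transactions with seeded exceptions.
SAMPLE = [
    O2CRecord("O1", 12_000, "rossi", "bianchi", True, True, 15),
    O2CRecord("O2", 85_000, "rossi", "rossi", True, True, 30),     # approved own invoice
    O2CRecord("O3", 60_000, "verdi", "", True, True, 0),           # large, no approver
    O2CRecord("O4", 9_000, "verdi", "bianchi", False, True, 120),  # unshipped and overdue
    O2CRecord("O5", 4_500, "neri", "bianchi", True, True, 0),
    O2CRecord("O6", 70_000, "neri", "neri", True, True, 0),        # approved own invoice
    O2CRecord("O7", 3_000, "rossi", "bianchi", False, False, 0),   # not yet invoiced
    O2CRecord("O8", 2_500, "neri", "bianchi", True, True, 95),     # overdue receivable
]
```

On the sample, `run_ccm(SAMPLE)` raises an early warning for three of the four controls; the overdue-receivable KRI (0.25) stays under its 0.30 tolerance, so it appears on the dashboard without an alert.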

CCM and Pilot Results

Pipeline shown on the slide: Sources → Analysis (process benchmarking, process mining, process discovery) → Dashboard

Pilot KPIs: KPI1 – Plant Movements; KPI2 – Funds; KPI3 – Order to Cash

• Interactive monitoring: from hindsight & ad hoc analysis to real time & foresight
• Synergy among information and audit planning activities
• Capitalization of knowledge and methods of analysis
• Information sources mapping