Alessandra Rogina
Head of Forensic, Audit & Compliance
20 November 2010

Audit & Compliance integration in Fiat-Chrysler: Strategic Audit
AGENDA
• Corporate Governance framework
• Audit and Compliance Structure
• What is strategic for a sustainable Internal Audit Structure
Corporate Governance Framework

Group’s reorganization

Brand integration
Group Data (year 2011; * includes Chrysler from June 2011)
Net revenues (€ million): 59,559 *
Profit/(loss) (€ million): 1,651 *
Employees: 197,021
Plants: 155
Companies: 472
Corporate Governance Pillars: Sustainability

[Figure: DJSI score by dimension (Economic, Social, Environmental), each comparing Fiat’s score with the average score for all companies assessed and the highest score, together with each dimension’s weighting of the total score (35%, 26%, 39%). Values as extracted from the chart: Economic 91 / 73 / 94; Social 92 / 68 / 92; 99 / 75 / 99; 94 / 94 / 72.]

DJSI World - Automobiles sector
Eligible companies: 27
Admitted companies: 3
• BMW (leader)
• Fiat
• Volkswagen

DJSI Europe - Automobiles sector
Eligible companies: 7
Admitted companies: 2
• BMW
• Fiat

Corporate Governance Pillars: Code of Conduct

Corporate Governance Pillars: Whistleblowing Policy
Whistleblowings concern situations of suspected or alleged violations of business ethics as outlined in the Code of Conduct, financial and accounting fraud, and harassment, intimidation or discriminatory behavior towards employees or third parties. […] Group’s commitment to safeguarding the anonymity of the whistleblower (i.e., the person who files a written or verbal whistleblowing regarding an ethical breach), and to guaranteeing that employees who report violations are not subject to adverse action or reprisal of any kind, regardless of whether or not they identify themselves.
Annual Report on Corporate Governance

Foreword
Fiat Group adheres to the new Corporate Governance Code for Italian Listed Companies issued in December 2011, with the modifications related to the specific characteristics of the Group. In a series of meetings held in February 2012, the Board of Directors, at the proposal of the Compensation Committee, established a Compensation Policy which incorporates the recommendations of the Corporate Governance Code and regulations issued by Consob which took effect on 31 December 2011.
Corporate Governance: New Rules

“Risk” Centrality
• Underlined the “risk” centrality in the control system
• Reinforced attention to risk management as a management tool that contributes to company leadership, coherent with the objectives and with the assumption of conscious decisions
• Renamed the control system the System of Internal Control and Risk Management
• Renamed several figures (e.g. the ICC becomes the Internal Control and Risk Committee)

Unique and “Integrated” Control System
• Reinforced the system’s principle of “uniqueness”, requiring:
  • Opportune coordination methods among the different subjects, in order to maximize the effectiveness of the System of Internal Control and Risk Management and to reduce the duplication of activities
  • Integration among the different components of the control system and among the organizational assets and corporate governance

IA Greater Independence – Internal Audit independence has been reinforced by introducing:
• The responsibility of the Board of Directors for the appointment/removal of the director responsible, for ensuring that he/she is equipped with adequate resources, and for defining the compensation
• I.A. reports to the Board of Directors
Corporate Governance – structure

[Organizational chart of the control bodies and their functional/hierarchical reporting lines; bodies shown:]
• BoD Fiat S.p.A.
• Internal Control & Risk Committee
• Internal Control Preposto ex art. 150 TUF / Head of Audit & Compliance
• Board of Statutory Auditors, Fiat S.p.A.
• Compliance Program Supervisory Body ex D.Lgs 231/2001, Fiat S.p.A.
• Director Responsible for the System of Internal Control and Risk Management
• External Auditors
• Compliance Program supervisory bodies ex D.Lgs 231/2001 (Head Sectors)
• Board of Statutory Auditors (Head Sectors)
• Compliance Officers (Sectors)
• GEC
Legend: functional reporting line / hierarchical reporting line

From Annual Report on Corporate Governance, February 2012
Corporate Governance - BoD Responsibilities

The Board of Directors has ultimate responsibility for the Company’s Internal Control and Risk Management System. In particular, through its Committees, the Board:
1. defines the nature and acceptable level of risk consistent with the Company’s strategic objectives
2. establishes guidelines for the System of Internal Control and Risk Management, […]
3. examines the risks identified by the Director responsible for the System of Internal Control and Risk Management and evaluates whether the risks have been correctly identified and whether the System is adequate for management of those risks
4. evaluates, at least annually, the adequacy and effectiveness of the System of Internal Control and Risk Management in relation to the profile of the Company and the Group
5. approves, at least annually, the work plan prepared by the Head of Internal Audit […]
Corporate Governance - ICRC Responsibilities

The Internal Control and Risk Committee’s activities in support of the Board of Directors include:
• assisting the Board in defining and updating guidelines for the System
• evaluating – in collaboration with the manager responsible for the Company’s financial reporting and after consultation with the independent auditors and Board of Statutory Auditors – correct application of the accounting principles adopted and consistency with the principles applied for the consolidated financial statements
• making recommendations on specific aspects relating to identification, measurement, management and monitoring of the principal corporate risks, in addition to defining the nature and acceptable level of risk consistent with the Company’s strategic objectives
• reviewing periodic reports providing an evaluation of the System of Internal Control and Risk Management and other reports of particular significance from Internal Audit
• monitoring the independence, adequacy, efficiency and effectiveness of internal audit, including with reference to Legislative Decree 231/01 on corporate liability
• reviewing, in consultation with the Board of Statutory Auditors, findings submitted by the independent auditors in their report and letter of recommendations
• reporting to the Board of Directors, at least every six months (on the occasion of the approval of the annual and half-year financial report), on the activities carried out, as well as on the adequacy of the System of Internal Control and Risk Management
• reviewing, with the support of the head of Internal Audit, whistleblowing reports received for the purpose of monitoring the adequacy of the System of Internal Control and Risk Management
• reviewing the work plan prepared by the head of Internal Audit
• carrying out the functions of the committee for transactions with related parties, except where related to compensation
The Committee may request that Internal Audit perform audits of specific operational areas, at the same time informing the Chairman of the Board of Statutory Auditors that such request has been made.

From Annual Report on Corporate Governance, February 2012
Corporate Governance – Director Responsibilities

The Director Responsible for the System of Internal Control and Risk Management:
• identifies and actively manages the Company’s principal risks, submitting them periodically to the Board for evaluation
• implements guidelines for the System of Internal Control and Risk Management, reporting back to the Board in relation to significant aspects
• proposes candidates for the position of head of Internal Audit to the Board
This Director may request that Internal Audit perform audits of specific operational areas.

Corporate Governance - CAE Responsibilities

The Head of Internal Audit:
• verifies – both on a continuous basis and in relation to specific needs, and in conformity with international professional standards – the adequacy and effective functioning of the System of Internal Control and Risk Management through an audit plan, approved by the Board of Directors, that is based on a structured analysis and ranking of the principal risks
• has direct access to all information necessary or appropriate to the execution of his responsibilities
• prepares periodic reports containing adequate information on Internal Audit’s activities and on the Company’s risk management process, as well as on adherence internally to plans established for risk mitigation. These periodic reports are to include an evaluation of the adequacy of the System of Internal Control and Risk Management
• promptly reports events of particular significance
• submits the above reports to the Chairmen of the Board of Statutory Auditors, the Internal Control and Risk Committee and the Board of Directors, as well as to the Director responsible for the System of Internal Control and Risk Management
• verifies, as part of the audit plan, the reliability of information systems, including accounting systems

From Annual Report on Corporate Governance, February 2012
Audit & Compliance Structure

Audit & Compliance - Structure

[Organizational chart of FIAT SPA - AUDIT & COMPLIANCE, arranged in strategic, operational and cross-functional layers; units shown:]
• Cross-functional units: P & M (Planning & Methodology), Forensic, ICT, Financial
• Audit units: Brasil Branch, China Branch, French Branch, Poland Branch, Holding & Special Audit, Other Sectors, International & Luxury Brands Europe, Automotive Components & Corporate Audit
• Sectors and regions covered: EMEA, LATAM, APAC, Components, Teksid/Comau, Ferrari, Maserati, FGP Europe, Holding & Others, Fiat Services, Fiat Finance
• Compliance Officers
Audit & Compliance - Cross Functions

CROSS-FUNCTIONAL
Financial: ensuring quality assurance and independent testing of Fiat Group companies related to ICFR, and coordinating with Chrysler in relation to the convergence of SOX/ICFR methodologies.
Forensic: providing operational and methodological support for legal compliance, specifically for corporate liability laws and data privacy; managing the Whistleblowing system based on the specific Policy provisions; implementing the Continuous Control Monitoring project.
ICT: providing audit to ensure the adequacy and reliability of information systems, system/program controls, and infrastructure and network controls of Fiat SpA and subsidiaries, in coordination with the Fiat SpA ICT Risk Management & Compliance function.
Planning & Methodology: ensuring training and professional development activities for the professional family, quality assurance of audit reports, monitoring of the department’s operating performance and management of relationships with external Audit firms.
What is strategic from an IA perspective?
• ERM alignment
• Fiat-Chrysler convergence
• Traditional audit vs. Continuous Control Monitoring (CCM)
ERM alignment – Stepping stones

Although not a mandatory requirement in Italy, the Fiat Group decided in 2003-2004 to adopt a model for the management of risks based on the COSO Report. The project was initially managed by Internal Audit. In 2010, the Fiat Group started to update its risk model in order to guarantee continuous alignment of the risk management process with international standards, and also to compare the experience gained with the best practices of other industries.

• 2003: creation of a simplified Risk Model (creation of a personalized catalogue with 36 risks)
• 2004: refinement of the Risk Model; single process approach, supporting software, development of methodology and procedure, diffusion of the E.R.M. process throughout the Group
• 2005: 3rd Risk Report; Risk Model in Italian/English (xls)
• 2006: handover to Group Control
• 2010, 1st semester: update of Risk Drivers; subsequent revision of Manual & Guidelines
• 2010, 2nd semester: benchmark on the measurement of risk impact and consolidation of results
ERM alignment - Risk Reporting Flow

The purpose of risk reporting is to provide a complete and transparent picture of the portfolio of risks and risk management activities for both the Management and the Governing and Supervisory bodies of the enterprise.

The reporting document contains the various aggregations of risk, with a description of the evaluations made for the risk assessment and, for the most significant risks, details of the current and future action plans formulated.

[Risk reporting flow diagram; label recovered from the figure: CFO]

The complete ERM process should encompass the following steps:
1. Risk Identification at the various levels
2. Risk Assessment, Scoring and Consolidation
3. Allocation in terms of risk ownership
4. Communication via Risk Reporting
5. Monitoring
Fiat-Chrysler convergence: Why?

• Non-integrated data: the Internal Control System in Fiat is divided among Internal Audit, Internal Control over Financial Reporting/SOX and Enterprise Risk Management → integrated framework
• Different ICS frameworks between the two groups → unique core data model
• Different systems → unique GRC solution
• Because different drivers lead to developing/implementing systematic and structured processes of control and risk management to achieve greater integration, Fiat-Chrysler convergence is targeted at developing a common framework/approach on ICFR/SOX, Audit & Compliance and ERM matters, in order to get a strict connection among the different risk perspectives and the potential impacts on financial reporting, supported by a unique GRC application tool.
• The target is to perform a 2013 joint risk assessment on GRC to develop the Audit Plan.
Fiat-Chrysler convergence: ICFR/SOX/ERM

The Fiat-Chrysler common framework is based on four main pillars, on which Fiat IA and ICFR are working together with Chrysler CA (Corporate Audit) and ICG (Internal Control Group) to achieve an integrated solution (a GRC system):
• Process Model
• Organizational Model
• Risk Model
• Control Model
CCM: definitions

• CCM «is a management monitoring function […] Is a key component of the internal control system […]
• Management identifies critical control points and implements automated tests to determine if these controls are working properly […] Identifies strategic KRI/KPI and other performance measurement activities to determine if they achieve their target […]
• The continuous monitoring process typically involves the automated testing of all transactions within a given business process area […]
• […] may also be tied to KPI and other performance measurement activities….»
• Companies struggle to manage big volumes of data […] The possibility of managing them rapidly and effectively, giving a synthetic view, can be strategic in control and risk management monitoring….
• […] The technology is crucial […]
CCM in Fiat

Within the scope of the Fiat S.p.A. Audit & Compliance function, the Forensic Department has also launched a CCM project that involves:
• Strengthening control system monitoring tools and Group risk management
• Sharing KRIs and KPIs with Management that are relevant for reaching business objectives, and identifying possible process criticalities through an early warning system and process mining tools
• Creating monitoring dashboards for risks and controls, process re-engineering, audit activity efficiency and support to Continuous Risk Assessment
CCM and Pilot Results

[Dashboard figure: Sources → Analysis → Dashboard]
Analysis techniques: process benchmarking, process mining, process discovery
Pilot KPIs: KPI1 – Plant Movements; KPI2 – Funds; KPI3 – Order to Cash
• Interactive monitoring: from hindsight & ad hoc analysis to real time & foresight
• Synergy among information and audit planning activities
• Capitalization of knowledge and methods of analysis
• Information sources mapping