METHODOLOGICAL MODEL FOR THE REALIZATION OF PREVENTIVE TESTS
AND AUDIT INSPECTIONS ON NATIONAL SPORTS FEDERATIONS AND
ASSOCIATE SPORTS DISCIPLINES
Table of contents
1 Introduction ........................................................................................ 3
1.1 Purpose of this document ............................................................................ 3
1.2 Structure of the document ........................................................................... 4
2 Reference framework .................................................................................. 4
2.1 COSO Enterprise Risk Management Framework - Integrating with Strategy and Performance .............. 5
2.2 Basic Universal Principles of Good Governance of the Olympic and Sports Movement .................. 6
2.3 ASOIF Governance Task Force Framework ............................................................... 7
2.4 Capability Maturity Model Integration ............................................................... 7
2.5 COSO Internal Control - Integrated Framework ........................................................ 8
2.6 Fraud triangle ...................................................................................... 10
3 Governance assessment methodology .................................................................... 12
3.1 Aims and objectives ................................................................................. 12
3.2 Logical structure ................................................................................... 13
3.3 Detection mode of data and information .............................................................. 17
3.4 Measuring method .................................................................................... 18
3.5 Representation of the results of the evaluation ..................................................... 20
3.6 Procedural aspects .................................................................................. 20
4 Monitoring of the internal control and risk management system ........................................ 21
4.1 Aims and objectives ................................................................................. 21
4.2 Logical structure ................................................................................... 22
4.3 Methods for assessment of the adequacy of control ................................................... 33
4.4 Representation of the assessment outcomes ........................................................... 35
4.5 Procedural aspects .................................................................................. 37
5 Audit inspections ..................................................................................... 39
1 Introduction
1.1 Purpose of this document
CONI's power/duty of supervision over National Sports Federations (NSF) and Associate Sport
Disciplines (ASD) is established by the Law and by the Articles of Association of the Entity.
CONI exercises this power/duty through preventive tests and audit inspections.
In the context of preventive verifications, this document introduces the assessment of the governance
system and makes the verifications of the internal control and risk management system (hereinafter
"SCIGR") more efficient while keeping them equally effective, moving from a "summary" logic to an
"on-going" one.
The assessment of the governance system shall be carried out at least once every four years and replaces
the audits carried out on the SCIGR, which are instead performed annually.
***
The International Standards for Professional Internal Auditing Practices promoted by the IIA1 define
governance as: "The set of procedures and structures implemented by the organisation's governing
body to inform, instruct, direct, manage and control the organisation's activities in
achieving its objectives".
CONI pursues the principle of "good governance"2, promoting its dissemination and actual
implementation in the Italian sport system, with particular reference to the Code of Ethics and the
Basic Universal Principles of Good Governance of the Olympic and Sports Movement of the
International Olympic Committee.
1 The Institute of Internal Auditors.
2 Reference is made to the following documents:
“Recommendation Rec(2005)8 on the Principles of Good Governance” (2005), Council of Europe.
“White paper on Sport” (2007), European Commission Communities.
“Basic Universal Principles of good Governance of the Olympic and Sports Movement” (2008), International Olympic Committee.
“Principles of good governance in sport” (2013), European Commission Expert Group on Good Governance.
“Guide to Corporate Responsibility” (2014), Global Compact.
“Consolidated minimum requirements for the implementation of the Basic Principles of Good Governance for NOCs” (2016), International Olympic Committee.
“International Federation Self-Assessment Questionnaire” (2016), ASOIF Governance Task Force.
CONI joined the UN Global Compact initiative in 2016, a voluntary code created to promote a
sustainable global economy, which requires the companies and organisations belonging to it to adopt
proactive behaviour in protecting human rights, the environment and occupational safety, in fighting
corruption and, more generally, in supporting the broader development objectives set by the
United Nations.
1.2 Structure of the document
Following this introduction, the second chapter describes the reference framework that inspired the
evaluation of the governance system and the audits of the internal control and risk management system.
The third chapter contains the methodology developed for the preventive tests. The last chapter
describes the methods for performing the audit inspections.
2 Reference framework
The models underlying the developed methodology are:
With reference to the assessment of the Corporate Governance System:
o The "COSO Framework Enterprise Risk Management" (published in 2017 by the Committee
of Sponsoring Organisations of the Treadway Commission3).
o The "Basic Universal Principles of Good Governance of the Olympic and Sport Movement"
(2008, International Olympic Committee).
o The "ASOIF Governance Task Force Framework - International Federation Self-Assessment
Questionnaire" (2016, ASOIF4).
o The "Capability Maturity Model Integration (CMMI) for Development" (published in 2010 by
the CMMI Product Team expert group5).
3 The Committee of Sponsoring Organizations of the Treadway Commission is a committee founded in America in 1992 on the initiative of 5 leading organizations (IMA, AAA, AICPA, IIA, FEI) to provide thought leadership to the management of corporations and government agencies, developing frameworks and guidelines for the management of business risk, internal control and fraud.
4 The ASOIF, Association of Summer Olympic International Federations, is an association that groups together the International Sports Federations that are part of the International Olympic Committee and that govern the disciplines included in the programme of the Summer Olympic Games.
5 The CMMI Product Team is made up of representative members of the American industry sector and government and also of the Software Engineering Institute (SEI), a research centre at Carnegie Mellon University.
With reference to the assessment of the corporate Internal Control System:
o The "COSO Internal Control - Integrated Framework" (published in 2013 by the Committee
of Sponsoring Organisations of the Treadway Commission).
o The "Fraud triangle" (from a study by Donald R. Cressey, Other People's Money, published
in 1973).
2.1 COSO Framework Enterprise Risk Management - Integrating with Strategy and
Performance
The “COSO ERM Framework”, published by the Committee of Sponsoring organisations of the
Treadway Commission in 2004 and most recently updated in 2017, contains instructions on
organisational principles to which the organisations can refer to create value for their own stakeholders
and to manage the challenges and connected risks.
The framework's 5 components are detailed in principles that define the thematic areas an
organisation must consider when creating value:
Governance & Culture: the foundation of the other components and the cultural atmosphere
within which the people belonging to an organisation perform their activities and carry out their
responsibilities. It is evidenced in the "tone at the top", the decision-making and management
philosophy, roles and responsibilities, skills and resource management, ethical values, standards
of conduct, etc.;
Strategy & Objective-Setting: the process of defining goals in line with the organisation's mission
(its ultimate goal, what it wants to achieve and the very reason for its existence), its vision (its
aspiration for the future, what the organisation is trying to achieve), its core values and its
willingness to take risks;
Performance: the process of identifying events that may impact organisational goals, analysing
and assessing the related risks, and determining management actions with risk tolerance taken
into account;
Review & Revision: monitoring the governance, goal-setting and risk management processes in
order to understand the changes that can affect the efficiency and effectiveness of the
organisation's performance, from a continuously adaptive viewpoint;
Information, Communication & Reporting: the process of identifying, collecting and transmitting
relevant and timely information that allows people to perform their assignments and make
informed decisions.
The principles of the framework can be adopted at different organisational levels (entire organisation/
"entity level", business unit, process, activity).
The figure below (fig. 1) shows the reference principles of each component of the framework:
Fig. 1 - COSO ERM Framework: components and principles (COSO, 2017)
2.2 Basic Universal Principles of Good Governance of the Olympic and Sports
Movement
The "Principles of Good Governance" (hereinafter also "PGG") are the guidelines provided by the
International Olympic Committee to all the National Olympic Committees to implement a shared
approach to good governance; they also provide a means of identifying possible weaknesses in a
governance system and the related remediation needed.
The PGG identify the following 7 principles that all the Organisations belonging to the Olympic
Movement must take into account when designing and assessing their own governance model:
1. Vision, mission and Strategy.
2. Structures, regulations and democratic processes.
3. Highest level of competence, integrity and ethical standards.
4. Accountability, transparency and control.
5. Solidarity and development.
6. Athletes' involvement, participation and care.
7. Harmonious relations with governments while preserving autonomy.
The PGG further articulate these principles into 38 topics, which describe each principle in detail.
2.3 ASOIF Governance Task Force Framework
The Governance Task Force of the ASOIF (Association of Summer Olympic International Federations)
has developed a methodology for detecting the governance status of the International Federations of
Summer Olympic Sports. It aims to identify best practices and the priority areas for action, to
promote a culture inspired by good governance and to support the Federations in achieving the highest
level of governance attainable in their reference context and in relation to the potential of each
Federation.
The Task Force used a Self-Assessment Questionnaire as its detection tool. The questionnaire includes
an introductory section, which investigates the adoption of the Codes and the level of compliance with
the main reference documents of the Olympic Movement, such as the Olympic Charter and the
Anti-Doping Code, and is then divided into 50 clear and measurable indicators, organised in 5 sections:
1. Transparency.
2. Integrity.
3. Democracy.
4. Development/Solidarity.
5. Control Mechanisms.
Each section listed above consists of a set of 10 indicators.
2.4 Capability Maturity Model Integration
The "Capability Maturity Model" was developed and first introduced by Watts Humphrey in the context
of his position in IBM for the U.S. Department of Defense. The model was acquired, developed and
sponsored by the Carnegie Mellon University Software Engineering Institute (SEI) and was formalised
in the book "Managing the software process" published in 1989.
Subsequently, the CMM has evolved into the "Capability Maturity Model Integration" (hereinafter
"CMMI") thanks to the cooperation of representatives from industry, government and the SEI. Today
the CMMI is administered by CMMI Institute, a subsidiary of ISACA (Information Systems Audit and
Control Association) internationally recognised for its expertise on topics of IT governance.
The CMMI is available in different versions, all oriented toward providing organisations with a guide to
improved performance.
Particular reference has been made to the version "CMMI for Development", updated in 2010, which
pursues the optimisation of the processes for developing products and services in line with the needs
and expectations of stakeholders, making better use of the available resources and contributing to the
development of the relevant environment. This version is one of the most complete best practices
recognised internationally in the field.
The Framework is based on 5 levels of maturity defining an evolutionary path of progressive
effectiveness in the organisation's processes, as shown in the following figure (fig. 2).
Fig 2 - CMMI: Levels of maturity (CMMI Institute, 2010)
Each level of maturity corresponds to a different scenario, and a dynamic reading of the scenarios offers
a structured and systematic path for the development and improvement of the organisation and its
processes.
2.5 COSO Internal Control - Integrated Framework
The "COSO IC Framework", published by the Committee of Sponsoring Organisations of the Treadway
Commission in 1999 and subsequently updated in 2013, represents the internal control and risk
management system (SCIGR) through three dimensions, as shown below in fig. 3:
the objectives of the SCIGR: effectiveness and efficiency in business processes (operations),
reliability of financial information management and reporting, and compliance with internal and
external laws and regulations (compliance);
the various levels of the organisation at which the SCIGR is implemented (company, business
unit, business function, process, activity, etc.);
the 5 fundamental components of SCIGR:
1. Control Environment: represents the general context in which the company personnel
perform their activities and carry out their responsibilities. It includes the integrity and ethical
values of the company, the organisational structure, the system of attribution and the related
exercise of mandates and responsibilities, the segregation of functions, the management
policies and personnel incentives, staff expertise and, more generally, the "culture" of the
company;
2. Risk Assessment: consists of the process of identifying risks, analysing and assessing
potential impacts and defining prevention or containment actions;
3. Control Activities: this is the element implementing the corporate SCIGR. It is articulated in
the set of policies, procedures and practices defined to allow the organisation to achieve
corporate objectives and reduce the related risk to an acceptable level. Control activities
include, for example, the authorisation limits, controls to reduce exposure to losses and fraud,
the procedures to ensure data reliability and the integrity of information and the appropriate
procedures to ensure compliance with laws and regulations;
4. Information and Communication: this includes both systems suitable for collecting and
processing data and information relevant to the management of the business and the
appropriate mechanisms for ensuring effective communication thereof inside and outside the
organisation;
5. Monitoring Activities: this is the set of activities required to monitor and periodically evaluate
the adequacy, effectiveness and efficiency of internal controls, with a view to their improvement.
These activities are carried out both by the process managers/organisational structure, through
a systematic and continuous monitoring (level 2 control), and by independent internal structures
operating through specific evaluations (level 3 control).
Fig 3 - COSO Internal Control-Integrated Framework (COSO, 2013)
2.6 Fraud Triangle
For the purposes of the SCIGR verification, some of the main theories developed on the factors that
lead to behaviour contrary to business ethics were taken as reference. One of the main
methodological reference standards is the so-called "Fraud Triangle", taken from a study by
Donald R. Cressey, Other People's Money, published in 1973, which identifies three variables that
underlie the unacceptable or fraudulent act:
Incentives/pressures felt by the individual, such as revenge or personal economic difficulties, but
also an incorrect interpretation of the results expected by the organisation, etc.;
Rationalisation or normalisation, i.e. the psychological mechanism that, before the individual's
choice to breach the rules matures, induces him to justify the unethical or illegal act by ascribing
blame to other members of the organisation or to factors extraneous to himself ("other people do
worse, so do the bosses", etc.). This mechanism is easily triggered, and a strong mitigating element
lies precisely in the control environment, in exemplary conduct by executive management and in
the dissemination of ethical values;
Opportunities linked to the person's awareness of being able to exploit the weaknesses in the
system of internal controls. In fact, whatever circumstances might arise during a person's working
life and trigger the variables "rationalisation" and "pressures/incentives", no fraud could take place
if there were no chance to take advantage of deficiencies or weaknesses in the control system.
This element also involves communication: it is not enough to have an effective and efficient
internal control system, it is also necessary that it is perceived as such by all those it addresses.
In addition to the above, recent studies have identified a further variable: the capability of the
person to take advantage of the weaknesses of the internal control system.
For the purpose of identifying potential fraud schemes, the taxonomy considered is that developed by
the Association of Certified Fraud Examiners (ACFE), which attributes all possible fraud schemes to
three main categories:
Financial statement fraud: this is manifested through the commission of one or more intentional
acts performed for the purpose of providing an altered and misleading representation of the
company’s economic, financial and equity situation. Generally, this category of fraud is
perpetrated by senior managers of the organisation, with the goal of obtaining undue
advantages. However, this also includes all forms of falsification in the accounting records, even
when instrumental in other violations (e.g., falsification of repayments);
Asset misappropriation: this includes all illegal schemes involving forms of embezzlement and
misappropriation of corporate assets and resources. In particular, the misappropriation may involve
money, tangible property other than cash and intangible assets. According to the ACFE, this
category of fraud is the most widespread;
Corruption: covers all behaviours involving the abuse of power, authority or knowledge, carried out
with the intent of granting an illegal or unfair advantage or benefit to certain entities, or to their
agents, whether external or internal to the organisation.
Finally, another factor taken into consideration for identifying and investigating fraud is the fraud
indicators (the so-called red flags or anomaly signals), i.e. those conditions, symptomatic situations
and clues that can be attributed to fraudulent or dishonest activities or to an attempt to conceal
their traces.
3 Description of the Governance System assessment methodology
The assessment methodology of the Governance System is described in the paragraphs below in
terms of:
Purposes and Goals.
Logical structure.
Methods for the collection of data and information.
Measurement logic.
Assessment outcome.
Procedural aspects.
3.1 Purposes and Goals
The International Olympic Committee (IOC) regards "good governance" as an essential principle of the
Olympic Movement; the Olympic Charter establishes the responsibility of the organisations that are part
of the Movement to ensure that the principles of "good governance" are applied and the IOC Code of
Ethics requires that the "Basic Principles of Good Governance of the Olympic and Sports Movement"
(hereinafter also "PGG") are complied with by all the members of the Olympic Movement.
"Recommendation 27” of the Olympic Agenda 2020 reaffirms the essential nature of compliance with
the PGG by all the organisations that are part of the Olympic Movement.
"Good governance" in the sports sector has particular significance as it represents «the fundamental
basis to secure the Autonomy of Olympic and Sports organisations and to ensure that this Autonomy is
respected by […] stakeholders.» (EU White Paper on Sport, SEC(2007)).
There are numerous international multi-stakeholder initiatives on governance and the fight against
corruption in the sports sector such as those promoted by the IPACS (Partnership against Corruption in
Sport6).
6 The IPACS (Partnership Against Corruption in Sport) is the partnership set up during a meeting held in Paris at the Council of
Europe (June 2017) which aims to bring together international sports organizations, governments and non-governmental
organizations as well as other relevant stakeholders in order to fight against and eliminate corruption in the world of sport,
promoting a culture of "good governance". On that occasion the British Department for Culture, Communication and Sport, the
Council of Europe, the International Olympic Committee and the Organization for Economic Cooperation and Development
(OECD) were involved as guests and co-organizers, in addition to the ASOIF and other international organizations, to
discuss and identify the principles of "good governance" in sports.
***
The methodology for assessing the Governance System is to be viewed in this context and is aimed at
understanding the level of maturity and the opportunities that can support the creation of value for the
stakeholders of the sports system, identifying and promoting best-practices as well as defining and
implementing cross-actions for development and evolution.
3.2 Logical structure
This methodology refers exclusively to the "off-the-field" area of governance, that is, the area relating to
the organisation and its "decision-making and administrative machine", and not to sports performance.
The following 4 "thematic areas" have been identified as characterising the NSF governance system:
1. Democracy.
2. Environment and ethical culture.
3. Goals, risks and controls.
4. Accountability and transparency.
***
Each area is developed:
vertically, in specific "themes" and "sub-themes" that reflect the fundamental points of the 5
components of the COSO ERM Framework, the 7 principles of the IOC and the 5 sections of
the ASOIF, adapting them to the overall context of the NSF (the diagram represented in fig. 4
describes the 4 areas and their breakdown);
horizontally, in an evolutionary process of progressive decisional, organisational and
managerial effectiveness, articulated in the following 4 standard maturity levels (as shown in
the diagram in fig. 5):
1. Initial.
2. Managed.
3. Defined.
4. Optimised.
Fig. 4 - Diagram: areas, themes and aspects of detail
Level 1 - Initial
A process of democratic participation is present at this level. There are no defined conflicts of interest with regard to eligible candidates. Candidates can be elected by acclamation and multiple votes can be cast as no balancing methods are present. No commissions are set up for the verification of voting rights, counting and checking of the polls. Candidates are not required to file programs and objectives for their mandate and no institutional information on the background of candidates is given.
Any resolutions that, during election time, might involve conflicts of interest, in particular any resolutions referring to the allocation of resources and advantages to stakeholders, are not published.
Ethical rules are not codified and there is no commitment on ethics-related issues. No tools for the management and investigation of alerts are in place.
Decision-makers use their own mental model for the representation of internal and external contexts, feeding on subjective experience and perceptions, and define the decisions to be made without a structured informative support process. There is no dedicated reflection on current issues and significant risks, including emerging risks, for the Federation.
The strategic reference is static and coincides with the mission provided for in the Articles of Association. There is no process of defining and assigning objectives to the structures, which perform tasks and activities without a formal definition of roles and responsibilities.
No policies and procedures are present, activities and controls are based on individual initiative and experience with no methodological structure. There are no internal or external control bodies, nor second- or third-level internal assurance structures. There is no management of conflicts of interest on operational processes (procurement, treasury,...).
No forms of transparency are in place for the democratic process, the decision-making, management and performance processes.
The results are substantially represented in the financial statements, which are not published.

Level 2 - Managed
A process of democratic participation is present. The fundamental conflicts of interest in relation to eligible candidates are defined and managed. Elective mechanisms are traceable and objective, but multiple votes can be cast as no balancing methods are present. Commissions are set up for the verification of voting rights, counting and checking of the polls, but there are no rules on their independence nor rules on the possibility of making timely reports and appeals. Candidates are required to file programmatic statements but an actual mandate program is not present and no institutional information on the background of candidates is given.
Any resolutions that, during election time, might involve conflicts of interest, in particular any resolutions referring to the allocation of resources and advantages to stakeholders, are not published.
Ethical rules are not codified, but there is commitment. The reports are managed and investigated even if through unstructured channels. The staff takes part in training and refresher courses and conferences on ethics-related issues.
Decision-makers define the decisions to be taken using data supplied by the structures, though mainly on the basis of historical series and without an adequate information process to support them. Decision-makers are informed, though not promptly and not in a structured way, of the significant risks for the Federation, especially in relation to compliance issues.
The strategic reference is static and coincides with the mission set out in the Articles of Association, but some of the objectives can be inferred from various documents (e.g. budget, management report,..). There is no process of definition and attribution of goals to the structures, but their roles and responsibilities are formalized.
The activities are carried out on the basis of established practices, with regulations that define the main aspects of the business cycles in a general way. Key controls are present and are performed - but their adequacy is not reassessed on a regular basis - and are focused on financial reporting. There is a Board of Auditors, but no second or third level internal assurance structures. Conflicts of interest on operational processes (procurement, treasury,...) are not managed.
The democratic process involves the publication of results. The decision-making process is characterized by the publication of the summaries of the most significant decisions. Management and performance are not subject to forms of publication.
The results are substantially represented in the financial statements, which are published.

Level 3 - Defined
A process of democratic participation guarantees the participation of all the stakeholders and regulates the ways the main conflicts of interest with regard to eligible candidates are defined and managed. Elective methods are traceable, objective, regulated by rules that govern the mechanisms of delegating and balancing multiple voting. Commissions are set up for the verification of voting rights, counting and checking of the polls, and there are rules on the independence of the commissions and on the possibility of making timely reports and appeals. Mechanisms are in place for the handling of claims filed by entitled persons. Candidates are required to file specific programmes even if the information on the background of candidates is not published.
Any resolutions that, during election time, might involve conflicts of interest, in particular any resolutions referring to the allocation of resources and advantages to stakeholders, are published during the period of the elections.
There is a Code of Ethics and commitment is required on ethics-related issues. The staff participates in training and refresher courses, conferences and initiatives on ethics-related issues. There is a system for managing and investigating reports.
Decision-makers define the decisions to be made using reliable information promptly provided by identified process owners. Strategic objectives are defined and the structures achieve specific objectives with a certain degree of decision-making independence; however, performance is measured in terms of quality, as no specific targets are set.
There is commitment with regard to the identification and management of significant risks and on these issues decision-makers receive information provided by the persons in charge of the individual issues.
A formal organisational Chart and formal Job Descriptions are in place.
Activities are carried out on the basis of procedures and the adequacy of controls is assessed by the managers. Second level assurance structures (e.g. compliance) are present.
The democratic process requires the publication of the assigned voting rights and poll results. The decision-making process is characterized by the publication of the agenda and the syntheses of the decisions / resolutions. Management and performance are subject to various forms of transparency on certain issues, with the exception of the procurement process and the allocation of resources and benefits.
There is a Board of Auditors and financial statements are audited by independent auditors.

Level 4 - Optimised
A process of democratic participation exists, is open to all the stakeholders and is respectful of genders. The main conflicts of interest in relation to eligible candidates are defined and managed. Elective methods are traceable, objective, regulated by rules for the management of proxies and balancing of multiple voting mechanisms. Independent commissions are set up for the verification of voting rights, the counting and checking of the polls, capable of ensuring that the rules defined are complied with. The commissions are open to external parties. There are mechanisms for handling the claims filed by anyone entitled, also outside the organisation. The information on the candidates, their background and the objectives of their programs are published on the institutional website on a fair and equal basis.
A Code of Ethics, an anti-corruption compliance Model and a related disciplinary system are present. The staff receives training on ethics-related topics. A management system for whistleblowing reports is in place which ensures the privacy of the whistleblower.
Decision-makers define measurable goals and take decisions within structured planning and control processes. The goals are assigned to the structures and their respective performances are measured through ad hoc indicators.
A process for the management of significant risk, based on an internationally recognized framework is present.
Organisational Chart and Job Descriptions are formalized and the relevant updates are approved and communicated promptly.
There is a structured process for the drafting, updating, issuance and dissemination of policies and procedures. There are second-level (e.g. compliance) and third level (internal audit) control structures, which provide assurance on the adequacy and effectiveness of governance, risk management and internal control processes.
The organisation is responsive to change. Democratic process, management and performance are transparent. Documents and decisions are widespread and accessible.
There is a Board of Auditors and financial statements are audited by independent auditors, whose reports/minutes are published on the institutional website.
A Sustainability Report is drawn up and published on the institutional website.
Fig. 5 - Standard maturity levels
3.3 Methods for the collection of data and information
The "data collection card" (fig. 6) is the tool used to collect data and information in relation to all the
aspects of detail that make up each thematic area to be assessed. The purpose of the data collection
card is to find out contingent and specific situations.
Fig. 6 - Format of the data collection card
Data and information can be acquired through the three procedures illustrated below (Illustration 6),
which can also be implemented in synergy with each other.
Procedure (description): control risk
• Request for information (interview; survey): the request for information produces indirect evidence that in itself is not generally considered persuasive.
• Observation (direct observation; walk-throughs): the presence of a survey evaluator can influence the attitude of the persons subject to the survey.
• Document verification (study of documents and transactions; physical examination of tangible resources): verification is influenced by the evaluator's ability to understand what he sees and examines.
Fig. 7 - Data and information acquisition procedures
The information collected must be:
• sufficient: factual, adequate and convincing information, such that would lead a prudent and informed person to reach the same conclusions as the evaluator;
• reliable: the best information obtainable through the procedures that can be carried out and the available sources;
• relevant: information consistent with the objectives of the assessment and relevant to the processes investigated.
3.4 Measuring method
The contingent situation recorded for each aspect of detail is assessed against the "scenarios" (fig. 8)
that represent decision-making, organisational and management situations based on the 4 levels of
maturity (fig. 5).
The valuation is carried out on the basis of a prudential principle in such a way that, in the event of a
partial overlap, the lower level scenario is chosen.
Fig. 8 - Format of the collection card
Each scenario is attributed a score of 1 to 4 depending on the corresponding maturity level, as follows:
• Initial - score "1";
• Managed - score "2";
• Defined - score "3";
• Optimized - score "4".
The maturity level of each thematic area is measured by calculating the simple arithmetic average of
the above scores.
The simple arithmetic average ( ), thus calculated, is normalized ( ) through an automatic algorithm
that operates the following function:
The normalized values ( ) are reallocated according to a normal distribution divided into 4 frequency
ranges corresponding respectively to the 25th, 50th, 75th and last intervals, as shown below (fig. 9).
Fig. 9 - Distribution range
Each range is associated with a level of maturity from 1 to 4, as shown in the illustration below
(Illustration 9).
Range | Interval | Level of maturity
R1 | [0% - 25%] | 1 - Initial
R2 | [25% - 50%] | 2 - Repeatable
R3 | [50% - 75%] | 3 - Defined
R4 | [75% - 100%] | 4 - Optimized
Fig. 10 - Range, intervals and maturity levels
The maturity level of each thematic area corresponds to the maturity level associated with the range
which includes the normalized value of the simple arithmetic average of the scores of the aspects of
detail into which the thematic area is organized.
3.5 Results of the assessment
The overall results of the assessment are formally set out in a "summary dashboard" that illustrates the
outcome of the assessment for each thematic area, specifying the level of maturity that results from the
aggregation of the scores referred to in the previous paragraph (fig 11):
Fig. 11 - Format of the summary dashboard
The combination of all the summary assessments makes it possible to conduct an overall assessment of the
maturity level of the "system" governance and to identify best practices to be promoted as
cross-actions to strengthen it.
3.6 Procedural aspects
The Supervisory Office proposes to the National Board to start the assessment of the NSF (National
Sport Federations) governance system. This assessment is carried out every four years and replaces,
in that year, the assessments carried out on the SCIGR (Sistema di Controllo Interno e di Gestione dei
Rischi - Internal Control and Risk Management System).
Following approval by the National Board, the Supervisory Office sends a communication to all the NSF
and defines the timetable of the activities.
In carrying out the activities the Office can request additional documentation and meetings.
Following the assessments, the Supervisory Office processes the summary dashboards sent to
individual FSNs and a summary report, also with the support of competent and independent third
parties, on the overall maturity level of the system which is sent to the CONI’s General Secretary and
National Board.
4 Monitoring of the internal control and risk management system
The assessment methodology is described in the following paragraphs in terms of:
• Aims and objectives.
• Logical structure.
• Modality for measuring the adequacy of control measures.
• Representation of the assessment outcomes.
• Procedural aspects.
4.1 Aims and objectives.
The monitoring activity is carried out alongside, and does not replace, audit inspections. It represents
an element of guarantee and prevention since, on the one hand, it is not open to any subjective
discretionary choice, given that it is a simultaneous check on all the NSF/ASD (around 64 entities), and,
on the other hand, it is aimed at identifying any shortcomings or points for improvement in the design of
federal controls, in order to mitigate the probability of the occurrence of events or situations that could
give rise to audit inspections.
The methodology is characterised as follows:
• remote monitoring, without on-site visits to federal offices;
• the checks are implemented by adopting an approach that requires reporting of on-going controls, i.e. during operativity, rather than at the end of activities. This approach has the following main benefits:
  o the verification activities are more efficient and less burdensome for the NSF in terms of documentation production, with such requests spaced out through the year;
  o checks are focused on specific aspects of control design with respect to each Area being examined in all NSF/ASD;
  o controls are verified in a continuous manner, acquiring the documentary evidence that complies with the timetable of the activities in examination;
  o control failures and shortcomings can be quickly identified, ensuring the minimisation of consequent risks;
• search for synergies and dialogue with other control actors in order to avoid duplications and overlaps.
In consideration of the characteristics described above, this method presents by its very nature a
higher “control risk” [7] than on-site audit “inspections” at the federal office. In this sense it is not possible
to exclude that tests carried out on site and with procedures other than those described in this document
may reveal different results. However, the advantages of the approach used are connected:
• to the cost-benefit ratio, in terms of a control plan that annually impacts 64 different entities and that, with different procedures, could only be implemented with a high expenditure of resources both by the supervising entity and by the supervised subjects;
• to the possibility of identifying cross-cutting issues and of providing uniform solutions in a “system” perspective, generating possible economies of scale;
• to the “deterrent” effect generated by a periodical and constant monitoring cycle.
4.2 Logical structure
The monitoring process is developed through the following logical and time phases:
• identification of the management Areas to be monitored;
• identification and assessment of the inherent risks for each Area in question;
• identification of control measures;
• assessment of the adequacy of control measures;
• identification and communication of remedial actions.
The following paragraphs describe the operating methods of each phase.
***
Identification of management Areas to be monitored
The following are the management Areas identified as possible targets of the monitoring activity:
1. Fixed assets and Inventories.
2. Investments.
3. Receivables.
4. Treasury (Bank, cash, credit cards and advances).
5. Potential Payables and Liabilities.
6. Purchasing cycle.
7. Personnel.
8. Consultations, professional appointments and technical sport services.
9. Travel expenses.
10. Entertainment expenses, gifts and benefits.
11. Local Territory Committees.
[7] That is to say the risk that a failure of the internal federal control system may not be identified by the monitoring activity of the Supervisory Office.
A management Area is a uniform set of processes that identify groups of transactions, recorded in
specific balance sheet accounts, which normally present the same information system, the same
sequence of activities and the same organisational functions.
The Supervisory Office reserves the right to review/integrate the list of the aforementioned Areas,
subject to the approval of CONI’s National Board.
The Supervisory Office annually selects from 1 to 3 Areas to be proposed to the CONI National Board.
The selection is made based on weighted average scores [8] (value × weight) obtained from each Area in
relation to the following criteria:
a) nature of the accounting entries and complexity of processes;
b) regulatory changes;
c) distance in time from the last control/monitoring activities carried out;
d) outcome of previous control/monitoring activities;
e) presence of reports;
f) Area-related fraud risk.
[8] The score is calculated as the weighted average of the assessments obtained from each criterion.
The value of each criterion can be weighted using weights defined on a yearly basis by the Supervisory
Office to reflect the relative significance of the criterion.
a) Nature of the accounting entries and complexity of processes
High (score 3): The accounting entries that refer to this Area are normally estimates (e.g. risk fund, credit write-down funds) and/or the processes referring to this Area are usually highly concentrated from an organisational and decision-making point of view, i.e. the processes are, in most cases, not automatic.
Medium (score 2): The accounting entries referring to this Area are of a partially evaluative nature and/or the processes referring to this Area are, as a rule, characterised by a segregation that involves at least two organisational structures in an equal way, or the processes, in most cases, are automated through systems without interfaces and characterised by poorly structured control systems.
Low (score 1): The accounting entries referring to this Area are of a certain nature and/or the processes referring to the Area are characterised by a segregation involving at least three organisational structures in an equal way, or the processes, in most cases, are automated with integrated systems with structured controls.
b) Regulatory changes [9]
High (score 3): The Area has been subject to regulatory action in the last 3 financial years (introduction of new provisions or amendments to previous ones) with significant operational/procedural/accounting impacts on the NSF/ASD or from the point of view of the penalties to which the NSF/ASD can be exposed in the event of non-compliance.
Medium (score 2): The Area has been subject to regulatory action in the last 3 financial years (introduction of new provisions or amendments to previous ones) with impacts on the NSF/ASD that are not significant from an operational/procedural/accounting point of view and from the point of view of the penalties to which the NSF/ASD can be exposed in the event of non-compliance.
Low (score 1): The Area has not been subject to regulatory action in the last 3 financial years.
c) Distance in time from the last control/monitoring activities
High (score 3): The Area has not been monitored in the last 4 years.
Medium (score 2): The Area has not been monitored in the last 2 to 4 years.
Low (score 1): The Area has not been monitored in the last 2 years.
[9] In this context, by regulatory changes we mean changes to the applicable laws/regulations and/or CONI circulars and procedures.
d) Outcome of previous control/monitoring activities [10]
High (score 3): In the last periodical monitoring activity the Area presented a percentage of control measures assessed as inadequate and/or deficient in more than 30% of the total surveys carried out [11].
Medium (score 2): In the last periodical monitoring activity the Area presented a percentage of control measures assessed as inadequate and/or deficient in between 15% and 30% of the total surveys carried out, or, even if it falls in the “High” assessment cluster (above), the results of the follow-up activities have been such that the assessment has dropped to “Medium”.
Low (score 1): In the last periodical monitoring activity the Area presented a percentage of control measures assessed as inadequate and/or deficient in up to 15% of the total surveys carried out, or, even if it falls in the “Medium” assessment cluster (above), the results of the follow-up activities have been such that the assessment has dropped to “Low”.
e) Presence of reports
High (score 3): In the last 3 years, the Area has received at least one report followed up by an audit inspection that ended with denunciations/reports to the competent authorities or with the appointment of an external commissioner.
Medium (score 2): In the last 3 years the Area has received reports followed up by audit inspections that ended with recommendations regarding important aspects of the financial statements or of organisational procedures, or was subject to detailed reports for which the related investigations are still ongoing.
Low (score 1): In the last 3 years the Area has received reports subject to an audit that concluded with suggestions for improvement, or has not received reports in the last 3 years.
f) Area-related fraud risk
High (score 3): The Area is characterised by a high number of potential fraud schemes that can be empirically identified in the context of the NSF/ASD. The hypothetical fraud schemes are not complex (the activity/process involved is managed by a single structure) and/or the event can potentially generate significant economic impacts at unit level.
Medium (score 2): The Area is characterised by a high number of potential fraud schemes, even if not empirically identified in the context of the NSF/ASD. The hypothetical fraud schemes are fairly complex (the activity/process is managed by 2 structures) and/or, even if the event does not generate a significant economic impact at unit level, it is characterised by high frequency.
Low (score 1): The Area is not characterised by potential fraud schemes. Fraud schemes are highly complex (the activity/process involves at least 3 subjects belonging to different structures). These are low-impact, low-frequency fraud schemes.
[10] In the event that no monitoring activities have been carried out on the Area, this parameter is excluded from the assessment.
[11] The figure for the “total of surveys carried out” is calculated as the product of the number of control measures relating to the Area under survey and the number of NSF/ASD for which the monitoring activity has been carried out.
***
Identification and assessment of risks inherent to each Area in question
On the basis of the professional judgement and empirical experience of the Supervisory Office, the typical relevant risks are identified for each Area subject to annual monitoring with reference to the following categories:
• risks of reliability of financial reporting: events that may compromise the reliability of the financial statements;
• compliance risks: events that may involve the application of penalties or reputational damage as a consequence of violations of laws/regulations and/or CONI’s circulars and regulations;
• fraud risks: events that may involve:
  o the maliciously altered and deceptive representation of the economic, financial and equity situation;
  o the misappropriation of federal goods and assets;
  o the non-compliant or illegal assignment of advantages or benefits to external and/or internal parties.
In order to identify typical and significant risks, we have applied a statistical derivation approach that
allows the formulation of reasonably valid conclusions, even if they cannot be mathematically measured in
terms of the risk exposure of the various management Areas.
In other words, it is a matter of planning repeated surveys of the processes connected to the Area:
observing the different implementations of a process at a given moment (t), we obtain a random
variable X(t) which includes the different values that the process could take at that precise moment (t).
These values, detected at the instant (t), will presumably be distributed according to a normal (Gaussian) curve
around the mean value. Therefore, for each time instant, the most probable value of the process can be
defined together with the relative variance index or standard deviation. For the purpose of identifying a specific
risk, for each process of the Area it is necessary to assess whether, among the possible values that
the process could take at any instant in time (t) (beyond the one which, on average and “normally”, it
assumes in that given moment), it is possible to identify a value that represents a typical and relevant
event/risk with reference to the aforementioned categories. Once a specific risk has been identified, meaning a
hypothetical value that a process can take at a given moment (t), both a “probability” and an “impact”
must be associated with it.
The risk weighting has the sole purpose of establishing the priorities of the identified risks.
The weighting or assessment of the inherent risk is carried out by combining the following dimensions:
• Probable occurrence, or the frequency of the occurrence of a risk event;
• Potential impact, or the possible effect that the occurrence of the risk event may have on achieving the goals of the NSF and ASD.
In relation to probable occurrence, the following elements are taken into consideration for each risk category (reliability of financial reporting, compliance, fraud):
High
• Reliability of financial reporting: The accounting records derive from complex calculations or writings, consisting of coordinated, connected and non-automated surveys (i.e. managed by specific management software). Accounting entries are mainly estimates.
• Compliance: The specific process/activity is governed by complex and highly structured regulations and is subject to numerous/frequent interpretations/case studies. The specific process/activity has been subject in the last 3 years to regulatory actions with significant operational/procedural/accounting impacts.
• Fraud: The advantage or the hypothetical interest of the conduct is concrete, direct and immediate. The activity/process is managed by a single structure. The documentation supporting the process presents highly technical contents. Accounting entries are mainly estimates. There are historical cases/empirical evidence related to the manifestation of the risk event.
Medium
• Reliability of financial reporting: The accounting records derive from complex calculations or writings, consisting of surveys connected to each other and of automated coordinates (i.e. managed by specific management software). Accounting entries are partly of an estimate nature.
• Compliance: The specific process/activity is governed by specific technical legislation but with a clear and systematic application. The specific process/activity has been subject in the last 3 years to regulatory actions with operational/procedural/accounting impacts that do not present particular difficulties in management and implementation.
• Fraud: The advantage or the interest of the conduct is hypothetical but without strong motivational elements. The activity/process is managed by 2 structures. The documentation supporting the process presents technical contents, but on average understandable, or it is the subject of communication. Accounting entries are partly of an estimate nature. There are historical cases/empirical evidence related to the risk event, even if not directly attributable to the “sport” system.
Low
• Reliability of financial reporting: Accounting entries are typical, frequent and not complex and/or accounting entries do not present assessment elements.
• Compliance: The specific process/activity is not governed by complex or technical regulations and/or has been subject in the last 3 years to regulatory actions.
• Fraud: The advantage or the hypothetical interest of the conduct is difficult to postulate. The activity/process involves at least 3 subjects belonging to different structures. The supporting documentation/acts in which the conduct is substantiated are disseminated and the content easily usable. Accounting entries are certain. There are no documented historical cases related to the manifestation of the risk event.
In relation to its potential impact, the following elements are taken into consideration for each risk category (reliability of financial reporting, compliance, fraud):
High
• Reliability of financial reporting: Event that affects the overall representation of the financial statements, making them unreliable.
• Compliance: Event involving economic or administrative sanctions or commissioning by the CONI.
• Fraud: Event that impacts on the continuity of the NSF/ASD (e.g. the NSF/ASD is put under the administration of an external commissioner) with widespread attention from the national and international media.
• Event that affects the performance of activities and processes with a significant impact on the pursuit of objectives.
Medium
• Reliability of financial reporting: An event that does not affect the overall reliability of the financial statements but which generates the need to revise individual items.
• Compliance: An event that may result in administrative sanctions or audits by CONI.
• Fraud: An event that generates the need to report to the authorities, with ongoing attention over time by the local media.
• An event which, while having an impact on the smooth running of activities and processes, does not affect the pursuit of objectives.
Low
• Reliability of financial reporting: An event that does not affect the overall reliability of the financial statements but which highlights the need to strengthen skills and administrative-accounting processes.
• Compliance: An event that does not generate sanctions but which necessitates an in-depth and/or corrective action.
• Fraud: An event that does not involve formal reporting to the authorities and generates marginal interest in the local media.
• An event that does not compromise the activities and processes nor the pursuit of objectives, but which involves a significant review of the activities and processes involved.
The assessment of inherent risk is carried out by combining the levels of probability of occurrence and
potential impact through the following matrix:
Inherent risk
Risk of high and medium value (respectively “red” and “yellow” in the matrix) are considered relevant
and therefore subject to subsequent monitoring phases.
***
Identification of control measures
Controls for the mitigation of significant risks (from 1 to n) are logically identified, then detected and
assessed at each NSF and ASD during the subsequent monitoring phases.
The set of controls associated with each risk is designated as a “control point”.
In particular, controls are identified taking into account the efficiency/cost efficiency principle [12], as well
as the following reference criteria/parameters:
• Relevance: the set of controls must be suitable to mitigate a risk (for example identifying potential anomalies);
• Optimisation: controls are identified avoiding duplications in the same Area;
• Prevention: “preventive” controls are preferable to “investigative” controls as they aim to prevent the occurrence of a risk event rather than detecting the event once it has occurred;
• Automation: controls which can be carried out automatically are preferable to those which require manual execution;
• Reliability: controls must be based on reliable data, information and facts;
• Independence: controls must not depend on other controls, discretionary elements or other factors that may not be controlled.
[12] The assessment of the efficiency/cost efficiency of controls is based on the cost (not only in terms of the necessary resources, but also of the impact on the speed of decision-making processes) of carrying out a control, compared with its benefits (in terms of risk mitigation, i.e. reduction of the potential impact and probability of a risk occurring). In general, if the cost of carrying out a control is lower than the benefit deriving from the reduction of risks, the control can be considered efficient.
Each identified control is defined in terms of attributes, which constitute its essential and objective
elements. Identifying these attributes has the effect of minimising the subjective element that is
necessarily part of an assessment.
In addition to controls, the risk of fraud can be monitored through specific indicators of anomalies
(known as red flags), consisting in symptomatic conditions, situations, clues that can be connected to
fraudulent activities or the relevant concealment strategies.
4.3 Assessment of the adequacy of control measures
During monitoring, each attribute of each control is associated with two variables:
• the score (s);
• the weight (w).
The score, during the assessment, can only take two values (0, 1) depending on whether there is
sufficient documentary evidence for the identified attribute.
The weight, which is predefined, is a function of the relevance of an attribute or of a red flag with
respect to the other parts of the control.
In assessing the adequacy of each control point, the following steps are followed:
Step 1: definition of the top score hypothetically obtainable (Vm) by each control (C)
The score expresses the complete adequacy of the control to mitigate the risk and is expressed by the
following formula:
In other words, this score is achieved when all the expected attributes referring to the control are
present.
Step 2: calculation of the actual score (V) obtained by each control (during the assessment).
This score is expressed by the following formula:
In other words, this score indicates that the document verification has confirmed that each attribute
exists and/or is adequate.
Step 3: synthetic assessment of each control (VALcont).
The summary assessment of the control to which the attributes are referred is defined by the following
ranges:
• VALcont Effective: if the ratio V/Vm exceeds 0.8, i.e. more than 80% of the expected attributes are confirmed to exist.
• VALcont Partially effective: if the ratio V/Vm is between 0.5 and 0.8, i.e. between 50% and 80% of the expected attributes are confirmed to exist.
• VALcont Ineffective: if the ratio V/Vm is below 0.5, i.e. less than half of the expected attributes are confirmed to exist.
Step 4a: assessment of control oversight (VALpres_a).
The summary assessment of the control point is carried out by assigning to the assessment range
obtained by individual controls (VALcont) the following scores:
• VALcont Effective = 3
• VALcont Partially effective = 2
• VALcont Ineffective = 1
The assessment of the control point (VALpres_a) is defined by the average score associated with the
individual controls (C) that make up the control point:
The control point is synthetically assessed based on the following range:
• Adequate, namely the control point is confirmed to be logically adequate to prevent risk events or to promptly remove their consequences: VALpres_a > 2.5
• Inadequate, when the control point will presumably be unsuitable to completely or systematically prevent the risk event or to promptly remove its consequences: 1.5 ≤ VALpres_a ≤ 2.5
• Deficient, when the control point does not appear suitable to reduce the possibility of risk events occurring to a remote level: 1 ≤ VALpres_a < 1.5
Step 4b: Assessment of control points in the event of red flags (VALpres_b).
In relation to the risks of fraud, specific red flags can be identified in addition to controls.
If a red flag, understood as an anomaly or “false positive” signal, is present, then the score obtained by
the control point (step 4a) is decreased in line with the relevance of the red flag; the scale of such
decrease is assessed by professional judgement.
Controls can also be associated to a weight (w) in relation to their “relative” significance with respect to
the control point. In this event, the assessment of the control point (VALpres) with reference to the risk in
question is defined by the following formula:
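The formulas themselves are not reproduced on this page. The following is an added worked example of steps 1 to 4b, not code from the methodology document or any CONI tool; it assumes Vm = sum of the attribute weights, V = sum of score × weight, VALpres_a = simple mean of the 3/2/1 control scores, the weighted VALpres = mean weighted by each control's w, and a red-flag reduction supplied as a penalty chosen by the assessor. All control and attribute names, weights and scores are constructed.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Attribute:
    """Essential, objective element of a control; score 0/1 = evidence found or not."""
    name: str
    weight: float   # predefined relevance of the attribute within the control
    score: int

    def __post_init__(self) -> None:
        if self.score not in (0, 1):
            raise ValueError(f"{self.name!r}: score must be 0 or 1, got {self.score}")

@dataclass
class Control:
    """A control (C); `weight` is its relative significance within the control point."""
    name: str
    attributes: List[Attribute]
    weight: float = 1.0

    def vm(self) -> float:
        # Step 1 (assumed formula): top score, reached when every attribute is present.
        return sum(a.weight for a in self.attributes)

    def v(self) -> float:
        # Step 2 (assumed formula): score actually confirmed by document verification.
        return sum(a.score * a.weight for a in self.attributes)

def valcont(control: Control) -> str:
    """Step 3: synthetic assessment of one control from the ratio V/Vm."""
    vm = control.vm()
    if vm <= 0:
        raise ValueError(f"{control.name!r} has no weighted attributes")
    ratio = control.v() / vm
    if ratio > 0.8:       # strictly more than 80% of the attributes confirmed
        return "Effective"
    if ratio >= 0.5:      # from 50% up to and including 80%
        return "Partially effective"
    return "Ineffective"

VALCONT_SCORE = {"Effective": 3, "Partially effective": 2, "Ineffective": 1}

def valpres_a(controls: List[Control]) -> float:
    """Step 4a: simple average of the scores of the controls in the control point."""
    if not controls:
        raise ValueError("a control point needs at least one control")
    return sum(VALCONT_SCORE[valcont(c)] for c in controls) / len(controls)

def valpres_weighted(controls: List[Control]) -> float:
    """Weighted variant (assumed formula): control scores weighted by each
    control's relative significance w within the control point."""
    total_w = sum(c.weight for c in controls)
    if total_w <= 0:
        raise ValueError("control weights must sum to a positive value")
    return sum(VALCONT_SCORE[valcont(c)] * c.weight for c in controls) / total_w

def apply_red_flag(valpres: float, penalty: float) -> float:
    """Step 4b: a red flag lowers the control-point score by an amount set by
    professional judgement (`penalty`); the result is floored at 1."""
    if penalty < 0:
        raise ValueError("penalty cannot be negative")
    return max(1.0, valpres - penalty)

def control_point_range(valpres: float) -> str:
    """Map VALpres to its range: Adequate (> 2.5), Inadequate (1.5 to 2.5
    inclusive) or Deficient (below 1.5)."""
    if valpres > 2.5:
        return "Adequate"
    if valpres >= 1.5:
        return "Inadequate"
    return "Deficient"

# Constructed sample: a hypothetical control point for a Treasury-area risk.
# Control and attribute names, weights and scores are illustrative only.
CONTROL_POINT = [
    Control("Bank reconciliation", [
        Attribute("monthly frequency", 2, 1),
        Attribute("prepared by treasury staff", 1, 1),
        Attribute("reviewed by a second person", 1, 1)], weight=2),
    Control("Cash advance authorisation", [
        Attribute("written request", 2, 1),
        Attribute("limit per advance respected", 1, 0),
        Attribute("settled within deadline", 1, 0)]),
    Control("Petty cash count", [
        Attribute("surprise count performed", 1, 0),
        Attribute("count record signed", 1, 1),
        Attribute("differences investigated", 1, 0),
        Attribute("custody segregated", 1, 0)]),
]

if __name__ == "__main__":
    for c in CONTROL_POINT:
        print(f"{c.name}: V/Vm = {c.v():.0f}/{c.vm():.0f} -> {valcont(c)}")
    va = valpres_a(CONTROL_POINT)
    flagged = apply_red_flag(va, 0.75)
    print(f"VALpres_a = {va:.2f} ({control_point_range(va)}); "
          f"weighted = {valpres_weighted(CONTROL_POINT):.2f}; "
          f"after red flag 0.75 = {flagged:.2f} ({control_point_range(flagged)})")
```

Note that a control whose ratio is exactly 0.8 is "Partially effective" (the text requires the ratio to exceed 0.8), and a VALpres_a of exactly 2.5 is "Inadequate".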
4.4 Representation of the assessment outcomes
The level of residual risk is determined by the relationship between the level of inherent risk and the
range of assessment of the control point (VALpres). However, this assessment range, calculated as
described above, may be subject to revisions depending on the identification of corrective, endogenous
and/or exogenous factors, which have an improving or deteriorating effect on the assessment of the
control point.
These are factors that cannot be foreseen during the logical processing of the assessment forms, but
which emerge during verification and are the subject of motivated professional judgement (for example:
presence of compensatory controls, presence of external controls, etc.).
The relationship between level of inherent risk, assessment of control points, level of residual risk is
expressed through the following correlation matrix:
The level of residual risk determines the forecast of the following actions:
• Opportunity Area: The control system is considered satisfactory, as a whole, depending on its suitability to mitigate the inherent risk; therefore the NSF/ASD are obliged to maintain and monitor the state of their control systems and, in some cases, the NSF/ASD should consider the opportunity to strengthen them further.
• Area for improvement: The control system is considered partially effective in relation to its ability to mitigate the “medium” inherent risk; therefore, the NSF/ASD are invited to constantly monitor the activities at risk and carry out the suggested interventions over the medium term.
• Intervention Area: The control system is considered partially effective in relation to its ability to mitigate the “high” inherent risk; therefore, the NSF/ASD are invited to reinforce certain aspects related to controls and provide feedback in the follow-up carried out by the Supervisory Office.
• Priority Area: The control system is inadequate in relation to its ability to mitigate the level of inherent risk; therefore, the NSF/ASD are obliged to give priority and act promptly to implement the suggested controls and provide feedback in the follow-up checks by the Supervisory Office, which may in certain cases require the National Board to carry out specific on-the-spot checks.
4.5 Procedural aspects
The Supervisory Office selects the separate areas for auditing the NSFs and ASDs and submits them to
the Secretary General of CONI for approval by the National Board, which normally takes place within
the first four months of each year. After approval, the Supervisory Office:
prepares its own assessment form formats;
periodically, on an ongoing basis, sends to the NSF/ASD requests for the information, data and
documents necessary for the implementation of the tests, communicating the relative deadlines.
In carrying out the tests, the Office may request additional documentation and meetings. The NSF/ASD
may ask for clarification and support. Upon justified request, the Supervisory Office may agree to one
or more extensions of the deadlines.
The Supervisory Office may send reminders in the event the requested information fails to be
transmitted or is delayed.
If it is not possible to receive the documentation within a reasonable period for the purposes of the
analysis, the NSF/ASD, upon notice, is excluded from monitoring activities and the Supervisory Office
will inform the National Board for the relevant assessments.
The operations described above can be carried out taking into account the following two possibilities:
1) Relations with the Auditors
Annually, the Supervisory Office assesses the possibility of involving the Boards of Auditors of the NSF
and/or ASD in the monitoring activity, also in relation to the Areas being analysed and taking into
account possible synergies on common control Areas. In this case, the Office:
a) asks each federal Board of Auditors for its availability;
b) if they accept, informs the Federation and provides the Board with the procedures, the formats and
the list of documents to be used for the execution of the activities, agreeing the related deadlines;
c) in the course of the activities, may request each of the Boards (or they may request the Office) to
schedule one or more meetings aimed at sharing the progress made and the content;
d) at the end of the activities, holds a closing meeting with the Board, during which the Board submits
the working documentation to the Office.
The Office may request further information, from the Board, on the activities carried out and request
access to the documentation and data analysed by the Board to carry out the monitoring.
The Office can always take over the activities assigned to the Board, upon communication to the
Federation and to the Board itself.
2) Relations with the NSF/ASD auditing companies
The Supervisory Office may request a review of the audit procedures implemented by the auditing
company and of the relevant report; it may then identify, among the management Areas subject to
yearly monitoring, any common Areas and/or methods of intervention and exclude them from its own
activities by acknowledging the results of the auditing company, also in order to avoid a double set of
controls at the NSF.
***
After the analysis, the Supervisory Office draws up:
a summary report to be transmitted to the Secretary General of the CONI and to the National
Board,
the audit forms, sent by the Secretary General and containing the specific actions suggested to
each NSF/ASD.
The Office can propose to the Secretary General of the CONI and to the National Board to carry out
actions in support of NSF/ASD on possible cross-cutting issues.
The Supervisory Office can, after sending the forms, also at the request of the NSF/ASD or their
Boards, carry out meetings to examine, share and possibly review the actions suggested in the forms.
The Office can also carry out a regular follow-up, with a view to gaining feedback on the state of the
implementation of the suggested actions, preparing a memorandum for the Secretary General of the
CONI and the National Board on the state of implementation of specific and cross-sectional actions.
5 Audit inspections
This chapter illustrates some general aspects of the specific tests and inspections carried out by the
Supervisory Office in relation to the power/duty of direction and control over the National Sports
Federations (NSF), the Associate Sport Disciplines (ASD) and the Institutions for the Promotion of
Sports (IPS), established by the Law and the Articles of Association of CONI.
These audits are carried out by the Supervisory Office of CONI Servizi, which can also seek external
help, on behalf of the CONI National Board.
The Secretary of CONI must inform the Top Management of the Federation when audits are started.
By way of example and without limitation, audits of this type can be initiated as a result of:
anomalies and critical issues emerging from the remote monitoring of the NSF/ASD;
reports, including anonymous ones, provided they are adequately detailed;
findings and/or information contained in the minutes of the Boards of Auditors or communicated by
individual members;
requests from the NSF/ASD/IPS themselves;
investigations, inspections or other interventions carried out by external authorities;
news broadcast by the media or other specific situations or circumstances however known.
The audits may also concern companies directly or indirectly owned by the NSF/ASD/IPS.
CONI and CONI Servizi guarantee the confidentiality of the identity of the whistle-blower, the protection
of the data and of the identity of the reported person, and of any third parties that may emerge in the
context of the reports and auditing activity, in compliance with the regulations in force for the protection
of personal data (Legislative Decree 196/03), the provisions of the National Anti-Corruption Authority
(ANAC) and the provisions of the Three-year Corruption Prevention Plan shared by CONI and CONI
Servizi.
CONI and CONI Servizi do not take into consideration reports that are unsubstantiated or abusive, or
that exclusively concern the private life of persons, and undertake to prosecute the authors of reports
that prove to be libellous, defamatory or otherwise made in bad faith, taking the appropriate actions
after receiving such reports or upon completion of the related checks.
The operating procedures of the preventive tests (monitoring) and of the specific tests and inspections
are regulated, also in compliance with the principles defined in the CONI Policies and Guidelines and in
the procedures established in relation to the Three-year Corruption Prevention Plan shared by CONI and
CONI Servizi, approved by CONI’s National Board and CONI Servizi’s Board of Directors.