Risk management and internal control systems. Reference Framework

Transcription

1 Risk management and internal cntrl systems Reference Framewrk

2 FOREWORD This AMF Reference Framewrk fr French cmpanies whse securities are admitted t trading n a regulated market is a revised and enhanced new editin f the Reference Framewrk published in January The first editin was cmpiled by a grup that prduced remarkable wrk under the chairmanship f Jean Cedelle and Guillaume Gasztwtt. It was supplemented by an applicatin guide fr internal cntrl f accunting and financial infrmatin published by issuers prduced under the authrity f Michel Léger. It has prvided a genuine tl fr imprvement fr the many cmpanies that have adpted the reference framewrk ver the last three years. This new editin is presented in the same spirit as the riginal. It is a reference tl fr cmpanies t imprve versight f activities and t ensure that they achieve their bjectives. As in the case f the riginal framewrk, nthing is bligatry. It is a methdlgy that needs t be adapted t the infinite variety f individual circumstances resulting frm the business activities, size and rganisatinal structures f the cmpanies cncerned. Even thugh it is in the same vein as the riginal editin, the new editin includes several substantial imprvements t the 2007 reference framewrk. It als incrprates changes made t laws and regulatins since The Act f 3 July 2008 and the Order f 8 December 2008 transpsed int French law the Eurpean Directives that create new requirements fr listed cmpanies with regard t risk management and set ut the duties f audit cmmittees. This editin als incrprates changes in the main internatinal standards and, mre specifically, COSO II and ISO In January 2008, the AMF published an applicatin guide fr the 2007 reference framewrk that is adapted fr small cap and midcap cmpanies. This guide has als been updated and can be used as an aid fr small caps and midcaps, which are currently defined as cmpanies with a market capitalisatin f less than 1 billin eurs. The AMF is happy t make this cntributin t gd management and, cnsequently, t the prtectin f investrs in French cmpanies. It wuld like t express its heartfelt thanks t the members in the wrking grup that updated the reference framewrk that it publishes. Special mentin must be made f Gérard Lancner, Chairman f AMRAE, Bénédicte Hut de Luze, Scientific Directr f AMRAE, Luis Vaurs, f IFACI, and Michel Léger, Chairman f BDO, fr their utstanding cntributin. Etienne Cunin, Chief Accuntant s Deputy was the rapprteur fr the applicatin guide fr the 2007 editin and he played the same rle fr the 2010 editin f the reference framewrk. The Chairman f the wrking grup Olivier Pupart-Lafarge Member f the AMF Bard 1

3 CONTENTS FOREWORD... 1 CONTENTS... 2 I - INTRODUCTION The cntext Apprach... 3 II - GENERAL RISK MANAGEMENT AND INTERNAL CONTROL PRINCIPLES General risk management principles Crdinatin f risk management with internal cntrl General internal cntrl principles Scpe f risk management and internal cntrl Risk management and internal cntrl players Statutry auditrs rle Limitatins f risk management and internal cntrl III. QUESTIONNAIRES ON GENERAL PRINCIPLES Risk management questinnaire Internal cntrl questinnaire IV. APPLICATION GUIDE FOR INTERNAL CONTROL PROCEDURES RELATED TO THE ACCOUNTING AND FINANCIAL INFORMATION PUBLISHED BY THE ISSUERS

4 I - INTRODUCTION 1. The cntext Eurpean Directive 2006/46/EC n the annual accunts and cnslidated accunts f cmpanies amends the furth and seventh Eurpean Directives and stipulates, A cmpany whse securities are admitted t trading n a regulated market shall include a crprate gvernance statement in its annual reprt. That statement shall be included as a specific sectin f the annual reprt and shall cntain [ ] a descriptin f the main features f the cmpany's internal cntrl and risk management systems in relatin t the financial reprting prcess. The Act f 3 July 2008 transpsed this Directive int French law and supplemented the Financial Security Act f 1 August 2003 at the same time. This resulted in amendments t Articles L and L f the Cmmercial Cde that extend the scpe f the chairman s reprt n internal cntrl and risk management prcedures implemented by cmpanies making public fferings t include details abut prcedures relating t financial reprting fr the parent cmpany financial statements and, where apprpriate, the cnslidated financial statements. Article 41 f the Eurpean Directive 2006/43/EC n statutry audits (Eighth Directive) requires an audit cmmittee t be created with the fllwing duties: mnitring the financial reprting prcess; mnitring the effectiveness f the internal cntrl, internal audit and, where apprpriate, risk management systems; mnitring the statutry audit f the annual financial statements and the cnslidated financial statements; examining and mnitring the independence f the statutry auditr r the audit firm. The Order f 8 December 2008, which transpses the Eurpean Directive n statutry audits int French law, institutes specialised cmmittees, r audit cmmittees, fr entities issuing securities that are admitted t trading n a regulated market, as well as fr credit institutins, insurance and re-insurance cmpanies, mutual insurance cmpanies and prvident institutins. The Order mentins the fur specific duties in the Directive, but it des nt mentin mnitring the effectiveness f internal audits. Instead it stipulates that these duties are part f a general duty t ensure mnitring f matters relating t financial reprting and auditing. The cmmittees act under the exclusive and cllective respnsibility f the members f the administrative bdy r the supervisry bdy, as the case may be, and they act withut prejudice t the attributes f the administrative, management r supervisry bdies. The Order prvides fr exemptins when: persns and entities that have a bdy that perfrms the functins f the specialised cmmittee stipulated in Article L , prvided that this bdy, which may be the administrative bdy r the supervisry bdy, is identified and its membership is disclsed (4 f Article L f the Cmmercial Cde). Under these circumstances, in September 2009, the AMF charged a wrking grup t draft a guide n audit cmmittees and t adapt the 2007 AMF reference framewrk in rder t supplement the sectin n risk management. 2. Apprach The Wrking Grup initially tk a pragmatic apprach that fcused n recnciling: French regulatins, recmmendatins made in the reprts n crprate gvernance, changes in Eurpean Directives, and best practices bserved in ther cuntries. 3

5 With respect t the reference framewrk fr internal cntrl, the wrking grup riginally examined tw renwned standards, which were COSO 1 and the Turnbull Guidance 2 in the United Kingdm. With respect t risk management, the wrking grup deemed it apprpriate t take advantage f the legislative amendments f July 2008 t develp the risk management prvisins and, fr this purpse, it based its wrk n majr internatinal standards, such as COSO II 3 and ISO 31000: The wrking grup als ensured that the reference framewrk is cmpliant with the Eurpean Directives, and the Eighth Directive n statutry audits in particular. * * * The wrking grup drafted this reference framewrk fr internal cntrl and risk management based n dmestic and Eurpean laws and regulatins, alng with gd gvernance practices that are already recgnised in France and the main internal cntrl and risk management mdels. It includes: general internal cntrl and risk management principles; a general questinnaire n internal cntrl fr accunting and financial reprting and anther general questinnaire n risk analysis and management, which is a key cmpnent f any internal cntrl system; an applicatin guide n internal cntrl and risk management with regard t accunting and financial infrmatin published by issuers. This guide culd be prvided t the relevant functins f a cmpany and used, as needed, fr drafting the chairman s reprt n internal cntrl and risk management prcedures relating t financial reprting. * * * * * * This reference framewrk is based n general principles and nt n binding rules. This framewrk is nt intended t be binding n cmpanies, nr is it intended t take the place f specific regulatins applying t certain business sectrs, such as banking and insurance. It can be used by cmpanies whse securities are admitted t trading n a regulated market t supervise and, as the case may be, develp their internal cntrl and risk management systems. Yet it des nt give directives n hw t design their rganisatinal structure. Each cmpany is respnsible fr its wn rganisatin and, cnsequently, fr its internal cntrl and risk management systems, which shuld be part f a gd gvernance framewrk as presented in the reprts by French industry rganisatins. Ultimately, it is a tl that shuld ensure greater unifrmity f the cncepts underpinning the drafting f chairmen s reprts n internal cntrl and risk management and the wrk f audit cmmittees. 1 COSO (Cmmittee f Spnsring Organizatins f the Treadway Cmmissin) published an Internal cntrl- Integrated Framewrk in Guide develped by ICAEW (Institute f Chartered Accuntants in England and Wales) and published in This guide was updated by the Financial Reprting Cuncil in COSO II published the Entreprise Risk Management Integrated Framewrk 4

6 II - GENERAL RISK MANAGEMENT AND INTERNAL CONTROL PRINCIPLES Risk-taking is an inherent trait f any enterprise. There can be n grwth r creatin f value in a cmpany withut risk-taking. Hwever, if risks are nt prperly managed and cntrlled, they can affect the cmpany s ability t attain its bjectives. Risk management and internal cntrl systems play a key rle in directing and guiding the cmpany s varius activities by cntinually preventing and managing risks. 1. General risk management principles A) Definitin Risk management is the business f every stakehlder in a cmpany. It shuld be cmprehensive and cver all f the cmpany s activities, prcesses and assets. Risk management is a dynamic system, defined and implemented under the cmpany s respnsibility. Risk management encmpasses a set f resurces, behaviurs, prcedures and actins that is adapted t the characteristics f each cmpany and that enables managers t keep risks at an acceptable level fr the cmpany. Risk represents the pssibility f an event ccurring that culd affect the cmpany s persnnel, assets, envirnment, bjectives r reputatin. B) Risk management gals Risk management is a lever fr managing the cmpany that helps: a) Create and preserve the cmpany s value, assets and reputatin: Risk management is used t identify and analyse the main ptential threats and pprtunities fr the cmpany. The aim is t anticipate risks instead f submitting t them passively, thus preserving the cmpany s value, assets and reputatin. b) Secure decisin-making and the cmpany s prcesses t attain its bjectives: Risk management aims t identify the main events and situatins that culd have a significant impact n the attainment f the cmpany s bjectives. Cntrlling these risks facilitates the attainment f these bjectives. Risk management is an integral part f the cmpany s decisin-making and perating prcesses. It is an versight and decisin-making aid. Risk management gives managers an bjective and cmprehensive utlk n the cmpany s ptential threats and pprtunities. It enables managers t take measured and infrmed risks and prvides a basis fr their decisins regarding the attributin f human and financial resurces. c) Prmte the cnsistency f the cmpany s actins with its values: Many risks reflect a lack f cnsistency between the cmpany s values and day-t-day decisin-making and actins. These risks mainly threaten the cmpany s credibility. d) Bring the cmpany s emplyees tgether behind a shared visin f the main risks and raise awareness f the risks inherent in their activity. 5

7 C) Cmpnents f the risk management system It is up t each cmpany t create a risk management system that is apprpriate t its specific circumstances. The risk management system includes: 1) An rganisatinal framewrk with: a rganisatinal structure that defines rles and respnsibilities, sets ut the prcedures and clear and cnsistent standards fr the system, a risk management plicy that frmally sets ut the system bjectives in accrdance with the crprate culture, the cmmn language, the apprach t identifying, analysing and managing risks and, as the case may be, the risk limits that the cmpany sets (risk tlerance), an infrmatin system that disseminates risk infrmatin internally. 2) A three-stage risk management prcess in the cmpany s internal and external cntext: Risk identificatin: this stage indentifies and centralises the main risks threatening the attainment f the cmpany s bjectives. A risk is a threat r a missed pprtunity. It invlves an event, ne r mre surces and ne r mre cnsequences. Risk identificatin is part f an nging apprach. Risk analysis: in this stage, the ptential financial, persnal, legal and reputatinal cnsequences f the main risks are examined and the likelihd f their ccurrence is assessed. This is an nging apprach. Risk management prcedures: in this stage, the mst apprpriate actin plan r plans fr the cmpany are chsen. Several measures can be cnsidered t maintain acceptable risk levels: reducing, transferring, eliminating r accepting a risk. The chice is made by weighing the pprtunities against the cst f risk management measures, with due cnsideratin f their ptential effects n the ccurrence and/r cnsequences f the risk. 3) Onging versight f the risk management system: The risk management system is subject t supervisin and peridic reviews. Mnitring the system cntributes t nging imprvements. The bjective is t identify and analyse the main risks and t learn the lessns f risks that ccurred. A risk management questinnaire can be fund in Chapter III.1 Risk management questinnaire. 2. Crdinatin f risk management with internal cntrl Risk management and internal cntrl systems cmplement each ther in cntrlling the cmpany s activities. The risk management system aims t identify and analyse the cmpany s main risks. Risks that exceed the acceptable levels set by the cmpany are dealt with and, as the case may be, subject t plans f actin. These plans may call fr the implementatin f cntrls, a transfer f the financial cnsequences (thrugh insurance r an equivalent mechanism) r an adaptatin f the rganisatinal structure. The cntrls t be implemented are part f the internal cntrl system. In this way the internal cntrl system cntributes t the management f the risks incurred in the cmpany s activities. The internal cntrl system relies n the risk management system t identify the main risks that need t be cntrlled. In additin, the risk management system needs t include cntrls that are part f the internal cntrl system and aimed at ensuring the prper functining f the risk management system. 6

8 The crdinatin and balance between the tw systems depend n the cntrl envirnment, which cnstitutes their shared fundatin, and, mre specifically: the cmpany s wn risk and cntrl culture and its ethical values. 3. General internal cntrl principles A) Definitin Internal cntrl is a system that the cmpany defines and implements under its wn respnsibility. It encmpasses a set f resurces, behaviurs, prcedures and actins that are adapted t the individual circumstances f each cmpany that: cntribute t cntrl ver its activities, the efficiency f its peratins and efficient use f its resurces, and enable the cmpany t assess all significant peratinal, financial and cmpliance risks apprpriately. Mre specifically, the system aims t ensure: a) cmpliance with laws and regulatins; b) implementatin f the instructins and directins given by executive management r the executive bard; c) prper functining f the cmpany s internal prcesses, especially thse relating t the prtectin f its assets; d) reliability f financial infrmatin. Therefre, internal cntrl is nt limited t a set f prcedures r t accunting and financial prcesses. The definitin f internal cntrl des nt cver all f the initiatives taken by the executive r management bdies, such as defining the cmpany s strategy, setting bjectives, making management decisins, dealing with risks and mnitring perfrmance. Furthermre, internal cntrl cannt prvide an abslute guarantee that the cmpany s bjectives will be achieved. B) Internal cntrl bjectives The internal cntrl bjectives are aimed mre particularly at ensuring: a) Cmpliance with laws and regulatins This means cmpliance with the laws and regulatins applying t the cmpany. The laws and regulatins in frce set standards f cnduct that the cmpany incrprates int its cmpliance bjectives. Given the many areas cncerned, such as cmpany law, cmmercial law, envirnmental law and scial law, the cmpany needs an rganisatinal structure that enables it t: be aware f the varius rules applying t it; be infrmed in a timely manner f changes t these rules via a legislatin watch; transpse these rules int its internal prcedures; infrm emplyees and train them in the rules that cncern them. b) Implementatin f the instructins and directins given by executive management r the executive bard Instructins and directins frm executive management r the executive bard help emplyees understand what is expected f them and what scpe they have fr freedm f actin. These instructins and directins must be cmmunicated t the emplyees cncerned, based n the bjectives allcated t each f them, s as t prvide guidance n hw their activities shuld be cnducted. The instructins and directins must be defined in accrdance with the cmpany s verall bjectives and the risks incurred. c) Prper functining f the cmpany s internal prcesses, especially thse relating t the prtectin f its assets All peratinal, industrial, cmmercial and financial prcesses are cncerned. In rder fr prcesses t functin crrectly, standards r perating principles have t be established, alng with mnitring indicatrs. 7

9 The term assets refers nt nly t tangible assets, but als t intangible assets, such as knw-hw, image and reputatin. Theft, fraud, lack f prductivity, errrs, as well as pr management decisins and internal cntrl weakness, can make these assets disappear. The related prcesses require special attentin. The same is true fr prcesses relating t financial reprting. These prcesses include nt nly thse which deal directly with the preparatin f financial reprts, but als the peratinal prcesses which generate the accunting data. d) Reliability f financial infrmatin Reliability f financial infrmatin can nly be achieved by implementing internal cntrl prcedures that prmte faithful recrding f all the rganisatin s peratins. The quality f the internal cntrl system can be imprved by: segregatin f duties, fr a clear separatin between recrding duties, peratinal duties and recrd retentin duties; functin descriptins, which shuld make it pssible t identify the rigin f the infrmatin prduced and its recipients; an accunting internal cntrl system t ensure that the peratins have been perfrmed in accrdance with general and specific instructins, and that the accunting system prduces financial reprting that cmplies with generally accepted accunting principles. C) Internal cntrl cmpnents Intrductin The main directins fr internal cntrl are determined in accrdance with the cmpany s bjectives. These bjectives must be adapted t the cmpany and clearly cmmunicated t emplyees s that they can understand and adhere t the rganisatin s risk and cntrl plicy. Internal cntrl will be mre relevant if it is built n rules f cnduct and integrity upheld by the gvernance bdies and cmmunicated t all emplyees. It must nt be a purely frmal system where serius breaches in business ethics culd ccur n the sidelines. It is true that the internal cntrl system cannt, in itself, prevent cmpany persnnel frm cmmitting fraud, cntravening legal r regulatry prvisins, r cmmunicating misleading infrmatin utside the cmpany abut its situatin. In this cntext, leading by example (r Tne at the Tp ) is key t disseminating values within the cmpany. Cmpnents The internal cntrl system cnsists f five clsely related cmpnents. Althugh these cmpnents apply t all cmpanies, the way they are implemented will vary depending n the individual characteristics f each cmpany. These five cmpnents are: 1) An rganisatinal structure with a clear definitin f respnsibilities, suitable resurces and cmpetencies that is supprted by apprpriate infrmatin systems, prcedures r perating methds, tls and practices Implementatin f an internal cntrl system must be based n fundamental principles, as well as: a suitable rganisatinal structure that prvides the framewrk in which the activities implicit in meeting the bjectives are planned, carried ut, fllwed up and cntrlled; clearly defined respnsibilities and pwers that are granted t the right peple accrding t the cmpany s bjectives. They can be frmalised and cmmunicated by means f task r jb descriptins, staff and line rganisatin charts, delegatin f pwers, in accrdance with the principle f segregatin f duties; a human resurce management plicy that shuld enable the cmpany t emply peple with the apprpriate knwledge and cmpetencies t discharge their respnsibilities and t meet the current and future bjectives f the cmpany; 8

10 infrmatin systems that are adapted t the current bjectives f the rganisatin and designed t be able t respnd t its future bjectives. The IT systems n which these infrmatin systems depend must be effectively prtected, bth in terms f physical and lgical security, thereby ensuring that there is n lss f the infrmatin stred. Their peratinal cntinuity is guaranteed by back-up prcedures. Infrmatin n analyses, prgramming and prcessing functins must be dcumented; perating prcedures r methds that specify hw an actin r prcess shuld be carried ut (bjectives t be achieved within a given time-frame, definitins f functins and perating/reprting lines, plicy framewrk, decisin-making and assessment tls, cntrl frequency, persn respnsible fr cntrl, etc.), regardless f frmat and medium. Sectin III.2, Accunting and finance internal cntrl questinnaire lists sme questins that culd be asked abut the cmpany s accunting and financial prcedures. tls r wrk facilities (ffice autmatin, IT) that are adapted t everyne s needs and suitable training fr every user; practices which are cmmnly accepted within the cmpany. 2) In-huse disseminatin f relevant and reliable infrmatin that enables everyne t exercise their respnsibilities The cmpany s prcesses shuld ensure that all relevant and reliable infrmatin is cmmunicated in a timely manner t all relevant players within the cmpany, thereby enabling them t exercise their respnsibilities. 3) A risk management system t identify, analyse and manage the main risks identified with regard t the cmpany s bjectives. The risk management system is described in sectin II.1. General risk management principles. 4) Cntrl activities prprtinate t the implicatins f each individual prcess and designed t ensure that apprpriate measures are taken in rder t cntrl risks that culd affect the cmpany s ability t achieve its bjectives Cntrl activities can be fund everywhere in the rganisatin, at every level, and in every functin. They include cntrls fcusing n preventin r detectin, manual r cmputerised cntrls, and cntrls built int the reprting structure. In any event, cntrl activities are determined in the light f the nature f the bjectives with which they are assciated and are prprtinate t the implicatins f each prcess. In this cntext, particular attentin shuld be paid t the cntrls ver the prcesses invlved in the rganisatinal, human and technical aspects f designing and running infrmatin systems. 5) On-ging mnitring f the internal cntrl system tgether with regular review its peratin As fr any system, the internal cntrl system requires n-ging mnitring. The aim is t verify its relevance and apprpriateness t the cmpany s bjectives. Implemented by management, with versight by the executive management r the executive bard, this mnitring cnsists mainly f analysis f the main incidents that have been recrded, the result f cntrls perfrmed, tgether with wrk carried ut by the internal audit team, when there is ne. This mnitring als takes int cnsideratin the bservatins made by the statutry auditrs and by regulatry supervisry bdies. Keeping an active watch n internal cntrl best practices can be anther useful cmplement t the mnitring tls. Mnitring, tgether with the best practices watch, culminate, where required, in the implementatin f crrective actins and adjustments t the internal cntrl system. Executive management r the executive bard shuld assess the parameters fr infrming the bard f the main results f the mnitring and reviews thus perfrmed. 9

11 4. Scpe f risk management and internal cntrl It is up t each cmpany t implement risk management and internal cntrl systems that are apprpriate fr its situatin. In a grup, the parent cmpany shall ensure that its subsidiaries have risk management and internal cntrl systems. These systems must be adapted t the subsidiaries specific characteristics and t the relatins between them and the parent cmpany. When a parent cmpany has a substantial equity interest and significant influence ver an affiliate, it shuld take care t assess the pssibility f acquainting itself with and examining its affiliate s measures with regard t risk management and internal cntrl. 5. Risk management and internal cntrl players Risk management and internal cntrl are the business f entire cmpany, frm the gverning bdies t emplyees. a) Executive management r the executive bard Executive management is respnsible fr the quality f internal cntrl and risk management systems, whether it acts directly r delegates its tasks. It is als respnsible fr designing and implementing internal cntrl and risk management systems that are apprpriate fr the size f the cmpany, its business and its rganisatinal structure. This task includes defining the relevant rles and respnsibilities within the cmpany. Executive management ensures cnstant mnitring f internal cntrl and risk management systems with the aim f ensuring their integrity and imprving them thrugh adaptatins t changes in the rganisatin and envirnment f the cmpany. It initiates any remedial measures that becme necessary t crrect prblems identified and t stay within accepted risk limits. It als ensures that these measures are carried ut. Executive management ensures that apprpriate infrmatin is reprted in a timely manner t the bard f directrs r the supervisry bard and t the audit cmmittee. b) Bard f directrs r the supervisry bard The bard s invlvement in internal cntrl and risk management varies frm ne cmpany t the next. Hwever, Article L f the Cmmercial Cde requires the bard f directrs t give an accunt f risks in its management reprt, which must include: a descriptin f the main risks and uncertainties facing the cmpany, a descriptin f the main risks and uncertainties facing the cmpanies included in the cnslidated financial statements, infrmatin abut the cmpany s use f financial instruments. This infrmatin must deal with the cmpany s bjectives and plicies regarding financial risk management. It must als address the cmpany s expsure t price risk, credit risk, liquidity risk and cash flw risk. In practice, the bard is infrmed f the key characteristics f the internal cntrl and risk management systems chsen and implemented by executive management: rganisatinal structure, rles and functins f the main players, prcedures, risk reprting and cntrl system mnitring structure. Mre specifically, it btains a cmprehensive verview f financial reprting prcedures. Basically, the bard ensures that the majr risks incurred by the cmpany are in line with its strategies and its bjectives and that these majr risks are given due cnsideratin in the management f the cmpany. Under these circumstances, the bard is peridically infrmed f the perating results f these systems, the main prblems detected during the previus perid and the plans f actin decided by executive management. 10

12 Mre specifically, the bard checks with executive management t ensure that the mnitring, internal cntrl and risk management systems are adequate t ensure the reliability f the cmpany s financial reprting and t prvide a fair view f the cmpany s and the grup s earnings and financial situatins. The bard may use its general pwers as needed t have any audits r verificatins that it deems timely carried ut r t take any ther actin that it deems apprpriate in this regard. c) Audit cmmittee The audit cmmittee s rle and duties are dealt with in detail in the dcument entitled Audit Cmmittees: Wrking Grup Reprt. d) Risk manager When the psitin exists, the risk manager, r the persn in charge f risk management, is respnsible fr deplying and implementing the verall risk management prcess as defined by executive management. Fr this purpse, the risk manager establishes a structured system that is bth permanent and adaptable fr the purpse f identifying, analysing and managing the main risks. The risk manager runs the risk management system and prvides methdlgical supprt t the cmpany s line and staff divisins. e) Internal audit When there is ne, the internal audit department is respnsible, within the scpe f its duties, fr assessing the peratin f the internal cntrl system and fr making recmmendatins t imprve it. It helps raise awareness and train management persnnel in internal cntrl, but is nt directly invlved in the design r the day-t-day running f the system. As part f its wrk plan apprved by executive management, it examines cmpliance with laws and regulatins, ensures that executive management s instructins are prperly carried ut and verifies the prper functining f the cmpany s internal prcesses relating t the reliability f reprting channels and infrmatin systems. The internal audit manager draws up a wrk prgramme in light f the main risks incurred by the cmpany and reprts the significant findings f wrk carried ut t executive management and, in accrdance with the prcedures defined by each cmpany, t the bard. f) Emplyees Management in each entity ensures that the cmpany s risk management plicy is applied. It is respnsible fr applying this plicy and ensures that expsure t these risks cmplies with the executive management s risk management plicy. Risk management is the peratinal expressin f the risk versight system: it invlves the implementatin f the system fr identifying, analysing and managing risks at the business line level by the divisin managers, majr functins and by all emplyees. All emplyees cncerned shuld pssess the knwledge and infrmatin required fr creating, perating and mnitring risk management and internal cntrl systems in light f the bjectives assigned t them. This is particularly true f line managers dealing directly with the risk management and internal cntrl systems, as well as with the internal cntrllers. 11

13 6. Statutry auditrs rle Statutry auditrs legal duties d nt include participatin in risk management and internal cntrl systems. They learn abut the systems, rely n internal audit wrk, when internal audit exists, t btain a better understanding and frmulate an pinin abut the apprpriateness f this wrk cmpletely independently. They certify the financial statements and, as part f their task, they may identify material risks and majr internal cntrl weaknesses that culd have a significant impact n financial disclsures. They present their bservatins abut the chairman s reprt and abut internal cntrl prcedures relating t financial reprting, and they certify that ther infrmatin required by law has been prduced. 7. Limitatins f risk management and internal cntrl N matter hw well-cnceived and rigrusly applied risk management and internal cntrl systems are, they cannt prvide an abslute guarantee that the cmpany s bjectives will be reached. The prbability f reaching these gals depends n mre than just the cmpany s will. Every system and prcess has its limitatins. These limitatins stem frm many factrs, such as uncertainty abut the utside wrld, the use f sund judgment r prblems that may arise frm technical and human failures r frm rdinary errrs. Risk management chices are made by weighing the pprtunities against the cst f risk management measures, with due cnsideratin f their ptential effects n the ccurrence and/r cnsequences f the risk in rder t avid taking needlessly expensive actins. 12

14 III. QUESTIONNAIRES ON GENERAL PRINCIPLES The questinnaires are a helpful additin t the general dcument derived frm the reference framewrk. In view f the specific features f each cmpany, their presentatin in n way suggests that all f the questins that they cntain need t be cnsidered when examining the risk management and internal cntrl systems, r that all f the elements mentined need t be present, r that the lack f any element needs t be explained. 1. Risk management questinnaire If the bard f directrs has set up an audit cmmittee, then the rle attributed t the bard in the fllwing questins culd just as easily be played by the audit cmmittee. Organisatinal framewrk fr risk management Has the cmpany established risk management bjectives? Have risk management respnsibilities been defined and ntified t the peple cncerned? Is the persn in charge f risk management adequately qualified and des he have the supprt and cnfidence f managers t perfrm his duties with regard t line and staff managers? Have plicies and prcedures fr managing the main risks been defined, apprved by executive management and implemented in the cmpany? Have the cmpany s acceptable risk limits (risk tlerance) been defined, by executive management, where apprpriate, and disseminated? Des the cmpany have a cmmn language fr dealing with risk (unifrm definitins, criteria fr risk identificatin, analysis and mnitring, etc.)? Has the cmpany identified its legal and regulatry bligatins with regard t risk disclsure? Des the cmpany prvide internal infrmatin t the peple cncerned: abut risk factrs? abut risk management systems? abut current actins and the peple in charge f them? Risk identificatin Is there a prcess fr identifying risks that threaten attainment f the cmpany s bjectives? Has an apprpriate structure been set up fr this purpse? Have ptential pprtunity csts als been cnsidered? Have systems been established t identify the main risks affecting the prcess f preparing the financial statements? Has the crrelatin f ptential knck-n risks been cnsidered? Risk analysis Des the cmpany analyse the ptential impact f the main risks identified (quantified r nt, financial r nnfinancial impact) and the estimated degree f risk cntrl? Has the cmpany s past experience with risks r that f similar entities been taken int cnsideratin? Are several functins in the cmpany invlved in analysing the ptential cnsequences and prbabilities? Des executive management share risk analysis with the persns cncerned? Des the risk analysis cnsider internal and external changes affecting the cmpany? Managing the main risks Are risks that exceed the acceptable limits defined by the cmpany dealt with first? Has a residual risk level been defined? D majr risks give rise t specific actins? Has the respnsibility fr such actins been defined? Where apprpriate, is implementatin f these actins mnitred? Des the cmpany have a crisis management plan? 13

15 Oversight and review f risk management Des management receive infrmatin abut the key characteristics f actins taken t manage the cmpany s main risks (type f actins taken r hedges established, insurance, exclusins and the amunt f cverage, etc.)? Have specific resurces been allcated t implementatin and supervisin f the risk management prcedures? Is there a mechanism that makes it pssible, when necessary, t adapt risk management prcedures t changes in risks and the external envirnment, as well as t changes in the cmpany s bjectives and business activities? Is there a system fr identifying and crrecting the main weaknesses in the risk management system used by the cmpany? Has the bard f directrs r, where apprpriate, the supervisry bard, been infrmed f the main thrust f the risk management plicies? Is the Bard updated peridically n the main risks identified and the key characteristics f the risk management system, including the resurces allcated and nging imprvements? Accunting and financial disclsure Has a schedule been established that summarises the grup s peridic market disclsure requirements fr accunting and financial infrmatin? Des this schedule specify: the nature and deadline fr each peridic disclsure requirement, the peple respnsible fr preparing the disclsures. Are there peple respnsible and prcedures in place fr identifying and meeting market disclsure requirements? Has a prcedure been established fr checking infrmatin prir t disclsure? 2. Internal cntrl questinnaire Rle f gvernance bdies 4 If the bard f directrs has set up an audit cmmittee, then the rle attributed t the bard in the fllwing questins culd just as easily be played by the audit cmmittee. Have the accunting principles that have a material impact n the presentatin f the cmpany s financial statements been frmally validated by executive management, reviewed by the statutry auditrs and presented t the bard f directrs r the supervisry bard? Has executive management explained and substantiated the main accunting ptins and chices made t the bard and have they been reviewed by the statutry auditrs? Has a prcess been established fr validating planned changes in accunting principles with due cnsideratin f the ecnmic aspects f the transactins? Des this prcess call fr cnsultatin with the statutry auditrs and ntificatin f the bard? Des the bard receive the statutry auditrs assurance that they had be given access t all the infrmatin necessary fr the perfrmance f their duties, especially in the case f cnslidated cmpanies? Des the Bard receive the statutry auditrs assurance that they have made enugh prgress n their wrk at the cut-ff date t be able t present all their material bservatins? Are the earnings cmpnents, balance-sheet presentatin, financial psitin presentatin and the ntes t the financial statements explained t the bard each time the published financial statements are prepared? Has the Bard been infrmed f the existence f a management cntrl functin, which prduces data that are peridically recnciled with the published financial infrmatin? Has management peridically infrmed the bard f cash psitin mnitring, especially at times f majr tensin? Are any restrictins n cash flws within the grup stemming frm special clauses r the percentage f equity held clearly stipulated t the bard? 4 Gvernance bdies, in the cntext f the questinnaire, means the bard f directrs r the supervisry bard. 14

16 Accunting and financial reprting structure Des the accunting and financial reprting functin have access t the infrmatin needed t prepare the financial statements frm the entities cvered by the statements? Des the grup have an accunting principles manual that specifies the accunting treatment fr the mst significant transactins? If financial statements are published in accrdance with several sets f accunting standards at the individual cmpany r cnslidated level, have prcedures been established fr explaining the main restatements? Are there accunting prcedures manuals and instructins describing the divisin f respnsibilities fr executin and cntrl f accunting tasks, as well timetables fr executin? As part f the preparatin f the cnslidated financial statements, are there disseminatin prcedures t ensure that the manuals and instructins are fllwed by subsidiaries? Have the peple respnsible fr preparing the financial statements and financial infrmatin, and the varius players wh participate in the preparatin f the financial statements been identified? Has a prcess been established t identify the resurces required fr the smth peratin f the accunting functin? Des it give due cnsideratin t freseeable develpments? Infrmatin system Have infrmatin prcedures and systems been develped t meet requirements with regard t the security, reliability, availability and relevance f accunting and financial infrmatin? Have the rles and respnsibilities f the players been defined? Are line functins adequately invlved in defining new data prcessing tls? Befre, during and after the prject? Are dealings with IT prviders cvered by a cntract? Have perfrmance and quality indicatrs been defined and are they reviewed regularly? Has the cmpany s dependence n IT prviders been analysed? Des the cntract prvide fr n-site inspectins f prviders by the cmpany and have they been carried ut? Are infrmatin systems used fr accunting and financial infrmatin adapted as the cmpany s needs change? Has request and incident management been implemented? Are indicatrs used t measure quality f service (e.g. rejected data, abnrmal respnse times, service interruptins, etc.)? Are there plans fr analysis and implementatin f remedial actins? D authrisatins and access rights t systems, as well as the envirnments hsting these systems, give due cnsideratin t the segregatin f duties? Have user security principles been defined and disseminated (e.g. passwrd management, data transfers, Internet access, etc.)? Have physical security principles been defined and disseminated? Have lgical security principles been defined and disseminated? Have access t data and sftware been prtected by user prfiles? Can transactins be traced, analysed and verified? Are there plans fr an anti-virus system t prtect against attacks and intruders? Have data back-up systems been established? Are they tested peridically? Have cntinuity f service measures been established in cnjunctin with users needs? Are they tested peridically? Are recrd retentin requirements with respect t infrmatin, data and cmputer prcessing used directly r indirectly t prepare accunting recrds and financial statements met? Cntrl activities Are regular audits and spt checks cnducted t ensure cmpliance in practice with the manual f accunting principles and the manual f accunting prcedures? Have prcedures been established t identify and reslve new and unfreseen accunting prblems in the accunting principles manual and/r the accunting prcedures manual? D internal cntrl activities fr accunting and financial reprting include prcedures t prtect assets (risk f negligence, errrs and internal r external fraud)? Des the internal cntrl system fr accunting and financial reprting include specific audits f accunting aspects that are identified as critical, such as recgnitin f assets, recgnitin f earnings, accruals and inventry valuatin? Are the prcedures fr preparing the grup s financial statements applied in every cnslidated entity? If there are exceptins, are there adequate prcedures fr dealing with them? 15

17 APPLICATION GUIDE FOR INTERNAL CONTROL PROCEDURES RELATED TO THE ACCOUNTING AND FINANCIAL INFORMATION PUBLISHED BY THE ISSUERS 16

18 IV. APPLICATION GUIDE FOR INTERNAL CONTROL PROCEDURES RELATED TO THE ACCOUNTING AND FINANCIAL INFORMATION PUBLISHED BY THE ISSUERS Intrductin Mnitring prcesses fr the accunting and financial reprting structure Principles and key analytical pints General rganisatin Resurces management Enfrcement f accunting rules Cntrl f accunting rules Organisatin and security f infrmatin systems Rle f senir management Organisatin, pwers and resurces Mnitring and cntrl Preparing financial statements Cnsideratin f the statutry auditrs wrk Rle f the Bard r Directrs r the Supervisry Bard Cntrl and verificatin Apprving financial statements Relatins with statutry auditrs Prcesses invlved in preparing published accunting and financial infrmatin Quality criteria Identifying risks affecting the preparatin f published accunting and financial infrmatin Principles and key analytical pints Investment / Divestment / research and develpment Tangible and intangible assets, and gdwill Lng-term investments Purchases / Trade payables Csts / Inventries and wrks in prgress / Lng-term r cnstructin cntracts Ordinary incme / Trade receivables Cash / Financing and financial instruments Emplyee benefits Taxes Equity transactins Prvisins and bligatins Cnslidatin Management infrmatin required fr preparing accunting and financial infrmatin fr publicatin Management f external financial infrmatin Appendices 37 Annexe Annexe

19 Preamble This is an Applicatin Guide t the general principles gverning internal cntrl prcedures related t the preparatin and prcessing f accunting and financial infrmatin fr publicatin. The guide is nt a binding set f rules r standards; it is a tl t enable management bdies (senir management, management bards, financial departments, etc) and decisin-making bdies (bards f directrs, supervisry bard) t understand and imprve their internal cntrl system fr accunting and financial reprting. It is designed t help cmpanies and entities, especially thse that are publicly listed, that wish t analyse their accunting and financial internal cntrl prcedures. This Applicatin Guide cvers the principles and key analytical pints that apply in all business sectrs, except thse sectrs cvered by specific rules, such as banking and insurance. In view f the specific characteristics f each cmpany and the need fr internal cntrl arrangements t be flexible and tailred t existing rganisatinal structures, this presentatin des nt claim t be exhaustive. Neither des it insinuate that all the pints it cvers are applicable, that all f them need t be included, r that their absence must be explained. Pssible discrepancies between a cmpany s practices and these principles d nt necessarily indicate inadequate internal cntrl f accunting and financial reprting. The apprach fcuses n the factrs that cntribute t the preparing and prcessing f accunting and financial infrmatin fr publicatin. Definitins Internal cntrl f accunting and financial infrmatin is effected thrugh a system designed and implemented by a cmpany t ensure, as far as pssible, that the accunting and financial aspects f its business are rigrusly managed and mnitred s as t meet the bjectives set ut belw. Internal cntrl f accunting and financial infrmatin is a key cmpnent f internal cntrl. It cvers the prcesses fr prducing and disseminating cmpanies accunting and financial infrmatin and cntributes t the prductin f reliable infrmatin that cmplies with legal and regulatry requirements. As fr general internal cntrl, it relies n an verall system that includes the design and implementatin f the cmpany s infrmatin system, as well as the plicies and prcedures fr mnitring, supervisin and cntrl. Objectives Internal cntrl f accunting and financial reprting is intended t ensure that: accunting and financial infrmatin cmplies with applicable rules; the instructins and guidelines given by senir management r the Management Bard n the strength f this infrmatin are prperly implemented; the cmpany s assets are safeguarded; fraud and accunting and financial reprting prblems can be detected r prevented as far as pssible; the infrmatin disseminated and used internally fr the purpses f mnitring and cntrl is reliable, insfar as it is used in the preparatin and prcessing f published accunting and financial infrmatin; the financial statements and ther infrmatin prvided t the market are reliable. Scpe Internal cntrl f accunting and financial infrmatin cvers the parent cmpany and cnslidated cmpanies ( the grup ), if cnslidated financial statements are prduced. 18

20 Persns and bdies cncerned Internal cntrl f accunting and financial infrmatin invlves mst f the key players in the cmpany, wh have different respnsibilities and rles depending n the subjects being dealt with. Three crprate gvernance players are particularly clsely invlved: Senir management (r the Management Bard) is respnsible fr rganising and implementing internal cntrl f accunting and financial infrmatin, as well as fr cmpiling financial statements fr each accunting perid. T simplify matters, the term senir management will be used in the rest f this dcument t mean senir management r the Management Bard, The Bard f Directrs, r the Management Bard, which cmpiles the financial statements, and the Supervisry Bard, which, like the Bard f Directrs, carries ut such audits and verificatins f the financial statements as it deems apprpriate. T simplify matters, nly the term Bard f Directrs will be used hereafter. Preparatins fr these tasks can be made by the Audit Cmmittee, if the cmpany has ne; The Chairman f the Bard f Directrs (r the Chairman f the Supervisry Bard), wh is respnsible fr cmpiling the reprt n internal cntrl prcedures, including thse relating t the preparatin and prcessing f accunting and financial infrmatin. The internal audit functin, if ne exists, can help these players by making prpsals t imprve the quality f internal cntrl prcesses fr published accunting and financial infrmatin. Statutry auditrs are nt part f the internal cntrl system. They certify the financial statements and, as part f their task, they review internal cntrl prcedures t identify and assess the risk f material discrepancies in the financial statements, in rder t design and implement their audit prcedures. They present their remarks abut the Chairman s reprt n internal cntrl. In this area, they d nt replace the cmpany and their wrk des nt replace the wrk carried ut by the cmpany. Cntrl envirnment The internal cntrl system fr accunting and financial infrmatin must be mre than just a set f prcedural manuals and dcuments. The rganisatin and implementatin f internal cntrl hinges n the awareness and participatin f the peple cncerned. The cntrl envirnment thus encmpasses the actins f the peple and bdies invlved in the internal cntrl f accunting and financial infrmatin. In this respect, cnsideratin f the players ethical values, integrity and cmpetence (see reference framewrk) 5 is critical in the mre specific area f internal cntrl f accunting and financial infrmatin. Accunting prcesses The accunting prcesses at the heart f internal cntrl f accunting and financial infrmatin are a set f unifrm activities that transfrm business transactins all the basic events that make up the cmpany's business int accunting and financial infrmatin by putting them thrugh the accunting mechanism, cmpsed f accunting plicies and grund rules. They include an accunting prductin system, preparatin f financial statements and cmmunicatins. The diagram belw shws that the prcesses invlved in prducing the infrmatin are nt slely within the cnventinal scpe f the Accunts and Financial Reprting Department. 5 In view f the requirement in the Financial Security Act (Article f the Cmmercial Cde) that the Chairman f the Bard f Directrs r the Supervisry Bard draft a reprt n internal cntrl prcedures, the AMF set up a Wrking Grup in April 2005 t chse r adapt an Applicatin Guide fr internal cntrl. The Wrking Grup presented a reference framewrk n 9 May 2006 that takes int accunt French and Eurpean legal and regulatry prvisins, as well as accepted gd gvernance practices in France. 19