In 2012, the Board approved the “Guidelines for the Internal Control and Risk Management System”, which constituted a revision of the procedures established in 1999 and 2003, including adoption of changes introduced by the Corporate Governance Code in 2011.
The Internal Control and Risk Management System, based on the model provided by the COSO Report and the principles of the Corporate Governance Code, consists of a set of policies, procedures and organizational structures aimed at identifying, measuring, managing and monitoring the principal risks to which the Company is exposed. The system is integrated within the organizational and corporate governance framework adopted by the Company and contributes to the protection of corporate assets and to ensuring the efficiency and effectiveness of business processes, the reliability of financial information and compliance with laws and regulations, the By-laws and internal procedures.
The system, which has been developed on the basis of international best practice, consists of the following 3 levels of control:
- Level 1: operating areas, which identify and assess risk and establish specific actions for management of that risk
- Level 2: departments responsible for risk control, which define methodologies and instruments for managing risk and monitor that risk
- Level 3: internal audit, which conducts independent evaluations of the System in its entirety. The head of Internal Audit is also assigned the role of Compliance Officer pursuant to Article 150 of Legislative Decree 58/1998
The Guidelines for the System of Risk Management and Internal Control provide a detailed description of the duties and responsibilities of the principal individuals and entities involved and set out the procedures for their coordination in order to ensure the effectiveness and efficiency of the system and reduce potential duplication of activities.
The Company has developed a system of internal control and risk management in relation to financial reporting based on the model provided by the COSO Framework aimed at ensuring the reliability, accuracy, completeness and timeliness of the information reported. The periodic evaluation of the system of internal control over financial reporting is designed to ensure the overall effectiveness of the components of the COSO Framework model (control environment, risk assessment, control activities, information and communication, monitoring) in achieving those objectives. As mentioned previously, the principal characteristics of the system of internal control and risk management in relation to financial reporting are provided in the Annual Report on Corporate Governance.
Fiat has administrative and accounting procedures in place that ensure a high degree of reliability in the system of internal control over financial reporting.
Documents and financial information regarding the Company are made public, including via the internet, in accordance with the provisions of the procedures for the internal management and public disclosure of confidential information adopted by the Board of Directors in 2006 and 2007.
Essential components of the Internal Control System are the Code of Conduct, adopted in 2002 to replace the Code of Ethics and subsequently revised in 2010, and the Compliance Program, adopted by the Board of Directors in implementation of regulations on the ‘Liability of Legal Persons’ pursuant to Legislative Decree 231/2001, as amended. The Code of Conduct sets out the ethical principles to which the Company adheres and which directors, statutory auditors, employees, consultants and partners are required to observe.
On 20 February 2013, the Board was presented with Fiat S.p.A.’s revised Compliance Program and Guidelines for Adoption and Revision of the Compliance Program by Group companies in Italy, which incorporate new categories of offenses introduced in Italian legislation. With these amendments, new criminal offenses were included and the relevant sensitive processes were identified. Legislative Decree 109/2012 introduced as Article 25-duodecies of Legislative Decree 231/2001 the offense of “Employment of foreign nationals residing illegally in Italy” (Article 22 (12-bis) of Legislative Decree 286/1998, which addresses immigration and legal status of foreign nationals). Law 190/2012 introduced the offense of being induced to give a bribe as Article 25 (3) and the offense of bribery between private individuals as Article 25-ter (1)(S-bis) with direct reference to Article 2635 (3) of the Civil Code, which establishes penalties for giving or promising financial or other advantage to directors, managers, statutory auditors or employees of a company. Additionally, the Guidelines were revised in July 2013 to reflect additional requirements placed on the Compliance Program Supervisory Body consistent with the strengthening of the Group’s corporate governance system.
The Compliance Program Supervisory Body is composed of the head of Internal Audit & Compliance, the General Counsel (head of the Legal Department), and an external advisor. It has its own Internal Policies and Procedures and operates on the basis of a specific supervisory program. It meets at least once per quarter and reports to the Board of Directors (including through the Internal Control and Risk Committee) and the Board of Statutory Auditors.
In application of the Compliance Program, the Code of Conduct, and the provisions of the Sarbanes-Oxley Act (to which the Company was subject while listed on the NYSE) on whistleblowing, the Whistleblowing Procedures were adopted on 1 January 2005 for the management of reports and claims filed by persons inside and outside the Company in relation to suspected or presumed violations of the Code of Conduct, fraud involving company assets or financial reporting, oppressive behavior towards employees or third parties, and reports or claims regarding accounting, internal accounting controls and independent audits.
The Procedures for the Engagement of Independent Auditors regulate the engagement of audit firms and other related parties, by Fiat S.p.A. and its subsidiaries, in order to ensure the independence of firms engaged to audit the financial statements. Related parties of an audit firm are considered to be entities belonging to the same network, as well as equity partners, shareholders, directors, members of management and supervisory bodies and employees of the audit firm.
With reference to the “Conditions for the listing of shares of companies having control over companies incorporated and regulated under the laws of a non-EU member State”, pursuant to Articles 36 and 39 of the Market Rules, the accounting systems in place at the Company and its subsidiaries, as discussed in the Annual Report on Corporate Governance, enable public disclosure of certain accounting information prepared by companies included in the scope of application of the Regulation and used in preparation of the consolidated financial statements and are adequate for the regular provision to management and the Parent Company’s auditors of information necessary for preparation of the consolidated financial statements. In addition, there is an effective flow of information to the Parent Company’s auditors, including regular information on the composition of corporate bodies within all subsidiary companies and the position held by each member. The Company is also responsible for systematically maintaining and updating centralized records of formal documents related to the by-laws and delegation of powers to members of the corporate bodies.