10. INTERNAL CONTROL SYSTEM
The Company's internal control system is a process - consisting of rules, procedures and organisational structures - designed to pursue values of substantial and procedural fairness, transparency and accountability, which are considered fundamental to the business of Telecom Italia Media S.p.A., as established by the Group's Code of Ethics and Conduct. This process is designed to ensure management efficiency, measurability and verifiability, reliability of accounting and management information, compliance with all applicable laws and regulations, and the protection of the Company's assets, preventing fraud at its own and the financial market's expense. The basic rules on which the system rests are:
The Board of Directors, insofar as it is responsible for the internal control system, sets the guidelines, verifying its adequacy, effectiveness and proper functioning, so that the main company risks (operational, compliance-related, economic and financial) are properly identified and managed over time.
During its meeting held on 23 February 2010, the Board of Directors expressed a positive opinion of the adequacy, effectiveness and efficient operation of the internal control system, noting the results reported by the Internal Control Committee based on the activities it carried out during the financial year.
The main features of the risk management and internal control systems in relation to the financial information process are set out in appendix 1.
Executive director in charge of the internal control system
The Board of Directors has identified the Vice Chairman and CEO as the Director responsible for overseeing the functioning of the internal control system. He is therefore assigned the task of designing tools and methods to adapt the system, and seeing to their adjustment to changes in operating conditions and the legislative and regulatory framework.
The Vice Chairman and CEO, working with the manager responsible for preparing corporate accounting documents and the head of internal control for aspects of specific expertise, using the tools and in compliance with the conditions set as above, ensures the overall adequacy of the system and its operation in practice, from a risk-based perspective, which is also considered in the definition of the agenda of the Board meetings.
Manager responsible for internal control
In addition to the Internal Control and Corporate Governance Committee, the Board also relies on a manager who has an adequate degree of independence and the appropriate resources needed to perform his function (as already referred to in the previous governance reports, this is the Telecom Italia Audit & Compliance Service consortium). The manager in charge of internal control is responsible for supporting the management bodies in assessing the adequacy and effectiveness of the system and consequently for proposing corrective measures in case of anomalies and malfunctions.
The Manager in charge of internal control:
During 2011, the limited liability consortium TI Audit & Compliance Services continued its oversight of the Telecom Italia Group's internal control system, in accordance with its Governance Control objectives, through the different organisational components of Audit, Compliance, IT Risk & Security Governance, which – in meeting their respective missions – ensured comprehensive oversight.
The findings of this oversight allow an assessment to be made in particular of the internal auditing system designed to verify – in terms of suitability, practicality and reasonable degree of certainty – the ability of the system to influence the actual achievement of the objectives assigned to individual business structures (effectiveness profile), considering the resources available for their achievement (efficiency profile) in light of the (qualitative/quantitative) risk factors present and their likelihood of influencing the achievement of those objectives.
The development of the internal control systems is pursued by TI Audit & Compliance Services in accordance with the Self-regulatory Codes of Telecom Italia Media and Borsa Italiana on the following main aspects that characterise and qualify the Corporate Governance of listed companies: business ethics, regulatory framework, procedural framework, corporate culture, organisational aspects, corporate information and communications, business processes to ensure operational effectiveness and efficiency.
For the purpose of an overall assessment of the internal control system, TI Audit & Compliance Services has considered, as a methodological reference for its own interventions, the following components of the COSO Report (control model developed by the Committee of Sponsoring Organisations (COSO) of the Treadway Commission): (i) Control environment and (ii) Information and Communication, which place a significant amount of emphasis on, among other things, oversight of the compliance and auditing methodologies, dissemination of the control culture and consolidation of the ethical values of business; (iii) Assessment of risks and (iv) Control activities, which require a process of identifying and managing auditing projects, as well as guaranteeing the compliance of processes and business operations with applicable laws and internal procedures of reference; (v) Monitoring, which requires the implementation of oversight activities for areas of the company at greatest risk, with auditing and compliance responsibility, designed to verify that the reported have been overcome.
In 2010, detailed activities were carried out that allowed for the organisational areas of the Group to be covered in accordance with the plan, with incremental steps taken to address situations that emerged during the year.
Corrective actions were taken that were judged to be reasonable for the elimination of weaknesses, and specific follow-ups were carried out, according to predetermined criteria and objectives, and continuous monitoring of the individual actions was introduced in a series of areas that were considered to be particularly sensitive.
Therefore, with reference to the specific operational contexts analysed in 2010 and the resulting corrective actions planned and implemented, the internal auditing system as a whole has been deemed appropriate to reduce the risk profiles to a level that is acceptable to enable the correct operation of its processes.
Organisational model pursuant to legislative decree 231/2001
The internal control system is complemented by the so-called "Organisational Model 231" which is divided into the Code of Ethics and Conduct of the Telecom Italia Group, containing the general principles (transparency, honesty, fairness) that inspire the Company in the performance and conduct of its business; the "general principles of internal control", that is, the set of tools designed to provide a guarantee that the aims of operational effectiveness and efficiency are achieved, that financial and management information is reliable, that laws and regulations are respected, and that the company's assets are safeguarded, also against possible fraud; the "principles of conduct", which consists of specific rules for relations with representatives of government agencies, and for the formalities and activities of a corporate nature; and the "internal control plans", describing the processes that are at risk of offences being committed, the offences that might be perpetrated in relation to these processes, and the preventive control activities designed to avoid the related risks. The internal control plans have been compiled in accordance with the following basic principles of control systems: (i) separation of roles in undertaking the principal activities involved in business processes; (ii) traceability of decisions, to allow for identification of specific points of responsibility and the motivations for the decisions themselves; and (iii) objectification of the decision-making processes, so that decisions are not based on purely subjective considerations, but based on pre-established criteria.
The Organisational Model is a dynamic instrument that influences the operation of the company, and which in turn must be constantly checked and updated in the light of feedback, as well as the evolution of the regulatory framework. The document has been updated and refined during 2011. In particular, the scheme designed to prevent the "231 risk" has been introduced following inclusion of criminal conspiracy and mafia-type conspiracy in the list of relevant offences. The adoption of the internal control plan was considered necessary because offences related to criminal conspiracy are instrumental to the "end-offences" defined in the Italian Criminal Code and special laws: hence the considerable expansion of the risk of offences under the terms of Legislative Decree No. 231/2001, since most business processes are potentially capable of generating offences (end-offences) committed by criminal association. A special working group (also supported by external legal counsel) has therefore identified the main types of "end-offences" relevant to the Company and the criminal association offences.
In order to guarantee an increasingly wide understanding of 231 related issues throughout the company, constant training was provided with the support of the Compliance Department of Telecom Italia Audit & Compliance Services.
A specific Supervisory Body has been appointed to supervise compliance with the Organisational Model 231. It consists of one member of the Board of Auditors (Chairman of the Body and a member of the Board of Auditors Michela Zeme), one independent Director who is a member of the Internal Control and Corporate Governance Committee (Director Zanone Poma) and the manager in charge of internal control (the Chairman of Telecom Italia Audit & Compliance Services).
The Supervisory Body was appointed by the Board of Directors on 11 April 2008 following its expiry after the end of the previous Board's mandate (shareholders' meeting of 10 April 2008). The Body reports to the Board of Directors, to the Internal Control and Corporate Governance Committee and to the Board of Auditors regarding the control activities carried out and their result.
At its meeting held on 3 November 2009, the Board of Directors, with the favourable opinion of the Internal Control and Corporate Governance Committee and the Board of Auditors, decided to supplement the Supervisory Body with an external member, subsequently identified as the lawyer Francesca Coppi.
In order to support the Supervisory Bodies of the Companies belonging to the Group, Telecom Italia Audit & Compliance Services has a specific department (Compliance 231) in charge of managing reports of violations of the Organisational Model and carrying out compliance action according to the evidence received via the information flows established within the Group.
The auditing assignment given by Telecom Italia Media S.p.A. to Reconta Ernst & Young at the Shareholders' Meeting of 12 April 2007 (third three-year mandate), was due to expire with the publication of the audit report on the financial statements as of 31 December 2010, which would therefore have been out of line with the term set for the parent company Telecom Italia, whose third and last mandate expired in the financial year 2009.
The assignment given to Reconta Ernst & Young to audit the financial statements of the subsidiaries of Telecom Italia Media S.p.A. was instead in line with that of Telecom Italia and therefore also expired with the audit report on the financial statements for 2009, as a result of which Reconta Ernst & Young would have lost its position as the principal auditor of Telecom Italia Media and the Group after having audited the financial statements for 2010.
Given that existing legislation did not allow the auditing assignment to be terminated by mutual agreement but only its revocation due to "just cause", a decision that has to be taken in an express resolution of the Shareholders' Meeting on a justified proposal from the Board of Auditors, it was decided that a just cause existed in the situation described and, as a result, on 8 April 2010, the Shareholders' Meeting approved the revocation of the assignment given to Reconta Ernst & Young S.p.A. for the rest of its duration.
As regards the assignment of the auditing task, the Shareholders' Meeting then approved the assignment of the auditing task to PricewaterhouseCoppers for the period 2010-2018, based on a reasoned proposal from the Board of Auditors.
The selection of the candidate company for the auditing task was made on the basis of a comparative analysis carried out under the supervision of the Board of Auditors, which availed itself for this purpose of the support of the relevant company departments, in agreement with the Board of Auditors of the parent company Telecom Italia. The offers received from the various auditors contacted for this purpose were examined with particular reference to (i) their skills and specific auditing experience in the telecommunications sector; (ii) the adequacy of the technical structure in terms of requirements due to the size and complexity of the Company and the Group to which it belongs; (iii) their independence and autonomy of judgement with respect to the Company and the Group; (iv) the consistency of the remuneration requested with the time and level of professionalism considered.
The preliminary investigation prior to the appointment (or to subsequent modifications) of the auditing assignment is coordinated by the manager responsible for preparing the Company accounting documents, under the supervision of the Board of Auditors, which relies on the manager responsible for internal control to check the independence profiles (even for monitoring purposes during the term of appointment).
In order to protect the independence of the appointed auditor, the Group Guidelines establish the principle that the assignment of further tasks (when allowed by the reference standard) is limited to the services and activities closely related to the financial statements audit.
Executive responsible for preparing the corporate accounting documents
Following the inclusion in the Bylaws of the position of "executive responsible for preparing the corporate accounting documents" (identifying the respective professional requirements: experience in administration, finance and control), at its meeting held on 7 November 2007, the Board of Directors appointed the executive responsible for preparing the corporate accounting documents of Telecom Italia Media S.p.A..
This individual has been identified as Paolo Serra, Manager of the Company's Administration and Control Department. On 7 May 2008, the Board of Directors confirmed Paolo Serra as the executive responsible for preparing the corporate accounting documents pursuant to article 18.5 of the Bylaws.
The Board of Directors also adopted specific Rules that incorporate the corporate governance system of TI Media as part of the internal controls carried out for the purposes of economic and financial reporting. The new position is governed by including it among the governance structures of Telecom Italia Media S.p.A.: the appropriateness of the powers and resources of the executive (for which the Board of Directors is responsible) is ensured by the internal organisational powers granted to him in respect of the Company and the Group. The rules (which list the executive's operational and hierarchical responsibilities) also list the powers and resources granted to the executive for the performance of his duties.
The rules applicable to the executive responsible for preparing the corporate accounting documents can be found at www.telecomitaliamedia.it Governance channel.
Risk management and internal control system relating to the financial information process
Telecom Italia Media is aware that financial information has a central role in building and maintaining positive relationships between the company and its stakeholders, contributing – in addition to the company performance – to creating value for the shareholders. Telecom Italia Media is also aware that investors rely on full compliance by all managers and employees with the system of rules that constitute the company's internal control system.
The internal control system is a set of rules, procedures and organisational structures that, through a process of identifying, measuring, managing and monitoring the main risks, allows the sound and fair operation of the company in line with the pre-established objectives. This internal control system contributes to ensuring protection of the company's assets, effectiveness and efficiency of the company's operations, reliability of the financial information and compliance with laws and regulations.
In particular, the internal control system on Financial Reporting is aimed at ensuring the credibility(1), accuracy(2), reliability(3) and promptness(4) of financial information. With a view, inter alia, to ensuring compliance with Italian legislation (Law 262/2005) and US legislation (Section 404 of the Sarbanes Oxley Act) – given that it supplies financial data and information to the parent company Telecom Italia, which is listed on the NYSE –, Telecom Italia Media uses a structured and documented financial reporting risk detection and monitoring model based on the COSO framework.
The Telecom Italia Media financial reporting risk management and internal control system is split into the following stages:
Evidence of the assessment process described above (and particularly of the potential control shortcomings assessed as significant in terms of the potential error/fraud impact on the Financial Reporting) are periodically brought to the attention of the Internal Control and Corporate Governance Committee and the Board of Auditors. The existence of potential shortcomings leads to remedial plans being devised and scheduled with the relevant responsibilities being assigned.
1 - Credibility (of the reports): reports that are correct and comply with the generally agreed accounting principles and with the requirements of the applicable laws and regulations.
2 - Accuracy (of the reports): reports that are unbiased and accurate. Information is considered unbiased if it does not have pre-conceived distortions aimed at influencing the decision-making process of its users in order to obtain a specific result.
3 - Reliability (of the reports): reports that are clear and complete enough to allow investors to make informed investment decisions. Information is considered clear if it simplifies the understanding of complex aspects of the Company, without being excessive and pointless.
4 - Promptness (of the reports): reports that comply with due dates set for their release.
5 - Risk: potential event that may impair the achievement of goals related to the System, that is to say, accuracy, reliability, credibility and promptness goals of the financial information.
6 - Control objectives: set of goals that the internal control system on financial reporting aims to achieve in order to ensure truthful and correct representation in the financial reports. Such goals consist of "financial statement affirmations" (existence and occurrence, completeness, rights and obligations, assessment and registration, presentation and information) and of "other control goals" such as compliance with authorisation limits, separation of incompatible duties, controls on physical safety and assets, documentation and operations traceability, etc.).
7 - Error: in relation to the System, any unintentional act or omission that results in a misleading statement in the report.
8 - Fraud: in relation to the System, any unintentional act or omission that results in a misleading statement in the report.
9 - Analysis at company/group level, known as "entity level": in this context, the analysis (identification of risks, risks assessment, identification of controls, etc.) is carried out at the company/group level and is structured according to the CoSO model components. Elements to be considered for the analysis include staff skills, the corporate governance system, the company regulatory system, the communication of responsibilities related to the internal control system, risk assessment implementation procedures.
10 - Analysis at process level: in this context, the analysis (identification of risks, risks assessment, identification of controls, etc.) is carried out at the individual process level, identifying the specific process risks and the respective specific and monitoring controls.
11 - Known as the SOX Accelerator: a tree-structured database according to the COSO model (organised, for each Business Unit/company included in its perimeter, into processes, control goals, individual controls) that manages the required documents for the profiled users using a workflow.
12 - Assessment of the "design": this is an analysis of the adequacy of the control design, checking that the control reduces, to an acceptable level, the potential risk of a failure to achieve the control objectives for which it was designed.
13 - Assessment of the "operation": this is the set of activities performed to check that the controls designed to reduce the identified risks to an acceptable level, are operational in the specific period, i.e. actually carried out according to the "design".