Saint-Gobain // Universal Registration Document 2021

6 Risks and control
Internal control

2.3 The internal control and risk management system in the Group entities

Each entity is responsible for implementing an internal control and risk management system that is appropriate to its needs and aligned with the Group’s internal control and risk management system. Each Managing Director is responsible for:

■ the relevance and effectiveness of the internal control system in place within their entity;
■ its compliance with the Group’s internal control system;
■ appropriate management of the risks faced by their entity.

This responsibility cannot be delegated. Management exercises this by relying on the company’s functional directors, operational staff and the site directors.

To build an internal control system adapted to their activity, the Chief Executive Officers of the companies aim to:

■ establish the fundamental bases for internal control and risk management, and in particular the controls described in the Internal Control Reference Framework;
■ adapt the internal control and risk management system by analyzing specific risks and enhancing the internal control system to include checks tailored to the management of identified risks;
■ roll out the internal control and risk management system on all of the sites;
■ oversee the internal control and risk management system.

2.4 The procedure for monitoring the internal control and risk management system

The Audit and Internal Control Department monitors the internal control and risk management systems using four main factors:

■ compliance statement;
■ internal audits;
■ action plan monitoring;
■ monitoring of fraud and incidents.

The results of this oversight are reported to the Audit and Risk Committee.

2.4.1 The compliance statement

The Managing Directors, for the applicable management levels, report to the Group’s General Management on their levels of internal control via an annual compliance statement.
The form includes a certain number of key checks extracted from the Internal Control Reference Framework. The Managing Director must provide assurances that:

■ the controls selected are implemented in a compliant and efficient manner;
■ the action plans arising from the self-assessment have been activated and implemented within the given time frames;
■ significant internal control incidents, fraud and breaches of the Principles of Conduct and Action were reported to the Audit and Internal Control Department or via the Group whistle-blowing system.

The Managing Directors make a personal commitment to the accuracy of the self-assessment by signing a letter of commitment at the end of the form. In 2021, a super-validation was introduced, aimed at obtaining the commitment of the Directors of Clusters, Regions and HPS for all declarations of compliance belonging to their respective scopes.

The declarations of compliance and the action plans are gathered, summarized and monitored by the Audit and Internal Control Department. They are covered in an annual report to the Group’s Management team and the Audit and Risk Committee.

2.4.2 Internal audits

Internal audits are centralized at Compagnie de Saint-Gobain level. The Head of Audit and Internal Control reports to the Chairman of the Board of Directors. Internal auditors located at the Group’s headquarters or in the countries report directly to the Audit and Internal Control Department and work under its authority.

The audits are scheduled based on long-term, pre-determined criteria, in line with a yearly audit plan which is designed taking into account the requirements of the company’s General Management, corporate departments and operational departments. The audit plan prepared by the Audit and Internal Control Department is approved by the Audit and Risk Committee.
The aim of the audits is to evaluate the relevance and effectiveness of the internal control systems of the Group and its subsidiaries and to carry out cross-business missions with an operational benefit. Generally, they include an examination of the internal control environment, risk analysis system, internal control organization and procedures and information systems of one or more processes.
