5. Propagaci´on de incertidumbre con m´etodos de reducci´on dimensional y
5.1.2. Revisi´on del estado del arte y perspectivas
The internal-control system, which comprises a set of resources, patterns of conduct, procedures and actions adapted to the individual characteristics of each Group company:
W contributes to the control of its activities, the effi ciency of its operations and the effi cient utilization of its resources; and
W enables it to take into consideration, in an appropriate manner, all major risks of an operational, fi nancial or compliance-related nature.
More specifi cally, the internal-control system is designed to ensure:
W that the Group’s economic and fi nancial objectives are achieved in accordance with laws and regulations;
W that instructions and directional guidelines fi xed by general management in respect of internal control and risk management are applied;
W that the internal processes are functioning correctly, particularly those contributing to the security of assets;
W that fi nancial information is reliable.
By helping to prevent and control the risk of the Group not achieving its objectives, the internal-control system plays a key role in the management and oversight of its activities. However, as the AMF reference framework underscores, no matter how well designed and properly applied, an internal-control system cannot fully guarantee that the Group’s objectives will be achieved.
There are inherent limitations in all internal-control systems, which arise, in particular, from uncertainties in the outside world, the exercise of judgment or problems that may occur due to human failure or simple error.
Scope
The internal-control and risk-management system presented in this section is implemented in the Company and at all its fully consolidated subsidiaries, and is not limited to a set of procedures or merely to accounting and fi nancial processes.
3.6.1.1
Components of internal control
A. Organisation
Customers and consumers lie at the heart of everything the Carrefour Group undertakes. The Company is organized geographically to ensure that the specifi c needs and interests of local customers and consumers are addressed most effectively and its operations are optimally responsive. Each country serves as a basic link in the Group’s organization. The internal-control and risk-management system is based on this organizational principle:
W General Management sets the reference framework for the Group’s internal-control and risk-management system. Its role is to coordinate, drive and supervise internal-control and risk-management systems;
W at country level, country executive directors coordinate and steer their own internal-control and risk-management systems.
The Group has set up a formal control environment with a Code of Professional Conduct and determination of the powers, responsibilities and objectives assigned at each level of the organization, according to the principle of the separation of tasks:
W the Code of Professional Conduct is provided to every Group employee.
The Code establishes the ethical framework within which all Carrefour employees must conduct their activities on a day-to-day basis;
W the corporate offi cers of each legal entity have limited powers in some areas that require prior approval by the Board of Directors or the equivalent body in each entity concerned;
3
W the powers and responsibilities of key employees are defi ned in delegations of powers and responsibilities established in accordance with hierarchical and functional organizational charts. This structure complies with the principle of the separation of tasks;
W lastly, this structure is conveyed by a management framework that is underpinned by medium-term objectives organized according to country and by the steering of activities orientated in line with annual budget targets and corresponding to individual plans.
Via its policies, the Human Resources department:
W ensures the proper availability level of resources, suitable for current and future business requirements;
W monitors employees’ career development and commitment;
W ensures high-quality industrial relations;
W defi nes the framework for the remuneration policy and corporate benefi ts and guides the associated commitments;
W helps to create a culture of collective development and performance.
The information systems aim to respond to needs and satisfy requirements regarding information security, reliability, availability and traceability:
W at Group level, the accounting and fi nancial information system is based on reporting and consolidation tools for preparation of the Consolidated Financial Statements and measurement of the Group’s operating performance;
W the country executive directors are responsible for their own information systems, and have implemented measures to ensure system security and digital data integrity.
Each process is subject to formal procedures and operational methods for each country, which stipulate ways of carrying out an action or process in accordance with the Group’s regulatory framework:
W the Group has established a Group regulatory framework to cover the main risks to its assets. Implementation of this framework is mandatory for all countries;
W the country executive directors have established procedures and operating methods, including control activities required to cover all the strategic, operational and asset risks relating to their businesses.
These procedures and operating methods include and extend the key controls set out in the Group regulatory framework.
B. Dissemination of internal information
The Group ensures that relevant information is properly circulated and conveyed to the individuals concerned so that they can perform their duties in accordance with Group standards and procedures.
W the GroupOnline intranet regularly disseminates information on the life of the Group and provides employees with a number of practical tools, including information on the primary standards and procedures with which they must comply;
W the Group regulatory framework has been communicated to all executive directors responsible for disseminating it;
W procedures setting out best practices and the information reporting process are also communicated to the various countries by the Group’s main departments;
W the Group’s accounting policy is sent to every fi nancial director at the end of each quarter.
Similarly, the countries ensure that relevant information is properly circulated and conveyed to the individuals concerned so that they can perform their duties in accordance with Group standards and procedures.
C. The risk-management system
The risk-management system implemented by the Group relies primarily on identifying, analyzing and addressing risk factors likely to affect people, assets, the environment, the Company’s objectives and its reputation.
The Group incorporates risk management into its day-to-day business practices. Risk management is a job shared by all employees with the aim of developing a risk management culture.
In particular, the system aims to:
W create and preserve the Company’s value, assets and reputation;
W increase the security of the Company’s decision-making and procedures to promote achievement of objectives;
W promote actions consistent with the Company’s values;
W mobilize Company employees to adopt a shared vision of the principal risks.
Risk management within the Group is decentralized to the country executive directors, who are tasked with identifying, analyzing and handling the main risks with which they are faced.
They are supported in this by the Group Risk & Compliance department, which coordinates the deployment of a management and mapping tool for major risks whilst developing mapping of operational risks.
The Risk & Compliance department has also worked on country-by-country mapping of health risks, natural risks, risk of crime and terrorism and legal risk, while conducting studies on emerging risks and supporting certain operational departments. It also supports the Purchasing departments in their knowledge and evaluation of supplier risk.
Twenty-three risk factors have been identifi ed by the Group and are presented in the management report. These factors cover fi ve themes:
the business environment, strategy and governance, operations, fi nancial risks and fi nancial services.
In operational terms, the Group Risk and Compliance department coordinates and leads a network of Risk Prevention directors present in all Group countries. During 2011, Carrefour communicated a Risk Prevention Charter which defi nes the scope of action, the role and responsibilities of the country-level Risk Prevention units, and the ethical rules they must follow.
In each country where the Group operates, a Risk Prevention department is responsible for the security of the Company’s tangible and intangible assets and ensures the safety of persons present on its sites. It is tasked with implementing the human, organizational and technical resources necessary to manage both accidental and intentional risks (natural disasters, malicious acts, theft etc.).
The prevention policy relies on risk mapping, loss analysis and identifi cation of emerging risks as part of its ongoing oversight and specifi c studies.
The Risk and Compliance department prepares a consolidated annual report on the risk prevention function at Group level, with benchmarks between management and performance indicators for the function in each country, in terms of loss, workforce, resources and action plans.
A summary of the results is presented annually to general management so that it can supervise the risk-management system, and specifi cally:
W update the Group risks register;
W update risk maps and the risk assessment and analysis system;
W progress action plans to reduce exposure to risk factors.
For the past several years, the Group’s insurance strategy has focused on providing the best possible protection for people and property.
The Group’s insurance strategy is primarily based on identifying insurable risks through a regular review of existing and emerging risks, in close collaboration with operational managers, the various Carrefour Group departments involved and outside specialists.
The Group’s Insurance department is responsible for covering insurable risks for the entities when national legislation permits it. It is in charge of the subscription and centralized management of insurance policies.
D. Control activities responding to these risks
Control activities are designed to ensure that the necessary measures are taken in order to reduce exposure to three types of risk – strategic, operational and asset – likely to affect the achievement of the Group’s objectives. Control activities take place throughout the organization, at every level and in every function, including prevention and detection controls, manual and IT controls and hierarchical controls.
The Group’s regulatory framework includes control activities aimed at covering asset risks, which include four risk families:
W accounting and fi nancial risks,
W risks associated with the safety and security of property and people, W risks to the continuity, integrity, confi dentiality and security of information
systems,
W contractual obligation, compliance and communication risks.
Control activities are defi ned and implemented by process managers, coordinated by internal controllers who report to members of the Country Executive Committee and to the country executive director.
Coordination of the internal controllers ensures that control activities are methodologically consistent and that risks are comprehensively covered throughout all processes.
Details of internal-control procedures relating to the preparation and processing of accounting and fi nancial information for the corporate and Consolidated Financial Statements are provided in Section 3.6.2.
E. Guidance and monitoring of the internal-control system
Continuous monitoring
Continuous monitoring is organized so that incidents can be pre-empted or detected as rapidly as possible. The framework plays a long-term daily role in the effective implementation of the internal-control system.
Specifi cally, it establishes corrective action plans and reports to general management on signifi cant malfunctions when necessary.
Periodic monitoring
Periodic monitoring takes place through managers and operatives, internal country controllers and the Group Internal Audit department:
W managers and operatives check that the internal-control and risk-management system is functioning correctly, identify the main risk incidents, draw up action plans and ensure that the control and risk-management system is appropriate for the Company’s objectives;
W the internal country controllers periodically check that control activities are being properly implemented and that they are effective against risks;
W the Group Internal Audit department provides the country executive directors and Group general management with the results of their assignments and their recommendations.
In addition, the operational effectiveness of internal control relevant to the preparation of the fi nancial information is subject to audit work by the auditors, which report their conclusions and recommendations to the country executive directors and Group general management.
Each country executive director has established a formal annual self-assessment process:
W which uses standard tools that focus on existing frameworks and are based on an internal-control risk analysis for each activity and on identifi cation of key control points;
W the results of the internal-control self-assessment covering asset risks are centralized periodically at Group Internal Audit level;
W one of the Group Internal Audit department’s objectives in implementing actions is the quantitative measurement, through scoring systems, of the divergence between the self-assessment and the level of internal control determined on the basis of its work. Monitoring these divergences allows the quality of the country’s internal-control self-assessment to be gauged.
3
Guidance and supervision of internal control entails internal country controllers’ monitoring of action plans relating to the internal-control self-assessment and risk mapping processes and of the recommendations of the Group Internal Audit department. The results of the internal-control self-assessment covering asset risks are centralized periodically at Group Internal Audit level.
The fi nal result of the supervision and guidance system is a letter of affi rmation on risk management and internal control signed by the country executive director and the fi nancial director, confi rming their appropriation of and responsibility for internal control in terms of reporting and correcting defi ciencies.
Group general management supervises the internal-control and risk-management system in particular through the minutes of meetings of the following bodies and departments:
W the Ethics Committee;
W the Group Investment Committee;
W the IT Request Management Committee;
W fi nancial committees that guide the Group’s fi nancial policy;
W the Information Systems Governance department;
W the Group Internal Audit department; and
W any other ad hoc committee meeting convened according to the needs identifi ed by general management.
Lastly, the performance of the internal-control supervision and guidance system for accounting and fi nancial risks is presented regularly to the Accounts Committee.
3.6.1.2
Entities and individuals involved in internal control
A. At Group level
Group general management is responsible for the quality of the internal-control and risk-management system. It is also tasked with designing, implementing and supervising the internal-control and risk-management system. It initiates any corrective actions necessary to rectify an identifi ed malfunction and to maintain a situation within the limits of acceptable risk.
It ensures that these actions are successfully implemented.
General management performs its duties in relation to the internal-control and risk-management system through the following structure:
W the Group Finance department is responsible for:
W maintaining the reliability of fi nancial and accounting information, W controlling accounting and fi nancial risks,
W measuring Group performance and budget control;
W the Group Legal department is responsible for:
W establishing the governance policy of Group subsidiaries, W managing the Group’s legal risks;
W the Group Risk & Compliance department is responsible for:
W coordinating the Group crisis-management system;
W the Group Property department is responsible for:
W establishing the Group’s property policy, W managing risks relating to building security;
W the Group Quality department is responsible for:
W establishing product quality and safety policy within the Group, W managing product safety risks,
W coordinating crisis management relating to product safety risks;
W the Group Human Resources department is responsible for:
W establishing human resources management policy within the Group,
W coordinating social risk management;
W the Group Information Systems Governance department is responsible for:
W establishing the information systems management policy within the Group,
W managing risks relating to the continuity, integrity, confi dentiality and security of information systems;
W the Group Insurance department is responsible for setting up insurance to cover the Group’s insurable assets as effectively as possible and according to available capacity on the market, pursuant to Group insurance policies. It works with the Risks & Compliance department to identify risks and implement prevention procedures.
The Board of Directors reports on the principal risks and uncertainties faced by the Group in the management report.
It takes note of the essential characteristics of the internal-control and risk-management systems communicated in a timely manner by the Accounts Committee and general management. In particular, it acquires an overall understanding of procedures relating to the production and treatment of fi nancial and accounting information.
The role of the Accounts Committee set up by the Board of Directors is:
W to assess the effectiveness and quality of the Group’s internal control systems and procedures, to interview the internal audit manager, to give an opinion on the organization of the department and to be informed of its program of work;
W to examine, in conjunction with internal control managers, the objectives and intervention and action plans in the area of internal audit, the conclusions of such interventions and the actions, recommendations and follow-up arising from them;
W to examine the methods and results of the internal audit and check that the procedures used help the fi nancial statements to refl ect a true and accurate picture of the business in accordance with accounting rules;
W to assess the reliability of the systems and procedures used to produce the fi nancial statements and the validity of the positions taken in respect of presenting signifi cant transactions;
W to examine the methods used to report and present accounting and fi nancial information from the subsidiaries and/or operational units;
to examine the draft report on internal control procedures.
3.6.2 DATA RELATING TO INTERNAL ACCOUNTING AND FINANCIAL CONTROL
The Group Internal Audit department is tasked with:
W regularly assessing the operation of the internal-control and risk-management systems related to asset risks, by performing the missions included in the annual audit plan,
W making any necessary recommendations to improve these systems, W helping to develop internal-control tools and frameworks relating to
asset risk.
B. At country level
The country executive director, whether acting directly or by delegation, is responsible for the establishment, operation and supervision of the internal-control and risk-management system at country level. The country executive director is supported by internal controllers, who are tasked with:
W helping to defi ne the country internal-control system, particularly by ensuring that the Group internal-control framework is properly rolled out;
W ensuring that procedures defi ned by the country and the Group are properly applied.
During 2013, the Group continued to enhance its accounting and fi nancial internal-control system by boosting the role of the functional departments and implementing the Corporate Rules.
3.6.2.1