Internal Control and Risk Management System
The Company’s Internal Control System (hereinafter, ICS) is an element of the Company’s general management system. ICS covers all of the Сompany’s activities, control procedures are ongoing in all processes (businesses), at all management levels and are aimed at ensuring achievement of goals in the following areas:
- effective, cost-efficient, and successful management of the Company’s business activities;
- compliance with statutory and regulatory requirements applicable to the Company’s business activities as well as the Company’s internal documents requirements;
- prevention of unlawful actions of the Company employees and third parties towards the Company’s assets;
- data reliability, full scope and timeliness of all types of reports.
For the purpose of the implementation of the ICS development and improvement strategy for PJSC ROSSETI and its subsidiaries the Internal Control Policy of PJSC IDGC of the North-West was approved in 2014. The Internal Control Policy defines the goals, principles, and elements of the Company’s ICS, key functions, and responsibility of ICS parties, as well as procedure for ICS efficiency assessment.
Board of Directors
- Defining strategy for ICS development in the Company;
- Approval of main internal regulations of the Company pertaining to internal control, risk management, and internal audit;
- Creating efficient internal control processes, including review of reports and decision-making on system, key, and problematic internal control issues.
- Control over the Company’s business activities;
- Independent assessment of the reliability of data in the Company’s annual report and annual statutory financial statements.
Audit Committee of the Board of Directors
- Preliminary review of the Company’s internal documents relating to the strategy, processes and development of the Company’s ICS before their approval by the Company’s Board of Directors;
- Control over completeness, accuracy, and reliability of the issuer’s financial statements;
- Control over reliability and effectiveness of ICS, including ICS efficiency assessment, development of proposals for ICS improvement;
- Ensuring independence and objectivity of internal and external audit functions;
- Control over the selection of an external auditor, its independence, and overall effectiveness of the external audit;
- Control over regulatory compliance and reporting to the executive bodies on any violations.
Company’s Management Board
- Review and analysis of the Company’s ICS performance reports, including ICS status reports.
- Ensuring creation and ongoing functioning of an effective and reliable ICS in the company;
- Submission of Company’s and subsidiaries’ ICS improvement proposals to the Board of Directors in the Company.
Managers of blocks and structural units
- Ensuring implementation of the ICS principles;
- Organizing an efficient control environment for the processes (businesses activities) under their coordination;
- Ensuring regulation of the processes (businesses activities) under their coordination;
- Assessment of the processes (businesses activities) under their coordination for the need of their optimization to improve the performance and compliance with changing external and internal environment; and development of proposals for the improvement of control procedures;
- Ensuring elimination of any identified defects in control procedures and the control process environment;
- Managing risks of the processes (businesses activities) under their coordination and implementation of control procedures;
- Responsibility for efficient achievement of operating goals of the processes (businesses activities) under their coordination.
Employees of the Company’s structural units implementing control procedures as part of their job responsibilities
- Implementation of ICS control procedures in accordance with job descriptions and approved regulations;
- Monitoring of ICS control procedures implementation;
- Self-assessment of the effectiveness of ICS control procedures implementation and involvement in ICS improvement efforts.
Risk Management and Internal Control Division
- Develops and ensures the implementation of major and methodology documents for the development of ICS and risk management system;
- Coordinates actions aimed to ensure and monitor the target state of the ICS and risk management;
- Develops information on ICS status for all stakeholders;
- Helps the Company’s management in developing control environment, recommendations for the integration of control procedures into business processes and assigning responsibility among employees;
- Government and regulator relations in the field of internal control;
- Relations with the external auditor of the Company and its subsidiaries on ICS and risk management performance.
Internal Audit Division
- Develops recommendations on the improvement of control procedures and ICS components (elements) based on internal audit results;
- Provides internal independent assessment of the ICS effectiveness and prepares recommendations for improvement of the ICS effectiveness.
To ensure the ICS efficiency and its compliance with changing requirements and conditions, the Company conducts assessment of the ICS effectiveness — its compliance with target state and maturity level.
The Company faces the challenge of implementing a range of measures aimed at the development and improvement of the internal control system and risk management, proposed in the Performance Report on the Company’s internal control for 2014, including improvement of the internal audit function, thus ensuring the higher level of the internal control and risk management system maturity.
In the reporting year, the Company took the following key measures aimed at improving ICS:
- A new version of the Company’s Articles of Association was approved with amendments introduced in accordance with the Corporate Governance Code recommended by the Central Bank of the Russian Federation (Letter dated April 10, 2014). The competence of the Company’s Board of Directors was supplemented with the following new powers: determination of the principles and approaches for the Company’s risk management and internal control system; assessment of key operational risks (financial and non-financial); determination of acceptable risk values for the Company; organization of the risk management and internal control system analysis and assessment at least once a year; annually examination of issues related to the organization, functioning and efficiency of the risk management and internal control system in the Company; control over and organization of the Company’s internal audit division, including approval of the internal audit division’s activity plan, the report on the internal audit division’s activity plan implementation and the budget of the internal audit division, approval of appointment and termination of appointment and determination of remuneration of the head of the internal audit division.
- The new version of the Regulations for the Audit Committee was approved.
- Regulations and methodology documents on the internal control system and risk management were updated.
- The risk management process and planning guidelines were approved.
- Business planning and risk management system were integrated, key risks were compared with the key performance indicators in the business plan.
- Consultation sessions for key operational risk owners were organized by the Internal audit and control department (IA&C Department).
- A comparative assessment of resources required to implement risk management activities, including financial, human, and other resources (with a focus on the cost of activity), and resources spent on the risk management activities implementation is made by the risk owners as part of their risk reports on a quarterly basis.
- Heads of IA&C Department have access to internal control automation software AuditModern.
- Vacant positions in IA&C Department are filled.
- Internal independent assessment of ICS performance is carried out by the Company’s internal auditor.
- The ICS maturity level in 2014 was assessed by IA&C Department as moderate. No external independent assessment was carried out.
Internal independent assessment of ICS performance is carried out by the Company’s internal auditor. The ICS maturity level in 2014 was assessed by IA&C Department as moderate. No external independent assessment was carried out.
In order to further implement the ICS Development Strategy in 2016 actions to improve ICS and increase its maturity level will be planned on the basis of the results of the ICS assessment for 2015 by the Company’s auditor.
Internal Audit Division of the Internal Audit and Control Department is responsible for internal control in the Company. Internal audit functionally reports to the Company’s Board of Directors which means that the Board of Directors exercises control and aligns internal audit, including approval of the internal audit division’s activity plan, the report on the internal audit division’s activity plan implementation and the budget of the internal audit division, approval of appointment and termination of appointment and determination of a remuneration of the head of the Internal audit division.
Key goals of internal audit:
- provide the Company’s Board of Directors / Board of Directors’ Audit Committee and executive bodies with independent and unbiased guarantees certifying that the Company has adequate internal control, risk management, and corporate governance systems;
- assist Company management in building efficient internal control, risk management, corporate governance systems through consultations.
In 2015, there were six people in internal audit and actual internal audit headcount varied between 3 and 5 employees.
In accordance with the 2015 Action Plan, IA&C Department carried out eight audits of the executive management and branches of the Company. It also audited implementation of corrective actions based on the results of the Karelenergo branch’s business activities audit for nine months of 2014 conducted in Q4 2014.8 audits of the executive management and BRANCHES of the Company in 2015
269 corrective actions to eliminate and prevent in the future violations and defects identified by the internal auditor were prescribed as a result of control activities carried out by the internal auditor in 2015. All of the 222 corrective actions with the deadline in the reporting year were taken. The due date is pending for 47 corrective actions.
Corrective measures are followed up by the Board of Directors’ Audit Committee by reviewing periodical reports of the Company’s management on corrective actions taken to eliminate any deficiencies identified by the Company’s Auditing Commission, internal auditor, and external regulatory authorities.