The Internal Audit Department (managed by Maurizio Bonzi) plays a significant role in the internal control system with the principal task of assessing the adequacy and functional operation of Pirelli’s control processes, through independent assurance and consultancy activities.
The Internal Audit Department’s activity is performed in line with the mandate received and duly approved by the Committee for Internal Control and Corporate Governance, in compliance with international standards, in relation to the following aspects:
- targets and responsibilities (independence, complete access to information, field of activity, disclosure of results);
- improving the quality of the internal audit activities;
- principles of professional conduct;
- professional reference standards.
The Internal Audit function Manager (who does not have responsibility for any operational area) reports hierarchically to the Chairman and CEO and functionally to the CICRCG and to the Board of Statutory Auditors.
The Internal Audit Department operates on the basis of an annual audit report approved in advance by the CICRCG and subsequently by the Board of Directors.
The companies and corporate departments “subject” to possible audits are identified once a year to define the Audit Plan and these are subsequently classified in relation to the need to ensure “coverage” and their respective degree of risk. The following factors are involved in defining the (risk-based) ranking: (i) the level of control identified in the previous audits performed in the specific company and/or organisational unit; (ii) the “vulnerability” factor in relation to specific assessments which take into account, by way of example, country risk, market risk, the size and organisational complexity, recent organisational changes made, the extent of any critical aspects identified, the time that has elapsed since the last audit (iii) the Company’s impact on the Group in relation to the consolidated data, in terms of the operational results or the invested capital, as well as (iv) the risk assessment activities performed during the previous financial year.
The Audit Plan evidently does not have a rigid structure, since the Plan can be integrated during the financial year in relation to specific control requirements.
Specific interventions were also performed on the information systems, including the accounting-related information systems, in the framework of the audit activities.
The Internal Audit function Manager reports, on a quarterly basis, to the CICRCG, to the Board of Auditors and sends a report to the Board of Directors on a half-yearly basis outlining the activity performed. In particular, the Internal Audit function Manager reports on the outcomes of the audits performed, compliance with the action plans defined and expresses an assessment relating to the suitability of the internal control system.
In addition to the Internal Audit Management, the internal control system is completed by the following:
- a planning and control system, structured by sector and operating unit that produces a detailed monthly report for the top management to provide the top management with a useful tool to supervise the specific activities;
- the Group Compliance Function that reports to the Legal, Corporate Affairs and Group Compliance Manager (therefore, separate from the Internal Audit Management), called on to collaborate with the other group functions in order to guarantee the constant alignment of the internal regulations, processes, and more in general, the business activities with the applicable regulatory framework;
- the “whistleblowing policy”, amended during the 2013 financial year, also gives the “external community” the possibility of reporting forms of conduct which can represent a breach, or incitement to breach laws and regulations, principles sanctioned in the Code of Ethics, internal control principles, policies, corporate rules and procedures and/or which may produce direct or indirect economic-equity damage or damage the reputation of Pirelli.
The Procedure envisages the express protection against reprisals of any nature in relation to the reporting persons or the employees who collaborated with the in-depth investigation to verify the grounds of the notification.