
DEFINITION OF THE INTERNAL-CONTROL SYSTEM AND RISK MANAGEMENT

The internal-control system, which comprises a set of resources, patterns of conduct, procedures and actions adapted to the individual characteristics of each Group company:

■contributes to the control of its activities, the efficiency of its operations and the efficient utilization of its resources;

■enables it to take into consideration, in an appropriate manner, all major risks of an operational, financial or compliance-related nature.

More specifically, the internal-control system is designed to ensure:

■that the Group’s economic and financial objectives are achieved in accordance with laws and regulations;

■that instructions and directional guidelines fixed by general management in respect of internal control and risk management are applied;

■that the internal processes are functioning correctly, particularly those contributing to the security of assets;

■that financial information is reliable.

By helping to prevent and control the risks that may prevent the Group from achieving its objectives, the internal-control system plays a key role in the management and oversight of its activities. However, as the AMF reference framework underscores, no matter how well designed and properly applied, an internal-control system cannot fully guarantee that the Group’s objectives will be achieved. There are inherent limitations in all internal-control systems, which arise, in particular, from uncertainties in the outside world, the exercise of judgement or problems that may occur due to technical or human failure, or simple error.

SCOPE

The internal-control and risk-management system presented in this section is implemented in the Company and at all its fully consolidated subsidiaries, and is not limited to a set of procedures or merely to accounting and financial processes.

3.6.1.1 Components of internal control and risk management

A. Organisation

Customers and consumers lie at the heart of everything the Carrefour group undertakes. The Company is organized geographically to ensure that the specific needs and interests of local customers and consumers are addressed most effectively and its operations are optimally responsive. Each country serves as a basic link in the Group’s organization. The internal-control and risk-management system is based on this organizational principle:

■General Management sets the reference framework for the Group’s internal-control and risk-management system. Its role is to coordinate, lead, and continuously supervise internal-control and risk-management systems;

■at country level, each country executive director adopts and implements the internal-control and risk-management principles.

Using various procedures and control measures, with a system of Group rules, the Group has set up a formal control environment with a Code of Professional Conduct and determination of the powers, responsibilities and objectives assigned at each level of the organization, according to the principle of the separation of tasks:

■at country level, the Group rule system is reflected in precise operating procedures; it is the tool with which each country conducts its internal controls, which are, in turn, audited by the Group;

■the Code of Professional Conduct is provided to every Group employee. The Code establishes the ethical framework within which all Carrefour employees must conduct their activities on a day-to-day basis;

■the Group has established rules of governance limiting the powers of the corporate officers of each legal entity in some areas that require prior approval by the Board of Directors or the equivalent body in each entity concerned;

■the powers and responsibilities of key employees are defined in delegations of powers and responsibilities established in accordance with hierarchical and functional organizational charts. This structure complies with the principle of the separation of tasks;

■lastly, this structure is conveyed by a management framework that is underpinned by medium-term objectives organized according to country and by the steering of activities orientated in line with annual budget targets and corresponding to individual plans.

Through its policies, the Human Resources department:

■ensures the proper availability level of resources, suitable for current and future business requirements;

■monitors employees’ career development and commitment;

■ensures high-quality industrial relations;

■defines the framework for the remuneration policy and corporate benefits and guides the associated commitments;

■helps to create a culture of collective development and performance.

The information systems aim to respond to needs and satisfy requirements regarding information security, reliability, availability and traceability:

■at Group level, the accounting and financial information system is based on reporting and consolidation for preparation of the Consolidated Financial Statements and measurement of the Group’s operating performance;

■the country executive directors are responsible for their own information systems, and have implemented measures to ensure system security and digital data integrity.

B. Functioning of internal processes

Each process is subject to formal procedures and operational methods for each country, which stipulate ways of carrying out an action or process in accordance with the Group’s regulatory framework:

■the Group has established a regulatory framework to cover the main risks to its assets. Implementation of this framework is mandatory for all countries;

■the country executive directors have established procedures and operating methods, including control activities required to cover all the strategic, operational and asset risks relating to their businesses and organization. These procedures and operating methods include and extend the key controls set out in the Group regulatory framework.

C. Internal dissemination of information

The Group ensures that relevant and reliable information is disseminated and conveyed to the individuals concerned so that they can perform their duties in accordance with Group standards and procedures:

■the GroupOnline intranet provides employees with a number of practical tools, including information on the primary standards and procedures with which they must comply;

■the Group regulatory framework has been communicated to all executive directors responsible for disseminating it;

■procedures setting out best practices and the information reporting process are also communicated to the various countries by the Group’s main departments;

■the Group’s accounting policy is sent to every financial director at the end of each quarter.

Similarly, the countries make sure to relay relevant and reliable information to the individuals concerned so that they can perform their duties in accordance with Group standards and procedures.

D. The risk-management system

The risk-management system implemented by the Group relies primarily on identifying, analyzing and addressing risk factors likely to affect people, assets, the environment, the Company’s objectives and its reputation.

The Group integrates major risks management into its day-to-day business practices.

Risk management is a job shared by all employees with the aim of developing a risk management culture.

In particular, the system aims to:

■create and preserve the Company’s value, assets and reputation;

■increase the security of the Company’s decision-making and procedures to promote achievement of objectives;

■mobilize Company employees to adopt a shared vision of the principal risks and raise their awareness of the risks inherent in their business.

The country executive directors, with the support of the Risks & Compliance department, are responsible for risk management within the Group.

The country executive directors:

■perform regulatory watch and recognize impacts;

■establish procedures and suitable measures for preventing and protecting against occurrence and limiting impacts;

■manage incidents;

■notify general management of any event that is likely to have an impact on the Group’s image or financial performance.

Adopting and implementing risk management principles is delegated to the country executive directors, whose mission is to identify, analyse and handle the main risks they incur.

The Risk & Compliance department leads the risk management system and provides methodological support to the operational and functional departments through the deployment of an assessment and mapping tool for major risks whilst developing mapping of operational risks.

Twenty-three risk factors have been identified by the Group and are presented in the management report. These factors cover five themes: the business environment, strategy and governance, operations, financial risks and financial services.

The risk assessment tool is completed each year by the country executive directors on the basis of identified risk factors. These assessments are reviewed during an interview with the Risk & Compliance department.

The Risk & Compliance department has also worked on mapping risks from external sources, health risks, natural risks, risk of crime and terrorism and legal risk, while conducting studies on emerging risks and supporting certain operational departments. It also supports the Purchasing departments in their knowledge and evaluation of supplier risk.

In operational terms, the Group Risk and Compliance department coordinates and leads a network of Risk Prevention directors present in all Group countries. During 2011, Carrefour communicated a Risk Prevention Charter which defines the scope of action, the role and responsibilities of the country-level Risk Prevention units, and the ethical rules they must follow.

In each country where the Group operates, a Risk Prevention department is responsible for the security of the Company’s tangible and intangible assets and ensures the safety of persons present on its sites. It is tasked with implementing the human, organisational and technical resources necessary to manage both accidental and intentional risks (natural disasters, malicious acts, theft etc.).

The safety of persons and property is one of the essential elements of the risk management system, ensuring:

■protection suitable for the Group’s clients, employees, service providers and sites;

■regulatory compliance of sites throughout the country where the Group does business;

■protection and enhancement of the Company’s image and reputation.

The prevention policy relies on risk mapping, loss analysis and identification of emerging risks as part of its ongoing oversight and specific studies.

The Risk and Compliance department prepares a consolidated annual report on the risk prevention function at Group level, with benchmarks between management and performance indicators for the function in each country, in terms of loss, workforce, resources and action plans.

An alarm and crisis management system is set up by each country executive director through a formalized crisis management organization that deals with the major scenarios likely to affect the continuity of operations.

For the past several years, the Group’s insurance strategy has focused on providing the best possible protection for people and property.

The Group’s insurance strategy is primarily based on identifying insurable risks through a regular review of existing and emerging risks, in close collaboration with operational managers, the various Carrefour group departments involved and outside specialists.

The Group’s Insurance department is responsible for covering insurable risks for the entities when national legislation permits it. It is in charge of the subscription and centralised management of insurance policies.

E. Control activities covering these risks

Control activities are designed to ensure that the necessary measures are taken in order to reduce exposure to the strategic, operational and asset risks likely to affect the achievement of the Group’s objectives.

Control activities take place throughout the organization, at every level and in every function, including prevention and detection controls, manual and IT controls and hierarchical controls.

The Group’s regulatory framework is aimed at covering asset risks and includes:

■accounting and financial risks;

■risks associated with the safety and security of property and people;

■risks to the continuity, integrity, confidentiality and security of information systems;

■contractual obligation, compliance and communication risks.

Control activities are defined and implemented by process managers, coordinated by internal controllers who report to members of the Country Executive Committee and to the country executive director.

Coordination of the internal controllers ensures that control activities are methodologically consistent and that risks are comprehensively covered throughout all processes.

Details of internal-control procedures relating to the preparation and processing of accounting and financial information for the corporate and Consolidated Financial Statements are provided in Section 3.6.2.

F. Guidance and monitoring of the internal-control system and risk management system

Continuous monitoring

Continuous monitoring is organized so that incidents can be pre-empted or detected as rapidly as possible. The framework plays a long-term daily role in the effective implementation of the internal-control system.

Specifically, it establishes corrective action plans and reports to general management on significant malfunctions when necessary.

Periodic monitoring

Periodic monitoring takes place through managers and operatives, internal country controllers and the Group Internal Audit department:

■managers and operatives check that the internal-control and risk-management system is functioning correctly, identify the main risk incidents, draw up action plans and ensure that the control and risk-management system is appropriate for the Company’s objectives;

■the internal country controllers periodically check that control activities are being properly implemented and that they are effective against risks;

■the Group Internal Audit department provides the country executive directors and Group general management with the results of their assignments and their recommendations.

In addition, the operational effectiveness of internal control relevant to the preparation of the financial information is subject to audit work by the auditors, who report their conclusions and recommendations to the country executive directors and Group general management.

Each country executive director has established a formal annual self-assessment process:

■which uses standard tools that focus on existing frameworks and are based on an internal-control risk analysis for each activity and on identification of key control points;

■the results of the internal-control self-assessment covering asset risks are centralized periodically at Group Internal Audit level;

■one of the Group Internal Audit department’s objectives in implementing actions is the quantitative measurement, through scoring systems, of the divergence between the self-assessment and the level of internal control determined on the basis of its work. Monitoring these divergences allows the quality of the country’s internal-control self-assessment to be gauged.

Guidance and supervision of internal control entails internal country controllers’ monitoring of action plans relating to the internal-control self-assessment and risk mapping processes and of the recommendations of the Group Internal Audit department. The results of the internal-control self-assessment covering asset risks are centralized periodically at Group Internal Audit level.

The final result of the supervision and guidance system is a letter of affirmation on risk management and internal control signed by the country executive director and the, confirming their appropriation of and responsibility for internal control in terms of reporting and correcting deficiencies.

Group general management supervises the internal-control and risk-management system in particular through the minutes of meetings of the following bodies and departments:

■the Ethics Committee;

■the Group Investment Committee;

■the IT Request Management Committee;

■Financial committees that guide the Group’s financial policy;

■the Information Systems Governance department;

■the Group Internal Audit department;

■any other ad hoc committee meeting convened according to the needs identified by general management.

Lastly, the performance of the internal-control supervision and guidance system for accounting and financial risks is presented regularly to the Accounts Committee.

3.6.1.2 Entities and individuals involved in internal control and risk management

A. At Group level

Group general management is responsible for the internal-control and risk-management systems. It is also tasked with designing, implementing and supervising the internal-control and risk-management systems suited to the size of the Group, its activity and its organization.

It initiates any corrective actions necessary to rectify an identified malfunction and to maintain a situation within the limits of acceptable risk. It ensures that these actions are successfully implemented.

General management performs its duties, in relation to the internal-control and risk-management systems, which also include defining the roles and responsibilities in that regard in the Group.

Group general management has created the following structure:

the Group Finance department is responsible for:

maintaining the reliability of financial and accounting information,

controlling accounting and financial risks,

measuring Group performance and budget control,

following Group investment procedure;

the Group Legal department is responsible for:

the governance policy for legal services,

establishing the governance policy of Group subsidiaries,

managing the Group’s legal risks;

the Group Risks & Compliance department is responsible for:

identifying, analysing, evaluating and treating risks within the Group in support of the country executive directors,

company-wide risk prevention policy,

managing risks associated with the safety and security of property and people,

leading the Group ethics system,

coordinating the Group crisis-management system;

the Group Property department is responsible for:

establishing the Group’s property policy,

managing risks relating to building security;

the Group Quality department is responsible for:

establishing product quality, health and safety policy within the Group,

managing product safety risks,

coordinating crisis management relating to product safety risks;

the Group Human Resources department is responsible for:

establishing human resources security policy within the Group,

coordinating social risk management;

the Group Information Systems Governance department is responsible for:

establishing the information systems management policy within the Group,

managing risks relating to the continuity, integrity, confidentiality and security of information systems;

the Group Insurance department is responsible for setting up insurance to cover the Group’s insurable assets as effectively as possible and according to available capacity on the market, pursuant to Group insurance policies. It works with the Risks & Compliance department in transferring a portion of the risks to the insurance market.

The Group Internal Audit department is tasked with:

■assessing the operation of the internal-control and risk-management systems related to asset risks, by performing the missions included in the annual audit plan;

■regularly monitoring and making any necessary recommendations to improve these systems;

■leading and consolidating the annual self-assessment campaigns to develop internal-control tools as carried out by the executive director.

The Board of Directors reports on the principal risks and uncertainties faced by the Group in the management report.

It takes note of the essential characteristics of the internal-control and risk-management systems communicated in a timely manner by the Accounts Committee and general management. In particular, it acquires an overall understanding of procedures relating to the production and treatment of financial and accounting information.

The role of the Accounts Committee set up by the Board of Directors is:

■to assess the effectiveness and quality of the Group’s internal control systems and procedures, to interview the internal audit manager, to give an opinion on the organization of the department and to be informed of its program of work;

■to examine, in conjunction with internal control managers, the objectives and intervention and action plans in the area of internal audit, the conclusions of such interventions and the actions, recommendations and follow-up arising from them;

■to examine the methods and results of the internal audit and check that
