The internal control and audit system

The internal control system helps control business activities, and there- fore to prevent and manage risks facing the company. RATP group relies on three levels of internal controls:

• On-going controls, or fi rst level controls, to control the quality of transac- tions and ensure that procedures and regulations are followed; • Periodic controls, or second and third level controls, to detect major weak-

nesses in the fi rst level control system and provide reasonable assurance that activities are controlled at the corporate level.

.. FIRST LEVEL CONTROLS: FIRST LINE MANAGERS

At the local level, RATP internal control is under the direct responsibility of managers who exercise fi rst level controls closest to operations. It includes on-going controls by line managers.

Operational managers play a key role. They are responsible for following the instructions and guidelines set by executive management, implementing production processes in compliance with current legislation and policies, performing checks at the local level and providing users with high quality transport services.

Support and control groups are on hand to assist managers in achieving their goals by providing expertise and measuring performance. The man- agement control, human resource, and procurement functions perform these roles.

.. SECOND LEVEL CONTROLS: OPERATIONAL

CONTROLS AT DEPARTMENT OR UNIT LEVEL

To the fi rst level controls are added inspection and control structures in the company’s various departments, independent from operating departments. Operational controls at the department or unit level ensure, on a regular basis, that fi rst level controls are in place and eff ective.

Operational controls mainly include:

• Transport and service controls performed per type of control (transport or maintenance inspections);

• Specialized audits within each department (e.g. service department and department on multimodal passenger service areas);

• Systems risk management;

• Quality controls within each department.

Operational controls ensure the decentralized management of operational risks relating to the company’s various business activities. The Risk Man- ager works alongside the departments and units to share knowledge and increase involvement in risk management company-wide.

.. THIRD LEVEL CONTROLS:

COMPANYWIDE FUNCTIONS

The Internal Audit department (IA), which reports to the President, is responsible for the following on behalf of Executive Management: • Conducting internal audits to “provide assurance on the level of control

over operations by auditing and assessing the business activities of RATP group”4_;

• Conducting general inspections to provide Executive Management non- biased information on sensitive matters5_;

• Providing guidance on change management.

The Internal Audit work is part of an annual plan established on the basis of input from members of the Executive Committee6 _{and the main risks}

identifi ed during RATP’s risk mapping process. When each audit is com- pleted, a written report is sent to the Chief Executive Offi cer and other members of the Executive Committee, and to the heads and managers of the departments and units directly concerned. The heads and managers of the audited departments and units are asked to draft an action plan within two months of the audit. The action plan is approved by the Head of Inter- nal Audit. Implementation of the plan is monitored by Internal Audit staff and the individual who commissioned the audit.

The Group audit provides input for executive decision-making on company change policy implemented through the Business Plan:

• The audit focuses on the company’s major risks (fi nancial and regula- tory) and strategic priorities, including economic performance, process effi ciency and high quality management;

• The audit responds rapidly to the company’s needs and ad-hoc assign- ments are performed alongside the planned annual work, as required; • The audit methods are aimed at inciting the audited units to share fi nd-

ings and implement corrective measures (fi ndings are objective and quan-

4 Instruction 432 D of November 2013, Art. 2.2. 5 Instruction 541 of November 2011.

6 Members of the Executive Committee, department heads and delegates.

tifi ed, their analysis is transparent, draft written reports are submitted by the audited units for discussion of audit fi ndings);

• A new general instruction (IG 541) was issued in November 2011 updat- ing the scope and terms of the inspections;

• A new general instruction (IG 432D) was issued in November 2013 updat- ing internal audit action by setting forth a new type of internal audit: the fl ash audit. IG 432D also requires that working plans and the fi ndings of audits/inspections be transmitted by other audit/inspection units in the company.

Internal Audit staff perform rigorous monitoring of post-audit action plans. With some “fl ash audits”, monitoring makes it possible to more eff ectively track the actions recommended when there are major malfunctions. Finally, the Inspector-General head of the Internal Audit is responsible for liaising with the audit and internal control business lines on behalf of RATP Group. He provides advice and enforces ethics and methods among all department audit and business line inspection structures, and heads the Internal Control network which aims to:

• Organize the internal control process within the company;

• Implement cooperative relationships and pool work between company audit and inspection teams;

• Develop professionalism in the “Audit and Internal Controls” family by imparting a shared methodology, encouraging dialogue on items con- trolled and progress detected after audits and inspections, and sharing and leveraging best practices;

• Draw on work performed, fi elds of activity, and the members of the inter- nal audit network and their teams to improve skills.

The Internal Audit network met fi ve times in 2013 and worked on: • New, more operational architecture for the collaborative forum dedicated

to the “Audit Community” (Wiki Audit);

• An updated chart of the company audit and inspection units; • Communicating the fi ndings of work performed;

• Developing coordination with the work of the Risk Management team; • Identifying possible areas for joint work with the Head of the Railway

Safety Unit.

The Inspectorate General for Fire Safety, which reports to the President, is responsible for issuing a formal opinion on:

• Compliance with the general provisions of the security rules governing fi re safety and the panic risk in public establishments:

− Administrative applications for building permits, construction authoriza- tions and requests to build, renovate or refurbish areas open to or used by the public, such as the train and metro stations operated by RATP; − Completed building work in public areas such as stations, during the

preliminary inspections prior to opening to the public; − Continued operation of stations, during periodic controls.

• Compliance of guided transport infrastructure with basic safety require- ments to avoid fi re and panic risk and deal with the consequences of accidents.

The Fire Safety Unit provides technical support to the Inspectorate Gen- eral for Fire Safety as set out in Article 2 of the Order of December 24, 2007 approving the safety rules governing fi re safety and panic risk in sta- tions.

The following were the main endeavours of the Inspectorate General for Fire Safety in 2013:

• Setting up specifi c monitoring to ensure that the fi ve-year checks on the escalators are performed by an accredited body;

• Seeking regulatory approval for a mobile walk-through smoke curtain, as a smoke barrier;

• Controlling the true-to-scale fi re behaviour test of a T6 tramway car; • Preliminary inspections of the George V metro station renovations (plat-

form facings) prior to opening to the public.

The Corporate Risk Management unit conducts inquiries and performs appraisals on incidents relating to railway equipment, rolling stock, build- ings and civil engineering. The associated action plans are systematically drawn up and monitored.

Until June 1, 2013, the Corporate Risk Management unit performed operat- ing safety audits on the basis of an annual program approved by executive management upon the advice of the director of the infrastructure man- agement department. After the audit on the operating safety of the trac- tion power systems on the tramway and regional express service networks fi nished, another audit was started on the metro screen doors:

• Review of documentation;

• Overall system analysis (scope of responsibility among the various stake- holders);

• Tests and controls during maintenance operations.

As of June 1, 2013, the Railway Safety Unit (DGSF) performs these audits. The Railway Safety Unit was created on July 1, 2012 and reports to the President. Its role is to monitor railway safety procedures throughout the company. It enforces the railway safety policy, structures and guidelines set by executive management through a systemic approach, defi ned by the Chief Executive Offi cer.

The management and implementation of RATP’s railway safety policies have been delegated by the Chief Executive Offi cer to the Railway Safety Unit. Railway safety policies concern infrastructure, technical installations, vehicles and operating, maintenance and control policies. The Railway Safety Unit sets out the framework to be followed by all of the company’s railway safety managers. Responsibility for enforcing the railway safety guidelines issued by the Railway Safety Unit is delegated to the directors of the departments and operating units.

The head of the Railway Safety Unit may request professional advice, as appropriate, from the various departments (e.g. railway engineers, inspec- tors, general safety controllers). The Unit is sent all surveys, studies and reports conducted on railway safety incidents.

It audits rail security and suggests preventive and corrective measures in conjunction with the departments concerned. These audits are performed in compliance with French standard NF EN ISO 19 011 of December 2002. To complement the above-mentioned audit on metro screen doors, a safety audit on track surveillance for the metro, RER and tramway lines was started in 2013.

The Unit is responsible for RATP and its subsidiaries. It is authorized to conduct investigations in all Group entities, and consequently may be

involved in the safety aspects of an RATP Dev project or service conces- sion arrangement.