The internal control system applied to the financial reporting process

The internal control system applied to financial reporting aims to provide reasonable certainty of the reliability¹ of the financial information itself, and of the capability of the annual report drafting process to yield financial reporting that complies with the generally accepted accounting principles.

The Management System Guideline (MSG) "Eni Control System over Company Reporting" approved by the Board of Directors on December 15, 2010, which fully transposes the content of the reference Guideline issued in 2007, defines the rules and procedures for planning, implementing and preserving an internal control system applied to Eni's financial reporting with external relevance, as well as for assessing its efficacy. The contents of the MSG have been defined in accordance with the provisions of the aforementioned article 154-bis of the Consolidated Law on Finance and the provisions of US Sarbanes-Oxley Act of 2002 (SOA), to which Eni is subject as an issuer listed on the New York Stock Exchange (NYSE), and are based on the model adopted by the CoSO Report ("Internal Control - Integrated Framework" published by the Committee of Sponsoring Organizations of the Treadway Commission). The MSG applies to Eni SpA and its direct or indirect subsidiaries in compliance with the international accounting principles, on account of their relevance with regard to the drafting of financial reporting documents. All subsidiaries, regardless of their significance in terms of the Eni control system applied to financial reporting, adopt the MSG as the reference system for planning and implementing their own internal control system over financial reporting, and tailor it to their dimensions and complexity of the activities carried out.

The planning, implementation and preservation of the internal control system over financial reporting are guaranteed through:
-   risk assessment,
-   identification of controls,
-   assessment of controls,
-   information flows (reporting).

The risk assessment process conducted using a "top-down" approach is aimed at identifying the organisational entities, processes and specific activities that may generate risk of unintentional errors or fraud that may have a significant impact on the accounts. In particular, the organisational entities that fall within the context of the control system applied to financial reporting are identified both on the basis of the contribution of the various entities to certain items of the consolidated financial statements (total assets, total financial debt, net income, income before tax), and in relation to the existence of processes that present specific risks which – if they materialise – may jeopardise the reliability and accuracy of the financial reporting (such as fraud-related risks)².

In relation to the companies affected by the control system applied to financial reporting, the relevant processes are subsequently identified on the basis of an analysis of quantitative factors (processes that contribute to making up the financial statement entries for amounts exceeding a certain percentage of the income before tax) and qualitative factors (for example: complexity of the accounting treatment of transactions; assessment and estimation processes; new issues or significant changes affecting the business conditions). In relation to the relevant processes and activities, any risks which consist in potential events that – if they materialise – may jeopardise the attainment of the control objectives with regard to financial reporting (for example financial statement assertions), are identified. The identified risks are assessed in terms of their potential impact and probability of occurrence, on the basis of quantitative and qualitative parameters and assuming the absence of a control system (inherent assessment). In particular, with reference to fraud risks³ at Eni, a dedicated risk assessment is implemented based on a specific methodology relative to "Antifraud programs and controls" referred to in the aforementioned MSG. In consideration of the relevant companies, processes and relative risks, a control system was defined based on two fundamental principles, namely the application of a control system to all levels of the organisational structure – in accordance with the assigned operating responsibilities - and the sustainability of controls over time, so as to ensure that their implementation is integrated and compatible with the operational requirements.

The structure of the control system applied to financial reporting includes controls implemented at entity level that operate in a transversal manner with respect to the reference entity (Group/ Division/single Company), in addition to controls implemented at process level. The controls implemented at entity level are based on a checklist defined according to the model adopted in the CoSO Report and based on five components (control environment, risk assessment, control activity, information systems and reporting, monitoring activities).

Of particular importance are the controls relative to the definition of the deadlines for drafting and diffusing the economic-financial results ("half-yearly and financial statement circular" and relative calendars); the existence of organisational structures and of a regulatory framework adequately designed to ensure the attainment of the financial reporting objectives (these controls include, for example, auditing activities and updating carried out by specialised Company units on the Group's regulations concerning financial statements and the Group's accounting plan); training activities with regard to accounting principles and the internal control system applied to financial reporting; and, lastly, the activities relative to the reporting system for the management of the consolidation process (Mastro).

The controls implemented at process level are grouped into the following: specific controls intended as a set of manual or automated activities aimed at preventing, identifying and correcting errors or irregularities that occur during the course of operational activities; pervasive controls intended as structural elements of the control system applied to financial reporting, and aimed at defining a general context that promotes the correct execution and control of operational activities (such as, for example, the segregation of incompatible tasks and the "General Computer Controls" that include any control aimed at guaranteeing the correct operation of IT systems). In particular, among the specific controls, the Company procedures identify the so-called "key controls", the absence or non-functioning of which determines the risk of errors/fraud that impact the financial statements and that cannot be identified by other controls. Both the controls implemented at entity level and controls implemented at process level are subject to evaluation (monitoring) to verify the effectiveness of the design and actual functioning over time; to this aim the following activities have been defined: ongoing monitoring activities – carried out by the management responsible for relevant processes/activities – and separate evaluations – assigned to the Internal Audit Dept. that operates according to a pre-defined plan, transmitted by the CFO/AO – aimed at defining the scope and objectives of the interventions through agreed audit procedures. The monitoring activities allow for identifying any deficiencies in the control system applied to financial reporting that are subject to evaluation in terms of their probability of occurrence and impact on Eni's financial reporting and, based on their relevance, are qualified as "deficiencies", "significant weak points" and "relevant deficiencies".

The results of the monitoring activities are included in a periodic information flow (reporting) on the state of the control system applied to financial reporting: this information flow is guaranteed by the use of computerised instruments that allow for tracking any information on the adequacy of the plan and functioning of the controls. On the basis of this reporting activity, the CFO/AO drafts a report on the adequacy and actual implementation of the control system applied to financial reporting. This report – following the approval by the CEO – is submitted to the Board of Directors, prior review by the Internal Control Committee, during the approval of the draft annual financial statements and half-yearly financial statements, in order to ensure the execution of the aforementioned supervisory activities and evaluations regarding the internal control system applied to financial reporting. Furthermore, the above-mentioned report is transmitted to the Board of Statutory Auditors, in its role of Audit Committee pursuant to US legislation. The activity of the CFO/AO is supported within Eni by various people, whose roles and responsibilities are defined in the aforementioned MSG. In particular, the control activities involve all levels of Eni's organisational structure, from the operational business managers and unit managers to the executives and CEO. In this organisational context, a particularly important role in terms of the internal control system is carried out by the so-called "Risk owner", who carries out ongoing monitoring evaluating the plan and effectiveness of specific and pervasive controls, in addition to providing information for drafting reports on the monitoring activities and any deficiencies encountered, in order to ensure the timely identification of any necessary corrective actions.

¹Reliability (of the statement): a statement possessing the characteristics of correctness and conformity to generally accepted accounting principles, and satisfying the requirements of the laws and applicable regulations.

²The organisational entities falling within the internal control system include companies incorporated and regulated in accordance to the laws of Countries outside the European Union, to which the provisions of article 36 of the Consob Market Regulation applies.

³Fraud: in the context of the control system, any act or intentional omission that generates a deceptive statement in the reporting.