The second line comprises the Group support functions, which lead and coordinate the implementation of the Group policies for which they are responsible.
The Group risk mapping comprises:
These risks are laid out in § 2.2 “Risks to which the Group is exposed”. In addition, some risks are detailed in section 3, in particular risks related to climate and environmental issues, duty of care, and personal health and safety.
On the basis of the risk maps and activity control reports drawn up by the Group’s entities and subsidiaries (1st line of control), supplemented by cross-reviews with the 2nd line of control and with the Internal Audit Department, the Group’s Risk Management Department draws up a consolidated map of its major risks. This map includes an overall assessment of internal control, and provides Management and the governance bodies with a consolidated, prioritised and regularly updated view of the major risks, and their level of control. This mapping is validated by the Risk Committee and is presented to the Board of Directors after examination by the Audit Committee.
The Group’s audit unit is composed of all of the Group’s internal audit resources. Pursuant to a decision of the Chairman and Chief Executive Officer, this unit is led by the Group Audit Director. It includes the Internal Audit Department (“IAD”, reporting to the General Secretary) and audit teams specific to each of the main French and foreign subsidiaries. The relationship between the IAD and audit teams of the operators of regulated infrastructure, and also their respective prerogatives, have been defined to ensure compliance with the principle of management independence. The IAD carries out functional supervision of the unit (co-appointment and co-assessment of the subsidiaries’ Audit Directors by the IAD – excluding Enedis –, sharing best practice, training, sharing tools and methods, etc.). At the end of 2022, the Group audit unit consisted of 70 FTE employees.
The IAD applies the international standards defined by the Institute of Internal Auditors and monitors compliance with them.
The remits, powers and responsibilities of the auditors as well as the rights and duties of the audited parties are defined in a charter issued in July 2019. It sets out the fundamental principles governing audits, the procedures for drawing up the programme, the types of assurance assignments entrusted to it, and the duties of the audited parties and auditors. It includes a code of ethics applicable to the entire audit function. This Code is aimed at promoting an ethical culture, and recalls that the auditor must comply with and apply certain basic principles relevant to the profession and the conduct of internal audits.
The Internal Audit Department has direct access to the Chairman and Chief Executive Officer. It reports on assignments to the Audit Committee, which issues an opinion on the risk-based internal audit, reviews the performance of audits and verifies the matching of the resources dedicated to internal audits with the workload. The IAD’s processes, from the definition of the audit programme to the monitoring of action plans, are all outlined and managed.
Auditors are trained in the same methodology, in line with international standards, and are evaluated at the end of each assignment. The IAD’s processes for all the above-mentioned activities (from the definition of the audit programme to the monitoring of action plans) are outlined and managed. The audit unit regularly and voluntarily submits to assessment by IFACI (1). The last assessment, in 2018, stated, as previously, that the audit practices complied with the international standards of the profession.
(1) Institut français de l’Audit et du Contrôle Interne (French Institute of Audit and Internal Control).