3.2 Internal control
3.2.1 Internal control framework
For the following description of internal control procedures, Rubis referred to the French financial market authority (Autorité des Marchés Financiers - AMF) guide of July 22, 2010, which sets out a reference framework for risk management and internal control.
However, Rubis has adapted the general principles of the AMF framework to fit its business and characteristics.
|•||the compliance of its activities with laws and regulations;|
|•||implementation of the instructions and strategic goals laid down by the corporate bodies of Rubis SCA and its subsidiaries;|
|•||the smooth running of the Company’s internal processes, particularly those concerned with safeguarding its assets;|
|•||the reliability of financial information;|
|•||the existence of a process for identifying key risks linked to the Company’s business;|
|•||the existence of tools to prevent fraud and corruption.|
Like any internal control system, Rubis’ system cannot provide an absolute guarantee that the Company will be able to achieve its objectives and eliminate all risks.
The procedures described below are applicable to Rubis Énergie, which is wholly owned by Rubis SCA, and to its sub-subsidiaries.
The Rubis Terminal JV is managed jointly with the partner. The Management of the RT Invest joint venture is responsible for setting up and ensuring internal control (in accounting, financial and risk matters) in accordance with applicable standards and regulations and the expectations of its shareholders. Details of this joint venture are given in section 3.2.4 of this chapter.
Although it has acquired an international dimension, Rubis wishes to remain a decentralized organization close to the field in order to provide its customers with solutions adapted to their needs by retaining the capacity to take the necessary operational decisions quickly. Regular exchanges, conducted whenever necessary, between the General Management on the one hand, and the General and functional departments of Rubis Énergie and its foreign subsidiaries on the other hand, are the cornerstone of this organization.
This managerial model gives the Manager of each industrial site or subsidiary a large degree of autonomy in the management of his or her activity, although responsibilities delegated in this manner are heavily reliant on compliance with established procedures with regard to accounting and financial information and risk monitoring, as well as on regular monitoring of the relevant departments of Rubis SCA, and of the functional departments of Rubis Énergie (see sections 220.127.116.11 and 18.104.22.168).
Lastly, Rubis SCA’s Supervisory Board, through its Accounts and Risk Monitoring Committee, is informed by General Management of the essential characteristics of the Group’s internal control and risk management procedures. It ensures that the main risks identified have been taken into account in the Company’s management, and that systems designed to ensure the reliability of accounting and financial information are in place (see chapter 5, section 5.3.2).
3.2.2 Internal accounting and financial control
Rubis SCA controls its head of division subsidiary Rubis Énergie (retail & marketing and support & services businesses) in collaboration with its General Management. It defines the Group’s strategy, promotes and finances its development, makes the key management decisions that stem from this, and monitors their implementation at both its direct subsidiaries and those of their subsidiaries. It has established accounting and financial structures and procedures to ensure robust internal control.
The Rubis SCA and Rubis Énergie Consolidation and Accounting Departments consolidate the Group’s accounts on a quarterly, half-yearly and annual basis. Their work involves:
|•||checking that the consolidated financial statements are consistent with the provisional consolidated results prepared by the subsidiaries;|
|•||verifying the correct application of IFRS;|
|•||analyzing the consolidated financial statements through an analytical review, explaining changes in each item between two reporting dates.|
They also monitor standards with a view to identifying any impact on the Group’s financial statements from proposed accounting reforms.
They are assisted by a specialist audit and accounting firm, and work under the oversight of the Managing Partners, the Chief Financial Officer and the Director of Accounting and Consolidation.
Accounting and financial information prepared by the subsidiaries is reported to Rubis SCA, via the Consolidation and Finance Departments and, ultimately, the Management Board.
The main tasks of the Accounts and Risk Monitoring Committee, whose members and functioning are described in chapter 5, section 5.3.2, are as follows:
To carry out its work, the Accounts and Risk Monitoring Committee hears all the key people in the information chain: the General Management, the Chief Financial Officer, the Director of Accounting and Consolidation, the Corporate Secretary of Rubis SCA, the Head of CSR & Compliance and the Statutory Auditors.
The members of the Accounts and Risk Monitoring Committee have access to the same documents as the Statutory Auditors, and examine the summary of their work.
The internal control system relies on several channels for reporting information designed to identify sensitive points comprehensively.
Two manuals have been issued to harmonize the internal control and accounting treatment of the various transactions performed:
|•||delegation of powers and limits in terms of incurring expenses (including investments), approval of invoices, and bank payment authorizations;|
|•||sales management, to define the special terms and conditions granted to customers, limit the total outstanding amounts authorized, obtain bank guarantees, etc.|
Rubis Énergie has a centralized information system that consolidates all financial information: management reports for each company and terminal, standardized by type of business/activity; quarterly accounts, monthly margin analyses, monitoring of capital expenditure, budgetary and management forecast monitoring in three phases (initial budget validated during the prior year with a three-year plan, updating of the budget forecast in the second quarter and then in the fourth quarter of the year in question). All financial data are archived and backed up daily.
Automatic consistency checks are also carried out directly by the IT system to limit any input errors. Documents stored in the central system also serve as a reference and a basis for reconciliation for the internal audit teams during their missions.
Rubis Énergie also operates a document management system allowing its various associates to share technical, HSE and legal information. Major investment and construction projects are thus closely monitored by the Rubis Énergie Technical Department.
Budgets are drawn up at the end of the year by Rubis Énergie’s subsidiaries and sub-subsidiaries successively, within the framework of a rolling three-year budget plan based on management items and budget indicators defined and standardized by business. The indicators are defined by General Management and operational management in accordance with Rubis’ strategy.
Budget indicators include gross margin, EBITDA, EBIT, capital expenditure, cash flow, debt, volume, traffic, capacity utilization and workforce.
At Rubis Énergie, budgets are drawn up by country and by each subsidiary. They are reviewed by the division’s Management Control, Audit and Consolidation Department before being presented to Rubis Énergie’s Management. After discussion and/or revision of the budgets presented to Rubis Énergie’s Management, the Management Control, Audit and Consolidation Department prepares a consolidated budget that is then reviewed by Rubis Énergie’s Management and forwarded to Rubis SCA for review at Management Committee meetings.
Rubis Énergie’s Finance and Management Control Department prepares monthly reports and analyzes any difference between actual data and budget forecasts.
The reports are issued roughly 10 days after the end of the month, and are then examined and compared with initial forecasts at the Management Committee meeting, with General Management in attendance.
Rubis SCA’s Finance Department negotiates with banks to raise acquisition financing. It also analyzes banking covenants. Cash investments are made in cash instruments, excluding any speculative or risky investments.
The companies prepare quarterly, half-yearly and annual consolidation packages. The half-yearly and annual financial statement are reviewed and audited by the Statutory Auditors. Rubis SCA’s Finance and Consolidation Departments prepare the Group’s consolidated financial statements in accordance with the standards issued by the International Accounting Standards Board (IASB) and adopted by the European Union. Consolidation procedures include a set of controls to guarantee the quality and reliability of the financial information.
The internal control system relies on technical and operational procedures designed to identify sensitive points, in addition to a lean and streamlined organization built around the General Management of Rubis SCA and the Senior Management as well as the functional and operational departments of Rubis Énergie, to ensure the effectiveness of the internal control systems via the Management Committees. An internal control manual was drafted in 2020 in collaboration with the French Institute of Audit and Internal Control (IFACI), making it possible to list all the control points to be complied with in each area of the procedures of Rubis Énergie’s subsidiaries. The new manual should ultimately enable the Group’s various companies to assess themselves on a regular basis and to continue to ensure that the risks of fraud or malfunction are properly controlled.
Rubis Énergie’s functional departments carry out regular and necessary checks on the procedures in place in their respective fields. Reporting procedures and indicators are used to optimize the monitoring process.
Internal audit is an independent and objective activity that ensures that operations are properly managed and the procedures in place constantly improved. Internal audits allow Rubis Énergie’s Management to reach its targets by assessing, via a systematic and methodological approach, its risk management, control and Corporate Governance processes, and making recommendations to improve their efficiency.
At Rubis Énergie, this function is part of the Management Control, Audit and Consolidation Department. The Head of the department and his or her colleagues carry out internal audits on the entire scope of the retail & marketing and support & services businesses. These audits are planned with Rubis Énergie’s Management at the beginning of the year. There are numerous fields of inquiry, mainly covering the correct application of local and Group processes, notably as regards the prevention of corruption, the improvement of internal control and accounts approval procedures, inventory, cash and fixed asset control, and the off-balance sheet assets and liabilities recorded in the accounts of the company audited. The audit may also cover capital expenditure and analysis of differences between expected returns and actual profitability.
The auditor has complete freedom to conduct his/her work as he/she deems appropriate and is independent from the local management when performing this task. The audit brief and report follow a standard model so that the conclusions can be clearly understood by all parties involved, namely the Chief Executive Officer of the audited company, the Finance Department and the Management of Rubis Énergie. The risk factors identified during internal audits are also used to update the risk mapping of the company concerned.
The audit recommendations include a timetable for implementation of corrective actions, which must be followed by the company concerned. Furthermore, the implementation of these corrective actions is automatically verified during the next audit of the company concerned. In addition, each subsidiary sends a report monitoring the implementation of audit recommendations to the Management of Rubis Énergie every two months until all the measures recommended by the internal audit have finally been implemented.
The consolidators are also responsible for analyzing the monthly results and the consistency of the data supplied each month by all consolidated companies. This preempts any accounting errors and improves the reliability of the Group’s financial statements.
Each Rubis Énergie subsidiary is audited once every two years on average. In 2020, due to the restrictions on movement resulting from the Covid-19 pandemic from the end of the first quarter of the year, the audit program was interrupted with the exception of a few assignments that could be carried out remotely. The internal audit teams put this time to good use to draft an internal control manual, which will provide a reference framework known to all and with varying levels of detail so that it can be used by all Senior Executives and Managers of the Group and its subsidiaries.
A Management Committee has been set up for each country or region. It meets twice a year and includes: the Country Director, Management, Finance Department, Management Control, Audit and Consolidation Department, Technical Department and Resources and Risks Department of the division, and the Managing Partners and Chief Financial Officer of Rubis SCA.
During these meetings, budget reports and dashboards are analyzed, along with the performance and results of each business line, development projects and their follow-up, and events considered to be significant for the Company and Group, as much in terms of strategy and operations, as personnel. Questions and issues raised at previous meetings may also be reviewed if necessary.
It is therefore ultimately the Management Committees that analyze the financial and non-financial information collected through the reporting process set up by the operational departments of Rubis Énergie and its sub-subsidiaries. The entire reporting cycle is based on standardized principles and a single database is shared by all teams within the Finance and Operational Departments involved in reporting.
Rubis SCA’s Consolidation and Accounting Department runs numerous checks to ensure that financial information is reliable, particularly during account closing reviews.
Rubis SCA’s General Management and Finance Department regularly analyze the financial statements of subsidiaries, and periodically meet with Rubis Énergie’s Senior Managers in order to conduct a review, assess risks and instigate any corrective action needed to achieve the Group’s targets. Lastly, the Group’s Head of CSR & Compliance, maintains ongoing dialog with the subsidiaries on various topics, including litigation, trademarks, insurance, identification and mapping of risks, compliance (anti-corruption, embargoes, etc.).
3.2.3 Internal risk management
All key risks, risk monitoring procedures and the corresponding hedging policies are described in detail in this chapter, section 3.1, and in chapter 4.
In terms of risk, the Group operates in business sectors that are tightly controlled and regulated. Its structure is designed to reflect this. All French sites covered by the Seveso directive have safety management systems, whose main purpose is to define the organization, staff functions, procedures and resources that allow the Group to establish and implement a prevention policy for major accidents.
In addition, Group entities often operate under ISO 9001 and ISO 14001 quality certification, particularly with respect to the establishment and application of procedures and instructions relating to safety and the environment (see chapter 4, section 22.214.171.124). Therefore, they follow processes that are largely formalized.
Internal control procedures for risk management and monitoring cover all of the Group’s businesses and assets. These are based on a process to identify and analyze the main risks, underpinned by the appropriate organization which allows Senior Managers to tackle these risks and maintain them at an acceptable level.
Internal risk management, in the same way as accounting and financial internal control, is subject to monitoring by the operational management of the subsidiaries, which keep Rubis SCA regularly informed.
At Rubis Énergie, the Technical Departments (QHSE) at headquarters establish information reporting procedures and preventive measures for anticipating and managing risks, as described in chapter 4, section 4.2.1.
Rubis Énergie’s Technical Department reports information on the main risks to its Senior Management. Certain events may also be discussed by the Management Committee. Lastly, Rubis Énergie lays out the main risks to the relevant departments of Rubis SCA (General Management, Accounting and Consolidation Department, Finance Department and Corporate Secretary in charge of the Legal Department, CSR & Compliance Department) through different transmission channels such as risk mapping (see section 126.96.36.199 below).
The Accounts and Risk Monitoring Committee reviews the organization of internal control and risk management procedures, under the conditions described in this chapter, section 188.8.131.52, and in chapter 5, section 5.3.2.
The internal control system relies on several channels for reporting information on the main risks, designed to identify sensitive points comprehensively.
Rubis has developed and conducted mapping of risks to which the Group’s various activities may be exposed. The analysis of such risks also considers their occurrence as well as their financial and reputational impact (on a scale from one to five). The mapping was conducted in close cooperation with Rubis SCA’s Legal, Consolidation, and Finance Departments, together with the operational Managers and the Rubis Énergie Financial and Technical Departments. A self-assessment is carried out at regular intervals to identify new risks.
The risks analyzed have been divided into various families: market, accounting miscalculation, insurance, business, environmental, industrial, climate, supply chain, social, legal, and IT risks. The category relating to legal risks also includes issues related to fraud, contractual breaches, ethics and, until 2017, corruption. In 2018, the Group carried out specific mapping to assess the risks of corruption to which entities may be exposed, in accordance with the Sapin II law (see chapter 4, section 184.108.40.206).
The maps are completed annually by the operational Managers of the industrial sites and by the Directors of the French and international subsidiaries, assisted by the functional Managers of Rubis Énergie. They are updated during the year whenever the Management Committee meets. They aim to provide, on a yearly basis, a clear picture of the significant risks that have been identified and any measures that have been taken or need to be taken to mitigate or eliminate them.
All of these maps are consolidated by Rubis Énergie, before being passed on, together with a review of the major events and non-financial issues of the past year, by the General Management of Rubis SCA to the Accounts and Risk Monitoring Committee at special meetings dedicated to risks (see chapter 5, section 5.3.2). In turn, the Accounts and Risk Monitoring Committee and General Management report to the Supervisory Board at its meetings in March and September.
Rubis Énergie’s functional departments have established reporting, analysis and information-sharing systems covering health, safety and environment (HSE) issues. These systems are described in greater detail in chapter 4, section 220.127.116.11.
Rubis SCA’s CSR & Compliance Department has also implemented an IT tool for reporting and analyzing CSR data (environmental, safety, social, compliance and societal), as described in chapter 4, section 4.5.2 (methodological note on the Non-Financial Information Statement).
The control system is based on management accountability and risk monitoring entrusted by the General Management to each subsidiary Manager, as well as a system of internal and external audits.
Rubis Énergie’s Senior Management is ultimately responsible for risk management policy, within the framework defined by Rubis SCA’s General Management.
The operational Managers of each site are assisted by Rubis Énergie’s functional departments: Technical/HSE Department, Finance Department, Management Control, Audit and Consolidation Department (including Compliance), Resources and Risks Department.
Entity Managers have overall responsibility for risk management and control at their facilities. In addition, Rubis Énergie has a Technical Department that regularly provides operational advice and inspects facilities to guarantee compliance with uniform operational, safety and environmental standards.
As part of its decentralized structure, the Group encourages quality and independence among its employees, who are responsible for all aspects of their role, including risk management.
At meetings of subsidiaries’ Management Committees (see section 18.104.22.168), an item bearing on the review and monitoring of risks is regularly included on the agenda, giving rise to discussions between the Managers of subsidiaries and the General Management.
Some non-financial risks are included in internal audit programs. Verifying the reliability of ethics and anti-corruption policies is accordingly one of the issues dealt with during inspections performed locally by the Rubis Énergie Management Control, Audit and Consolidation Department. The Covid-19 pandemic prevented on-site work at subsidiaries from the end of the first quarter of 2020. Rubis Énergie’s internal audit teams did, however, continue to monitor the rollout of anti-corruption measures in its subsidiaries using an IT document management solution implemented within the Group in 2019. This work constituted a form of general remote audit of the compliance of Rubis Énergie’s subsidiaries with the measures provided for in the Sapin II law. The results of these audits give rise to a specific report annexed to the standard internal audit report, allowing Rubis Énergie Senior Management to take the appropriate measures to correct faults.
|•||French Regional Environment, Development and Housing Departments (DREALs), which are responsible in France for regular inspections of industrial facilities and the application of the Safety Management System to make sure the subsidiary has its business risks under control. Similar systems exist for the sites of certain foreign subsidiaries;|
|•||ISO certification bodies such as AFAQ (Association Française de l’Assurance Qualité) or LRQA (Lloyds Register Quality Assurance), which regularly audit certain ISO 9001-certified Rubis Énergie subsidiaries. During these audits, facilities are regularly checked for compliance with procedures, processes and operating practices put in place as part of the Quality plan to ensure they keep their certification and identify areas for improvement.|
3.2.4 Rubis Terminal JV
The Senior Management of Rubis Terminal Infra is responsible for implementing and ensuring internal control (in accounting, financial and risk matters) in all of the joint venture’s subsidiaries, in accordance with the applicable standards and regulations. Rubis SCA exercises its control through monthly reports sent by Rubis Terminal Infra’s Senior Management to the designated members of the Board of Directors, on which Rubis SCA has representatives.
Rubis Terminal Infra’s budget is drawn up by its Management in conjunction with the Finance Department and approved by the Board of Directors of RT Invest.
Rubis Terminal Infra’s Management provides RT Invest’s shareholders with an annual update of the consolidated risk maps of all its subsidiaries (technological risk map; financial, legal and commercial risk map; corruption risk map), as well as a review of the major events and non-financial challenges of the past year.