Internal control and risk management
The Group is structured around three business segments (Upstream, Refining & Chemicals, Marketing & Services) to which the Group’s operational entities report. Business segment management are responsible, within their area of responsibility, for ensuring that operations are carried out in accordance with the strategic objectives defined by the Board of Directors and General Management. The functional departments of the Holding level help General Management to define norms and standards and to oversee their application, as well as to monitor activities.
They also lend their expertise to the operational divisions. The functional departments of the Holding level include, in particular, the Finance division (to which Group Risk Assessment and Insurance department and the Group Information Technology and Telecommunications department report), the Legal Affairs department (including the Compliance and Social Responsibility department) and Corporate Affairs (to which the following departments report: Corporate Internal Control and Audit, Sustainable Development and Environment, Human Resources, Security, Industrial Safety).
The Group’s internal control and risk management systems are structured around this three-level organization – Holding level, business segments, operational entities – where each level is directly involved and accountable, in line with the degree of centralization decided by General Management.
General Management constantly strives to maintain an efficient internal control system across the Group, based on the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). In this framework, internal control is a process intended to provide reasonable assurance that the objectives related to operations, reporting and compliance with applicable laws and regulations are achieved. As for any internal control system, it cannot provide an absolute guarantee that all risks are completely controlled or eliminated. The COSO framework is considered equivalent to the reference framework of the French Financial Markets Authority (Autorité des marchés financiers, AMF). The Group has also chosen to rely on this framework as part of its obligations under the Sarbanes-Oxley Act.
The COSO framework underwent significant changes in 2013. The Group implemented a transition plan throughout 2014 in order to adapt its internal control system to this new version of the framework, which has been fully applicable since December 15, 2014. The Group’s risk management system draws on the main international standards (COSO Enterprise Risk Management integrated framework, ISO 31000:2009 – Risk management) as well as on French standards (Reference framework of the French Financial Markets Authority).
The Group’s internal control and risk management systems cover the processes of the fully consolidated entities. The implementation of an internal control system adapted to the most important equity affiliates, which began in 2013, continued in 2014.
Under these internal control principles, which are part of the corporate governance organization, the Audit Committee is responsible for monitoring the efficiency of internal control and risk management systems, assisted by the Group Internal Control and Audit department and the internal control teams from the business segments. These rules are particularly designed to allow the Board of Directors to ensure that internal control is effective and that published information available to shareholders and financial markets is reliable.
The Risk Management, Internal Control and Audit internal charter forms the common framework on which the Group relies to ensure control over its activities. The Group’s internal control and risk management systems are based on the five components below, which are derived from the COSO framework, and on all the principles that underpin it.
The control environment is based primarily on the Group’s Code of Conduct, which sets forth its core values (respect, responsibility and exemplary conduct), and on business principles in relation to safety, security, health protection and the environment, as well as in terms of integrity and respect for human rights.
Integrity and ethics
The Group’s values and business principles are set out in its Code of Conduct (revised in 2014) and in its Business integrity guide. These documents are circulated to employees and available on the Group’s Internet site. They articulate the Group’s values and elaborate its business and behavior principles with regard to employees, shareholders, customers, suppliers and competitors. They also set out the rules of individual behavior expected from all employees in the countries where the Group has presence. Furthermore, the Financial Code of Ethics, which also refers to the Code of Conduct, sets forth specific rules for the executive directors (Chairman of the Board of Directors and Chief Executive Officer) and Chief Financial Officer, Senior Vice President Accounting, as well as for the financial and accounting officers of the principal activities.
As a priority of General Management, the Group has been deploying ethics and compliance policies and programs since 2009, including in particular anti-fraud programs and programs for the prevention of corruption and competition law infringement. All these programs involve awareness-raising and training initiatives and include, in particular, specific compliance audits in terms of corruption prevention, with six to eight missions per year. These missions are followed up the next year to verify that the recommendations are implemented. A “Compliance” component has also been incorporated into the Group Audit framework. The purpose of these audits is to assess the proper implementation of the Compliance program and to test it particularly by means of controls on accounting records. A network of 370 Compliance Officers and 110 Ethics Correspondents follow up the implementation of these programs on the ground.
Furthermore, ethical assessments have been conducted regularly since 2002 by GoodCorporation, an organization specializing in ethical assessments of companies (110 since 2002). This process is based on a questionnaire consisting of 85 indicators derived from the Group’s Code of Conduct. GoodCorporation uses this questionnaire to assess on-site the systems implemented by the relevant Group companies (covering various ethics-related issues such as human rights, respect for individuals, integrity, etc.) and conducts anonymous interviews of employees, suppliers, customers, industrial partners, representatives of local authorities and other stakeholders to gather their opinions as to how well these systems function. Following these assessments, GoodCorporation prepares a report for the management of the relevant Group company. An action plan is then defined by the audited entity and its implementation is monitored. These ethical assessments are a means of continuously improving the Group’s policies and procedures by, among other things, identifying best practices.
TOTAL has also set a broader objective in the selection of its outsourced service providers in order to promote competence and experience in internal control as well as compliance with ethical standards compatible with its own. In this respect, the Group has prepared model contractual clauses.
The Board of Directors places a great deal of importance on its composition and that of its Committees. It relies on the work of the Governance and Ethics Committee within the context of a formal procedure so as to ensure the complementarity of the Directors’ competencies and the diversity of their profiles, as well as to maintain a high rate of independence (for more detailed information, refer to point 1.1. of this chapter). Moreover, the rules of procedure of the Board of Directors, which are updated regularly, contain strict rules to prevent potential conflicts of interest.
Structure, authority and responsibility
General Management ensures that the organizational structure and reporting lines plan, execute, control and periodically assess the Group’s activities. General Management regularly reviews the relevance of the organizational structures so as to be able to adapt them quickly to changes in the activities and in the environment in which these are carried out.
The Group has moreover defined central responsibilities that cover the three lines of defense of internal control: (1) operational management, which is responsible for maintaining an effective and updated internal control, (2) support functions (such as Finance, Legal, Human Resources, etc.), which assist operational management, and (3) internal auditors who, through their internal control reports, provide recommendations to improve the efficiency of the internal control system across the organization.
Furthermore, an accountability system is defined and formalized at all levels of the organization, through organization notes, organization charts, appointment notes, job descriptions and delegations of powers. Each business segment has established clear rules applicable to its specific scope by directly integrating the Group’s instructions. These rules published on the Group’s Intranet are reviewed regularly and their implementation is monitored.
Commitment to competence
The Group’s Human Resources policy, revised in 2014, sets out rules and practices that reflect its expectations in terms of its employees’ competencies. The Group’s various entities review and approve the required competence levels. Job descriptions take the Group’s values into account and define the competencies and expertise necessary for employees to carry out their functions effectively.
Furthermore, the Human Resources function shapes and periodically updates policies aimed at attracting talents, as well as policies for employee training, coaching, assessment and retention, such as annual appraisals, training programs and compensation and benefits schemes.
In 2014, in addition to employee training and retention initiatives, and as part of the COSO 2013 transition plan, the Group implemented its wish to adopt a procedure that takes into account the assessment of the qualifications and skills of outsourced service providers, with a view to strengthening its internal control.
The Board of Directors, with the support of the Audit Committee, ensures that the internal control functions are operating properly. The Audit Committee ensures that General Management implements internal control and risk management procedures depending on the risks identified, such that the Group’s objectives are achieved.
The general managements of business segments and operational entities are in turn responsible for designing and deploying specific components of this internal control and risk management system within their scope of responsibility. In this context, a representation letter process is deployed at various levels in the organization. It reinforces the efficiency of the internal control system over financial reporting.
The Internal Control Department has initiated a process to strengthen the role and involvement of employees in regard to internal control as part of the COSO 2013 transition plan. Moreover, to enhance communication and the sharing of best practices between internal controllers, the Internal Control and Audit department organized the first internal control seminar for the Group in 2014. Finally, training initiatives tailored to the various stakeholders involved in the internal control process were launched within the Group.
TOTAL has set up an ongoing process to identify and analyze risks that may preclude the achievement of its objectives. The Group takes into account risks at all levels of the organization and in all its entities, and examines factors that influence the severity, probability of occurrence of risks or the loss of its assets, and the potential impact on operations, reporting (financial and non-financial) and compliance with applicable laws and regulations.
Specification of objectives
To implement its strategy, General Management ensures that clear and precise objectives are defined at the various levels of the organization with regard to operations, reporting and compliance.
Operational objectives focus on the definition and efficient use of human, financial and technical resources. They are in particular defined during budgetary processes and in the long-term plan (LTP), and are monitored regularly as part of the self-assessment process.
The monitoring of operational objectives (financial and non-financial) helps decision making and the performance monitoring of activities at each level of the organization.
In the framework of the COSO 2013 transition plan, the Group has adapted its self-assessment questionnaire relating to the operational and financial budget in order to encompass operational and financial aspects in the definition of resources and in budgeting.
Risk identification and analysis
The Executive Committee, with the assistance of the Group Risk Committee (GRC) created in 2011, is responsible for identifying and analyzing the internal and external risks that could impact TOTAL’s performance. The GRC’s two main assignments are to identify risks that could prevent the Group from achieving its objectives and to ensure the existence and effectiveness of risk management systems adapted to the Group’s needs.
The GRC relies on the work done by the business segments and the functional departments, which draw up their risk mapping and regularly report to the Audit Committee. These maps are drawn up according to a methodological framework developed by the Group.
The Group’s business segments and entities are responsible for defining and implementing a risk management policy best suited to their specific activities. However, today the handling of certain transverse risks is more closely coordinated by the respective functional departments.
The principal risks monitored at Group level are: sensitivity to the economic environment, especially the oil market environment (oil prices, refining, marketing and petrochemical margins, parity between currencies); exposure to oil and gas trading risks; financial markets risks (exchange risk, particularly related to the U.S. Dollar, and interest rate risk); political and legal risks related to the operating and contractual environment of the Exploration & Production activities; and industrial and environmental risks related to the sectors in which the Group is active. The “Risk Factors” section of this Registration Document (chapter 4) contains a formal and extensive description of the principal risks faced by the Group and how the Group manages these risks and secures appropriate insurance coverage.
With regard to risks connected to the trading of oil and gas and related financial instruments, the departments concerned, whose activity is governed by limits set by the Executive Committee, measure their positions and exposure daily and analyze their market risk, in particular using value-at-risk assessment methods.
With regard to counterparty risks, credit limits and risk analysis processes are set and updated regularly for each activity.
The Group’s broad range of activities and countries in which the Group has presence requires local analysis, by business segment, of the related legal, contractual and political risks. Compliance programs with regard to competition and corruption prevention are implemented by the Group to ensure compliance with applicable legislation.
Operating entities are responsible for assessing their industrial and environmental risks and for implementing the regulatory requirements of the countries where they are active, as well as any relevant directives and recommendations defined at the Group or business segment level. They are also responsible for actively monitoring changes in legislation in order to comply with local and international standards concerning industrial and environmental risk assessment and management. Risk assessments lead to the implementation of control measures to prevent and reduce environmental impact, minimize the probability of accidents and contain their consequences. General Management exercises operational control over TOTAL’s activities through the Executive Committee’s approval of investments and commitments for projects based on defined thresholds. These projects are subject to prior review by the Risk Committee (CORISK), whose conclusions are transmitted to the Executive Committee. As part of this review, the CORISK verifies the analysis of the various project-related risks.
Fraud risk assessment (Integrity risks)
The Group deploys an anti-fraud and fraud prevention program and has implemented a range of procedures and programs that help to prevent, detect and limit different types of fraud. This effort is supported by the business principles and values of individual behavior described in the Group’s Code of Conduct and in the codes, charters and other standards applied by business segments.
The Group has also issued a directive for handling incidents of fraud that has been widely distributed to employees, and created an alert system that employees can use to report circumstances that might amount to fraud. In addition, a specific process is in place for reporting irregularities related to accounting, internal control and auditing matters. This warning process, implemented at the request of the Audit Committee, is monitored by the Audit Committee and may be used by shareholders, employees and third parties.
A Fraud risk coordinator position was created in 2014 in the Compliance and Social Responsibility department within the Group’s Legal Affairs department.
The deployment of the anti-fraud and fraud prevention program relies on the network of fraud risk coordinators.
Prevention of corruption risks
General Management constantly reiterates the principle of zero tolerance with regard to corruption. A set of internal standards has been published since 2011. This specific framework, which takes into account relevant applicable laws, covers various areas where particular risks of exposure to corruption may exist (business partnerships, representatives, procurement and sales, gifts, etc.) and is based on a due diligence process for detecting and addressing them at an early stage.
To support the launch of this program, an e-learning module in twelve languages has been widely deployed since 2011, and 370 Compliance Officers have been appointed and trained in the business segments and operational entities. Their role is to ensure that the program is implemented at the local level.
Finally, under the settlements reached in 2013 between TOTAL, the United States Securities and Exchange Commission (SEC) and the Department of Justice (DoJ) (refer to point 4. of chapter 4), an independent monitor was appointed to conduct a three-year review of the anti-corruption compliance and related internal control procedures implemented by the Group and to recommend improvements when necessary. The monitor’s assignment started on December 2, 2013 and his first report was submitted to the authorities at the end of July 2014. This report gives recommendations for improving the Program, which TOTAL has already started to implement. In October 2014, the monitor had to relinquish his assignment for health reasons, and, as a result, the process of selecting a new monitor has been launched.
Prevention of competition law infringement
A Group policy aimed at ensuring compliance with, and preventing infringement of, competition law was also adopted as a follow-up to the various measures previously implemented by the business segments. Its deployment is based, in particular, on the involvement of hierarchies and staff, training courses that include an e-learning module and an organization responsible for implementing the program.
Prevention of insider trading and conflicts of interest
The Group’s Ethics Committee implements a policy to prevent insider trading on the financial markets that is based, in particular, on the Group’s internal ethics rules. These rules are updated on a regular basis and widely distributed to employees who are permanently or occasionally in possession of insider knowledge about the Group. These ethical rules require, in particular, that permanent insiders refrain from carrying out any transactions, including hedging transactions, in TOTAL shares or ADRs and in shares in collective investment plans (FCPE) invested primarily in TOTAL shares (as well as derivatives related to such shares) on the day on which the Company discloses its periodic earnings publications (quarterly, interim and annual) as well as during the thirty calendar days preceding such date.
In order to prevent conflicts of interest, each of the Group’s Senior executives completes an annual declaration regarding any conflicts of interest to which he or she may be subject. By completing this declaration, each Senior executive also agrees to report to his or her supervisor any conflict of interest that he or she has had or of which he or she is aware in performing his or her duties.
Change identification and analysis
As part of risk assessment, TOTAL identifies changes that could have a significant impact on its internal control system, particularly changes related to assets consolidated by business segments. To this end, the Group relies on governance bodies adapted to its various activities and capable of making and implementing decisions necessary for quickly responding to material changes that the Group must deal with.
Thus, given the substantial contribution of equity affiliates to the Group’s earnings, a framework for monitoring the audit of financial statements was deployed in the Group’s various business segments as early as December 31, 2013, primarily in equity affiliates.
The risk mapping activities carried out by the Group’s entities as part of a regular risk assessment process help identify and analyze key ongoing or foreseeable changes.
The Group examined and assessed the design and effectiveness of the key operational, financial and information technology controls related to internal control over financial reporting in fiscal year 2014, pursuant to Section 404 of the Sarbanes-Oxley Act. This assessment was performed with the assistance of the Group’s main entities and the Group Internal Control and Audit department. The system used is based on the following categorization:
- the most significant entities assess their key operational controls based on their significant processes and respond to a Group questionnaire for assessing the internal control system;
- other less significant entities respond only to the Group questionnaire for assessing the internal control system.
These two categories of entities account for approximately 80% and 10%, respectively, of the financial aggregates in the Group’s Consolidated Financial Statements. In 2014, the quantitative criteria for defining these categories were adjusted to reflect the changes in the Group’s financial items. Qualitative factors were also considered.
Selection and development of controls
The Group has developed a control framework in line with the risk assessments performed and implements initiatives necessary for addressing specific risks by enforcing Group-wide rules. These initiatives are implemented to reduce the probability of occurrence of risks and their possible consequences. They also cover the main processes outsourced via service contracts.
Control activities intended to prevent industrial and environmental risks are implemented in the operational entities. External certification or third-party reviews are conducted for some of the management systems related to this type of risk. Information on the Group’s safety and environmental initiatives is provided in point 2. of chapter 4 and chapter 7 of this Registration Document and in the annual report on CSR (Corporate Social Responsibility) topics.
For financial reporting, the Group has identified key processes that have a significant direct or indirect impact on financial items as well as related risks that can influence the procedure for preparing them. It has developed control activities addressing such risks in order to guarantee the reasonable reliability of the disclosed financial information.
Control activities are primarily based on a strategic plan that is reviewed annually. They also rely on an annual budget, monthly financial reports with detailed analysis of differences between actual and budgeted items, and a reconciliation between quarterly published Consolidated Financial Statements and reporting. These processes are supervised by the Accounting and Budget-Controlling departments, which are part of the Finance department, and are performed in compliance with financial reporting standards, consistent and compliant with the accounting standards used for the published financial statements. Financial indicators and the accounting methods used allow appropriate assessment of risks and return on average capital employed (ROACE).
The Group’s Accounting department draws up a quarterly report of consolidated off-balance sheet commitments as part of the closure of the Consolidated Financial Statements. The financial reporting manual contains a procedure to identify and escalate off-balance sheet commitments.
The interpretation of accounting standards applicable to the Group’s Consolidated Financial Statements is centralized by the Group’s Accounting department, which also distributes these standards through formal procedures and a financial reporting manual. The department monitors the effective implementation of standards across TOTAL through periodic, formal communication with functional managers in the business segments.
The Group’s Treasury department monitors and manages risks related to cash management activities and interest rate-related and foreign exchange-related financial instruments in accordance with strict rules defined by General Management. Cash and cash equivalents, financial positions and financial instruments are centralized by the Treasury Department.
Oil and gas reserves are reviewed by a committee of experts (the Reserves Committee), approved by the Exploration & Production’s senior management and then validated by the Group’s General Management.
Controls over information technology
The Group has developed control activities at various levels of the organization in areas where information systems cover all or part of the processes. A set of Information Technology General Controls (ITGC) aims at guaranteeing that information systems are functioning and available as required, and that data integrity is guaranteed and changes controlled.
Information Technology Automated Controls (ITAC) aim at ensuring the integrity of data generated or supported by business applications, particularly those that impact financial flows. Furthermore, the Group outsources some components of its IT infrastructure to service providers. This outsourcing poses specific risks and requires the selection and development of additional controls on completeness, accuracy and validity of the information supplied and received from such service providers. Accordingly, in view of continuous improvement, the Group assesses whether suitable controls are implemented by the service providers concerned and which controls are necessary in its own organization to maintain these risks at an acceptable level.
Policies and procedures
TOTAL incorporates the key objectives given by General Management and the risks analyses performed at all levels of the organization into a normative framework, supplemented by a set of practical recommendations and experience feedback. This framework has a three-level structure, just as the Group’s organization: a Group level, with the REFLEX Group framework and the technical framework produced by the Scientific development department, one or more frameworks for each business segment, and one framework for each operational entity.
The normative framework governance document sets out the articulation between these frameworks and describes their respective scope of responsibility, the manner in which some are drawn from others (adaptation, additional information, standards from the higher level further strengthened at each level), procedures for derogation, if any, document preparation processes, and the monitoring system put in place.
These texts are all published on the Group’s Intranet sites.
The main procedures regarding financial controls established at the corporate level cover acquisitions and asset sales, capital expenditure, financing and cash management, budget control and financial reporting. Disclosure controls and procedures are in place. At the operating levels, they mainly consist of procedures, directives and recommendations covering safety and security (both industrial and information technology), health, the environment, corruption prevention, integrity and sustainable development.
At the business segment or operational entities levels, control activities are organized around the principal operational processes: exploration and reserves, procurement, capital expenditures, production, sales, oil and gas trading, inventories, human resources, financing and cash management, as well as the account closure process including, in particular, control of amortization, depreciation, provisions and identification of off-balance sheet commitments.
Information and communication
TOTAL has set up an ongoing process to identify and gather information necessary for the achievement of its objectives and the proper operation of internal control components, and thereafter to ensure internal and external communication.
Relevance of information
The Group selects the most relevant and the most useful sources of information in light of its economic model, its organization and its objectives. This is achieved particularly by using information systems as well as systems for processing internal and external data.
The nature and extent of information needs, the complexity and volume of information and the increasing dependence on external parties led the Group to review its self-assessment questionnaire on internal control in 2014 and to incorporate a topic on internal control monitoring so as to ensure that the relevance and quality of information is controlled and assessed by the entities.
TOTAL also establishes and deploys measures to ensure that the information obtained from its main service providers meets the same internal control requirements.
Moreover, in 2014, aware of its constantly changing challenges and developments in the regulatory system on information governance, the Group coordinated its policies relating to the protection of information, document retention and protection of personal data. The Group also continues to deploy a multi-year IT security plan, which supplements and strengthens its operational set-up.
The Ethics Committee can receive reports of any event likely to pose a risk for the Group in the following areas only: financial, accounting, banking, anti-fraud and corruption prevention; anticompetitive practices; fight against discrimination and workplace harassment; health, hygiene and safety at work; and environmental protection. Any Group employee may contact the Ethics Committee in order to ask any relevant question or request advice on the application of and / or compliance with the Group’s Code of Conduct.
An alert system is in place and allows Group employees to share their concerns about any professional misconduct they might have observed, or any other important issue likely to have an impact on ethics and internal control.
The external communication of material information concerning the Group’s performance is prepared for shareholders, business partners, regulators, financial analysts, government entities and other stakeholders, as part of the internal procedures put in place.
The Disclosure Committee ensures the application of procedures designed to ensure the quality and accuracy of external communications intended for financial markets. Press releases on the Group’s earnings or strategic perspectives are submitted to the Audit Committee and to the Board of Directors prior to their publication.
The work of external auditors is also part of the external communication process established by the Group. Thus, in every Audit Committee meeting on the review of quarterly financial statements, statutory auditors give a presentation highlighting the main points noted during their work. The Audit Committee also interviews statutory auditors at least once a year without any Company representatives being present.
The alert system available internally is also accessible to stakeholders external to the Group.
Together, the Holding level, the business segments and the operational entities are responsible for monitoring the internal control and risk management system in their respective operations.
On-going and separate evaluations
The assessment of the internal control and risk management system is primarily the responsibility of the Group Internal Control and Audit department, whose activities are scheduled in an annual plan validated by the Executive Committee. In 2014, the Group Internal Control and Audit Department employed 77 people and conducted more than 170 audits.
With the assistance of its main entities and the Group Internal Control and Audit department, the Group examined and assessed the design and effectiveness of the key operational, information systems and financial controls related to internal control over financial reporting in fiscal year 2014 pursuant to Section 404 of the Sarbanes-Oxley Act. Based on these internal reviews, General Management has reasonable assurance of the effectiveness of the Group’s internal control.
The statutory auditors also perform those internal control audits that they deem necessary as part of their mission to certify the financial statements. For 2014, they reviewed the implementation of the Group’s internal control framework and the design and effectiveness of key internal controls at its main entities concerning financial reporting. Based on the work performed, the statutory auditors declared that they had no comments on the information and conclusions related to this subject presented in this report.
Evaluation and communication of deficiencies
The reports on audits performed (by Group Audit, statutory auditors, etc.) are periodically summarized and presented to the Audit Committee and, thereby, to the Board of Directors. The Senior Vice President, Group Internal Control and Audit attended all the Audit Committee meetings held in 2014.
If areas of progress are identified by these internal audits and operational controls, then corrective action plans are drawn up and shared with operational management, who along with the Group Internal Control and Audit department closely monitor them.