The internal control system is an important element of ROSSETI’s and ROSSETI SDCs’ governance. The effectiveness of internal control is ensured by the interrelationship of internal audit, internal control, risk management, and auditorial control. The principal goal of the ROSSETI Group’s internal control is to provide reasonable assurance that the Company and ROSSETI’s subsidiaries and dependent companies achieve the goals in the following areas:

• cost effectiveness of the Company’s activities;
• compliance with legal requirements and internal documents;
• prevention of wrongful acts on the part of employees and third parties in relation to the Company’s assets;
• reliability, completeness, and timeliness of preparing all kinds of reports.

The ROSSETI Group’s internal control system is built on unified approaches. The functions of internal audit, internal control, and risk management are vertically integrated. The functions of internal audit, internal control, and risk management are effectively implemented by means of unifying regulatory documents. In 2014, the Board of Directors of ROSSETI approved the Strategy for Developing and Improving the Internal Control System of ROSSETI and SDCs. The following model documents were developed subject to the provisions of the Corporate Governance Code and the requirements of the Federal Agency for State Property Management of the Russian Federation and introduced into SDCs:

• Internal Control Policy;
• Risk Management Policy;
• Internal Audit Policy;
• Regulations for the Internal Audit Commission;
• Regulations for the Audit Committee.

Internal Audit Commission

The competence of the Internal Audit Commission of the Company and the internal audit commissions of SDCs includes:

• exercising control of the Company’s and SDCs’ financial and economic activities;
• ensuring compliance of business transactions conducted by the Company and SDCs with the laws of the Russian Federation and the Articles of Association of the Company and SDCs;
• making an independent assessment of information about the Company’s and SDCs’ financial condition;
• assuring the reliability of information contained in reports and other financial documents of the Company and SDCs.

Board of Directors

Within the internal control system, the competence of the Board of Directors of the Company includes ensuring the creation, supervising the operation, and defining the general development strategy of the ROSSETI’s internal control system. The corresponding functions are performed by the boards of directors of SDCs.

Audit Committee

The Audit Committees of the Boards of Directors of ROSSETI and SDCs:

• ensures the selection of the external auditor;
• monitor the preparation of accounting (financial) statements and conducts their preliminary reviews;
• assess external auditors’ reports;
• review the internal audit policy;
• are responsible for the functional management of internal audit;
• review the report on key risks;
• are responsible for the prior approval of the internal documents defining the principles of and approaches to organizing the internal control and risk management system;
• assess the effectiveness of the internal control system and prepares proposals for its improvement.

Management Board

SDCs’ management boards review and analyze reports on the status of SDCs’ internal control and risk management systems, while the Management Board of ROSSETI does the same in relation to the entire ROSSETI Group.

Director General

The Director General of ROSSETI and the sole executive bo­dies of SDCs ensure the creation and operation of the Company’s and SDCs’ effective and reliable internal control and risk management system and formulate proposals to improve the internal control and risk management system.

Internal Audit, Internal Control, and Risk Management Division

The functions of internal audit and methodological support for the ROSSETI Group’s internal audit, internal control, and risk ma­nagement system are the responsibility of the Internal Audit and Control Department of ROSSETI.

As part of preventive and routine control, this department is responsible for:

• assisting management in building a control environment;
• applying routine control procedures in key and high-risk business processes;
• developing and ensuring the implementation of basic and methodological documents in relation to building and improving the Group’s internal control, risk management, and internal audit system;
• coordinating activities in relation to maintaining and monitoring the target state of SDCs’ internal control and risk management system.

The Internal Audit and Control Department of JSC ROSSETI, jointly with SDCs’ internal audit divisions:

• conducts internal audits of divisions, branches, business processes, projects, and activities;
• assesses the reliability and effectiveness of internal control and risk management;
• formulates recommendations to improve the efficiency of operations, enhance corporate governance, and increase the effectiveness of internal controls and risk management processes.

Performance Results in 2014

The units responsible for internal audit, internal control, and risk management conducted 563 inspections in the reporting period, including 107 internal audits of subsidiaries, subsidiary subsidia­ries, and dependent companies. Internal audits covered 104 entities of the ROSSETI Group.

2,286 corrective measures were proposed for implementation by the ROSSETI Group’s entities as a result the above-mentioned inspections. Out of the 1,897 corrective measures to be implemented in the reporting year, 1,701 were completed.

Goals of Development for 2015

For the purpose of implementing the internal audit function, the Company set up a special division of the Company, namely the Directorate for Internal Audit, after the reporting date (on January 19, 2015). This division is functionally subordinate to the Board of Directors of ROSSETI and administratively subordinate to the sole executive body of the Company.

The principal internal documents that govern the Company’s internal audit are the Internal Audit Policy (approved by the Board of Directors of ROSSETI; Minutes of the Meeting No. 151 of April 28, 2014) and the Regulations for the Directorate for Internal Audit.

The Policy is based on best practices and experience of leading international and Russian companies and is formulated in accordance with the approaches applied by The Institute of Internal Auditors (IIA), an international professional association. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

Work will continue in 2015 on integrating control procedures into the Company’s and SDCs’ business processes, integrating risk information into the ROSSETI Group’s business planning system, develo­ping and improving the regulatory framework for the ROSSETI Group’s risk management and internal audit, implementing an automated system of internal audit, etc.

Risk management ensures the sustained development of the Company by means of the timely identification, assessment, and effective management of risks threatening the Company’s operations and re­putation, the health of its employees, the environment, and the property interests of its shareholders and investors.

The system is governed by two key documents: Risk Management Policy and Recommended Guidelines for Risk Management.

The Company defined the following principles of risk management:

• systematic approach;
• senior management’s support for developing the corporate culture of risk management;
• integration into strategic and operational administration;
• separated decision-making levels;
• responsibility for risk management;
• common information channel;
• cost-effectiveness.

Key Risks of the Company

In the reporting year, the ROSSETI Group’s risk information was consolidated using data about ROSSETI and SDCs. Each risk was assigned a significance level and changes. The Company is aware that some risks that are currently negligible can have a substantial impact on the Company’s activities in the future.

The main groups of risks affecting ROSSETI are as follows:

• industry-specific risks;
• country and regional risks;
• financial risks;
• legal risks;
• risks associated with the Company’s activities.

The Company has the limited ability to influence some existing (mostly, macroeconomic) risks. These risks may affect the Company’s profit, assets, capital, liquidity, and solvency.