Audit Charter
INTERNAL AUDIT GENERAL DIVISION
NOVEMBER 2018
Contents
INTRODUCTION
Internal Audit Principles
Introduction
The Internal Audit Charter aims at setting the scope and framework of duties and responsibilities of the Group Internal Audit General Division of Hellenic Petroleum (hereinafter GIAGD), with jurisdiction in all the Companies in the Hellenic Petroleum Group.
The Companies which belong to the Hellenic Petroleum Group are those under the direct or indirect shareholding and/or administrative control of HELLENIC PETROLEUM S.A.
When performing its duties, the GIAGD must apply the pertinent Greek Laws on Corporate Governance (Law 3016/2002, as in force), the Decision 5/204/14.11.2000 (as in force) of the Hellenic Capital Market Commission, the Corporate Governance Code of the Hellenic Federation of Enterprises (SEV) regarding listed companies, which HELLENIC PETROLEUM S.A. has adopted in line with Law 3873/2010, the Group’s Code of Conduct and the International Standards of Internal Auditing as established by the Institute of Internal Auditors (IIA).
In addition, Internal Auditors perform their duties based on the principles of independence, objectivity and confidentiality and must act in full compliance with the Policies and Procedures of the Hellenic Petroleum Group.
CHAPTER Α INTERNAL AUDIT PRINCIPLES
ARTICLE 1 ARTICLE 2
Internal Audit
The GIAGD has the authority and responsibility to assess the implementation of procedures and policies that promote sound and lawful management in all Companies and units of the Hellenic Petroleum Group. This primarily includes the safe and efficient operation of facilities, the accuracy and reliability of accounting and operational data, the protection of resources of the Hellenic Petroleum Group from mismanagement and unlawful acts and the appropriate management of business risks.
The GIAGD evaluates the strict implementation of Management Policies by the various Departments and generally assesses the overall effectiveness and efficiency of the procedures and operations of the Companies of the Hellenic Petroleum Group.
It periodically briefs Management (Board of Directors, Audit Committee, Chairman and CEO) on the above, proposes improvements, changes and additions to procedures and policies, where appropriate, and follows up on the implementation of its proposals.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit is performed by the GIAGD, which provides independent, objective assurance services for sound administration and risk management, through the implementation of regulations, procedures and information, as well as consulting services designed to add value to the Group, by means of proposals for the improvement and updating of internal procedures that ensure transparency in the management of business operations and the proper assessment of operational risks.
The basic purpose of Internal Audit is to provide to the Shareholders, reasonable assurance regarding the achievement of the Group’s business and financial objectives, the evaluation of the Group’s actual financial situation and results, the safeguarding of its assets and to ensure the completeness and reliability of data and information included in the accounting and management reports, so that they are accurate and reliable and lastly the lawful and safe operation of its facilities.
The operation of Internal Audit is independent and not subordinate to any other Group unit.
Independence enables Internal Auditors to be objective and, therefore, to deliver unhindered and unbiased judgments, which are important for the proper conduct of audits.
ARTICLE 3
Compliance with the Regulatory and Legal Framework of Internal Audit
GIAGD shall comply with the mandatory guidelines of the International Institute of Internal Auditors (IIA), namely the Definition of Internal Audit, the Code of Ethics and the International Internal Audit Standards (hereinafter: the Standards). These specific directives are the fundamental principles of the professional implementation of Internal Audit as well as the evaluation of the effectiveness of audit activities.
The Advisory Guidelines of IIA (Practical Advisories, Practical Guides and Position Papers) are additional guidance in the effective execution of Internal Audit activities.
In addition, the GIAGD has to conform to the pertinent Greek Laws on Corporate Governance (Law
The General Director of Group Internal Audit is responsible for ensuring that the Internal Audit Charter and related policies and procedures comply with the legal framework regarding Corporate Governance.
Any unforeseen conflicts of interest or activities should be dealt with in accordance with the Code of Ethics of the International Institute of Internal Auditors, the International Standards for the Professional Practice of Internal Auditing and the pertinent Code of Conduct and the principles of the Group.
CHAPTER Β
Organisation of Group Internal Audit General Division
ARTICLE 4
Organizational Structure of the Group Internal Audit General Division
The GIAGD is supervised by the Audit Committee of the Board of Directors (BoD) of HELLENIC PETROLEUM S.A. The General Division of Group Internal Audit operationally reports to the Audit Committee of the BoD, while it administratively reports to the Chairman of the BoD.
The General Director of Group Internal Audit is appointed and recalled by the BoD upon proposal from the Audit Committee, reports operationally to the Audit Committee of the BoD and administratively to the Chairman of the BoD.
Within the framework of operational reporting:
• The BoD and the Audit Committee approve the present Charter governing the operation of Internal Audit, the Strategy and the Internal Audit Manual of the GIAGD (art. ΙΙΙ, chapter Β, para. 2 of the Audit Committee Operation Regulation)
• The General Director of Group Internal Audit informs the BoD and the Audit Committee on the results of the GIAGD’s activities.
• The Audit Committee evaluates the performance of the GIAGD and informs – in this respect – the Chairman of the BoD and the Board of Directors of the Group (Article ΙΙΙ, Chapter Β, Para. 9 of the Audit Committee Operation Regulation).
• The General Director of Group Internal Audit participates in meetings with the Audit Committee that are convened either by the Committee, or on his/her own initiative, whenever he/she considers it necessary for achieving the objectives of GIAGD.
• The General Director of Group Internal Audit has access to the Chairman and the Members of the Audit Committee, whenever he/she considers it necessary for achieving the objectives of Internal Audit (for example, for matters related to risk management, ethics, security, External Audits and other Internal Audit issues).
Administrative reporting includes:
• The approval of the Budget of the GIAGD.
• Human resources management, including performance appraisals, training, development and staff remuneration.
• Internal communication and information flow.
• Management of the policies and procedures for the operation of Internal Audit.
ARTICLE 5
Internal Auditors
The Internal Auditors Code of Conduct sets out the basic principles of good practices for Internal Audit regarding its various objectives. The personal judgment of Internal Auditors is very often necessary when applying these principles. At the same time, Internal Auditors have the responsibility to behave in a manner consistent with the principles of good faith and integrity.
Specifically:
1. Internal Auditors must be honest, objective and diligent when performing audits.
2. They must be particularly cautious when using information they receive during their work. It is forbidden for them to use professional information in any way, outside the context of their duties. In this context, all GIAGD employees, upon starting their employment, shall sign an appropriate Confidentiality Agreement.
3. They must be diligent in supporting the opinion expressed, by providing appropriate and adequate evidence. In their report, they must state and disclose all information they receive which, if not disclosed, may cause misinformation or conceal unlawful acts.
4. They must make continuous effort to improve the professionalism and efficiency of the services they provide.
5. They are not allowed to participate in activities which are in conflict with Group interests or which,
6. In accordance with the applicable Group Code of Conduct, they must not accept any payment or gift from any employee, customer, supplier or associate of the Group.
ARTICLE 6
Independence and Objectivity
The work of the Internal Audit is independent in matters related to the choice and scope of audits, the timing of performing the audits, as well as the content of the Audit Reports.
Internal Auditors have no direct operational competence or jurisdiction over the audited areas. Therefore, they shall not apply controls, develop procedures, install systems, create accounting records, or engage in any other activity that may affect their judgment.
Internal Audit shall operate with impartiality and objectivity, in order to avoid conflicts of interest and disclose any activity which could lead to a possible conflict of interest.
Internal Auditors must maintain their objectivity when performing audit work. Their judgment must not be affected by personal interests or the opinions of third parties.
The following persons cannot be appointed as Internal Auditors: members of BoDs of Group Companies, their relatives by blood or marriage up to the second degree, and Directors of Group Companies if they also engage in other duties besides Internal Audit. Moreover, before the lapse of a twelve-month period, Internal Auditors may not participate in projects related to a Division or to a subsidiary Company in which they previously had managerial responsibilities.
Internal Auditors must carry out their audit work in a way that ensures effectiveness and quality. Therefore, they must not consent to being included in work in which they are unable, for any reason, to deliver substantial and objective audit judgments.
The GIAGD has full access to all records and information, premises and activities of the Group, which are necessary for the implementation of its audit work. The GIAGD is of course responsible for the complete preservation of the confidentiality of the data brought to its attention and for ensuring confidentiality regarding corporate issues about which it is informed while performing its duties.
Group Management and employees are required to cooperate with Internal Auditors, provide information to them and, in general, facilitate their work in every way.
The results of the audit work should be reviewed before any engagement-related disclosures in order to provide reasonable assurance that the work was carried out objectively.
Audits should be assigned in a way that prevents conflicts of interest. The General Director of Group Internal Audit must periodically receive information from the Group Compliance Unit on possible conflicts of interest and Internal Auditors must report any situations where conflict of interest is possible or inferred to the General Director of Group Internal Audit.
The General Director of Group Internal Audit must make all necessary changes in the audit process and the persons involved in the audit engagement in order to ensure the objectivity, accuracy and integrity of the audit.
Also, every year, the General Director of Group Internal Audit must declare the independence of the GIAGD to the Group BoD, prior to the Group Annual General Meeting.
If, for any reason, any restriction on the operational framework of Internal Audit prevents the achievement of its objectives, the restriction and its potential effect must be communicated in writing to the BoD by the General Director of Group Internal Audit.
If changes have been made to the BoD or other significant alterations have taken place within the Group, the General Director of Group Internal Audit must inform the BoD about the restrictions on the operational framework of Internal Audit, which had previously been disclosed to and accepted by the BoD.
ARTICLE 7
Professional Competence
The General Director of Group Internal Audit must ensure that those employed in the GIAGD or appointed for an audit work have, collectively, the necessary knowledge, skills and other competencies to perform their duties properly and efficiently.
The GIAGD must employ Auditors or use consultants equipped at least with the following knowledge and skills:
• Ability to apply Internal Audit Standards, procedures and techniques.
• Knowledge of accounting principles and techniques.
• Understanding of business management principles.
• Adequate technical knowledge for performing audits in industrial facilities.
• Adequate knowledge of areas such as economics, law, taxation, finance and computing.
Internal Auditors must comply with the Professional Standards of Conduct, as described in the Code
comprises two significant parts:
a) The principles relating to the profession and the implementation of Internal Audit, i.e. integrity, objectivity, confidentiality and competence.
b) The rules of professional conduct, which Internal Auditors must adhere to.
The General Director of Group Internal Audit is responsible for establishing the necessary criteria and qualifications of the staff of the GIAGD. He draws up an annual analysis of the knowledge and skills of the entire GIAGD staff and submits it to the Audit Committee in order to identify the areas which may be improved through continuous professional training, recruiting or collaboration with external parties who have the necessary qualifications.
Internal Auditors are required to have mastery of written and spoken language, so as to communicate clearly and effectively and provide information on matters related to Audit objectives, evaluations, conclusions and recommendations.
The interpersonal relations of Internal Auditors must be such as to allow them to collaborate, constructively and effectively, with the auditees at all levels of hierarchy.
ARTICLE 8
Due Professional Care
Due professional care is the attention and skill that a prudent and competent Internal Auditor is expected to demonstrate when performing his/her duties. Due professional care is proportional to the complexity of the audit being performed and requires the Internal Auditor to examine and veri-

• Drawing up and approving the annual Audit Plan and its budget and submitting it to the Audit Committee of the BoD for approval.
• Safeguarding the action plan for the proper execution of the duties of Internal Auditors.
• Supervising the implementation of the Audit Plan and final approval of Audit Reports before their submission to the Audit Committee of the BoD, especially the classification of audit findings, recommendations,
• Periodic briefing of the Audit Committee on the current institutional framework concerning the activity
• Auditing Information Systems.
Framework for the Implementation of Internal Audit (Standards ΙΕΕ 2040, 2340).
• Participation, as an observer, in the work of Group Committees (Credits, Investment, Coordination, Research & Production) within the framework of the preventive and advisory role of the Internal Audit.

DIRECTOR OF INTERNAL AUDIT IN INDUSTRIAL & SUPPLY FACILITIES OF HELLENIC PETROLEUM
The Director of Internal Audit in Industrial & Supply Facilities of HELLENIC PETROLEUM is responsible for the following:
• Communicating with the Directors and officers of the Organizational Units being audited.
• Communicating with other internal assurance teams of the Group, regarding technical issues of the industrial facilities and, more specifically, about health, safety and environmental issues.
• Planning Technical Audit Engagements.
• Assigning the execution of Audits to the competent Internal Auditors, following consultation with the General Director and other Senior Directors of the GIAGD.
• Supervising the work of Technical Internal Auditors.
• Reviewing and approving the final Draft Reports of Technical Internal Auditors, including the risk rating, the classifications of findings and the recommendations for the necessary changes and improvements.
• Submitting the file of each Internal Audit engagement to the General Director of Group Internal Audit, following completion of the engagement.
• Monitoring the cost related to his/her Division.
• Record-keeping of the files of all audit engagements for which he/she is responsible.
• On the job training of the Internal Auditors, by assigning work in different fields (rotation) and by suggesting their participation in seminars in order for them to improve their auditing skills and be updated on developments regarding the audit methodology applied in Technical Audits.
• The GIAGD methodology, pursuant to the International Framework for the Professional Implementation of Internal Audits (Standard ΙΕΕ 2040, 2340).
• Participation, as an observer, in the work of the Group Committees (Investment, Refining & Supply) within the framework of the preventive and advisory role of the Internal Audit.
SENIOR DIRECTOR OF INTERNAL AUDIT IN DOMESTIC & INTERNATIONAL RETAIL
• Record-keeping of the files of all audit engagements for which he/she is responsible.

INTERNAL AUDITORS OF THE GIAGD
ARTICLE 10
Responsibilities of Internal
Management is responsible for implementing and maintaining an effective system of Control Procedures at a reasonable cost. This responsibility entails the design of an appropriate system of periodic Internal Controls, which indicate or reveal cases where current procedures and operational systems of the Group are either missing, or fail to meet requirements, are not effective or are not implemented.
A properly designed system of Internal Controls prevents actions which:
a) Do not comply with the rules of good administration,
b) Violate Group regulations and procedures,
c) Jeopardize the proper and safe operation of the Group,
d) Expose the Group to high risks (in regards to assets, human resources, financial results, environment and business continuity).
The Audits carried out by the Internal Auditors increase the possibility of detection and further investigation for possible indications of unlawful acts and unethical behavior.
Internal Audit does not carry the main responsibility for addressing any acts or omissions against the property and interests of the Companies of the Hellenic Petroleum Group, which may have been detected during the audit procedure. However, it assists with the collection of information and suggests improvements to Internal Control Systems in order to protect the Group from similar events in the future.
Internal Auditors may participate as consultants in addressing unlawful behavior or high risk actions, provided that their participation does not affect the independence of Internal Audit.
The GIAGD advises Management in regards to planning the strategy of divulging documents and information, in the earliest possible stage of the investigation of unlawful behavior or high risk actions, so as to minimize the risk of inappropriate communications or leakage of information or inaccurate information.
Additionally, Internal Auditors should evaluate the evidence and advise Management in regards to the deficiencies identified in Internal Control Systems and the application of appropriate controls, in order to prevent similar incidents of unlawful behavior in the future.
In brief, the role of the GIAGD in the assessment, prevention and identification of risk of property damage of the Hellenic Petroleum Group, is listed in the Table below:
Violation of the Code of Conduct | The Internal Auditor demonstrates due professional care (Standard 1220) in identifying cases of violation of the Code of Conduct.
Actions that endanger smooth operations | The Internal Auditor demonstrates due professional care (Standard 1220) in identifying actions which endanger the smooth operations of the Group.
Excessive risk-taking by the Group | Advisory role of the Internal Auditor in assessing the management of business risks by Management.
CHAPTER C
Conducting Internal Audit
ARTICLE 11
Scope of Application of Internal Audit Procedures
The General Director of Group Internal Audit must establish policies and procedures to guide Internal Audit activity.
The relevant procedures are to be reviewed at least every two years and are updated upon written submission of improvement suggestions, analysis and evaluation by the hierarchy and approval by the Group’s General Manager of Group Internal Audit Division. The content of the final proposals is reviewed and approved by the Audit Committee of the HELPE BoD.
III. Technical Audits, which are conducted on the Group’s Technical Divisions, such as production, trading of oil products, equipment maintenance, environmental protection, investments, etc. The scope of a Technical Audit includes all rules and procedures relating to technical activities, construction contracts and equipment orders. The methodology of the Technical Audit is similar to that of the Financial Audit, however, the evaluation of risks that arise from lack of procedures or non-compliance with procedures and contractual terms, requires the specialized knowledge and expertise of engineers. Therefore, Technical Audits are performed mainly by engineers trained in auditing.
ARTICLE 12
Risk Assessment
Risk assessment is the process of identifying and measuring risk and assessing the effectiveness of the existing procedures for managing and responding to risk. Indicatively, the following risks shall be considered: risk of business interruption, sovereign, exchange rate, tax, legal, environmental, business, operational, credit, liquidity, systems, risks of fraud, technological, natural, geopolitical, health, safety, life, etc.
Against all risks, the Group is required to prepare action plans to control and prevent the unpleasant consequences of their occurrence.
The GIAGD, through its procedures, shall facilitate the identification, assessment and management of any risk that threatens the smooth operation of the Group.
The assessment of each risk faced by the Group shall be based on the understanding of the consequences that may arise should the risk not be effectively addressed.
Indicatively, there are five steps of risk assessment at the workplace:
Step 1: Identifying the source of risk
Step 2: Determining potential impact/damage
Step 3: Risk assessment in order to ascertain if the existing measures are adequate or if more action/s shall be undertaken
review (if necessary)
The GIAGD considers the effectiveness of risk management processes by assessing whether:
• The objective purposes of the Group support and align with its mission
• Significant risks are identified and assessed
• Risk management measures are assessed – whether they are appropriate depending on the acceptable risk margins as set by the Group
• Risk-related information is collected and communicated in a timely manner across the Group, enabling the human resources, the Management and the BoD to take up their responsibilities.
The GIAGD gathers information to support this assessment when performing various activities. The comprehensive review of this information enables the understanding of the Group’s risk management processes and their effectiveness.
Risk management processes are monitored by ongoing activities by the Management, using individual assessments, or in combination of both.
The GIAGD shall assess the exposure to risks related to governance systems, functions and IT systems of the Organization with regard to:
• Achieving the objectives of the Organisation
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations and programmes
• Safeguarding of assets
• Compliance with laws, regulations, procedures and agreements.
The GIAGD shall assess the likelihood of fraud and the way the Group manages the risk of fraud.
In the course of their advisory work, the Internal Auditors shall identify the risk associated with the project’s objectives and be vigilant about the existence of other significant risks.
Internal Auditors shall incorporate knowledge about risks they derive from advisory deeds into the assessment of risk management processes of the
ARTICLE 13
The Role of Internal Audit in the Process of Managing Business Risks
The BoD of HELLENIC PETROLEUM S.A., as the body responsible for implementing the Strategy and achieving the Objectives of the Hellenic Petroleum Group of Companies, must design and implement the necessary Control Mechanisms, so as to provide reasonable assurance to the shareholders that the Group’s Objectives are achieved.
Control Mechanisms include:
• Corporate Governance Procedures.
• Internal Control Systems.
• Risk identification procedures.
• Risk assessment procedures.
rection of undesirable events which have already occurred) or directional (encouragement of desirable
• The risks must be assessed and classified according to their probability and severity of impact on the achievement of Group aims and objectives.
• The Board of Directors should have identified the level of strategic and other risks which is acceptable to the Group.
• Activities for addressing and managing risk should have been designed in order to reduce risk to levels that the BoD has recognized as acceptable.
• Regular monitoring of operations must take place in order to periodically reassess the risks and the effectiveness of Internal Control Mechanisms in risk management.
• Management should receive regular periodic reports on the results of risk management procedures. The identified risks, the strategies for addressing them and the related Internal Control Mechanisms for preventing said risks in the future, should also be communicated to the Divisions involved.
• The Board of Directors must evaluate Management response to errors and weaknesses detect-
• Management’s risk identification and management system is adequate and effective (policies, regulations, procedures, reports, audits).
• The operational procedures, policies and reports are adequate.
• Internal Control Mechanisms are adequate, effective and efficient.
Within this framework, Internal Audit must systematically and consistently evaluate the adequacy and effectiveness of risk identification and management procedures, Internal Control Mechanisms and Business Operation Procedures and reports, and suggest improvements and corrective actions in cases where deficiencies or inadequacies are detected.
The BoD and the Audit Committee have a supervisory role in the risk management process.
Internal Auditors must assist Management and the Audit Committee by examining, evaluating and submitting reports and recommendations for the improvement of the efficiency and effectiveness of the Group’s risk management procedures.
The Head of the Internal Audit and the members of the GIAGD shall be aware of the various types of risks within the Group and of their tolerance margins.
In addition, when it is established that an Organisational Unit assumes a risk in excess of Group-set tolerance, the case has to be reported/referred to the Audit Committee.
As long as the Organisation has a risk management policy that may include a risk acceptance process (quantified risk assessment; risk matrix), it is important the GIAGD becomes aware of it.
ARTICLE 14
Preparation of Audit Plan
The audit work shall have clear objectives, which are part of planning the Audits. The starting
required within the scope of the project. The audit scope shall be communicated to the Head of the area concerned and sufficient time for preparation shall be provided. Moreover, the Internal Auditors communicate with other people in the area under review in order to ensure their availability from the initial stages of the process.
Throughout the planning of the project, the Internal Auditors shall:
• Keep, as a rule, evidence of the discussions and conclusions reached during meetings, and subsequently incorporate or attach them to the Worksheets of the project;
• Define the levels of required standardisation and documentation;
• Develop the project’s Work Programme, taking into account budgets, logistics support and the
– as well as during work execution/implementation, when new information is obtained.
ine the results of the work performed by other internal or external assurance providers and/or the results of
ARTICLE 15
Record Keeping
The General Director of Group Internal Audit is responsible for procedures of keeping engagement records in electronic and/or paper form.
Record keeping procedures should be in line with Group policies and other related regulatory (e.g. Hellenic Capital Market Commission) or other requirements.
Unless otherwise specified, the GIAGD records are kept for a period of 10 years (for regular Audits, consulting deeds or other data) or 15 years (for extraordinary Audits) after being processed by the GIAGD. Then they are destroyed, unless there are specific reasons for extending the period of keeping them (e.g. pending investigations, court proceedings or other legal actions in progress, etc.).
Records for pending civil or criminal proceedings
ARTICLE 16
Communication of Internal Audit Reports
The Audit engagement is completed with the issue of a relevant signed Report.
If Audit Reports are distributed by electronic means, the GIAGD should keep a record of the original signed Report.
Final communications of the audit engagement must be forwarded to the relevant Group Executives, in order to ensure that the recommended corrective actions are undertaken and implemented.
If it is necessary to provide information outside the Group, it should be assessed whether the information can be disclosed to third parties without harming corporate interests. Otherwise, information should be revised or adjusted to a form which can be communi-
ARTICLE 17
Receiving Services
When the General Director of Group Internal Audit intends to use or rely on an external party, he should consider the ability, independence, integrity and objectivity of the external party in relation to the specific work to be assigned to them.
With regard to the procedures for selecting and assigning a project to external parties, the Group’s Procurement Rulebook should apply.
ARTICLE 18
Relations & Coordination
Internal and External Audit tasks should be coordinated, to the extent possible, in order to ensure adequate audit coverage and minimize overlap of actions and duplication of costs.
The coordination of Internal Audit with other internal or external assurance providers entails:
Periodic meetings and discussions of issues of common interest.
Common access to audit programs and project files.
Common understanding of audit methodology, techniques and terminology.
ARTICLE 19
Reporting to the Audit Committee
The General Director of Group Internal Audit must submit reports, at least every three months, to the Audit Committee of the BoD (Article 8 of Law 3016/2002). Reports should highlight the most significant observations and recommendations of the Audit engagements and provide information on all serious deviations from the agreed time schedules of Audits, staffing plans and financial budgets, as well as the reasons for such deviations.
Where non-compliance with the Code of Ethics or the Standards affects a particular project, the disclosure of the results shall quote the specific items of the Code of Ethics or the Standards with which full compliance has not been established, the reasons for non-compliance and the effect of non-compliance for the project and the
ARTICLE 20
Provision of Consulting Services by the GIAGD
Within the Group, the GIAGD may provide consulting services regarding activities for which it has sufficient knowledge and experience. For example: consulting services in risk evaluation and management, evaluation of procedures, preparation procedure of Financial Statements, administrative accounting, customization of information systems so that they are in line with the Group’s Internal Control Mechanisms.
Internal Auditors must maintain such services within the limits set out by basic Internal Audit operation, for reasons of objectivity and independence.
The assignment of consulting work must be approved by the General Director of Group Internal Audit and communicated to the Audit Committee.
For high-risk findings, the review and report on the progress of the implementation of corrective measures should be performed at the end of each quarter.
The findings of these reports are communicated to the BoD by the Audit Committee.
The General Director of Group Internal Audit should ensure that the GIAGD has access to independent and adequate audit resources in order to review information systems and evaluate the Group’s exposure to related risks.
A significant part of Audit planning is the adequate understanding of the environment of the Group’s infor-
The GIAGD is required to provide reasonable assurance to Management that the Internal Control Mecha-
The GIAGD must confirm that the Group has well-documented procedures for the preparation of quarterly and annual Financial Reports as well as related notifications and report requirements to the Supervisory Authorities. A review of related policies and procedures by Legal Consultants, External Auditors and/or other external consultants may provide additional assurance that the policies and procedures accurately reflect current requirements.
CHAPTER D
Quality Assurance and Evaluation of Auditors
ARTICLE 23
Quality Assurance and
The General Director of Group Internal Audit must implement a Quality Assurance and Improvement Program (Attribute Standards 1300-1320) in order to evaluate the operations and procedures of the GIAGD. To this end, the best practices on the Internal Audit profession should be taken into account.
It operates efficiently and effectively.
Internal Auditors adhere to the Code of Ethics.
It is perceived by stakeholders as a function that adds value to the Group and improves its Internal Control Mechanisms.
The Quality Assurance and Improvement Program must contain at least the following elements:
Supervision of Internal Audit work.
Internal assessments (Standard 1311).
External assessments (Standard 1312).
The General Director of Internal Audit shall disclose the results of the Quality Assurance and Improve-
date includes:
The range and frequency of internal and external assessments
The conclusions of the assessor or the assessment team on the degree of compliance
The proposed corrective Action Plans.
Ongoing monitoring of the work of the Internal Audit.
Periodic assessments by the GIAGD Managers (self-assessment, at least every two years) or by other Executives of the Group with adequate knowledge of Internal Audit practices. The periodic assessment may refer to the degree of compliance with the International Professional Practices Framework (IPPF, Standard 1321).
In addition, the opinion of the audited parties should be requested after each Audit, in the form of relevant questionnaires. The advantage of this
method is that an additional opinion may be communicated to Management with regard to the work of the GIAGD, which may lead to recommendations for improvement.
The General Director of Group Internal Audit presents the annual review of the results of ongoing monitoring with the relevant findings as well as the corresponding improvement recommendations to the Audit Committee.
The General Director of Group Internal Audit receives a written report on the results of each internal review and must ensure appropriate actions have
E. Degree of meeting stakeholders’ expectations.
The self-assessment process is implemented as part of the GIAGD’s Quality Assurance and Improvement Programme. According to Standard 1311 Implementation Guide (Internal Assessments), “Periodic internal self-assessments have a different target in contrast to the ongoing performance monitoring, since they provide a more holistic overview of the Standards and the Internal Audit activity. By contrast, continuous performance monitoring is more focused on audit-level overviews.”
“Audits shall be properly supervised in order to achieve the defined objectives, to assure quality and
The following table shows the GIAGD’s self-assessment procedure:
Coordinator Attributes (pursuant to the IIA): Member of the IIA, certified by IPPF, internal or external
Timetable of the self-assessment process: Start date, duration, estimated date of publication of the final Report
Frequency of sending the questionnaire: Once in two years
Step 1: Initial writing of a Questionnaire/Regular (Periodic) review
Step 2: Sending the Self-Assessment Questionnaire
Step 3: Collection of Completed Questionnaire
Step 4: Processing the Questionnaire Results & the results of the GIAGD Self-Assessment Report
Step 5: Sending the GIAGD Report on the self-assessment, with specific action plans for any corrective proposals [Audit Committee, BoD, the General Manager of the Group’s Internal Audit, the GIAGD personnel (alternatively: presentation of the Report)]
ARTICLE 25
External Assessments
The GIAGD shall be subject to an external assessment at least every five (5) years (pursuant to Standard 1312), by an independent assessor or an assessment team outside the Organisation, with the purpose of validating:
The compliance of the Internal Audit to the Standards;
The implementation of the Code of Ethics by all GIAGD members;
To establish to what extent the work of Internal Audit meets the expectations of the BoD, the Senior Management and the Managers of the Group’s Divisions and adds value to the Group.
The External Assessment Reports include an expression of opinion or conclusions about its results. In addition to the general conclusion on compliance with the Standards for all activities of the Internal Audit, the Report includes an assessment of the implementation of each Standard and/or set of Standards separately.
The rating scale used to indicate the degree of compliance is as follows:
General compliance (denotes the highest score) – The Internal Audit is run by the Charter, Policies and Procedures. Their implementation and outcome are considered to be in accordance with the Standards.
Partial compliance – Deficiencies in the Internal Audit practices are noted, and they are considered as deviations from the Standards. However, this does not prevent the Internal Audit from performing its responsibilities.
Non-compliance – it reveals shortcomings in the Internal Audit practices, the significance of which is deemed to affect the operations of the Internal Audit or prevent it from performing its task in its entirety or in important areas.
During the external assessment and in case of general non-compliance, the assessor shall provide recommendations for the areas that do not comply with the Standards and indicate opportunities for improvement. The General Director of Internal Audit has to notify the Audit Committee, and produce an action plan for the implementation of the recommendations of the external assessor.
FINDING A NON-CONFORMITY
The results of the internal and external assessments and the level of GIAGD compliance with the Standards shall be communicated to the Audit Committee of the BoD. These evaluations may reveal a weakening of independence or objectivity, limitations in the scope of the audit work, limitations on resources or other conditions that may affect the ability of the Internal Auditors to carry out their responsibilities vis-à-vis the stakeholders. When such non-compliance occurs, it
shall be generally reported to the Audit Committee of the BoD and recorded in the minutes of the meeting.
rective action plans and actions taken in order to improve the GIAGD compliance with the Standards and the Code of Ethics.
In addition, any documentation of corrective actions undertaken to improve the efficiency and effectiveness of the GIAGD may help to demonstrate compliance with the Standard.
In any case, the General Director of Group Internal Audit assesses the non-compliance and determines its impact on the overall range or exercise of its operations. In addition, he considers the likelihood and degree of impact in case of non-compliance, on the ability of Internal Auditors to assume their professional responsibilities and/or meet the expectations of the stakeholders. The affected responsibilities may relate to the ability to provide credible assurance in specific areas within the Organisation, the completion of the Audit Programme and the response to high-risk areas. Any non-compliance as well as its effects are communicated by GIAGD to the Group’s Audit Committee.
Demonstration of Compliance: In order to demonstrate compliance with the Standards, the GIAGD shall keep evidence of the occurrence and nature of any non-compliance with the Standards or the Code of Ethics.
ARTICLE 26
Procedure on
This Operating Charter shall be reviewed periodically, at least every two years, based on the conclusions of the mandatory internal assessments.
Ad hoc or additional overviews are carried out based on independent external assessments of the GIAGD, but also to incorporate any significant changes in legislative and regulatory framework for the implementation of Internal Audit.
The General Director of Internal Audit assigns to GIAGD groups the regular monitoring of the websites of the International and the Hellenic Institute of Internal Auditors, in order to timely review any information on developments in Internal Audit and in particular in the Standards, the Code of Ethics and the IIA Practice Advisories.
The competent Auditor Groups communicate important issues by e-mail to the Directors and the General Director of Internal Audit, who, after analysing the data, decide on the relevant adjustment of the Charter.
The Audit Committee is responsible for the approval and adoption of the updated Charter.
Updates of the Charter are communicated to the GIAGD Internal Auditors by email, while signed printouts are kept with the Secretary.
CHAPTER E
Privacy and Data Protection
ARTICLE 27
The GIAGD complies with the Group’s Personal Data Protection Policy (GDPR) and related Procedures that define the behaviour both of Group employees and third parties that the Group is dealing with, when processing Personal Data.
The GIAGD acquires Personal Data directly from the subjects or from the audited Organisational Units/Companies of the Hellenic Petroleum Group or from the digital systems installed in the Group (e.g., SAP, Galaxy, etc.) or from the physical records of the audited Organisational Units/Companies or finally from third parties, in particular in cases of complaints.
The GIAGD collects and processes only data related to its specific, duly approved, auditing and/or advisory projects in addition to its operational obligations arising from the respective procedures of the Group (e.g., personnel assessment). This data may concern partners of the Group (e.g., customers, suppliers or other third parties) or Group employees.
The data the GIAGD keeps and processes in the course of its duties is stored in digital format in the Digital Archive (ARTEMIS system) and, in printed form, at the GIAGD Physical Archive. The contents of the Physical Archive are limited to what is absolutely necessary (e.g., specimen of signatures, documents unsuitable for scanning, etc.), while all other data and information is digitised (e.g. by scanning, uploading from electronic systems of the Group, etc.) and registered in the Digital Archive. In no event do users keep data and information arising from their work at the GIAGD on
Data is kept for a period of 10 years (for regular Audits, consulting deeds or other data) or 15 years (for extraordinary Audits) after being processed by the GIAGD. It is then destroyed, unless there are specific reasons for extending the period of keeping it (e.g. pending investigations, court proceedings or other legal actions in progress, etc.).
All GIAGD employees, including temporary associates (e.g. specialised consultants, contractors, students, etc.), at the beginning of their assignment to the GIAGD, must sign a Confidentiality Statement, setting out the restrictions and their obligations regarding the Personal Data Protection and, in the context of their duties/tasks within the Group, they also comply with the respective Group Policy. The Privacy Policy Officer in the GIAGD has to send a reminder of their Confidentiality commitment to all GIAGD employees on an annual basis.
The GIAGD issues Internal Audit Reports, which are communicated to the stakeholders (typically to the Head of the audited organisational Unit/Company/Audit Committee/BoD, Chairman of the BoD). Parts of specific Reports (e.g. individual findings and suggestions for improvement) may be communicated to other stakeholders (e.g. employees of the Group who have an operational role in the implementation of corrective actions). All Internal Audit Reports are flagged as confidential, while their introduction includes a confidentiality protection clause. In addition, all electronic and/or printed correspondence containing audit data (e.g. Reports, findings, improvement suggestions, follow-up, etc.) is flagged as confidential.
Except for certain cases involving countries outside the European Union where the Group operates through subsidiary companies (e.g. Montenegro, Serbia, FYROM, etc.) or directly, the GIAGD does not transfer Personal Data to third party countries.
Any records, printed or electronic, produced during a GIAGD Auditing and/or Advisory task and located outside of the abovementioned official Digital and Physical Archives and the GIAGD and/or the Group’s systems (e.g., computer discs or personal records of employees, etc.) are minimised and, in any case, must be destroyed immediately after use, on the responsibility of the users. Under no circumstances can data be stored in files and systems outside the official Archives (Electronic and Physical) of the GIAGD and the Group.
and only the Secretary and the General Director have keys in their possession. The Secretary keeps a Physical File Access Log (user’s name, date and time of access, delivery or receipt, name of the file moved, purpose of moving).
Every employee has to ensure the security of the data kept on their computer disk and/or in file cabinets, by applying, as a minimum, the same security measures.
Persons outside the GIAGD may not have access to data kept and processed by the GIAGD except in special cases (e.g. external auditors or third parties having a lawful interest). In those cases a special permission is granted by the GIAGD, access is recorded and they remain under the continuous supervision of the Head of Privacy Protection within the GIAGD.
As far as the rights of the data subjects are concerned, the GIAGD follows the provisions of the Group’s Personal Data Protection Policy. In particular,
ARTICLE 28
Privacy Protection Officer
Moreover, the PPO initiates the establishment of a Data Privacy culture, achieved by educating the GI-
This Charter of the Group Internal Audit General Division was reviewed in November
2018 by the Group Internal Audit General Division and complies with Greek Law
3016/17.05.2002, Decision 5/204/14.11.2000 of the Hellenic Capital Market
Commission on Corporate Governance and their respective modifications, the Code
of Corporate Governance of the Hellenic Federation of Enterprises (SEV) for Listed
Companies, as adopted by the Company under Law 3873/2010, the Group’s Code of
Conduct and the Code of Ethics of the Institute of Internal Auditors (IIA).
HEAD OFFICE 8A CHIMARRAS str., 15125 - MAROUSSI, ATHENS - GREECE - T: +30 210 6302000 - F: +30 210 6302510, +30 210 6302511 - www.helpe.gr