Kanonismos Leitoyrgias en


Internal Audit Charter
INTERNAL AUDIT GENERAL DIVISION
NOVEMBER 2018
Contents

CHAPTER Α INTERNAL AUDIT PRINCIPLES
INTRODUCTION
Article 1 INTERNAL AUDIT MISSION
Article 2 INTERNAL AUDIT OPERATION PRINCIPLES
Article 3 COMPLIANCE WITH THE REGULATORY AND LEGAL FRAMEWORK OF INTERNAL AUDIT

CHAPTER B ORGANISATION OF GROUP INTERNAL AUDIT GENERAL DIVISION
Article 4 ORGANIZATIONAL STRUCTURE OF THE GROUP INTERNAL AUDIT GENERAL DIVISION
Article 5 INTERNAL AUDITORS CODE OF CONDUCT
Article 6 INDEPENDENCE AND OBJECTIVITY
Article 7 PROFESSIONAL COMPETENCE
Article 8 DUE PROFESSIONAL CARE
Article 9 DUTIES OF GENERAL DIRECTOR & SENIOR DIRECTORS OF GROUP INTERNAL AUDIT
Article 10 RESPONSIBILITIES OF INTERNAL AUDIT CONCERNING THE IDENTIFICATION, ASSESSMENT AND PREVENTION OF RISK OF PROPERTY DAMAGE OF THE COMPANIES OF THE HELLENIC PETROLEUM GROUP

CHAPTER C CONDUCTING INTERNAL AUDIT
Article 11 SCOPE OF APPLICATION OF INTERNAL AUDIT PROCEDURES
Article 12 RISK ASSESSMENT PROCEDURE
Article 13 THE ROLE OF INTERNAL AUDIT IN THE PROCESS OF MANAGING BUSINESS RISKS
Article 14 PREPARATION OF AUDIT PLAN
Article 15 RECORD KEEPING
Article 16 COMMUNICATION OF INTERNAL AUDIT REPORTS
Article 17 RECEIVING SERVICES TO SUPPORT THE OPERATION OF INTERNAL AUDIT
Article 18 RELATIONS & COORDINATION WITH EXTERNAL AUDITORS AND INTERNAL CONTROL MECHANISMS OF THE GROUP
Article 19 REPORTING TO THE AUDIT COMMITTEE
Article 20 PROVISION OF CONSULTING SERVICES BY THE GROUP INTERNAL AUDIT GENERAL DIVISION
Article 21 REVIEW OF INFORMATION SYSTEMS
Article 22 AUDIT OF PROCEDURE FOR SUBMITTING FINANCIAL AND OTHER REPORTS

CHAPTER D QUALITY ASSURANCE AND EVALUATION OF AUDITORS
Article 23 QUALITY ASSURANCE & IMPROVEMENT PROGRAM
Article 24 INTERNAL ASSESSMENTS
Article 25 EXTERNAL ASSESSMENTS
Article 26 PROCEDURE ON UPDATING THE CHARTER

CHAPTER Ε PRIVACY AND DATA PROTECTION
Article 27 DATA PROTECTION
Article 28 PRIVACY PROTECTION OFFICER
CHAPTER Α
Internal Audit Principles

Introduction

The Internal Audit Charter aims at setting the scope and framework of duties and responsibilities of the Group Internal Audit General Division of Hellenic Petroleum (hereinafter GIAGD), with jurisdiction in all the Companies in the Hellenic Petroleum Group.

The Companies which belong to the Hellenic Petroleum Group are those under the direct or indirect shareholding and/or administrative control of HELLENIC PETROLEUM S.A.

When performing its duties, the GIAGD must apply the pertinent Greek Laws on Corporate Governance (Law 3016/2002, as in force), the Decision 5/204/14.11.2000 (as in force) of the Hellenic Capital Market Commission, the Corporate Governance Code of the Hellenic Federation of Enterprises (SEV) regarding listed companies, which HELLENIC PETROLEUM S.A. has adopted in line with Law 3873/2010, the Group’s Code of Conduct and the International Standards of Internal Auditing as established by the Institute of Internal Auditors (IIA).

In addition, Internal Auditors perform their duties based on the principles of independence, objectivity and confidentiality and must act in full compliance with the Policies and Procedures of the Hellenic Petroleum Group.
ARTICLE 1
Internal Audit Mission

The GIAGD has the authority and responsibility to assess the implementation of procedures and policies that promote sound and lawful management in all Companies and units of the Hellenic Petroleum Group. This primarily includes the safe and efficient operation of facilities, the accuracy and reliability of accounting and operational data, the protection of resources of the Hellenic Petroleum Group from mismanagement and unlawful acts and the appropriate management of business risks.

The GIAGD evaluates the strict implementation of Management Policies by the various Departments and generally assesses the overall effectiveness and efficiency of the procedures and operations of the Companies of the Hellenic Petroleum Group.

It periodically briefs Management (Board of Directors, Audit Committee, Chairman and CEO) on the above, proposes improvements, changes and additions to procedures and policies, where appropriate, and follows up on the implementation of its proposals.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

ARTICLE 2
Internal Audit Operation Principles

Internal Audit is performed by the GIAGD, which provides independent, objective assurance services for sound administration and risk management, through the implementation of regulations, procedures and information, as well as consulting services designed to add value to the Group, by means of proposals for the improvement and updating of internal procedures that ensure transparency in the management of business operations and the proper assessment of operational risks.

The basic purpose of Internal Audit is to provide to the Shareholders, reasonable assurance regarding the achievement of the Group’s business and financial objectives, the evaluation of the Group’s actual financial situation and results, the safeguarding of its assets and to ensure the completeness and reliability of data and information included in the accounting and management reports, so that they are accurate and reliable and lastly the lawful and safe operation of its facilities.

The operation of Internal Audit is independent and not subordinate to any other Group unit.

Independence enables Internal Auditors to be objective and, therefore, to deliver unhindered and unbiased judgments, which are important for the proper conduct of audits.

ARTICLE 3
Compliance with the Regulatory and Legal Framework of Internal Audit

GIAGD shall comply with the mandatory guidelines of the International Institute of Internal Auditors (IIA), namely the Definition of Internal Audit, the Code of Ethics and the International Internal Audit Standards (hereinafter: the Standards). These specific directives are the fundamental principles of the professional implementation of Internal Audit as well as the evaluation of the effectiveness of audit activities.

The Advisory Guidelines of IIA (Practical Advisories, Practical Guides and Position Papers) are additional guidance in the effective execution of Internal Audit activities.

In addition, the GIAGD has to conform to the pertinent Greek Laws on Corporate Governance (Law 3016/2002, as in force), the Decision 5/204/14.11.2000 (as in force) of the Hellenic Capital Market Commission, the Corporate Governance Code of the Hellenic Federation of Enterprises (SEV) regarding listed companies, which HELLENIC PETROLEUM S.A. has adopted in line with Law 3873/2010 and the Group’s Code of Conduct.

The General Director of Group Internal Audit is responsible for ensuring that the Internal Audit Charter and related policies and procedures comply with the legal framework regarding Corporate Governance.

Any unforeseen conflicts of interest or activities should be dealt with in accordance with the Code of Ethics of the International Institute of Internal Auditors, the International Standards for the Professional Practice of Internal Auditing and the pertinent Code of Conduct and the principles of the Group.

CHAPTER Β
Organisation of Group Internal Audit General Division

ARTICLE 4
Organizational Structure of the Group Internal Audit General Division

The GIAGD is supervised by the Audit Committee of the Board of Directors (BoD) of HELLENIC PETROLEUM S.A. The General Division of Group Internal Audit operationally reports to the Audit Committee of the BoD, while it administratively reports to the Chairman of the BoD.

The General Director of Group Internal Audit is appointed and recalled by the BoD upon proposal from the Audit Committee, reports operationally to the Audit Committee of the BoD and administratively to the Chairman of the BoD.

Within the framework of operational reporting:
- The BoD and the Audit Committee approve the present Charter governing the operation of Internal Audit, the Strategy and the Internal Audit Manual of the GIAGD (art. ΙΙΙ, chapter Β, para. 2 of the Audit Committee Operation Regulation).
- The General Director of Group Internal Audit informs the BoD and the Audit Committee on the results of the GIAGD’s activities.
- The Audit Committee has the ultimate responsibility for reviewing and approving the long-term and the annual Audit Schedule as well as any significant amendments thereto.
- The Audit Committee evaluates the performance of the GIAGD and informs – in this respect – the Chairman of the BoD and the Board of Directors of the Group (Article ΙΙΙ, Chapter Β, Para. 9 of the Audit Committee Operation Regulation).
- The General Director of Group Internal Audit participates in meetings with the Audit Committee that are convened either by the Committee, or on his/her own initiative, whenever he/she considers it necessary for achieving the objectives of GIAGD.
- The General Director of Group Internal Audit has access to the Chairman and the Members of the Audit Committee, whenever he/she considers it necessary for achieving the objectives of Internal Audit (for example, for matters related to risk management, ethics, security, External Audits and other Internal Audit issues).

Administrative reporting includes:
- The approval of the Budget of the GIAGD.
- Human resources management, including performance appraisals, training, development and staff remuneration.
- Internal communication and information flow.
- Management of the policies and procedures for the operation of Internal Audit.

ARTICLE 5
Internal Auditors Code of Conduct

The Internal Auditors Code of Conduct sets out the basic principles of good practices for Internal Audit regarding its various objectives. The personal judgment of Internal Auditors is very often necessary when applying these principles. At the same time, Internal Auditors have the responsibility to behave in a manner consistent with the principles of good faith and integrity.

Specifically:

1. Internal Auditors must be honest, objective and diligent when performing audits.
2. They must be particularly cautious when using information they receive during their work. It is forbidden for them to use professional information in any way, outside the context of their duties. In this context, all GIAGD employees, upon starting their employment, shall sign an appropriate Confidentiality Agreement.
3. They must be diligent in supporting the opinion expressed, by providing appropriate and adequate evidence. In their report, they must state and disclose all information they receive which, if not disclosed, may cause misinformation or conceal unlawful acts.
4. They must make continuous effort to improve the professionalism and efficiency of the services they provide.
5. They are not allowed to participate in activities which are in conflict with Group interests or which, by objective judgment, affect their ability to perform their duties.
6. In accordance with the applicable Group Code of Conduct, they must not accept any payment or gift from any employee, customer, supplier or associate of the Group.

ARTICLE 6
Independence and Objectivity

The work of the Internal Audit is independent in matters related to the choice and scope of audits, the timing of performing the audits, as well as the content of the Audit Reports.

Internal Auditors have no direct operational competence or jurisdiction over the audited areas. Therefore, they shall not apply controls, develop procedures, install systems, create accounting records, or engage in any other activity that may affect their judgment.

Internal Audit shall operate with impartiality and objectivity, in order to avoid conflicts of interest and disclose any activity which could lead to a possible conflict of interest.

Internal Auditors must maintain their objectivity when performing audit work. Their judgment must not be affected by personal interests or the opinions of third parties.

The following persons cannot be appointed as Internal Auditors: members of BoDs of Group Companies, their relatives by blood or marriage up to the second degree, and Directors of Group Companies if they also engage in other duties besides Internal Audit. Moreover, before the lapse of a twelve-month period, Internal Auditors may not participate in projects related to a Division or to a subsidiary Company in which they previously had managerial responsibilities.

Internal Auditors must carry out their audit work in a way that ensures effectiveness and quality. Therefore, they must not consent to being included in work in which they are unable, for any reason, to deliver substantial and objective audit judgments.

The GIAGD has full access to all records and information, premises and activities of the Group, which are necessary for the implementation of its audit work. The GIAGD is of course responsible for the complete preservation of the confidentiality of the data brought to its attention and for ensuring confidentiality regarding corporate issues about which it is informed while performing its duties.

Group Management and employees are required to cooperate with Internal Auditors, provide information to them and, in general, facilitate their work in every way.

The results of the audit work should be reviewed before any engagement-related disclosures in order to provide reasonable assurance that the work was carried out objectively.

Audits should be assigned in a way that prevents conflicts of interest. The General Director of Group Internal Audit must periodically receive information from the Group Compliance Unit on possible conflicts of interest and Internal Auditors must report any situations where conflict of interest is possible or inferred to the General Director of Group Internal Audit.

The General Director of Group Internal Audit must make all necessary changes in the audit process and the persons involved in the audit engagement in order to ensure the objectivity, accuracy and integrity of the audit.

Also, every year, the General Director of Group Internal Audit must declare the independence of the GIAGD to the Group BoD, prior to the Group Annual General Meeting.

If, for any reason, any restriction on the operational framework of Internal Audit prevents the achievement of its objectives, the restriction and its potential effect must be communicated in writing to the BoD by the General Director of Group Internal Audit.

If changes have been made to the BoD or other significant alterations have taken place within the Group, the General Director of Group Internal Audit must inform the BoD about the restrictions on the operational framework of Internal Audit, which had previously been disclosed to and accepted by the BoD.

ARTICLE 7
Professional Competence

The General Director of Group Internal Audit must ensure that those employed in the GIAGD or appointed for an audit work have, collectively, the necessary knowledge, skills and other competencies to perform their duties properly and efficiently.

The GIAGD must employ Auditors or use consultants equipped at least with the following knowledge and skills:
- Ability to apply Internal Audit Standards, procedures and techniques.
- Knowledge of accounting principles and techniques.
- Understanding of business management principles.
- Adequate technical knowledge for performing audits in industrial facilities.
- Adequate knowledge of areas such as economics, law, taxation, finance and computing.

Internal Auditors must comply with the Professional Standards of Conduct, as described in the Code of Ethics of the Institute of Internal Auditors (IIA), which comprises two significant parts:

a) The principles relating to the profession and the implementation of Internal Audit, i.e. integrity, objectivity, confidentiality and competence.
b) The rules of professional conduct, which Internal Auditors must adhere to.

The General Director of Group Internal Audit is responsible for establishing the necessary criteria and qualifications of the staff of the GIAGD. He draws up an annual analysis of the knowledge and skills of the entire GIAGD staff and submits it to the Audit Committee in order to identify the areas which may be improved through continuous professional training, recruiting or collaboration with external parties who have the necessary qualifications.

Internal Auditors are required to have mastery of written and spoken language, so as to, clearly and effectively, communicate and provide information on matters related to Audit objectives, evaluations, conclusions and recommendations.

The interpersonal relations of Internal Auditors must be such that allow them to collaborate, constructively and effectively, with the auditees at all levels of hierarchy.

ARTICLE 8
Due Professional Care

Due professional care is the attention and skill that a prudent and competent Internal Auditor is expected to demonstrate when performing his/her duties. Due professional care is proportional to the complexity of the audit being performed and requires the Internal Auditor to examine and verify the subject of the audit in an objectively adequate and appropriate manner suitable for each case, without necessarily having to review all transactions. Due professional care does not preclude the possibility of mistake.

ARTICLE 9
Duties of General Director and Senior Directors of Group Internal Audit

GENERAL DIRECTOR OF GROUP INTERNAL AUDIT

The General Director of Group Internal Audit is responsible for the following:
- Assessing Group audit needs, drawing up the long term Audit Plan and submitting it to the Audit Committee of the BoD for approval.
- Drawing up and approving the annual Audit Plan and its budget and submitting it to the Audit Committee of the BoD for approval.
- Safeguarding the action plan for the proper execution of the duties of Internal Auditors.
- Supervising the implementation of the Audit Plan and final approval of Audit Reports before their submission to the Audit Committee of the BoD, especially the classification of audit findings, recommendations, Directors’ comments and communication with General Directors, the CEO and the Chairman of the BoD.
- Submitting Audit Reports to the Audit Committee of the BoD which supervises the GIAGD.
- Deciding on emergency special audits or proposing them, as appropriate, to the Audit Committee or the Chairman of the BoD.
- Collaborating with the External Auditors.
- Collaborating with the Group’s other internal Control Mechanisms (Health, Safety and Environment, Compliance, etc.)
- Preserving the reputation of the GIAGD and promoting its work.
- The assessment of the performance of the Senior Managers and Directors of the GIAGD, in order to ensure independence.
- Periodic evaluation of present Charter, in regards to its adequacy for the effective operation and achievement of the objectives of the General Division.

- Periodic briefing of the Audit Committee on the current institutional framework concerning the activity of Internal Audit and related issues concerning the operation of the GIAGD.
- Participates, as an observer, in the work of the Group and Trading Committees (Credit, Investment, Coordination, Refining & Supply, Research & Production), within the framework of the preventive and advisory role of the Internal Audit.

The General Director of Group Internal Audit reserves the right to request that a Technical Auditor remain at the General Division for at least five years.

SENIOR DIRECTOR OF ADMINISTRATIVE - FINANCIAL INTERNAL AUDIT OF HELLENIC PETROLEUM

The Senior Director of Administrative - Financial Internal Audit of HELLENIC PETROLEUM is responsible for the following:
- Approval of the Audit framework of each assignment.
- Communicating with the Directors and officers of the Organizational Units being audited.
- Communicating with other Group Internal Auditors on matters for which he/she is responsible.
- Planning the financial and administrative Audit engagements of HELLENIC PETROLEUM S.A. and its subsidiaries - except for the Retail & Marketing ones.
- Auditing Information Systems.
- Assigning the execution of audits to the competent Internal Auditors, following consultation with the General Director and other Directors of the General Division.
- Supervising the work of the Internal Auditors regarding administrative and financial audits of HELLENIC PETROLEUM S.A.
- Reviewing and approving the final Draft Reports of the Internal Auditors on administrative and financial Audits of HELLENIC PETROLEUM S.A., including the risk rating, the classifications of findings and the recommendations for the necessary changes and improvements.
- Submitting the file of each Internal Audit engagement to the General Director of Group Internal Audit, following completion of the audit engagement.
- Monitoring the cost related to his/her Division.
- Record-keeping of the files of all audit engagements for which he/she is responsible.
- Communicating with Internal Auditors on matters for which he/she is responsible.
- On the job training of the Internal Auditors, by assigning work in different fields (rotation) and by suggesting their participation in seminars in order for them to improve their auditing skills and be updated on developments regarding the audit methodology applied in Administrative and Financial Audits.
- The quality of the GIAGD Policies and Procedures, pursuant to the International Professional Practices Framework for the Implementation of Internal Audit (Standards ΙΕΕ 2040, 2340).
- Participation, as an observer, in the work of Group Committees (Credits, Investment, Coordination, Research & Production) within the framework of the preventive and advisory role of the Internal Audit.

DIRECTOR OF INTERNAL AUDIT IN INDUSTRIAL & SUPPLY FACILITIES OF HELLENIC PETROLEUM

The Director of Internal Audit in Industrial & Supply Facilities of HELLENIC PETROLEUM is responsible for the following:
- Communicating with the Directors and officers of the Organizational Units being audited.
- Communicating with other internal assurance teams of the Group, regarding technical issues of the industrial facilities and, more specifically, about health, safety and environmental issues.
- Planning Technical Audit Engagements.
- Assigning the execution of Audits to the competent Internal Auditors, following consultation with the General Director and other Senior Directors of the GIAGD.
- Supervising the work of Technical Internal Auditors.
- Reviewing and approving the final Draft Reports of Technical Internal Auditors, including the risk rating, the classifications of findings and the recommendations for the necessary changes and improvements.
- Submitting the file of each Internal Audit engagement to the General Director of Group Internal Audit, following completion of the engagement.
- Monitoring the cost related to his/her Division.
- Record-keeping of the files of all audit engagements for which he/she is responsible.
- On the job training of the Internal Auditors, by assigning work in different fields (rotation) and by suggesting their participation in seminars in order for them to improve their auditing skills and be updated on developments regarding the audit methodology applied in Technical Audits.
- The GIAGD methodology, pursuant to the International Framework for the Professional Implementation of Internal Audits (Standard ΙΕΕ 2040, 2340).
- Participation, as an observer, in the work of the Group Committees (Investment, Refining & Supply) within the framework of the preventive and advisory role of the Internal Audit.

SENIOR DIRECTOR OF INTERNAL AUDIT §§Record-keeping of the files of all audit engagements
IN DOMESTIC & INTERNATIONAL RETAIL for which he/she is responsible.

CHAPTER Β ΟRGANISATION OF GROUP INTERNAL AUDIT GENERAL DIVISION


& MARKETING §§Communicating with the External Auditors on mat-
ters for which he/she is responsible.
The Senior Director of Internal Audit in Domestic & International Retail & Marketing is responsible for the following:

§§Communicating with the Directors and officers of the Organizational Units or Companies being audited.
§§Communicating with other Group internal assurance teams on matters for which he/she is responsible.
§§Planning the Financial, Administrative and Technical Audit engagements of the Group’s Retail & Marketing Companies, in Greece and abroad.
§§Auditing the Information Systems of these Companies.
§§Assigning the execution of scheduled and/or emergency Audits to the competent Internal Auditors, following consultation with the General Director and other Directors of the General Division.
§§Supervising the work of the Internal Auditors.
§§Reviewing and approving the final Draft Reports of the Internal Auditors, including the risk rating, the classifications of findings and the recommendations for the necessary changes and improvements.
§§Submitting the file of each Internal Audit engagement to the General Director of the Group Internal Audit, following completion of the engagement.
§§Monitoring the cost related to his/her Division.
§§On the job training of the Internal Auditors, by assigning work in different fields (rotation) and by suggesting their participation in seminars in order for them to improve their auditing skills and be updated on developments regarding the audit methodology applied.
§§Issues related to recruitment and training of GIAGD personnel, pursuant to the International Framework for the Professional Implementation of Internal Audits (standards ΙΕΕ 2030, 1230).
§§Scheduling of Audits and knowledge management within the GIAGD, pursuant to the International Professional Practices Framework for the Implementation of Internal Audits (standards ΙΕΕ 2010, 1230).
§§Privacy protection within the GIAGD, within the framework of the Group’s compliance with the General Data Protection Regulation (GDPR).
§§Participation, as an observer, in the work of Group and R&M Committees (Credit, Investment, Coordination), within the framework of the preventive and advisory role of the Internal Audit.

INTERNAL AUDITORS OF THE GIAGD

The Internal Auditors of the GIAGD are responsible for the following:

§§Conducting any Audit assigned to them and preparing the Draft Report.
§§Editing the Draft Reports and submitting them to the Directors of Group Internal Audit, as appropriate.
§§Submitting the file of each Internal Audit engagement to the Director of the Group Internal Audit, as appropriate, following completion of the engagement.
§§Monitoring the implementation of the agreed recommendations included in the Final Audit Reports.
§§Participating in discussions with the audited parties regarding the audit findings and recording their opinions and agreement or disagreement.
§§Participating in the evaluation of procedures, risk management and advisory matters in general.
§§Participation in the process of self-assessment.

ARTICLE 10
Responsibilities of Internal Audit Regarding the Identification, Assessment and Prevention of Risk of Damage to the Property of the Companies of the Hellenic Petroleum Group

Management is responsible for implementing and maintaining an effective system of Control Procedures at a reasonable cost. This responsibility entails the design of an appropriate system of periodic Internal Controls, which indicate or reveal cases where current procedures and operational systems of the Group are either missing, or fail to meet requirements, are not effective or are not implemented.

A properly designed system of Internal Controls prevents actions which:
a) Do not comply with the rules of good administration,
b) Violate Group regulations and procedures,
c) Jeopardize the proper and safe operation of the Group,
d) Expose the Group to high risks (in regards to assets, human resources, financial results, environment and business continuity).

The Audits carried out by the Internal Auditors increase the possibility of detection and further investigation for possible indications of unlawful acts and unethical behavior.

If any sign of offences (for instance: fraud, embezzlement, misappropriation, forgery) against the property and interests of the Companies of the Hellenic Petroleum Group is detected during the audit work, the Internal Auditor is responsible for showing due professional care, as described in the relevant Standards (1210.Α2, 1220 & 2120.Α2 The IIA, October 2012).

Internal Audit does not carry the main responsibility for addressing any acts or omissions against the property and interests of the Companies of the Hellenic Petroleum Group, which may have been detected during the audit procedure. However, it assists with the collection of information and suggests improvements to Internal Control Systems in order to protect the Group from similar events in the future.

Internal Auditors may participate as consultants in addressing unlawful behavior or high risk actions, provided that their participation does not affect the independence of Internal Audit.

The GIAGD advises Management in regards to planning the strategy of divulging documents and information, in the earliest possible stage of the investigation of unlawful behavior or high risk actions, so as to minimize the risk of inappropriate communications or leakage of information or inaccurate information.

Additionally, Internal Auditors should evaluate the evidence and advise Management in regards to the deficiencies identified in Internal Control Systems and the application of appropriate controls, in order to prevent similar incidents of unlawful behavior in the future.

In brief, the role of the GIAGD in the assessment, prevention and identification of risk of property damage of the
Hellenic Petroleum Group, is listed in the Table below:

Finding: Fraud
Role of Internal Audit:
— The Internal Auditor demonstrates due professional care in detecting fraud (Standard 1220).
— Assessment of the possibility of fraud and evaluation of managing the related risk by Management (Standard 2120.A2).

Finding: Violation of the Code of Conduct
Role of Internal Audit:
— The Internal Auditor demonstrates due professional care (Standard 1220) in identifying cases of violation of the Code of Conduct.

Finding: Violation of Policies & Procedures
Role of Internal Audit:
— The Internal Auditor demonstrates due professional care (Standard 1220) in identifying cases of non-compliance with policies and procedures.
— Advisory role of the Internal Auditor in the implementation of controls for preventing such incidents.

Finding: Actions that endanger smooth operations
Role of Internal Audit:
— The Internal Auditor demonstrates due professional care (Standard 1220) in identifying actions which endanger the smooth operations of the Group.

Finding: Excessive risk-taking by the Group
Role of Internal Audit:
— Advisory role of the Internal Auditor in assessing the management of business risks by Management.

CHAPTER C
Conducting Internal Audit

ARTICLE 11
Scope of Application of Internal Audit Procedures

The General Director of Group Internal Audit must establish policies and procedures to guide Internal Audit activity.

The relevant procedures are to be reviewed at least every two years and are updated upon written submission of improvement suggestions, analysis and evaluation by the hierarchy and approval by the Group’s General Manager of Group Internal Audit Division. The content of the final proposals is reviewed and approved by the Audit Committee of the HELPE BoD.

The scope of Internal Audit is mainly threefold and includes:

I. Financial Audits, which are pertinent to preserving the Group’s assets, long-term Group operations and the reliability of financial data.
II. Operational or Procedural Audits, which are pertinent to evaluating the adequacy of the Group’s Internal Control Systems and procedures for informing Management, the existing controls for achieving audit objectives, compliance with policies and the implementation of all rules and procedures for the operation of the Group, in order to avoid risks.
III. Technical Audits, which are conducted on the Group’s Technical Divisions, such as production, trading of oil products, equipment maintenance, environmental protection, investments, etc. The scope of a Technical Audit includes all rules and procedures relating to technical activities, construction contracts and equipment orders. The methodology of the Technical Audit is similar to that of the Financial Audit, however, the evaluation of risks that arise from lack of procedures or non-compliance with procedures and contractual terms, requires the specialized knowledge and expertise of engineers. Therefore, Technical Audits are performed mainly by engineers trained in auditing.

ARTICLE 12
Risk Assessment Procedure

Risk assessment is the process of identifying and measuring risk and assessing the effectiveness of the existing procedures for managing and responding to risk. Indicatively, the following risks shall be considered: risk of business interruption, sovereign, exchange rate, tax, legal, environmental, business, operational, credit, liquidity, systems, risks of fraud, technological, natural, geopolitical, health, safety, life, etc.

Against all risks, the Group is required to prepare action plans to control and prevent the unpleasant consequences of their occurrence.

The GIAGD, through its procedures, shall facilitate the identification, assessment and management of any risk that threatens the smooth operation of the Group.

The assessment of each risk faced by the Group shall be based on the understanding of the consequences that may arise should the risk not be effectively addressed.

Indicatively, there are five steps of risk assessment at the workplace:
Step 1: Identifying the source of risk
Step 2: Determining potential impact/damage
Step 3: Risk assessment in order to ascertain if the existing measures are adequate or if more action/s shall be undertaken
Step 4: Description of the measures to be taken
Step 5: Follow-up check on the assessment and its review (if necessary)

The GIAGD considers the effectiveness of risk management processes by assessing whether:
——The objective purposes of the Group support and align with its mission
——Significant risks are identified and assessed
——Risk management measures are assessed – whether they are appropriate depending on the acceptable risk margins as set by the Group
——Risk-related information is collected and communicated in a timely manner across the Group, enabling the human resources, the Management and the BoD to take up their responsibilities.

The GIAGD gathers information to support this assessment when performing various activities. The comprehensive review of this information enables the understanding of the Group’s risk management processes and their effectiveness.

Risk management processes are monitored by ongoing activities by the Management, using individual assessments, or a combination of both.

The GIAGD shall assess the exposure to risks related to governance systems, functions and IT systems of the Organization with regard to:

——Achieving the objectives of the Organisation
——Reliability and integrity of financial and operational information
——Effectiveness and efficiency of operations and programmes
——Safeguarding of assets
——Compliance with laws, regulations, procedures and agreements.

The GIAGD shall assess the likelihood of fraud and the way the Group manages the risk of fraud.

In the course of their advisory work, the Internal Auditors shall identify the risk associated with the project’s objectives and be vigilant about the existence of other significant risks.

Internal Auditors shall incorporate knowledge about risks they derive from advisory deeds into the assessment of risk management processes of the Group.

Internal Auditors shall not assume management responsibility through risk management, but they should support the Management in order to improve risk management processes.

ARTICLE 13
The Role of Internal Audit in the Process of Managing Business Risks

The BoD of HELLENIC PETROLEUM S.A., as the body responsible for implementing the Strategy and achieving the Objectives of the Hellenic Petroleum Group of Companies, must design and implement the necessary Control Mechanisms, so as to provide reasonable assurance to the shareholders that the Group’s Objectives are achieved.

Control Mechanisms include:
§§Corporate Governance Procedures.
§§Internal Control Systems.
§§Risk identification procedures.
§§Risk assessment procedures.
§§Risk management procedures.

According to the internationally accepted definition established by COSO (Committee of Sponsoring Organizations of the Treadway Commission), Internal Control Mechanisms are all the measures planned and adopted by the Group, with the purposes of providing maximum possible assurance that it will achieve its objectives in terms of effectiveness and efficiency of operations, reliability of financial statements and compliance with the law. Control systems can be preventive (preventing undesirable events), detection-oriented (detection, identification and correction of undesirable events which have already occurred) or directional (encouragement of desirable events).

During the Group’s identification and risk management process:
§§The risks arising from strategic choices and operational activities must be identified.
§§The risks must be assessed and classified according to their probability and severity of impact on the achievement of Group aims and objectives.
§§The Board of Directors should have identified the level of strategic and other risks which is acceptable to the Group.
§§Activities for addressing and managing risk should have been designed in order to reduce risk to levels that the BoD has recognized as acceptable.
§§Regular monitoring of operations must take place in order to periodically reassess the risks and the effectiveness of Internal Control Mechanisms in risk management.
§§Management should receive regular periodic reports on the results of risk management procedures. The identified risks, the strategies for addressing them and the related Internal Control Mechanisms for preventing said risks in the future, should also be communicated to the Divisions involved.
§§The Board of Directors must evaluate Management response to errors and weaknesses detected in the Internal Control Mechanisms.

All these operational systems, procedures, activities and operations are subject to Internal Audit evaluations and are a main audit priority.

Internal Audit has the responsibility of providing reasonable assurance that:
§§Management’s risk identification and management system is adequate and effective (policies, regulations, procedures, reports, audits).
§§The operational procedures, policies and reports are adequate.
§§Internal Control Mechanisms are adequate, effective and efficient.

Within this framework, Internal Audit must systematically and consistently evaluate the adequacy and effectiveness of risk identification and management procedures, Internal Control Mechanisms and Business Operation Procedures and reports, and suggest improvements and corrective actions in cases where deficiencies or inadequacies are detected.

The BoD and the Audit Committee have a supervisory role in the risk management process.

Internal Auditors must assist Management and the Audit Committee by examining, evaluating and submitting reports and recommendations for the improvement of the efficiency and effectiveness of the Group’s risk management procedures.

The Head of the Internal Audit and the members of the GIAGD shall be aware of the various types of risks within the Group and of their tolerance margins.

In addition, when it is established that an Organisational Unit assumes a risk in excess of Group-set tolerance, the case has to be reported/referred to the Audit Committee.

As long as the Organisation has a risk management policy that may include a risk acceptance process (quantified risk assessment; risk matrix), it is important the GIAGD becomes aware of it.

ARTICLE 14
Preparation of Audit Plan

The audit work shall have clear objectives, which are part of planning the Audits. The starting point of the planning is the examination of the recent risk assessment conducted by the Management and the one completed by the GIAGD during the annual scheduling of Audits, because the project’s objectives shall be linked to the risks identified in the area under consideration.

Once the objectives have been determined based on the risks, the scope of the audit work shall be determined, setting the limits the Internal Auditors of the GIAGD will work within.

In order to determine the objectives of the project, the Internal Auditors generally identify the data required within the scope of the project. The audit scope shall be communicated to the Head of the area concerned and sufficient time for preparation shall be provided. Moreover, the Internal Auditors communicate with other people in the area under review in order to ensure their availability from the initial stages of the process.

Throughout the planning of the project, the Internal Auditors shall:
——Keep, as a rule, evidence of the discussions and conclusions reached during meetings, and subsequently incorporate or attach them to the Worksheets of the project;
——Define the levels of required standardisation and documentation;
——Develop the project’s Work Programme, taking into account budgets, logistics support and the shape of the final notification of the project results.

The competent Internal Audit Director determines how, when and to whom the results of the project will be communicated (Standard 2440 – Project Results Reporting), as well as the required level of monitoring of the Audit personnel, specifically for the project’s Work Programme (Standard 2340 – Supervision of Project activities). The final step of the planning usually involves the approval of the Project Work Programme by the GIAGD.

The Project planning and the Work Programme can be modified – after their approval by the GIAGD – as well as during work execution/implementation, when new information is obtained.

In the process of planning the project, Internal Auditors shall take into account:
——The strategy and the objectives of the activity under review and the means its performance is measured by;
——Significant risks to the objectives of the activity, the resources, its implementation procedures and the means the potential impact of the risks is mitigated at an acceptable level;
——The adequacy and effectiveness of governance processes, risk management and control procedures, in comparison to a related framework or model;
——Opportunities to make significant improvements in the fields of governance, risk management and activity control procedures.

The development of a Risk and Control Matrix – or the examination of an existing one – is used by Internal Auditors to identify risks that could affect the objectives, the resources and/or the activities of the audited area.

When planning the project, Internal Auditors collect information on the policies and procedures of the Unit audited and try to understand the information systems used in the audited area, along with the sources, formats and reliability of the information used for implementing the procedure, in order to be considered as evidence. In addition, Internal Auditors examine the results of the work performed by other internal or external assurance providers and/or the results of previous Audits in the area or the audited process.

It is important that Internal Auditors identify new processes or conditions that have introduced new risks. They also define the preliminary resources and information, including the skills required for the effective implementation of the project.

Additionally, walk-through tracking, process flow diagrams, worksheets, as well as various gaps in the policies and procedures of the area under audit are recorded in the notes.

The activity planning of the GIAGD must be in line with its Charter and the Group’s objectives. The process of drafting the Annual Audit Plan includes:
——Objectives and scope of work.
——Time schedule of Audit engagements.
——Staff engagement planning.
——Financial budget.
——Activity reports.

The Annual Audit Plan must be based on the assessment of risk severity and the extent of the Group’s exposure to these risks.

During the Audit engagements, the methods and techniques for reviewing exposure to risks must reflect the severity of the risks and the probability of occurrence.

ARTICLE 15
Record Keeping

The General Director of Group Internal Audit is responsible for procedures of keeping engagement records in electronic and/or paper form.

Record keeping procedures should be in line with Group policies and other related regulatory (e.g. Hellenic Capital Market Commission) or other requirements.

Unless otherwise specified, the GIAGD records are kept for a period of 10 years (for regular Audits, consulting deeds or other data) or 15 years (for extraordinary Audits) after being processed by the GIAGD.

Then they are destroyed, unless there are specific reasons for extending the period of keeping them (e.g. pending investigations, court proceedings or other legal actions in progress, etc.).

Records for pending civil or criminal proceedings are kept until the case is finally closed.

The records kept by the GIAGD are confidential. Unauthorized persons within the Group or third persons outside the Group should have no access to records, with the exception of those from public or independent supervisory Authorities which have a statutory right to access. In this case, there should be previous written communication with the CEO and the Group’s General Division of Legal Services.

ARTICLE 16
Communication of Internal Audit Reports

The Audit engagement is completed with the issue of a relevant signed Report.

If Audit Reports are distributed by electronic means, the GIAGD should keep a record of the original signed Report.

Final communications of the audit engagement must be forwarded to the relevant Group Executives, in order to ensure that the recommended corrective actions are undertaken and implemented.

If it is necessary to provide information outside the Group, it should be assessed whether the information can be disclosed to third parties without harming corporate interests. Otherwise, information should be revised or adjusted to a form which can be communicated to third parties with due professional care and always in accordance with the relevant International Standards for the Professional Implementation of Internal Auditing.

The Report and the information contained therein are confidential and their use is solely for informing the Management. Therefore, it is not permissible to reproduce and distribute it in whole or in part without the prior written consent by the GIAGD, except for disclosures provided in the Company’s procedures and obligations on hierarchical reporting.

ARTICLE 17
Receiving Services to Support the Operation of Internal Audit and Internal Control Mechanisms of the Group

When the General Director of Group Internal Audit intends to use or rely on an external party, he should consider the ability, independence, integrity and objectivity of the external party in relation to the specific work to be assigned to them.

In regards to the procedures for selecting and assigning a project to external parties, the Group’s Procurement Rulebook should apply.

ARTICLE 18
Relations & Coordination with External Auditors

Internal and External Audit tasks should be coordinated, to the extent possible, in order to ensure adequate audit coverage and minimize overlap of actions and duplication of costs.

The coordination of Internal Audit with other internal or external assurance providers entails:
——Periodic meetings and discussions of issues of common interest.
——Common access to audit programs and project files.
——Common understanding of audit methodology, techniques and terminology.

Access of External Auditors to the files of the GIAGD requires the approval of the General Director of Group Internal Audit.

ARTICLE 19
Reporting to the Audit Committee

The General Director of Group Internal Audit must submit reports, at least every three months, to the Audit Committee of the BoD (Article 8 of Law 3016/2002). Reports should highlight the most significant observations and recommendations of the Audit engagements and provide information on all serious deviations from the agreed time schedules of Audits, staffing plans and financial budgets, as well as the reasons for such deviations.

Where non-compliance with the Code of Ethics or the Standards affects a particular project, the disclosure of the results shall quote the specific items of the Code of Ethics or the Standards with which full compliance has not been established, the reasons for non-compliance and the effect of non-compliance for the project and the disclosed project results.

Every six months, the GIAGD must provide the Audit Committee with reports on the progress of the actions and the corrective measures taken regarding findings of previous Audits (follow-up).

For high-risk findings, the review and report on the progress of the implementation of corrective measures should be performed at the end of each quarter.

The findings of these reports are communicated to the BoD by the Audit Committee.

ARTICLE 20
Provision of Consulting Services by the GIAGD

Within the Group, the GIAGD may provide consulting services regarding activities for which it has sufficient knowledge and experience. For example: consulting services in risk evaluation and management, evaluation of procedures, preparation procedure of Financial Statements, administrative accounting, customization of information systems so that they are in line with the Group’s Internal Control Mechanisms.

Internal Auditors must maintain such services within the limits set out by basic Internal Audit operation, for reasons of objectivity and independence.

The assignment of consulting work must be approved by the General Director of Group Internal Audit and communicated to the Audit Committee.

ARTICLE 21
Review of Information Systems

The General Director of Group Internal Audit should ensure that the GIAGD has access to independent and adequate audit resources in order to review information systems and evaluate the Group’s exposure to related risks.

A significant part of Audit planning is the adequate understanding of the environment of the Group’s information systems, so that the Internal Auditor may determine the size and complexity of the systems, the extent of the dependence of the Group on its information systems and suggest methods and procedures to mitigate possible risk.

In any event, Internal Audit shall cover the procedures related to the development of information systems, changes in information systems, security and authorized access to the systems, daily operation of the systems, assurance of business continuity and system recovery in case of crisis or disaster.

ARTICLE 22
Audit of Procedure for Submitting Financial and other Reports

The GIAGD must confirm that the Group has well-documented procedures for the preparation of quarterly and annual Financial Reports as well as related notifications and report requirements to the Supervisory Authorities. A review of related policies and procedures by Legal Consultants, External Auditors and/or other external consultants may provide additional assurance that the policies and procedures accurately reflect current requirements.

The GIAGD is required to provide reasonable assurance to Management that the Internal Control Mechanisms which support the process of preparing Financial Reports are adequately designed and effectively implemented. Internal Control Mechanisms should be sufficient, so as to ensure the prevention and detection of significant errors, irregularities, incorrect assumptions and calculations which could result in providing inaccurate information in the Financial Reports, the related notes and other notifications.

Internal Auditors may suggest improvements to policies and procedures for the preparation and submission of financial and other reports.

If any omissions are detected in the existing procedures or in the controls, Internal Auditors must recommend improvements in order to ensure that serious errors or omissions are avoided and which will contribute to the accuracy, completeness, correctness and reliability of financial statements.

CHAPTER D
Quality Assurance and Evaluation of Auditors
ARTICLE 23
Quality Assurance and Improvement Program

The General Director of Group Internal Audit must implement a Quality Assurance and Improvement Program (Attribute Standards 1300-1320) in order to evaluate the operations and procedures of the GIAGD. To this end, the best practices on the Internal Audit profession should be taken into account.

The Program should be designed so as to provide reasonable assurance that the GIAGD:
——Operates in line with its Charter as well as with the International Standards for the Professional Implementation of Internal Auditing of the IIA (Institute of Internal Auditors).
——It operates efficiently and effectively.
——Internal Auditors adhere to the Code of Ethics.
——It is perceived by stakeholders as a function that adds value to the Group and improves its Internal Control Mechanisms.

The Quality Assurance and Improvement Program must contain at least the following elements:
——Supervision of Internal Audit work.
——Internal assessments (Standard 1311).
——External assessments (Standard 1312).

The General Director of Internal Audit shall disclose the results of the Quality Assurance and Improvement Programme to Senior Managers and the Audit Committee, immediately after its completion. This update includes:
——The range and frequency of internal and external assessments
——The conclusions of the assessor or the assessment team on the degree of compliance
——The proposed corrective Action Plans.

ARTICLE 24
Internal Assessments

An internal assessment (Standard of Procedure 1311) includes:
——Ongoing monitoring of the work of the Internal Audit.
——Periodic assessments by the GIAGD Managers (self-assessment, at least every two years) or by other Executives of the Group with adequate knowledge of Internal Audit practices. The periodic assessment may refer to the degree of compliance with the International Professional Practices Framework (IPPF, Standard 1321).
——In addition, the opinion of the audited parties should be requested after each Audit, in the form of relevant questionnaires. The advantage of this method is that an additional opinion may be communicated to Management in regards to the work of the GIAGD, which may lead to recommendations for improvement.

The General Director of Group Internal Audit presents the annual review of the results of ongoing monitoring with the relevant findings as well as the corresponding improvement recommendations to the Audit Committee.

The General Director of Group Internal Audit receives a written report on the results of each internal review and must ensure appropriate actions have been taken in order to improve the operation (work) of the GIAGD.

SELF-ASSESSMENT PROCEDURE

Periodic self-assessment is conducted to confirm the continued compliance of the GIAGD with the International Standards of Internal Audit and the Code of Ethics, and thereby the adherence with the Definitions and Basic Principles of Internal Audit. During periodic self-assessments, it is possible to assess:
A. Quality and supervision of the work carried out
B. Adequacy and relevance of the Internal Audit Policies and Procedures;
C. The ways that Internal Audit activity adds value
D. Achievement of performance measurement indicators and
E. Degree of meeting stakeholders’ expectations.

The self-assessment process is implemented as part of the GIAGD’s Quality Assurance and Improvement Programme. According to Standard 1311 Implementation Guide (Internal Assessments), “Periodic internal self-assessments have a different target in contrast to the ongoing performance monitoring, since they provide a more holistic overview of the Standards and the Internal Audit activity. By contrast, continuous performance monitoring is more focused on audit-level overviews.”

“Audits shall be properly supervised in order to achieve the defined objectives, to assure quality and to develop the personnel.”

In addition, the relevant Standard requires the maintenance of appropriate (written) evidence of supervision in order to establish that continuous monitoring is integrated into the day-to-day practices and policies applied to manage the activity of the Internal Audit.

The following table shows the GIAGD’s self-assessment procedure:

CHAPTER D QUALITY ASSURANCE AND EVALUATION OF AUDITORS


Process Features Process Stages

Step 1:
Coordinator Attributes Initial writing of a Questionnaire/
(pursuant to the ΙΙΑ): Regular (Periodic) review
Member of the IIA, certified by IPPF,
Step 2:
internal or external
Sending the Self-Assessment Questionnaire
Step 3:
Timetable of the self-assessment Collection of Completed Questionnaire
process:
Step 4:
Start date, duration, estimated date
Processing the Questionnaire Results & the results
of publication of the final Report
of the GIAGD Self-Assessment Report

Step 5:
Sending the GIAGD Report on the self-assessment,
Frequency of sending with specific action plans for any corrective proposals
the questionnaire: [Audit Committee, BoD, the General Manager of the
Once in two years Group’s Internal Audit, the GIAGD personnel
(Alternative Reference Presentation
(alternatively: presentation of the Report)]

QUESTIONNAIRE ON AUDIT SATISFACTION


urement of its effectiveness. The continuous overview
The present procedure aims at defining the terms and
is integrated into the policies and practices followed
the successive stages of conducting the two-year sat-
in order to manage the operation of Internal Audit. It
isfaction survey of the GIAGD’s Internal Auditors.
uses the procedures, tools and information deemed
It is part of and is included in the procedure of on- necessary to assess the degree of compliance with
going monitoring of the effectiveness of the GIAGD the Definition of Internal Audit, the Code of Ethics, the
work. International Standards of Internal Audit, the Com-
Continuous monitoring of the work of Internal Audit pany’s Code of Ethics and other adopted compliance
is an integral part of the daily monitoring and meas- principles.

ARTICLE 25
External Assessments

The GIAGD shall be subject to an external assessment at least every five (5) years (pursuant to Standard 1312), by an independent assessor or an assessment team outside the Organisation, with the purpose of validating:

- The compliance of the Internal Audit to the Standards;
- The implementation of the Code of Ethics by all GIAGD members;
- To establish to what extent the work of Internal Audit meets the expectations of the BoD, the Senior Management and the Managers of the Group’s Divisions and adds value to the Group.

The External Assessment Reports include an expression of opinion or conclusions about its results. In addition to the general conclusion on compliance with the Standards for all activities of the Internal Audit, the Report includes an assessment of the implementation of each Standard and/or set of Standards separately.

The rating scale used to indicate the degree of compliance is as follows:

- General compliance (denotes the highest score) - The Internal Audit is run by the Charter, Policies and Procedures. Their implementation and outcome are considered to be in accordance with the Standards.
- Partial compliance – Deficiencies in the Internal Audit practices are noted, and they are considered as deviations from the Standards. However, this does not prevent the Internal Audit from performing its responsibilities.
- Non-compliance – it reveals shortcomings in the Internal Audit practices, the significance of which is deemed to affect the operations of the Internal Audit or prevent it from performing its task in its entirety or in important areas.

During the external assessment and in case of general non-compliance, the assessor shall provide recommendations for the areas that do not comply with the Standards and indicate opportunities for improvement. The General Director of Internal Audit has to notify the Audit Committee, and produce an action plan for the implementation of the recommendations of the external assessor.

FINDING A NON-CONFORMITY

The results of the internal and external assessments and the level of GIAGD compliance with the Standards shall be communicated to the Audit Committee of the BoD. These evaluations may reveal a weakening of independence or objectivity, limitations in the scope of the audit work, limitations on resources or other conditions that may affect the ability of the Internal Auditors to carry out their responsibilities vis-à-vis the stakeholders. When such non-compliance occurs, it
shall be generally reported to the Audit Committee of the BoD and recorded in the minutes of the meeting.

Disclosure of the results of the Quality Assurance and Improvement Programme includes findings, corrective action plans and actions taken in order to improve the GIAGD compliance with the Standards and the Code of Ethics.

In addition, any documentation of corrective actions undertaken to improve the efficiency and effectiveness of the GIAGD may help to demonstrate compliance with the Standard.

In any case, the General Director of Group Internal Audit assesses the non-compliance and determines its impact on the overall range or exercise of its operations. In addition, he considers the likelihood and degree of impact in case of non-compliance, on the ability of Internal Auditors to assume their professional responsibilities and/or meet the expectations of the stakeholders. The affected responsibilities may relate to the ability to provide credible assurance in specific areas within the Organisation, the completion of the Audit Programme and the response to high-risk areas. Any non-compliance as well as its effects are communicated by GIAGD to the Group’s Audit Committee.

Demonstration of Compliance: In order to demonstrate compliance with the Standards, the GIAGD shall keep evidence of the occurrence and nature of any non-compliance with the Standards or the Code of Ethics.

ARTICLE 26
Procedure on Updating the Charter

This Operating Charter shall be reviewed periodically, at least every two years, based on the conclusions of the mandatory internal assessments.

Ad hoc or additional overviews are carried out based on independent external assessments of the GIAGD, but also to incorporate any significant changes in legislative and regulatory framework for the implementation of Internal Audit.

The General Director of Internal Audit assigns to GIAGD groups the regular monitoring of the websites of the International and the Hellenic Institute of Internal Auditors, in order to timely review any information on developments in Internal Audit and in particular in the Standards, the Code of Ethics and the IIA Practice Advisories.

The competent Auditor Groups communicate by e-mail, important issues to the Directors and the General Director of Internal Audit, who, after analysing the data, decide on the relevant adjustment of the Charter.

The Audit Committee is responsible for the approval and adoption of the updated Charter.

Updates of the Charter are communicated to the GIAGD Internal Auditors by email, while signed printouts are kept with the Secretary.

CHAPTER E PRIVACY AND DATA PROTECTION

ARTICLE 27
Data Protection

The GIAGD complies with the Group’s Personal Data Protection Policy (GDPR) and related Procedures that define the behaviour both of Group employees and third parties that the Group is dealing with, when processing Personal Data.

The GIAGD acquires Personal Data directly from the subjects or from the audited Organisational Units/Companies of the Hellenic Petroleum Group or from the digital systems installed in the Group (e.g., SAP, Galaxy, etc.) or from the physical records of the audited Organisational Units/Companies or finally from third parties, in particular in cases of complaints.

The GIAGD collects and processes only data related to its specific, duly approved, auditing and/or advisory projects in addition to its operational obligations arising from the respective procedures of the Group (e.g., personnel assessment). This data may concern partners of the Group (e.g., customers, suppliers or other third parties) or Group employees.

The data the GIAGD keeps and processes in the course of its duties is stored in digital format in the Digital Archive (ARTEMIS system) and printed – at the GIAGD Physical Archive. The contents of the Physical Archive are limited to what is absolutely necessary (e.g., specimen of signatures, documents unsuitable for scanning, etc.), while all other data and information is digitised (e.g. by scanning, uploading from electronic systems of the Group, etc.) and registered in the Digital Archive. In no event do users keep data and information arising from their work at the GIAGD on their personal computers or other personal electronic devices or in personal cabinets, desks and offices.

Data is kept for a period of 10 years (for regular Audits, consulting deeds or other data) or 15 years (for extraordinary Audits) after being processed by the GIAGD. It is then destroyed, unless there are specific reasons for extending the period of keeping it (e.g. pending investigations, court proceedings or other legal actions in progress, etc.).

All GIAGD employees, including temporary associates (e.g. specialised consultants, contractors, students, etc.), at the beginning of their assignment to the GIAGD, must sign a Confidentiality Statement, setting out the restrictions and their obligations regarding the Personal Data Protection and, in the context of their duties/tasks within the Group, they also comply with the respective Group Policy. The Privacy Policy Officer in the GIAGD has to send a reminder of their Confidentiality commitment to all GIAGD employees on an annual basis.

The GIAGD issues Internal Audit Reports, which are communicated to the stakeholders (typically to the Head of the audited organisational Unit/Company/Audit Committee/BoD, Chairman of the BoD). Parts of specific Reports (e.g. individual findings and suggestions for improvement) may be communicated to other stakeholders (e.g. employees of the Group who have an operational role in the implementation of corrective actions). All Internal Audit Reports are flagged as confidential, while their introduction includes a confidentiality protection clause. In addition, all electronic and/or printed correspondence containing audit data (e.g. Reports, findings, improvement suggestions, follow-up, etc.) is flagged as confidential.

Except for certain cases involving countries outside the European Union where the Group operates through subsidiary companies (e.g. Montenegro, Serbia, FYROM, etc.) or directly, the GIAGD does not transfer Personal Data to third party countries.

Any records, printed or electronic, produced during a GIAGD Auditing and/or Advisory task and located outside of the abovementioned official Digital and Physical Archives and the GIAGD and/or the Group’s systems (e.g., computer discs or personal records of employees, etc.) are minimised and, in any case, must be destroyed immediately after use, on the responsibility of the users. Under no circumstances can data be stored in files and systems outside the official Archives (Electronic and Physical) of the GIAGD and the Group.

The GIAGD implements strict control over access rights to its Digital and Physical Archives. Specifically:

Regarding the Digital Archive, access rights (legitimate interest) and personal passwords (personal computer passwords and/or customised “locked” electronic files) are granted based on the purpose of use. Access rights are granted only to those GIAGD employees who participate in the respective projects. These rights are reviewed and updated according to the operational needs, whenever appropriate.

The Physical Archive is kept by the GIAGD Secretary and is updated under the responsibility of the users – the Internal Auditors. It is permanently locked and only the Secretary and the General Director have keys in their possession. The Secretary keeps a Physical File Access Log (user’s name, date and time of access, delivery or receipt, name of the file moved, purpose of moving).

Every employee has to ensure the security of the data kept on their computer disk and/or in file cabinets, by applying, as a minimum, the same security measures.

Persons outside the GIAGD may not have access to data kept and processed by the GIAGD except in special cases (e.g. external auditors or third parties having a lawful interest). In those cases a special permission is granted by the GIAGD, access is recorded and they remain under the continuous supervision of the Head of Privacy Protection within the GIAGD.

As far as the rights of the data subjects are concerned, the GIAGD follows the provisions of the Group’s Personal Data Protection Policy. In particular, if a breach of the Personal Data maintained and processed by the GIAGD is found, the DPO is immediately notified, and applicable procedures are followed. Thus, the incident is recorded, including information on what happened, the conditions, the impact of the breach, and the corrective actions initiated.

In order to facilitate the search for and/or retrieval of personal data of a certain person (e.g. upon request by stakeholder), every Internal Audit Report incorporates a table of personal data references of that report (e.g. names, titles/positions, etc.). The GIAGD Secretary incorporates all of the above elements into a single electronic file stored with the GIAGD Digital Archive.

ARTICLE 28
Privacy Protection Officer

The GIAGD has appointed a Privacy Protection Officer (PPO), with the following competences:

- Is responsible for the processing of Personal Data within the GIAGD.
- Has a full understanding of the Personal Data processing within the GIAGD.
- Collects requests internally from the GIAGD, assesses them, transfers them to the DPO, if necessary, and follows their course of development.
- Receives external requests by the DPO regarding the GIAGD, processes and coordinates their processing.
- Has to train and guide colleagues within the GIAGD in order to follow the Group’s governance framework with regard to Personal Data Protection.
- Is aware of the importance of sensitive Personal Data managed by the GIAGD.
- Coordinates actions in order to ensure the GIAGD is fully compliant with the Group’s Protection of Personal Data and Privacy Policy and its obligations arising from it.
- Keeps track (a file) of Personal Data processing activities carried out by the GIAGD.
- Applies Group procedures concerning management of Personal Data.

Moreover, the PPO initiates the establishment of a Data Privacy culture, achieved by educating the GIAGD employees on the GDPR, making them realize the importance of its implementation. The development of a culture centred on Personal Data protection is a key factor in the data’s successful and safe management by the GIAGD. All GIAGD employees are fully aware of its importance and must follow the provisions of the GDPR with consistency and commitment. Responsibilities and obligations in this regulatory environment are important and any deviation from (breach of) the provisions of the GDPR may lead to potentially serious financial and other effects for both the Group and the employee who manages and processes Personal Data. Ensuring privacy is taken into account in the process of planning Audit and/or advisory activities in order to undertake relevant and appropriate measures.

This Charter of the Group Internal Audit General Division was reviewed in November
2018 by the Group Internal Audit General Division and complies with Greek Law
3016/17.05.2002, Decision 5/204/14.11.2000 of the Hellenic Capital Market
Commission on Corporate Governance and their respective modifications, the Code
of Corporate Governance of the Hellenic Federation of Enterprises (SEV) for Listed
Companies, as adopted by the Company under Law 3873/2010, the Group’s Code of
Conduct and the Code of Ethics of the Institute of Internal Auditors (IIA).

Approval: The Audit Committee

HEAD OFFICE 8A CHIMARRAS str., 15125 - MAROUSSI, ATHENS - GREECE
: +30 210 6302000 - F: +30 210 6302510, +30 210 6302511 - www.helpe.gr
