3.2 Internal control
3.2.1 Internal control framework
For the following description of internal control procedures, Rubis referred to the French Financial Markets Authority (Autorité des Marchés Financiers – AMF) guide dated 22 July 2010, which sets out a reference framework for risk management and internal control.
However, Rubis has adapted the AMF framework’s general principles to fit its business and own characteristics.
• the instructions and strategic goals defined by the corporate bodies of Rubis SCA and its subsidiaries are applied;
• the Company’s internal processes run smoothly, particularly processes that contribute to safeguarding its assets;
Like any internal control system, the system put in place by Rubis cannot provide an absolute guarantee that the Company will be able to achieve its objectives and eliminate all risks.
This section sets out the procedures applicable to Rubis Énergie, wholly-owned by Rubis SCA, and its sub-subsidiaries, as well as to Rubis Photosol and its sub-subsidiaries. These procedures are distinct due to the specificities of the two organisations and are therefore described separately.
The Rubis Terminal JV is managed jointly with the partner. The joint venture’s General Management is responsible for setting up and ensuring internal controls (in accounting, financial and risk matters) in accordance with applicable standards and regulations and its shareholders’ expectations. Details about this joint venture are provided in section 3.2.4 of this chapter.
Although it has acquired an international scale, Rubis wishes to remain a decentralised organisation that is close to the field so that it can provide its customers with solutions that are adapted to their needs by having the ability to take the necessary operational decisions quickly. Regular exchanges, conducted whenever necessary, between the Management Board, on the one hand, and the General Management and functional departments of Rubis Énergie and its foreign subsidiaries on the other hand, are the cornerstone of this organisation.
This managerial model gives the Manager of each industrial site or subsidiary a large degree of autonomy for managing his/her activity. However, such a delegation of responsibility is closely tied to complying with established procedures regarding accounting and financial information and risk monitoring, as well as regular controls by Rubis SCA’s relevant departments and by the functional departments of Rubis Énergie and Rubis Photosol (see sections 3.2.2.3 and 3.2.3.2).
Lastly, the Management Board inform Rubis SCA’s Supervisory Board (through its Accounts and Risk Monitoring Committee) of the essential characteristics of the Group’s internal control and risk management procedures. The Supervisory Board ensures that the main identified risks have been taken into account in the Company’s management and that systems designed to ensure the reliability of accounting and financial information are in fact in place (see chapter 5, section 5.3.2).
3.2.2 Accounting and financial internal control
Rubis SCA controls its divisional head subsidiaries: Rubis Énergie (Retail & Marketing and Support & Services activities) on the one hand, and Rubis Photosol on the other hand, in collaboration with the General Management of these companies. Rubis SCA draws up the Group’s strategy, coordinates and finances its development, takes the main management decisions resulting therefrom and ensures their implementation, both at the level of its direct subsidiaries and their subsidiaries. Rubis SCA has established accounting and financial structures and procedures that contribute to reliable internal controls being implemented.
The Consolidation & Accounting Departments of Rubis SCA, Rubis Énergie and Rubis Photosol consolidate the Group’s accounts on a quarterly, half-yearly and annual basis. Their work involves:
• checking that the consolidated financial statements are consistent with the provisional consolidated results prepared by the subsidiaries;
• analysing the consolidated financial statements through an analytical review, explaining changes in each item between two reporting dates.
They also monitor standards with a view to identifying any impact of proposed accounting reforms on the Group’s financial statements.
These departments are assisted by a specialist audit and accounting firm, and work under the oversight of the Managing Partners, the Chief Financial Officer and the Director of Accounting and Consolidation.
Accounting and financial information prepared by the subsidiaries is reported to Rubis SCA, via the Consolidation and Finance Departments and, ultimately, to the Management Board.
The main assignments of the Accounts and Risk Monitoring Committee (whose members and functioning are described in chapter 5, section 5.3.2) are as follows:
• examining the financial statements, ensuring consistency of methods, quality of data and completeness, and ensuring that the financial statements give a true and fair view;
• monitoring internal control procedures with respect to accounting and financial matters and risk exposure.
To carry out its work, the Accounts and Risk Monitoring Committee hears all managers in the information chain: the Management Board, Managing Director, Chief Financial Officer, Director of Accounting and Consolidation, Corporate Secretary, the CSR Director & Chief Compliance Officer, and the Statutory Auditors.
The members of the Accounts and Risk Monitoring Committee have access to the same documents as the Statutory Auditors and examine the summary of the Statutory Auditors’ work.
The internal control system relies on several channels for reporting information designed to comprehensively identify sensitive issues.
Two manuals have been issued to harmonise the internal control and accounting treatment of the various transactions carried out:
• delegations and limitations of powers in terms of incurring expenses (including investments), approving invoices, and bank payment authorisations;
• sales management, to define the special terms and conditions granted to customers, limit the total outstanding amounts authorised, obtain bank guarantees, etc.
Notes and procedures are formalised for all areas considered strategic in the company, and in particular in terms of:
• delegations and limits of authority, relating to expenditure commitments, on the one hand, and bank payment powers, on the other;
• capex monitoring (accounting, capitalisation by components, related tax declarations, budget monitoring).
All operations involved in the preparation of financial data (production, first-level controls, and even second-level controls) are inventoried in a work programme adapted to each type of company and are systematically monitored.
The roles and responsibilities of all persons involved in the preparation and reporting of accounting and financial information are identified and summarised in dedicated documents.
Rubis Énergie has a centralised information system that makes it possible to consolidate all financial information: management reports for each company, standardised by type of business line/activity; quarterly accounts, monthly margin analyses, monitoring of capital expenditures, budgetary and management forecast monitoring in three phases (initial budget approved in year Y-1 including a three-year plan, budget forecast updated in the second quarter and then in the fourth quarter of year Y). All financial data is archived and backed up daily.
Automatic consistency checks are also carried out directly by the IT system in order to limit any input errors. Documents stored in the central system also serve as a reference and a basis for reconciliation for the internal audit teams during their missions.
Rubis Énergie also operates a document management system that allows its various subsidiaries to share technical, HSE and legal information. Major investment and construction projects are thus closely monitored by Rubis Énergie’s Technical Department.
Rubis Photosol’s accounting and financial information is produced and recorded using modular financial management software integrating the monitoring of investments, to which a cash management system and a supplier invoice digitisation solution are linked. The server hosting the financial management tool is backed up daily.
The information systems are configured to integrate a certain number of controls, to limit and/or block transactions according to the powers of each individual and to integrate certain internal control rules, in particular:
• the so-called “four eyes” rule is systematically included in the definition of profiles in all systems impacting financial flows;
• the expenditure commitment powers of all employees concerned are configured in the invoice validation system;
• automatic consistency checks are integrated into the accounting system to limit data entry errors (duplication, nature and calculation of VAT).
Information system administration rights are granted to a limited number of people who receive specific training.
Financial, legal and operational documents are produced and backed up via a document management system equipped with a back-up system with redundant server and daily backups.
For the financial year 2022, the work relating to the consolidated financial statements was carried out by the central Rubis SCA team using the Group tool (SAP BFC) and according to the customary procedures.
Budgets are drawn up at the end of the year by Rubis Énergie’s subsidiaries and sub-subsidiaries successively, as part of a rolling three-year budget plan based on management elements and budget indicators defined and standardised by business line. The indicators are defined by Rubis Énergie’s General Management and operational management in accordance with Rubis’ strategy.
Budget indicators include gross profit, EBITDA, EBIT, net profit/(loss), capital expenditure, cash flow and free cash flow, debt, volumes, carbon footprint reduction.
At Rubis Énergie, budgets are drawn up by each subsidiary by country. They are reviewed by the division’s Management Control, Audit and Consolidation Department, which, after discussion and/or revision, prepares a consolidated budget that is then reviewed by Rubis Énergie’s General Management and forwarded to Rubis SCA for review at Management Committee meetings.
Rubis Énergie’s Finance and Management Control Department prepares monthly reports and analyses differences between actual data, budget forecasts, and data from prior financial years.
The reports are issued within 10 calendar days after the end of the month and are then examined and compared to initial forecasts at the Management Committee meeting, with the Rubis SCA Management Board in attendance.
On the basis of the strategic orientations defined by Rubis Photosol’s General Management in conjunction with Rubis SCA’s Management Board, budgets are prepared at the beginning of the financial year by each operational management, for their respective areas of responsibility and with a horizon of two years.
These budgets are integrated into a two-year forecasting model (known as the “short-term model”) that includes data from almost all of the Group’s entities, as well as a consolidated overview at the level of the Rubis Photosol head entity. This model enables the production of key indicators essential to the monitoring of the activity, namely: revenue, EBITDA, net profit, investments, net debt, electricity production and installed capacity.
The indicators from the model are then reviewed by Rubis Photosol’s General Management, which ensures consistency with the strategic orientations defined in conjunction with Rubis SCA’s Management Board and the consistency of budgets between them. Some budgets may then be revised.
The final budgets approved by Rubis SCA’s Management Board and Rubis Photosol’s General Management are included in the final short-term model, the indicators of which will then be fixed as reference indicators.
These budgets, and consequently the short-term model, are then updated quarterly. At each quarterly closing, the data obtained are compared to the forecasts and the differences are analysed and explained.
A 35-year forecasting model (known as the “long-term model”) is also developed, based, on the one hand, on the short-term model and, on the other hand, on assumptions that may be internal (for example, changes in the portfolio and forecast MWp) or external (for example, changes in the price of electricity).
In addition, a report produced and distributed on a monthly basis enables Rubis Photosol’s General Management to precisely monitor the key elements of the activity of Rubis Photosol and its subsidiaries and presents changes in the project portfolio, monthly electricity production, corresponding revenue, and explanations of differences between forecasts and previous financial years.
Lastly, monthly reporting (also available on a daily basis via a dedicated tool) makes it possible to monitor mark-to-market exposures for derivatives of Rubis Photosol and its subsidiaries.
Rubis SCA’s and Rubis Énergie’s Finance Departments are responsible for negotiating with banks to raise acquisition financing. They also analyse bank covenants. Cash investments are made in cash instruments, excluding any speculative or risky investments.
Rubis Photosol’s Financing Department is responsible for negotiating project financing with banks (non-recourse debt), on the one hand, and corporate financing (bank or private financing), on the other hand.
Banking covenants are verified twice a year, on the basis of the annual and half-yearly financial statements.
Cash management, together with verification of compliance with the various conditions imposed in loan and cash agreements are carried out by the Treasury division within the Administration and Finance Department.
The companies falling within the scopes of Rubis Énergie and Rubis Photosol prepare quarterly, half-yearly and annual consolidation packages. The half-year and annual financial statements are reviewed and audited by the Statutory Auditors. Rubis SCA’s Finance and Consolidation Departments prepare the Group’s consolidated financial statements in accordance with the standards issued by the International Accounting Standards Board (IASB) and adopted by the European Union. Consolidation procedures include a set of controls to guarantee the quality and reliability of financial information.
The internal control system relies on technical and operational procedures designed to identify sensitive issues, and on a lean and streamlined organisation built around Rubis SCA’s Management Board and General Management and Rubis Énergie’s functional and operational departments in order to ensure the effectiveness of the internal control systems via the Management Committees. An internal control manual was drafted in 2020 in collaboration with the French Institute of Audit and Internal Control (IFACI), making it possible to list all the control points to be complied with in each area in which Rubis Énergie’s subsidiaries operate. The new manual should enable the Group’s various companies to conduct self-assessments on a regular basis and to continue to ensure that the risks of fraud and failures are properly controlled. At Rubis Photosol, Management Committees are held monthly, bringing together the Directors and General Management of Rubis Photosol. These Committees ensure in particular that effective internal control is put in place at the subsidiary. In addition, Rubis Photosol has an internal Management Committee whose main mission is to ensure the retranscription of the decisions and orientations defined during the Management Committee meeting with Rubis SCA.
Rubis Énergie’s functional departments carry out regular and necessary checks on the procedures in place in their respective fields. Reporting procedures and indicators make it possible to have high-quality monitoring.
Rubis Photosol’s functional and operating departments meet bi-monthly in the presence of Rubis Photosol’s General Management. These meetings are designed to present reportings, budget dashboards and the progress of projects at their various stages, as well as significant events that may impact results. Non-financial challenges (notably, the determination of CSR commitments and risk mapping) are also presented to ensure that they are taken into account operationally by all departments.
Internal audit is an independent and objective activity that makes it possible to ensure that operations are properly controlled and that the procedures in place are constantly improved. Internal audits allow Rubis Énergie’s General Management to reach its targets by assessing its risk management, control and corporate governance processes via a systematic and methodological approach, and to make recommendations to improve their efficiency.
At Rubis Énergie, this function is part of the Management Control, Audit and Consolidation Department. The Director of the department and his/her colleagues carry out internal audits on the entire scope of the Retail & Marketing and Support & Services activities. These audits are planned with Rubis Énergie’s General Management at the beginning of the year. There are numerous fields of inquiry, which mainly cover verifying that local and Group processes are correctly applied, in particular with regard to the prevention of corruption, the improvement of internal control procedures and accounts closing procedures, inventory, cash and fixed asset controls, and controls of all other off-balance sheet commitments and liabilities recorded in the audited company’s accounts. The audit may also cover capital expenditures and analyse differences between expected returns and actual profitability.
The auditor has complete freedom to conduct his/her work as he/she deems appropriate and is independent from the local management when performing this task. The audit brief and report template follow a standard model so that the conclusions can be efficiently understood by all recipients, namely the General Manager of the audited company and the Finance Department and General Management of Rubis Énergie. The risk factors identified during internal audits are also used to update the relevant company’s risk mapping.
The audit recommendations are subject to a schedule for the implementation of corrective actions which must be respected by the company concerned.
The proper implementation of these corrective actions is also automatically verified during the next audit of the relevant company. In addition, each subsidiary sends Rubis Énergie’s General Management a monitoring report on the implementation of audit recommendations every two months until all the measures recommended by the internal audit have been definitively implemented.
The consolidators are also responsible for analysing the monthly results and the consistency of the data supplied each month by all consolidated companies. This work makes it possible to anticipate accounting errors and improves the reliability of the Group’s financial statements.
Each Rubis Énergie subsidiary is audited once every two years, on average. Internal auditors have worked on the development of IT tools making it possible for Rubis Énergie to better manage risks and associated action plans. These new tools, after validation of the needs expressed by Rubis Énergie’s various operational departments, should, by mid-2023, contribute to strengthening risk management and reinforcing control and due diligence procedures.
A Management Committee has been established for each country or region. This Committee meets twice a year and includes: the country’s General Manager, General Management, Finance Department, Management Control, Audit and Consolidation Department,Technical Department, the division’s Resources and Risks Department, and Rubis SCA’s Managing Partners, Managing Director and Chief Financial Officer.
During these meetings, budget reportings and dashboards are analysed, along with the performance and results of each business line, development projects and project monitoring, and events considered to be significant for the Company and Group, as much in terms of strategy and operations as in terms of personnel. Questions and issues raised at previous meetings may also be reviewed if necessary. Non-financial challenges, such as the rollout and implementation of the CSR strategy (and in particular the CSR Roadmap, Think Tomorrow 2022-2025) and decarbonisation projects are also carefully reviewed during these Management Committee meetings.
Therefore, it is ultimately the Management Committees that analyse the financial and non-financial information collected through the reporting process set up by Rubis Énergie’s operational management and those of its sub-subsidiaries. The entire reporting cycle is based on standardised principles and a single database that is shared by all teams within the Finance Departments and operational management involved in reporting.
Rubis SCA’s Consolidation and Accounting Department runs numerous checks aimed at ensuring that financial information is reliable, particularly during account closing reviews.
Rubis SCA’s Management Board, Managing Director and Chief Finance Officer regularly analyse the subsidiaries’ financial statements and periodically meet with Rubis Énergie’s General Management in order to conduct an assessment, evaluate risks and the corrective actions that may be necessary to achieve the Group’s objectives (both financial and CSR). Lastly, the Group CSR Director & Chief Compliance Officer maintains ongoing dialogue with the subsidiaries on various topics, including litigation, trademarks, insurance, risk identification and monitoring (mapping), compliance (anti-corruption, embargoes, etc.).
3.2.3 Internal risk management
All major risks and their monitoring, as well as the corresponding policies for covering these risks are described in detail in section 3.1 of this chapter and in chapter 4.
In terms of risk, the Group operates in business sectors that are tightly controlled and regulated. The Group’s structure is designed to reflect this circumstance. All French sites covered by the Seveso directive have safety management systems whose main purpose is to define the organisation, staff functions, procedures and resources that allow the Group to establish and implement a prevention policy for major accidents.
In addition, Group entities often operate their activities in the framework of ISO 9001 and ISO 14001 quality certifications, particularly with respect to the adoption and application of procedures and instructions relating to safety and the environment (see chapter 4, section 4.2.1.2). Accordingly, they follow processes that are extremely formalised.
Internal control procedures for risk management and monitoring seek to cover all of the Group’s businesses and assets. They are based on a process for identifying and analysing the main risks which is reinforced by the appropriate organisation, allowing General Managers to address these risks and maintain them at an acceptable level.
In the same way as for accounting and financial internal control, internal risk management is subject to monitoring by the subsidiaries’ operational management, which keep Rubis SCA regularly informed.
At Rubis Énergie, the headquarters’ Technical Department (QHSE) establishes information reporting procedures and preventive measures for anticipating and managing risks, as described in chapter 4, section 4.2.1. Rubis Énergie’s Technical Department reports information on the main risks to its General Management. Certain events may also be discussed by the Management Committee.
At Rubis Photosol, internal procedures are backed up by control systems. The management control function has also been strengthened.
Lastly, Rubis Énergie and Rubis Photosol present these main risks to the relevant departments of Rubis SCA (Management Board, Accounting and Consolidation Department, Finance Department and Corporate Secretary in charge of the Legal Department, CSR & Compliance Department) through different transmission channels, such as risk mapping (see section 3.2.3.2 below).
The Accounts and Risk Monitoring Committee reviews how internal control and risk management procedures are organised, as described in this section 3.2.2.1 of this chapter and in section 5.3.2 of chapter 5.
The internal control system relies on several channels for reporting information on the main risks, which are designed to exhaustively identify sensitive areas.
Rubis has developed and conducted mappings of risks to which the Group’s various activities may be exposed. The analysis of these risks also takes into account their occurrence and their financial and reputational impact (on a scale of one to five). These mappings were conducted in close cooperation with Rubis SCA’s Legal, Consolidation, and Finance Departments, together with the operational managers and Rubis Énergie’s Financial and Technical Departments. The risk mapping system has been extended to Rubis Photosol as part of its integration process. A self-evaluation is carried out at regular intervals to identify new risks.
The risks analysed have been divided into different families: market risk, accounting miscalculation, insurance, and commercial, environmental, industrial, climate, supply chain, social, legal, and IT risks. The legal risk category also includes issues related to fraud, contractual breaches and, until 2017, corruption risks. In 2018, the Group carried out a specific process to assess the corruption risks to which entities may be exposed, in accordance with the Sapin II law (see chapter 4, section 4.4.1.1).
The maps are completed annually by the operational Managers of the industrial sites and by the Directors of the French and international subsidiaries, assisted by Rubis Énergie’s functional Managers. They are updated during the year at Management Committee meetings. The maps aim to provide on a yearly basis the monitoring status of the significant risks that have been identified and to describe any measures that have been taken or need to be taken to mitigate them if they cannot be completely eliminated.
At Rubis Photosol, a risk mapping was formalised in 2022, drawn up in close collaboration between the Rubis SCA Corporate Secretary and the Rubis Photosol Legal Department, on the basis of discussions with the heads of the various departments (International Development and France Development, Administration and Finance Department, Technical Department, Engineering and Construction Department, Operations and Maintenance Department, Human Resources) as well as Rubis Photosol’s General Management.
These consolidated mappings, together with a review of the major events and non-financial challenges of the past year, are sent by Rubis SCA’s Management Board to the Accounts and Risk Monitoring Committee for special meetings dedicated to risks (see chapter 5, section 5.3.2). In turn, the Accounts and Risk Monitoring Committee and the Management Board report to the Supervisory Board at its meetings in March and September.
The functional departments of Rubis Énergie and Rubis Photosol have established reporting, analysis and information-sharing systems covering health, safety and environment (HSE) issues. These systems are described in greater detail in chapter 4, section 4.2.1.2.
The Group CSR & Compliance Department has also implemented an IT tool for reporting and analysing CSR data (environmental, safety, social, compliance and societal) as described in chapter 4, section 4.5.2 (methodological note in the Non-Financial Information Statement).
The control system is based on management accountability and risk monitoring entrusted by the Management Board to each subsidiary’s General Manager and on a system of internal and external audits.
As part of its decentralised structure, the Group encourages quality and independence among its employees, who are responsible for all aspects of their role, including risk management.
Rubis Énergie’s General Management is ultimately responsible for the risk management policy, within the framework defined by Rubis SCA’s Management Board.
In addition to the local teams, the operational managers of each entity are assisted by Rubis Énergie’s functional departments: Technical/HSE Department, Finance Department, Management Control, Audit and Consolidation Department (including Compliance), Resources and Risks Department, CSR/Climate/New Energies Department.
Entity General Managers have overall responsibility for risk management and control at their facilities. In addition, Rubis Énergie has a Technical Department that regularly provides operational advice and conducts inspections of facilities with the aim of guaranteeing compliance with uniform operational, safety and environmental standards.
Rubis Photosol’s General Management is ultimately responsible for the risk management policy, within the framework defined by Rubis SCA’s Management Board.
Certain non-financial risks are included in the internal audit programmes. Accordingly, verifying the reliability of ethics and anti-corruption policies is one of the issues addressed during inspections performed locally by Rubis Énergie’s Management Control, Audit and Consolidation Department.
At meetings of subsidiaries’ Management Committees (see section 3.2.2.3), an item bearing on the review and monitoring of risks is regularly included on the agenda and is the subject of discussions between the subsidiaries’ General Managers and the Management Board.
• French Regional Environment, Development and Housing Departments (DREALs), which are responsible in France for regular inspections of industrial facilities and for the application of the “Safety Management System” in order to ensure that the subsidiary has its business risks under control. Similar systems exist for the sites of certain foreign subsidiaries;
• ISO certification bodies, such as AFAQ (Association française de l’assurance qualité) or LRQA (Lloyds Register Quality Assurance), which regularly audit certain ISO 9001-certified Rubis Énergie subsidiaries. During these audits, facilities are regularly checked for compliance with procedures, processes and operating practices put in place as part of the Quality plan to ensure they keep their certification and identify areas for improvement.
3.2.4 Rubis Terminal JV
The General Management of Rubis Terminal Infra is responsible for implementing and ensuring internal control (in accounting, financial and risk matters) in all of the joint venture’s subsidiaries, in accordance with applicable standards and regulations. Rubis SCA exercises its control through monthly reports sent by Rubis Terminal Infra’s General Management to the designated members of the Board of Directors, on which Rubis SCA has representatives.
Rubis Terminal Infra’s budget is drawn up by its General Management in conjunction with the Finance Department and is approved by RT Invest’s Board of Directors.
Rubis Terminal Infra’s General Management provides RT Invest’s shareholders with an annual update of the consolidated risk maps of all its subsidiaries (technological risk map; financial, legal and commercial risk map; corruption risk map) as well as a review of the major events and non-financial challenges of the past year.