METHODOLOGICAL MODEL FOR THE REALIZATION OF PREVENTIVE TESTS AND AUDIT INSPECTIONS ON NATIONAL SPORTS FEDERATIONS AND ASSOCIATE SPORTS DISCIPLINES

Post on 26-Sep-2018


Page 1: METHODOLOGICAL MODEL FOR THE … · Strategy & Objective-Setting: the goal definition process in line with the organisation's mission (ultimate goal of the organisation, what it wants



Table of contents

1 Introduction .......... 3
1.1 Purpose of this document .......... 3
1.2 Structure of the document .......... 4
2 Reference framework .......... 4
2.1 COSO Enterprise Risk Management Framework - Integrating with Strategy and Performance .......... 5
2.2 Basic Universal Principles of Good Governance of the Olympic and Sports Movement .......... 6
2.3 ASOIF Governance Task Force Framework .......... 7
2.4 Capability Maturity Model Integration .......... 7
2.5 COSO Internal Control - Integrated Framework .......... 8
2.6 Fraud triangle .......... 10
3 Governance assessment methodology .......... 12
3.1 Aims and objectives .......... 12
3.2 Logical structure .......... 13
3.3 Detection mode of data and information .......... 17
3.4 Measuring method .......... 18
3.5 Representation of the results of the evaluation .......... 20
3.6 Procedural aspects .......... 20
4 Monitoring of the internal control and risk management system .......... 21
4.1 Aims and objectives .......... 21
4.2 Logical structure .......... 22
4.3 Methods for assessment of the adequacy of control .......... 33
4.4 Representation of the assessment outcomes .......... 35
4.5 Procedural aspects .......... 37
5 Audit inspections .......... 39


1 Introduction

1.1 Purpose of this document

CONI's power/duty of supervision over National Sports Federations (NSF) and Associate Sport Disciplines (ASD) is established by the Law and by the Articles of Association of the Entity. CONI exercises this power/duty through preventive tests and audit inspections.

In the context of preventive verifications, this document introduces the assessment of the governance system and provides the most efficient, and equally effective, verifications of the internal control and risk management system (hereinafter "SCIGR"), moving from a "summary" logic to an "on-going" one.

The assessment of the governance system shall be carried out at least once every four years, in place of the audits carried out on the SCIGR, which are otherwise performed annually.

***

The International Standards for Professional Internal Auditing Practices promoted by the IIA [1] define governance as: "The set of procedures and structures implemented by the organisation's governing body to inform, instruct, direct, manage and control the organisation's activities in achieving its objectives".

CONI pursues the principle of "good governance" [2], promoting its dissemination and actual implementation in the Italian sport system, with particular reference to the Code of Ethics and to the Basic Universal Principles of Good Governance of the Olympic and Sports Movement of the International Olympic Committee.

[1] The Institute of Internal Auditors.

[2] Reference is made to the following documents:

"Recommendation Rec(2005)8 on the Principles of Good Governance" (2005), Council of Europe.

"White paper on Sport" (2007), European Commission Communities.

"Basic Universal Principles of good Governance of the Olympic and Sports Movement" (2008), International Olympic Committee.

"Principles of good governance in sport" (2013), European Commission Expert Group on Good Governance.

"Guide to Corporate Responsibility" (2014), Global Compact.

"Consolidated minimum requirements for the implementation of the Basic Principles of Good Governance for NOCs" (2016), International Olympic Committee.

"International Federation Self-Assessment Questionnaire" (2016), ASOIF Governance Task Force.


In this spirit, CONI joined the UN Global Compact initiative in 2016, a voluntary code created to promote a sustainable global economy, which requires the companies and organisations that belong to it to adopt proactive behaviour in protecting human rights, the environment and occupational safety, in fighting corruption and, more generally, in supporting the broader development objectives set by the United Nations.

1.2 Structure of the document

Following this introduction, the second chapter describes the reference framework that inspired the governance system evaluation and the audits of the internal control and risk management system. The third chapter contains the methodology that was developed for prior audits. The last chapter describes the methods for performing the audits.

2 Reference framework

The models underlying the developed methodology are:

With reference to the assessment of the Corporate Governance System:

o The "COSO Framework Enterprise Risk Management" (published in 2017 by the Committee of Sponsoring Organizations of the Treadway Commission [3]).

o The "Basic Universal Principles of Good Governance of the Olympic and Sport Movement" (2008, International Olympic Committee).

o The "ASOIF Governance Task Force Framework - International Federation Self-Assessment Questionnaire" (2016, ASOIF [4]).

o The "Capability Maturity Model Integration (CMMI) for Development" (published in 2010 by the CMMI Product Team expert group [5]).

[3] The Committee of Sponsoring Organizations of the Treadway Commission is a committee founded in America in 1992 on the initiative of 5 leading organizations (IMA, AAA, AICPA, IIA, FEI) to provide thought leadership to the management of corporations and government agencies, developing frameworks and guidelines for the management of business risk, internal control and fraud.

[4] The ASOIF, Association of Summer Olympic International Federations, is an association that groups together the International Sports Federations that are part of the International Olympic Committee and that govern the disciplines included in the program of the Summer Olympic Games.

[5] The CMMI Product Team is made up of representative members of the American industry sector and government and also of the Software Engineering Institute (SEI), a research centre at Carnegie Mellon University.


With reference to the assessment of the corporate Internal Control System:

o The "COSO Internal Control - Integrated Framework" (published in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission).

o The "Fraud triangle" (from a study by Donald R. Cressey, Other People's Money, published in 1973).

2.1 COSO Framework Enterprise Risk Management - Integrating with Strategy and Performance

The "COSO ERM Framework", published by the Committee of Sponsoring Organizations of the Treadway Commission in 2004 and most recently updated in 2017, contains guidance on organisational principles to which organisations can refer to create value for their own stakeholders and to manage the related challenges and risks.

The 5 components of the framework are detailed in principles that define different thematic areas that an organisation must consider when creating value:

o Governance & Culture: this is the foundation of the other components and the cultural atmosphere within which the people belonging to an organisation perform their activities and carry out their responsibilities. It is evidenced in the "tone at the top", the decision-making and management philosophy, roles and responsibilities, skills and resource management, ethical values, standards of conduct, etc.;

o Strategy & Objective-Setting: the goal definition process in line with the organisation's mission (the ultimate goal of the organisation, what it wants to achieve and the very reason for its existence), its vision (aspiration for the future, what the organisation is trying to achieve), the core values of the organisation and its willingness to take risks;

o Performance: the process of identifying events that may impact the organisational goals, risk analysis and assessment, and the determination of management actions taking risk tolerance into account;

o Review & Revision: monitoring the processes of governance, goal-setting and risk management in order to understand the changes that can affect the efficiency and effectiveness of the organisation's performance, from a continuously adaptive viewpoint;

o Information, Communication & Reporting: the process of identifying, collecting and transmitting relevant and timely information that allows people to perform their assignments and make informed decisions.


The principles of the framework can be adopted at different organisational levels (entire organisation/"entity level", business unit, process, activity).

The figure below (fig. 1) shows the reference principles of each component of the framework:

Fig. 1 - COSO ERM Framework: components and principles (COSO, 2017)

2.2 Basic Universal Principles of Good Governance of the Olympic and Sports Movement

The "Principles of Good Governance" (hereinafter also "PGG") represent the guidelines provided by the International Olympic Committee to all the National Olympic Committees to implement a shared approach to good governance, and provide a means for identifying possible weaknesses in their governance systems and the related necessary remediation.

The PGG identify the following 7 principles that all the Organisations belonging to the Olympic Movement must take into account to design and assess their own governance model:

1. Vision, mission and strategy.

2. Structures, regulations and democratic processes.

3. Highest level of competence, integrity and ethical standards.

4. Accountability, transparency and control.

5. Solidarity and development.

6. Athletes' involvement, participation and care.

7. Harmonious relations with governments while preserving autonomy.

The PGG are further articulated into 38 topics that give a detailed representation of each principle.


2.3 ASOIF Governance Task Force Framework

The Governance Task Force of the ASOIF (Association of Summer Olympic International Federations) has developed a methodology for assessing the governance status of the International Federations of Summer Olympic Sports, aimed at identifying best practices and priority areas for action, in order to promote a culture inspired by good governance and to support the Federations in achieving the highest level of governance attainable in their reference context and in relation to the potential of each Federation.

The Task Force used a Self-Assessment Questionnaire as its survey tool. The questionnaire includes an introductory section, which investigates the adoption of the Codes and the level of compliance with the main reference documents of the Olympic Movement, such as the Olympic Charter and the Anti-Doping Code, and is divided into 50 clear and measurable indicators, organised in 5 sections:

1. Transparency.

2. Integrity.

3. Democracy.

4. Development/Solidarity.

5. Control Mechanism.

Each section listed above consists of a set of 10 indicators.

2.4 Capability Maturity Model Integration

The "Capability Maturity Model" was developed and first introduced by Watts Humphrey in the context of his position in IBM for the U.S. Department of Defense. The model was acquired, developed and sponsored by the Carnegie Mellon University Software Engineering Institute (SEI) and was formalised in the book "Managing the Software Process", published in 1989.

Subsequently, the CMM evolved into the "Capability Maturity Model Integration" (hereinafter "CMMI") thanks to the cooperation of representatives from industry, government and the SEI. Today the CMMI is administered by the CMMI Institute, a subsidiary of ISACA (Information Systems Audit and Control Association), which is internationally recognised for its expertise on topics of IT governance.

The CMMI is available in different versions, all oriented toward providing organisations with a guide to improved performance.

Particular reference has been made to the version "CMMI for Development", updated in 2010, which pursues process optimisation for developing products and services in line with the needs and expectations of stakeholders, making better use of available resources and contributing to the development of the relevant environment. This version is one of the most complete sets of best practices recognised internationally in the field.

The Framework is based on 5 levels of maturity defining an evolutionary path of progressive effectiveness in the organisation's processes, as shown in the following figure (fig. 2).

Fig 2 - CMMI: Levels of maturity (CMMI Institute, 2010)

Each level of maturity corresponds to a different scenario, and a dynamic reading of the scenarios offers a structured and systematic path for the development and improvement of the organisation and its processes.

2.5 COSO Internal Control - Integrated Framework

The "COSO IC Framework", published by the Committee of Sponsoring Organizations of the Treadway Commission in 1999 and subsequently updated in 2013, represents the internal control and risk management system (SCIGR) through three dimensions, as shown below in fig. 3:

o the objectives of the SCIGR: effectiveness and efficiency of business processes (operations), reliability of financial information management and reporting, and internal and external compliance with laws and regulations (compliance);

o the various levels of the organisation at which the SCIGR is implemented (company, business unit, business function, process, activity, etc.);

o the 5 fundamental components of the SCIGR:

1. Control Environment: represents the general context in which the company personnel perform their activities and carry out their responsibilities. It includes the integrity and ethical values of the company, the organisational structure, the system of attribution and the related exercise of mandates and responsibilities, the segregation of functions, the management policies and personnel incentives, staff expertise and, more generally, the "culture" of the company;

2. Risk Assessment: consists of the process of identifying risks, analysing and assessing potential impacts and defining prevention or containment actions;

3. Control Activities: this is the element implementing the corporate SCIGR. It is articulated in the set of policies, procedures and practices defined to allow the organisation to achieve corporate objectives and reduce the related risk to an acceptable level. Control activities include, for example, authorisation limits, controls to reduce exposure to losses and fraud, procedures to ensure data reliability and the integrity of information, and appropriate procedures to ensure compliance with laws and regulations;

4. Information and Communication: this includes both the systems suitable for collecting and processing data and information relevant to the management of the business, and the appropriate mechanisms for ensuring effective communication thereof inside and outside the organisation;

5. Monitoring Activities: this is the set of activities required to monitor and periodically evaluate the adequacy, effectiveness and efficiency of internal controls, with a view to their improvement. These activities are carried out both by the process managers/organisational structure, through systematic and continuous monitoring (level 2 control), and by independent internal structures operating through specific evaluations (level 3 control).


Fig 3 - COSO Internal Control-Integrated Framework (COSO, 2013)

2.6 Fraud Triangle

For the purposes of the SCIGR verification, some of the major theories developed on the factors affecting behaviour contrary to business ethics were taken as reference. One of the main methodological reference standards is the so-called "Fraud Triangle", taken from a study by Donald R. Cressey, Other People's Money, published in 1973, which identifies three variables that underlie the unacceptable or fraudulent act:

o Incentives/pressures felt by the individual, such as revenge, personal economic difficulties, but also an incorrect interpretation of the results expected by the organisation, etc.;

o Rationalisation or normalisation, i.e., the psychological mechanism that is triggered before the individual's choice to violate the rules matures, and which induces him to justify the unethical and illegal act by ascribing blame to other members of the organisation or to factors extraneous to himself ("other people do worse, so do the bosses, etc."). This mechanism combines easily with the others, and a strong mitigating element can be found precisely in the control environment, in exemplary executive management and in the diffusion of ethical values;

o Opportunities linked to the person's awareness of being able to exploit the weaknesses in the system of internal controls. In fact, whatever the circumstances that could arise and trigger the variables "rationalisation" and "pressure/incentives" during a person's working life, no fraud could take place if there were no chance to take advantage of deficiencies or weaknesses in the control system. However, this element also involves communication, because it is not enough to have an effective and efficient internal control system; it is also necessary that it is perceived as such by all the addressees.

In addition to the above, recent studies have identified an additional variable, represented by the capability of the person to actually take advantage of the weaknesses of the internal control system.

For the purpose of identifying potential fraud schemes, the taxonomy considered is that developed by the Association of Certified Fraud Examiners (ACFE), which attributes all possible fraud schemes to three main categories:

o Financial statement fraud: this is manifested through the commission of one or more intentional acts performed for the purpose of providing an altered and misleading representation of the company's economic, financial and equity situation. Generally, this category of fraud is perpetrated by senior managers of the organisation, with the goal of obtaining undue advantages. However, it also includes all forms of falsification of the accounting records, even when instrumental to other violations (e.g., falsification of repayments);

o Asset misappropriation: this includes all those illegal schemes involving forms of embezzlement and misappropriation of corporate assets and resources. In particular, the misappropriation may involve money, tangible property assets other than cash, and intangible assets. According to the ACFE, this category of fraud is the most widespread;

o Corruption: covers all those behaviours of abuse of power, authority and knowledge carried out with the intent to award an illegal or unfair advantage or benefit to certain entities or agents, both external and internal to the organisation.

Finally, another factor taken into consideration for identifying and investigating fraud is represented by the fraud indicators (the so-called red flags or anomaly signals), meaning those conditions, symptomatic situations and clues that can be attributed to fraudulent or dishonest activities or to an attempt to conceal their traces.


3 Description of the Governance System assessment methodology

The assessment methodology of the Governance System is described in the paragraphs below in terms of:

o Purposes and goals.

o Logical structure.

o Methods for the collection of data and information.

o Measurement logic.

o Assessment outcome.

o Procedural aspects.

3.1 Purposes and Goals

The International Olympic Committee (IOC) regards "good governance" as an essential principle of the Olympic Movement; the Olympic Charter establishes the responsibility of the organisations that are part of the Movement to ensure that the principles of "good governance" are applied, and the IOC Code of Ethics requires that the "Basic Principles of Good Governance of the Olympic and Sports Movement" (hereinafter also "PGG") are complied with by all the members of the Olympic Movement.

"Recommendation 27" of the Olympic Agenda 2020 reaffirms the essential nature of compliance with the PGG by all the organisations that are part of the Olympic Movement.

"Good governance" in the sports sector has particular significance, as it represents «the fundamental basis to secure the Autonomy of Olympic and Sports organisations and to ensure that this Autonomy is respected by [...] stakeholders.» (EU White Paper on Sport, SEC (2007)).

There are numerous international multi-stakeholder initiatives on governance and the fight against corruption in the sports sector, such as those promoted by the IPACS (Partnership against Corruption in Sport [6]).

[6] The IPACS (Partnership Against Corruption in Sport) is the partnership set up during a meeting held in Paris at the Council of Europe (June 2017), which aims to bring together international sports organizations, governments and non-governmental organizations, as well as other relevant stakeholders, in order to fight against and eliminate corruption in the world of sport, promoting a culture of "good governance". On this occasion the British Department for Culture, Communication and Sport, the Council of Europe, the International Olympic Committee and the Organization for Economic Cooperation and Development (OECD) were involved as guests and co-organizers, in addition to the ASOIF and other international organizations, to discuss and identify the principles of "good governance" in sports.


***

The methodology for assessing the Governance System is to be viewed in this context and is aimed at understanding the level of maturity and the opportunities that can support the creation of value for the stakeholders of the sports system, identifying and promoting best practices as well as defining and implementing cross-actions for development and evolution.

3.2 Logical structure

This methodology refers exclusively to the "off-the-field" area of governance, that is, the area relating to the organisation and the "decision-making and administrative machine", and not to sports performance.

The following 4 "thematic areas" have been identified that characterise the FSN governance system:

1. Democracy.

2. Environment and ethical culture.

3. Goals, risks and controls.

4. Accountability and transparency.

***

Each area is developed:

o vertically, in specific "themes" and "sub-themes" that reflect the fundamental points of the 5 components of the COSO ERM Framework, the 7 principles of the IOC and the 5 sections of the ASOIF, adapting them to the overall context of the FSN (the diagram in fig. 4 describes the 4 areas and their breakdown);

o horizontally, in an evolutionary process of progressive decisional, organisational and managerial effectiveness, articulated in the following 4 standard maturity levels (as shown in the diagram in fig. 5):

1. Initial.

2. Managed.

3. Defined.

4. Optimised.


Fig. 4- Diagram: areas, themes and aspects of detail


Level 1 - Initial Level 2 - Managed

A process of democratic participation is present at this level. There are no defined conflicts of interest with regard to eligible candidates. Candidates can be elected by acclamation and multiple votes can be cast as no balancing methods are present. No commissions are set up for the verification of voting rights, counting and checking of the polls. Candidates are not required to file programs and objectives for their mandate and no institutional information on the background of candidates is given.

Any resolutions that, during election time, might involve conflicts of interest, in particular any resolutions referring to the allocation of resources and advantages to stakeholders, are not published.

Ethical rules are not codified and there is no commitment on ethics-related issues. No tools for the management and investigation of alerts are in place.

Decision-makers use their own mental model for the representation of internal and external contexts, feeding on subjective experience and perceptions, and define the decisions to be made without a structured informative support process. There is no dedicated reflection on current issues and significant risks, including emerging risks, for the Federation.

The strategic reference is static and coincides with the mission provided for in the Articles

of Association. There is no process of defining and assigning objectives to the structures, which perform tasks and activities without a formal definition of roles and responsibilities.

No policies and procedures are present, activities and controls are based on individual initiative and experience with no methodological structure. There are no internal or external control bodies, nor second- or third-level internal assurance structures. There is no management of conflicts of interest on operational processes (procurement, treasury,...).

No forms of transparency are in place for the democratic process, the decision-making, management and performance processes.

The results are substantially represented in the financial statements, which are not published.

A process of democratic participation is present. The fundamental conflicts of interest in relation to eligible candidates are defined and managed. Elective mechanisms are traceable and objective, but multiple votes can be cast as no balancing methods are present. Commissions are set up for the verification of voting rights, counting and checking of the polls, but there are no rules on their independence nor rules on the possibility of making timely reports and appeals. Candidates are required to file programmatic statements but an actual mandate program is not present and no institutional information on the background of candidates is given.

Any resolutions that, during election time, might involve conflicts of interest, in particular any resolutions referring to the allocation of resources and advantages to stakeholders, are not published.

Ethical rules are not codified, but there is commitment. The reports are managed and investigated even if through unstructured channels. The staff takes part in training and refresher courses and conferences on ethics-related issues.

Decision-makers define the decisions to be taken using data supplied by the structures, though mainly on the basis of historical series and without an adequate information process to support them. Decision-makers are informed, though not promptly and not in a structured way, of the significant risks for the Federation, especially in relation to compliance issues.

The strategic reference is static and coincides with the mission set out in the Articles of Association, but some objectives can be inferred from various documents (e.g. budget, management report, etc.). There is no process for defining and assigning goals to the structures, but their roles and responsibilities are formalized.

The activities are carried out on the basis of established practices, with regulations that define the main aspects of the business cycles in general terms. Key controls are present and performed, but their adequacy is not reassessed on a regular basis, and they are focused on financial reporting. There is a Board of Auditors, but no second- or third-level internal assurance structures. Conflicts of interest on operational processes (procurement, treasury, etc.) are not managed.

The democratic process involves the publication of results. The decision-making process is characterized by the publication of the summaries of the most significant decisions. Management and performance are not subject to forms of publication.

The results are substantially represented in the financial statements, which are published.


3 - Defined

A process of democratic participation guarantees the participation of all the stakeholders and regulates how the main conflicts of interest with regard to eligible candidates are defined and managed. Electoral methods are traceable and objective, and are governed by rules on proxy delegation and on balancing multiple votes. Commissions are set up for the verification of voting rights and for counting and checking the polls, and there are rules on the independence of the commissions and on the possibility of making timely reports and appeals. Mechanisms are in place for handling claims filed by entitled persons. Candidates are required to file specific programmes, although information on their background is not published.

Any resolutions that, during election time, might involve conflicts of interest, in particular any resolutions referring to the allocation of resources and advantages to stakeholders, are published during the period of the elections.

There is a Code of Ethics and commitment is required on ethics-related issues. The staff participates in training and refresher courses, conferences and initiatives on ethics-related issues. There is a system for managing and investigating reports.

Decision-makers define the decisions to be made using reliable information promptly provided by identified process owners. Strategic objectives are defined and the structures pursue specific objectives with a certain degree of decision-making independence; however, performance is measured only qualitatively, as no specific targets are set.

There is commitment with regard to the identification and management of significant risks, and on these issues decision-makers receive information provided by the persons in charge of the individual matters.

A formal organisational chart and formal job descriptions are in place.

Activities are carried out on the basis of procedures and the adequacy of controls is assessed by the managers. Second-level assurance structures (e.g. compliance) are present.

The democratic process requires the publication of the assigned voting rights and of the poll results. The decision-making process is characterized by the publication of the agenda and of the summaries of the decisions/resolutions. Management and performance are subject to various forms of transparency on certain issues, with the exception of the procurement process and the allocation of resources and benefits.

There is a Board of Auditors and the financial statements are audited by independent auditors.

4 - Optimized

A process of democratic participation exists, is open to all the stakeholders and respects gender balance. The main conflicts of interest in relation to eligible candidates are defined and managed. Electoral methods are traceable and objective, and are governed by rules for the management of proxies and the balancing of multiple-voting mechanisms. Independent commissions are set up for the verification of voting rights and for counting and checking the polls, and are capable of ensuring that the defined rules are complied with. The commissions are open to external parties. There are mechanisms for handling the claims filed by anyone entitled, also from outside the organisation. Information on the candidates, their background and the objectives of their programmes is published on the institutional website on a fair and equal basis.

A Code of Ethics, an anti-corruption compliance model and a related disciplinary system are present. The staff receives training on ethics-related topics. A management system for whistleblowing reports is in place which protects the confidentiality of the whistleblower.

Decision-makers define measurable goals and take decisions within structured planning and control processes. The goals are assigned to the structures and their respective performances are measured through ad hoc indicators.

A process for the management of significant risks, based on an internationally recognized framework, is present.

The organisational chart and job descriptions are formalized, and the relevant updates are approved and communicated promptly.

There is a structured process for the drafting, updating, issuance and dissemination of policies and procedures. There are second-level (e.g. compliance) and third-level (internal audit) control structures, which provide assurance on the adequacy and effectiveness of the governance, risk management and internal control processes.

The organisation is responsive to change. The democratic process, management and performance are transparent. Documents and decisions are widely disseminated and accessible.

There is a Board of Auditors and the financial statements are audited by independent auditors, whose reports/minutes are published on the institutional website.

A Sustainability Report is drawn up and published on the institutional website.

Fig. 5 - Standard maturity levels


3.3 Methods for the collection of data and information

The "data collection card" (fig. 6) is the tool used to collect data and information on all the aspects of detail that make up each thematic area to be assessed. The purpose of the data collection card is to record contingent and specific situations.

Fig. 6 - Format of the data collection card

Data and information can be acquired through the three procedures illustrated below (fig. 7), which can also be implemented in combination with each other.

Procedure: Request for information
  Description: interview; survey.
  Control risk: the request for information produces indirect evidence that, in itself, is not generally considered persuasive.

Procedure: Observation
  Description: direct observation; walk-throughs.
  Control risk: the presence of an evaluator can influence the attitude of the persons being observed.

Procedure: Document verification
  Description: study of documents and transactions; physical examination of tangible resources.
  Control risk: verification is influenced by the evaluator's ability to understand what they see and examine.

Fig. 7 - Data and information acquisition procedures

The information collected must be:

• sufficient: factual, adequate and convincing, such that it would lead a prudent and informed person to reach the same conclusions as the evaluator;

• reliable: the best information obtainable through the procedures that can be carried out and the available sources;

• relevant: consistent with the objectives of the assessment and pertinent to the processes investigated.


3.4 Measuring method

The contingent situation recorded for each aspect of detail is assessed against the "scenarios" (fig. 8) that represent decision-making, organisational and management situations based on the 4 levels of maturity (fig. 5).

The valuation is carried out on the basis of a prudential principle, so that, in the event of a partial overlap between scenarios, the lower-level scenario is chosen.

Fig. 8 - Format of the collection card

Each scenario is attributed a score of 1 to 4 depending on the corresponding maturity level, as follows:

• Initial - score "1”; • Managed - score "2”; • Defined - score "3”; • Optimized - score "4”.

The maturity level of each thematic area is measured by calculating the simple arithmetic average of the above scores.

The simple arithmetic average thus calculated is normalized through an automatic algorithm that applies the following function:


The normalized values are then allocated, following a normal distribution, to 4 frequency ranges corresponding respectively to the intervals up to the 25th, 50th and 75th percentile and the remaining one, as shown below (fig. 9).

Fig. 9 - Distribution range

Each range is associated with a level of maturity from 1 to 4, as shown in the table below (fig. 10).

Range   Interval         Level of maturity
R1      [0% - 25%]       1 - Initial
R2      [25% - 50%]      2 - Managed
R3      [50% - 75%]      3 - Defined
R4      [75% - 100%]     4 - Optimized

Fig. 10 - Ranges, intervals and maturity levels

The maturity level of each thematic area corresponds to the maturity level associated with the range that includes the normalized value of the simple arithmetic average of the scores of the aspects of detail into which the thematic area is organised.

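The measurement of section 3.4, carried through on a constructed data collection card. This is an added example and not code from the CONI methodological model: the page does not give the normalization function nor say which range a value exactly on a boundary (25%, 50%, 75%) belongs to, so the code assumes a linear normalization of the 1..4 average onto 0..100% and assigns boundary values to the lower range, extending the prudential principle of section 3.4. The aspect names in the sample card are illustrative.

```python
"""Worked example of the maturity measurement of section 3.4.

Added example, not part of the CONI methodological model. Assumptions that the
page does not state:
  * normalization is linear, (mean - 1) / 3, mapping the 1..4 score range onto
    0..100 % (the page only says an automatic algorithm normalizes the mean);
  * a value that falls exactly on a range boundary (25, 50 or 75 %) is assigned
    to the lower range, applying the prudential principle of section 3.4;
  * a data collection card is represented, per aspect of detail, as the set of
    scenario levels that the recorded situation matches; more than one level
    means a partial overlap between scenarios.
"""
from statistics import mean

MATURITY_LABELS = {1: "Initial", 2: "Managed", 3: "Defined", 4: "Optimized"}

# Upper bound of each range of fig. 10 and the maturity level it maps to.
RANGES = [(25.0, 1), (50.0, 2), (75.0, 3), (100.0, 4)]


def score_aspect(matching_levels):
    """Score one aspect of detail.

    matching_levels holds every scenario level (1..4) that the recorded
    situation overlaps with; the prudential principle picks the lowest one.
    """
    levels = set(matching_levels)
    if not levels or not levels <= set(MATURITY_LABELS):
        raise ValueError(f"scenario levels must be a non-empty subset of 1..4, got {matching_levels!r}")
    return min(levels)


def normalize(average):
    """Map the simple arithmetic average (1..4) onto 0..100 % (assumed linear)."""
    if not 1.0 <= average <= 4.0:
        raise ValueError("an average of 1..4 scores cannot fall outside 1..4")
    return (average - 1.0) / 3.0 * 100.0


def maturity_level(normalized_pct):
    """Pick the range of fig. 10; a boundary value goes to the lower range."""
    for upper, level in RANGES:
        if normalized_pct <= upper:
            return level
    raise ValueError("normalized value above 100 %")


def assess_thematic_area(card):
    """card: {aspect of detail: [matching scenario levels]} -> assessment dict."""
    scores = {aspect: score_aspect(levels) for aspect, levels in card.items()}
    average = mean(scores.values())
    pct = normalize(average)
    level = maturity_level(pct)
    return {
        "scores": scores,
        "average": average,
        "normalized_pct": pct,
        "level": level,
        "label": MATURITY_LABELS[level],
    }


# Constructed sample card for a "democratic process" thematic area; the aspect
# names and the matched levels are illustrative, not taken from the document.
SAMPLE_CARD = {
    "participation of stakeholders": [2, 3],   # overlap: scored prudentially as 2
    "conflicts of interest of candidates": [3],
    "electoral commissions": [3, 4],           # overlap: scored as 3
    "information on candidates": [2],
}

if __name__ == "__main__":
    result = assess_thematic_area(SAMPLE_CARD)
    # Average 2.5 normalizes to 50 %, which sits on the R2/R3 boundary and is
    # therefore assigned to R2 (2 - Managed) under the assumption above.
    print(result)
```

The sample deliberately lands on a range boundary: an average of 2.5 normalizes to exactly 50%, and the result changes from "Managed" to "Defined" depending on the boundary rule, which is why that rule should be fixed in the assessment procedure rather than left to the spreadsheet.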


3.5 Results of the assessment

The overall results of the assessment are formally set out in a "summary dashboard" that illustrates the outcome of the assessment for each thematic area, specifying the level of maturity that results from the aggregation of the scores referred to in the previous paragraph (fig. 11):

Fig. 11 - Format of the summary dashboard

Combining all the summary assessments makes it possible to assess the overall maturity level of the governance "system" and to identify best practices to be promoted as cross-cutting actions to strengthen it.

3.6 Procedural aspects

The Supervisory Office proposes to the National Board to start the assessment of the governance system of the NSFs (National Sports Federations). This assessment is carried out every four years and replaces, in that year, the assessments carried out on the SCIGR (Sistema di Controllo Interno e di Gestione dei Rischi, Internal Control and Risk Management System).

Following approval by the National Board, the Supervisory Office sends a communication to all NSFs and defines the timetable of activities.

In carrying out the activities the Office can request additional documentation and meetings.

Following the assessments, the Supervisory Office prepares the summary dashboards sent to the individual NSFs and a summary report on the overall maturity level of the system, also with the support of competent and independent third parties, which is sent to CONI's General Secretary and National Board.


4 Monitoring of the internal control and risk management system

The assessment methodology is described in the following paragraphs in terms of:

• aims and objectives;

• logical structure;

• method for measuring the adequacy of control measures;

• representation of the assessment outcomes;

• procedural aspects.

4.1 Aims and objectives.

The monitoring activity is carried out alongside, and does not replace, audit inspections. It represents an element of guarantee and prevention since, on the one hand, it is not open to subjective discretionary choices, given that it is a simultaneous check on all the NSF/ASD (around 64 entities), and, on the other hand, it is aimed at identifying any shortcomings or points for improvement in the design of federal controls, in order to reduce the probability of events or situations that could give rise to audit inspections.

The methodology is characterised as follows:

• remote monitoring, without on-site visits to federal offices;

• the checks are implemented by adopting an approach that requires reporting on on-going controls, i.e. during operations rather than at the end of activities. This approach has the following main benefits:

  o the verification activities are more efficient and less burdensome for the NSF in terms of documentation production, with such requests spaced out through the year;

  o checks are focused on specific aspects of control design with respect to each Area being examined in all NSF/ASD;

  o controls are verified in a continuous manner, acquiring the documentary evidence in line with the timetable of the activities under examination;

  o control failures and shortcomings can be quickly identified, minimising the consequent risks;

• search for synergies and dialogue with other control actors in order to avoid duplications and overlaps.


In consideration of the characteristics described above, this method presents by its very nature a higher "control risk"[7] than on-site audit inspections at the federal office. In this sense it cannot be excluded that tests carried out on site, with procedures other than those described in this document, may produce different results. However, the advantages of the approach adopted relate:

• to the cost-benefit ratio, in terms of a control plan that annually covers 64 different entities and that, with different procedures, could only be implemented with a high expenditure of resources both by the supervising entity and by the supervised subjects;

• to the possibility of identifying cross-cutting issues and of providing uniform solutions in a "system" perspective, generating possible economies of scale;

• to the "deterrent" effect generated by a periodical and constant monitoring cycle.

4.2 Logical structure

The monitoring process is developed through the following logical and time phases:

• identification of the management Areas to be monitored;

• identification and assessment of the inherent risks for each Area in question;

• identification of control measures;

• assessment of the adequacy of control measures;

• identification and communication of remedial actions.

The following paragraphs describe the operating methods of each phase.

***

Identification of management Areas to be monitored

The following are the management Areas identified as possible targets of the monitoring activity:

1. Fixed assets and Inventories.

2. Investments.

3. Receivables.

4. Treasury (Bank, cash, credit cards and advances).

[7] That is to say, the risk that a failure of the internal federal control system is not identified by the monitoring activity of the Supervisory Office.


5. Potential Payables and Liabilities.

6. Purchasing cycle.

7. Personnel.

8. Consultations, professional appointments and technical sport services.

9. Travel expenses.

10. Entertainment expenses, gifts and benefits.

11. Local Territory Committees.

A management Area is a uniform set of processes that identify groups of transactions, recorded in specific balance sheet accounts, which normally share the same information system, the same sequence of activities and the same organisational functions.

The Supervisory Office reserves the right to review/integrate the list of the aforementioned Areas, subject to the approval of CONI's National Board.

The Supervisory Office annually selects from 1 to 3 Areas to be proposed to the CONI National Board. The selection is based on the weighted average scores[8] (value x weight) obtained by each Area in relation to the following criteria:

a) nature of the accounting entries and complexity of processes;

b) regulatory changes;

c) distance in time from the last control/monitoring activities carried out;

d) outcome of previous control/monitoring activities;

e) presence of reports;

f) Area-related fraud risk.

[8] The score is calculated as the weighted average of the assessments obtained for each criterion.


The value of each criterion is weighted using weights defined on a yearly basis by the Supervisory Office to reflect the relative significance of the criterion.

a) Nature of the accounting entries and complexity of processes

High (score 3): The accounting entries that refer to this Area are normally estimates (e.g. risk fund, credit write-down funds) and/or the processes referring to this Area are usually highly concentrated from an organisational and decision-making point of view, i.e. in most cases the processes are not automated.

Medium (score 2): The accounting entries referring to this Area are of a partially evaluative nature and/or the processes referring to this Area are, as a rule, characterised by a segregation that involves at least two organisational structures in an equal way, or the processes, in most cases, are automated through systems without interfaces and characterised by poorly structured control systems.

Low (score 1): The accounting entries referring to this Area are of a certain nature and/or the processes referring to the Area are characterised by a segregation involving at least three organisational structures in an equal way, or the processes, in most cases, are automated with integrated systems with structured controls.

b) Regulatory changes[9]

High (score 3): The Area has been subject to regulatory action in the last 3 financial years (introduction of new provisions or amendments to previous ones) with impacts on the NSF/ASD that are significant from an operational/procedural/accounting point of view or from the point of view of the penalties to which the NSF/ASD can be exposed in the event of non-compliance.

Medium (score 2): The Area has been subject to regulatory action in the last 3 financial years (introduction of new provisions or amendments to previous ones) with impacts on the NSF/ASD that are not significant, either from an operational/procedural/accounting point of view or from the point of view of the penalties to which the NSF/ASD can be exposed in the event of non-compliance.

Low (score 1): The Area has not been subject to regulatory action in the last 3 financial years.

c) Distance in time from the last control/monitoring activities

High (score 3): The Area has not been monitored in the last 4 years.

Medium (score 2): The Area was last monitored between 2 and 4 years ago.

Low (score 1): The Area has been monitored within the last 2 years.

[9] In this context, by regulatory change we mean a change brought about in laws/regulations and/or in the applicable CONI circulars and procedures.


d) Outcome of previous control/monitoring activities[10]

High (score 3): In the last periodical monitoring activity, the control measures of the Area assessed as inadequate and/or deficient exceeded 30% of the total surveys carried out[11].

Medium (score 2): In the last periodical monitoring activity, the control measures of the Area assessed as inadequate and/or deficient were between 15% and 30% of the total surveys carried out; or the Area falls in the "High" cluster above, but the results of the follow-up activities have brought the assessment down to "Medium".

Low (score 1): In the last periodical monitoring activity, the control measures of the Area assessed as inadequate and/or deficient were up to 15% of the total surveys carried out; or the Area falls in the "Medium" cluster above, but the results of the follow-up activities have brought the assessment down to "Low".

e) Presence of reports

High (score 3): In the last 3 years, the Area has received at least one report followed up by an audit inspection that ended with a complaint/report to the competent authorities or with the appointment of an external commissioner.

Medium (score 2): In the last 3 years, the Area has received reports followed up by audit inspections that ended with recommendations regarding important aspects of the financial statements or of organisational procedures, or has been the subject of detailed reports for which the related investigations are still ongoing.

Low (score 1): In the last 3 years, the Area has received reports subject to an audit that concluded with suggestions for improvement, or has received no reports.

f) Area-related fraud risk

High (score 3): The Area is characterised by a high number of potential fraud schemes that can be empirically identified in the context of the NSF/ASD. The hypothetical fraud schemes are not complex (the activity/process involved is managed by a single structure) and/or the event can potentially generate significant economic impacts at unit level.

Medium (score 2): The Area is characterised by a high number of potential fraud schemes, even if not empirically identified in the context of the NSF/ASD. The hypothetical fraud schemes are fairly complex (the activity/process is managed by 2 structures) and/or, even if the event does not generate a significant economic impact at unit level, it is characterised by high frequency.

Low (score 1): The Area is not characterised by potential fraud schemes, or its fraud schemes are highly complex (the activity/process involves at least 3 subjects belonging to different structures) and are low-impact and low-frequency.

[10] In the event that no monitoring activities have been carried out on the Area, this parameter is excluded from the assessment.

[11] The figure "total of surveys carried out" is calculated as the product of the number of control measures relating to the Area under survey and the number of NSF/ASD for which the monitoring activity has been carried out.
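The annual selection of Areas described above (criteria a to f, weighted average of footnote 8, exclusion rule of footnote 10), carried through on constructed scores. This is an added example and not code from the CONI methodological model: the page does not publish the yearly weights, does not say which bracket a value exactly on a threshold (2 or 4 years for criterion c, 15% or 30% for criterion d) belongs to, and does not say how a "never monitored" Area is scored under criterion c, so the weights and those boundary rules below are assumptions. The sample scores for the four Areas are illustrative.

```python
"""Annual selection of the management Areas to monitor (criteria a to f).

Added example, not part of the CONI methodological model. Assumptions that the
page does not state:
  * the weights below are illustrative (the real ones are set yearly by the
    Supervisory Office);
  * criterion c: exactly 2 or 4 years since the last monitoring falls in the
    higher bracket, and an Area never monitored scores 3;
  * criterion d: exactly 15 % or 30 % of inadequate controls falls in the lower
    bracket, and a successful follow-up lowers the bracket by one; when no
    monitoring was carried out the criterion is excluded (footnote 10), so the
    weighted average is taken over the criteria actually assessed.
"""

CRITERIA = ("a", "b", "c", "d", "e", "f")

# Illustrative yearly weights (assumption): reports and fraud risk weigh most.
WEIGHTS = {"a": 1, "b": 1, "c": 2, "d": 2, "e": 3, "f": 3}


def score_years_since_monitoring(years):
    """Criterion c: 3 if not monitored in the last 4 years, 2 for 2 to 4 years, else 1."""
    if years is None or years >= 4:
        return 3
    if years < 0:
        raise ValueError("years since last monitoring cannot be negative")
    return 2 if years >= 2 else 1


def score_previous_outcome(inadequate_pct, dropped_by_follow_up=False):
    """Criterion d: None (excluded) if never monitored; else 3 / 2 / 1 for more than
    30 %, 15 to 30 %, up to 15 % inadequate or deficient control measures."""
    if inadequate_pct is None:
        return None
    if not 0 <= inadequate_pct <= 100:
        raise ValueError("percentage must be within 0..100")
    score = 3 if inadequate_pct > 30 else 2 if inadequate_pct > 15 else 1
    return max(1, score - 1) if dropped_by_follow_up else score


def weighted_score(scores, weights=WEIGHTS):
    """Weighted average over the criteria actually assessed (a None score is excluded)."""
    if set(scores) != set(CRITERIA):
        raise ValueError(f"expected criteria {CRITERIA}, got {tuple(scores)}")
    assessed = {c: s for c, s in scores.items() if s is not None}
    if any(s not in (1, 2, 3) for s in assessed.values()):
        raise ValueError("criterion scores must be 1, 2 or 3")
    if any(weights[c] <= 0 for c in assessed):
        raise ValueError("weights must be positive")
    total_weight = sum(weights[c] for c in assessed)
    return sum(s * weights[c] for c, s in assessed.items()) / total_weight


def select_areas(area_scores, weights=WEIGHTS, how_many=3):
    """Rank the Areas by weighted score and return the 1 to 3 to propose to the National Board."""
    if not 1 <= how_many <= 3:
        raise ValueError("the Supervisory Office proposes from 1 to 3 Areas")
    ranked = sorted(area_scores, key=lambda name: weighted_score(area_scores[name], weights), reverse=True)
    return ranked[:how_many]


# Constructed sample: illustrative scores for four of the eleven Areas.
SAMPLE_AREAS = {
    "Treasury": {"a": 3, "b": 1, "c": score_years_since_monitoring(1),
                 "d": score_previous_outcome(35), "e": 2, "f": 3},
    "Travel expenses": {"a": 1, "b": 2, "c": score_years_since_monitoring(None),
                        "d": score_previous_outcome(None), "e": 1, "f": 2},   # never monitored
    "Fixed assets and Inventories": {"a": 2, "b": 1, "c": score_years_since_monitoring(3),
                                     "d": score_previous_outcome(10), "e": 1, "f": 1},
    "Purchasing cycle": {"a": 2, "b": 3, "c": score_years_since_monitoring(2),
                         "d": score_previous_outcome(20), "e": 3, "f": 3},
}

if __name__ == "__main__":
    for name, scores in SAMPLE_AREAS.items():
        print(f"{name:30s} {weighted_score(scores):.3f}")
    print("proposed:", select_areas(SAMPLE_AREAS, how_many=2))
```

Note the effect of footnote 10 in the sample: "Travel expenses" has never been monitored, so criterion d is excluded and its average is taken over the remaining weights (1 + 1 + 2 + 3 + 3 = 10), which is what keeps an unmonitored Area from being penalised or favoured by a missing data point.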

***


Identification and assessment of risks inherent to each area in question.

On the basis of the professional judgement and empirical experience of the Supervisory Office, the typical relevant risks are identified for each Area subject to annual monitoring, with reference to the following categories:

• risks to the reliability of financial reporting: events that may compromise the reliability of the financial statements;

• compliance risks: events that may lead to penalties or reputational damage as a consequence of violations of laws/regulations and/or CONI's circulars and regulations;

• fraud risks: events that may involve:

  o the maliciously altered and deceptive representation of the economic, financial and equity situation;

  o the misappropriation of federal goods and assets;

  o the non-compliant or illegal assignment of advantages or benefits to external and/or internal parties.

In order to identify typical and significant risks, a statistical derivation approach is applied that allows reasonably valid conclusions to be drawn, even though the risk exposure of the various management Areas cannot be measured mathematically.

In other words, repeated surveys of the processes connected to the Area are planned: by observing the different executions of a process at a given moment (t), a random variable X(t) is obtained, whose values are the different outcomes the process could take at that precise moment. These values are presumed to be normally (Gaussian) distributed around the mean value, so that, for each instant, the most probable value of the process can be defined together with its variance or standard deviation. To identify a specific risk, for each process of the Area it must be assessed whether, among the possible values the process could take at a given instant (t), beyond the one it assumes on average and "normally" at that moment, there is a value that represents a typical and relevant event/risk with reference to the categories above. Once a specific risk has been identified, understood as a hypothetical value that a process can take at a given moment (t), both a "probability" and an "impact" must be associated with it.

The risk weighting has the sole purpose of establishing the priorities of the identified risks.


The weighting or assessment of the inherent risk is carried out by combining the following dimensions:

• probable occurrence, i.e. the frequency of occurrence of a risk event;

• potential impact, i.e. the possible effect that the occurrence of the risk event may have on achieving the goals of the NSF and ASD.

In relation to probable occurrence, the following elements are taken into consideration for each risk category:

High
  Reliability of financial reporting: the accounting records derive from complex calculations or entries, consisting of coordinated, interconnected and non-automated records (i.e. not managed by dedicated management software). Accounting entries are mainly estimates.
  Compliance: the specific process/activity is governed by complex and highly structured regulations and is subject to numerous/frequent interpretations and case law. The specific process/activity has been subject in the last 3 years to regulatory actions with significant operational/procedural/accounting impacts.
  Fraud: the advantage or hypothetical interest of the conduct is concrete, direct and immediate. The activity/process is managed by a single structure. The documentation supporting the process has highly technical contents. Accounting entries are mainly estimates. There are historical cases/empirical evidence of the risk event occurring.

Medium
  Reliability of financial reporting: the accounting records derive from complex calculations or entries, consisting of interconnected and automated records (i.e. managed by dedicated management software). Accounting entries are partly estimates.
  Compliance: the specific process/activity is governed by specific technical legislation, but with a clear and systematic application. The specific process/activity has been subject in the last 3 years to regulatory actions with operational/procedural/accounting impacts that do not present particular difficulties in management and implementation.
  Fraud: the advantage or interest of the conduct is hypothetical, without strong motivational elements. The activity/process is managed by 2 structures. The documentation supporting the process has technical contents that are on average understandable, or is the subject of communication. Accounting entries are partly estimates. There are historical cases/empirical evidence of the risk event, even if not directly attributable to the "sport" system.

Low
  Reliability of financial reporting: accounting entries are typical, frequent and not complex and/or do not involve assessment elements.
  Compliance: the specific process/activity is not governed by complex or technical regulations and/or has not been subject in the last 3 years to regulatory actions.
  Fraud: the advantage or hypothetical interest of the conduct is difficult to postulate. The activity/process involves at least 3 subjects belonging to different structures. The supporting documentation/acts in which the conduct is substantiated are widely disseminated and their content is easily usable. Accounting entries are certain. There are no documented historical cases of the risk event occurring.


In relation to potential impact, the following elements are taken into consideration for each risk category:

High
  Reliability of financial reporting: an event that affects the overall representation of the financial statements, making them unreliable.
  Compliance: an event involving economic or administrative sanctions, or the appointment of a commissioner by CONI.
  Fraud: an event that impacts the continuity of the NSF/ASD (e.g. the NSF/ASD is put under the administration of an external commissioner), with widespread attention from the national and international media; an event that affects the performance of activities and processes with a significant impact on the pursuit of objectives.

Medium
  Reliability of financial reporting: an event that does not affect the overall reliability of the financial statements but requires individual items to be revised.
  Compliance: an event that may result in administrative sanctions or audits by CONI.
  Fraud: an event that generates the need to report to the authorities, with ongoing attention over time from the local media; an event which, while affecting the smooth running of activities and processes, does not affect the pursuit of objectives.

Low
  Reliability of financial reporting: an event that does not affect the overall reliability of the financial statements but highlights the need to strengthen skills and administrative-accounting processes.
  Compliance: an event that does not generate sanctions but requires in-depth analysis and/or corrective action.
  Fraud: an event that does not involve formal reporting to the authorities and generates marginal interest in the local media; an event that does not compromise the activities and processes nor the pursuit of objectives, but involves a significant review of the activities and processes involved.

The assessment of inherent risk is carried out by combining the levels of probability of occurrence and potential impact through the following matrix:

Inherent risk


Risks of high and medium value (respectively “red” and “yellow” in the matrix) are considered relevant and are therefore subject to the subsequent monitoring phases.

***


Identification of control measures

Controls for the mitigation of significant risks (from 1 to n) are logically identified, then detected and assessed at each NSF and ASD during the subsequent monitoring phases.

The set of controls associated with each risk is designated as a “control point”.

In particular, controls are identified taking into account the efficiency/cost-efficiency principle¹², as well as the following reference criteria/parameters:

Relevance: the set of controls must be suitable to mitigate a risk (for example by identifying potential anomalies);

Optimisation: controls are identified avoiding duplications in the same Area;

Prevention: “preventive” controls are preferable to “investigative” controls, as they aim to prevent the occurrence of a risk event rather than detecting the event once it has occurred;

¹² The assessment of the efficiency/cost-efficiency of controls is based on the cost (not only in terms of necessary resources, but also of impact on the speed of decision-making processes) necessary to carry out a control, compared to its benefits (in terms of risk mitigation, i.e. reduction of the potential impact and probability of a risk occurring). In general, if the cost arising from carrying out a control is lower than the benefits deriving from the reduction of risks, the control can be considered efficient.


Automation: controls which can be carried out automatically are preferable to those which require manual execution;

Reliability: controls must be based on reliable data, information and facts;

Independence: controls must not depend on other controls, discretionary elements or other factors that may not be controlled.

Each identified control is defined in terms of attributes, which constitute its essential and objective elements. Identifying these attributes has the effect of minimising the subjective element that is necessarily part of an assessment.

In addition to controls, the risk of fraud can be monitored through specific indicators of anomalies (known as red flags), consisting of symptomatic conditions, situations and clues that can be connected to fraudulent activities or to the related concealment strategies.


4.3 Assessment of the adequacy of control measures

During monitoring, each attribute of each control is associated with two variables:

the score (s),

the weight (w).

The score, during the assessment, can only take two values (0, 1) depending on whether there is sufficient documentary evidence for the identified attribute.

The weight, which is predefined, is a function of the relevance of an attribute or of a red flag with respect to the other parts of the control.

In assessing the adequacy of each control point, the following steps are followed:

Step 1: definition of the top score hypothetically obtainable (Vm) by each control (C).

This score expresses the complete adequacy of the control to mitigate the risk and is expressed by the following formula:


In other words, this score is achieved when all the expected attributes referring to the control are present.

Step 2: calculation of the actual score (V) obtained by each control (during the assessment).

This score is expressed by the following formula:

In other words, this score indicates that the document verification has confirmed that each attribute exists and/or is adequate.

Step 3: synthetic assessment of each control (VALcont).

The summary assessment of the control to which the attributes are referred is defined by the following ranges:

VALcont Effective: if the ratio V/Vm exceeds 0.8, i.e. more than 80% of the expected attributes are confirmed to exist.

VALcont Partially effective: if the ratio V/Vm is between 0.5 and 0.8, i.e. between 50% and 80% of the expected attributes are confirmed to exist.

VALcont Ineffective: if the ratio V/Vm is below 0.5, i.e. less than half of the expected attributes are confirmed to exist.

Step 4a: assessment of the control point (VALpres_a).

The summary assessment of the control point is carried out by assigning the following scores to the assessment range obtained by the individual controls (VALcont):

VALcont Effective = 3

VALcont Partially effective = 2

VALcont Ineffective = 1

The assessment of the control point (VALpres_a) is defined by the average of the scores associated with the individual controls (C) that make up the control point:

The control point is synthetically assessed based on the following ranges:


Adequate, namely the control point is confirmed to be logically adequate to prevent risk events or to promptly remove their consequences:

VALpres_a > 2.5

Inadequate, when the control point will presumably be unsuitable to prevent the risk event completely or systematically, or to remove its consequences promptly:

1.5 ≤ VALpres_a ≤ 2.5

Deficient, when the control point does not appear suitable to reduce the likelihood of risk events occurring to a remote level:

1 ≤ VALpres_a < 1.5
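The scoring chain of steps 1 to 4a, run over a constructed control point, as an added example that is not part of the original document. Since the page's formulas are not reproduced in this text, the example assumes Vm is the sum of the attribute weights and V the sum of weight times score, and it treats the control weights of step 4b as a weighted mean; the control names, attribute weights and scores are all constructed.

```python
"""Control-point scoring, steps 1 to 4 of section 4.3 (constructed example).

Assumed formulas, since the page's own are not reproduced in this text:
  Vm = sum of attribute weights (every attribute present, s = 1)
  V  = sum of w * s over attributes, with s in {0, 1}
Control weights (step 4b) are assumed to combine controls as a weighted mean.
"""
from dataclasses import dataclass

EFFECTIVE, PARTIAL, INEFFECTIVE = "Effective", "Partially effective", "Ineffective"
VALCONT_SCORE = {EFFECTIVE: 3, PARTIAL: 2, INEFFECTIVE: 1}  # step 4a mapping


@dataclass
class Control:
    name: str
    attributes: list     # (weight w, score s) per attribute; s is 0 or 1
    weight: float = 1.0  # relative significance within the control point (step 4b)

    def vm(self) -> float:  # step 1: top score when every attribute is present
        return float(sum(w for w, _ in self.attributes))

    def v(self) -> float:  # step 2: score actually evidenced during the assessment
        if any(s not in (0, 1) for _, s in self.attributes):
            raise ValueError("attribute score must be 0 or 1")
        return float(sum(w * s for w, s in self.attributes))

    def valcont(self) -> str:  # step 3: V/Vm above 0.8, 0.5 to 0.8, below 0.5
        ratio = self.v() / self.vm()
        if ratio > 0.8:
            return EFFECTIVE
        return PARTIAL if ratio >= 0.5 else INEFFECTIVE


def valpres(controls, weighted=False) -> float:
    """Step 4a: mean of the 3/2/1 scores; weighted mean when control weights apply."""
    pairs = [(c.weight if weighted else 1.0, VALCONT_SCORE[c.valcont()]) for c in controls]
    return sum(w * s for w, s in pairs) / sum(w for w, _ in pairs)


def classify_control_point(val: float) -> str:
    """Step 4a ranges: above 2.5 Adequate, 1.5 to 2.5 Inadequate, below 1.5 Deficient."""
    if val > 2.5:
        return "Adequate"
    return "Inadequate" if val >= 1.5 else "Deficient"


# Constructed control point of four controls with sample attribute evidence.
SAMPLE = [
    Control("C1", [(2, 1), (1, 1), (1, 0)]),                       # 3/4 = 0.75 -> Partially effective
    Control("C2", [(1, 1), (1, 1), (1, 1), (1, 1), (1, 0)]),       # 4/5 = 0.80 -> Partially (not above 0.8)
    Control("C3", [(1, 1), (1, 1), (1, 1), (1, 1), (1, 1)], 6.0),  # 5/5 -> Effective, weight 6
    Control("C4", [(2, 0), (1, 1), (1, 0)]),                       # 1/4 = 0.25 -> Ineffective
]

if __name__ == "__main__":
    for weighted in (False, True):
        val = valpres(SAMPLE, weighted=weighted)  # 2.0 unweighted, 23/9 weighted
        print("weighted" if weighted else "unweighted", round(val, 3), classify_control_point(val))
```

The constructed point is Inadequate on a plain average (2.0) but Adequate once the heavily weighted effective control counts more (23/9), which is why the weight assignment matters for the outcome.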

Step 4b: assessment of control points in the event of red flags (VALpres_b).

In relation to the risks of fraud, specific red flags can be identified in addition to controls.

If a red flag, understood as an anomaly or “false positive” signal, is found to be present, then the score obtained by the control point (step 4a) is decreased in line with the relevance of the red flag, and the scale of such decrease is assessed by professional judgement.

Controls can also be associated with a weight (w) in relation to their “relative” significance with respect to the control point. In this event, the assessment of the control point (VALpres) with reference to the risk in question is defined by the following formula:

4.4 Representation of the assessment outcomes

The level of residual risk is determined by the relationship between the level of inherent risk and the assessment range of the control point (VALpres). However, this assessment range, calculated as described above, may be subject to revision depending on the identification of corrective, endogenous and/or exogenous factors, which have an improving or deteriorating effect on the assessment of the control point.

These are factors that cannot be foreseen during the logical processing of the assessment forms, but which emerge during verification and are the subject of reasoned professional judgement (for example: presence of compensatory controls, presence of external controls, etc.).

The relationship between the level of inherent risk, the assessment of control points and the level of residual risk is expressed through the following correlation matrix:


The level of residual risk determines the forecast of the following actions:

Opportunity Area: The control system is considered satisfactory, as a whole, given its suitability to mitigate the inherent risk; therefore the NSF/ASD are obliged to maintain and monitor the state of their control systems and, in some cases, should consider the opportunity to strengthen them further;

Area for improvement: The control system is considered partially effective in relation to its ability to mitigate a “medium” inherent risk; therefore, the NSF/ASD are invited to constantly monitor the activities at risk and to carry out the suggested interventions over the medium term;

Intervention Area: The control system is considered partially effective in relation to its ability to mitigate a “high” inherent risk; therefore, the NSF/ASD are invited to reinforce certain aspects related to controls and to provide feedback in the follow-up carried out by the Supervisory Office;

Priority Area: The control system is inadequate in relation to its ability to mitigate the level of inherent risk; therefore, the NSF/ASD are obliged to give priority and act promptly to implement the suggested controls and to provide feedback in the follow-up checks by the Supervisory Office, which may in certain cases require the National Board to carry out specific on-the-spot checks.


4.5 Procedural aspects

The Supervisory Office selects the respective separate Areas for auditing the NSF and ASD, to be submitted to the Secretary General of CONI for approval by the National Board, which normally takes place within the first four months of every year. After approval, the Supervisory Office:

prepares its own assessment form formats;

periodically, on an ongoing basis, sends to the NSF/ASD requests for the information, data and documents necessary for the implementation of the tests, communicating the relative deadlines.

In carrying out the tests, the Office may request additional documentation and meetings. The NSF/ASD may ask for clarification and support. Upon justified request, the Supervisory Office may agree on one or more extensions of the terms.

The Supervisory Office may send reminders in the event that the requested information is not transmitted or is delayed.

If it is not possible to receive the documentation within a reasonable period for the purposes of the analysis, the NSF/ASD, upon notice, is excluded from the monitoring activities and the Supervisory Office will inform the National Board for the relevant assessments.

The operations described above can be carried out taking into account the following two possibilities:

1) Relations with the Auditors

Annually, the Supervisory Office assesses the possibility of involving the Boards of Auditors of the NSF and/or ASD in the monitoring activity, also in relation to the Areas being analysed and taking into account possible synergies on common control Areas. In this case, the Office:

a) requests the availability of each federal Board of Auditors;

b) if they accept, informs the Federation and provides the Board with the procedures, the formats and the list of documents to be used for the execution of the activities, agreeing the related deadlines;

c) in the course of its activities, may request each of the Boards (or they may request) to schedule one or more meetings aimed at sharing the progress made and the content;

d) at the end of the activities, conducts a closing meeting, during which the Board submits the working documentation to the Office.


The Office may request further information from the Board on the activities carried out and request access to the documentation and data analysed by the Board in order to carry out the monitoring.

The Office can always take over the activities assigned to the Board, upon communication to the Federation and to the Board itself.

2) Relations with the NSF/ASD’s auditing companies

The Supervisory Office may request a review of the audit procedures implemented by the auditors and the relevant report, identify within the management Areas subject to monitoring on a yearly basis any common Areas and/or methods of intervention, and exclude them from its activities by acknowledging the results of the auditing company, also in order to avoid double sets of controls at the NSF.

***

After the analysis, the Supervisory Office draws up:

a summary report to be transmitted to the Secretary General of the CONI and to the National Board;

the audit forms, sent by the Secretary General and containing the specific actions suggested to each NSF/ASD.

The Office can propose to the Secretary General of the CONI and to the National Board that actions be carried out in support of the NSF/ASD on possible cross-cutting issues.

The Supervisory Office can, after sending the forms, and also at the request of the NSF/ASD or their Boards, hold meetings to examine, share and possibly review the actions suggested in the forms.

The Office can also carry out a regular follow-up, with a view to gaining feedback on the state of implementation of the suggested actions, preparing a memorandum for the Secretary General of the CONI and the National Board on the state of implementation of the specific and cross-cutting actions.


5 Audit inspections

This chapter illustrates some general aspects of the specific tests and inspections carried out by the Supervisory Office in relation to the power/duty of direction and control over the National Sports Federations (NSF), the Associate Sports Disciplines (ASD) and the Institutions for the Promotion of Sports (IPS) established by the Law and the Articles of Association of CONI.

These audits are carried out by the Supervisory Office of CONI Servizi, which can also seek external help, on behalf of the CONI National Board.

The Secretary of CONI must inform the Top Management of the Federation when audits are started.

By way of example and without limitation, audits of this type can be initiated as a result of:

anomalies and critical issues emerging from the remote monitoring of the NSF/ASD;

reports, including anonymous ones, provided they are adequately detailed;

findings and/or information contained in the minutes of the Boards of Auditors or communicated by individual members;

requests from the NSF/ASD/IPS themselves;

investigations, inspections or other interventions carried out by external authorities;

news broadcast by the media or other specific situations or circumstances, however known.

The audits may also concern companies directly or indirectly owned by the NSF/ASD/IPS.

CONI and CONI Servizi guarantee the confidentiality of the identity of the whistle-blower, the protection of the data and of the identity of the reported person and of any third parties that may emerge in the context of the reports and auditing activity, in compliance with the regulations in force for the protection of personal data (Legislative Decree 196/03), the provisions of the National Anti-Corruption Authority (ANAC) and the provisions of the Three-year Corruption Prevention Plan shared by CONI and CONI Servizi.

CONI and CONI Servizi do not take into consideration reports that are unsubstantiated or abusive or that exclusively regard the private life of people, and undertake to prosecute the authors of reports that may prove to be libellous, defamatory or otherwise in bad faith, implementing the appropriate actions after receiving them or upon their completion.


The operating procedures of the preventive tests (monitoring) and of the specific tests and inspections are regulated, also in compliance with the principles defined in the CONI Policies and Guidelines and in the procedures established in relation to the Three-year Corruption Prevention Plan shared by CONI and CONI Servizi, approved by CONI’s National Board and CONI Servizi’s Board of Directors.