Internal Auditing Control and Risk Management

Internal Control and Risk Management System (ICRMS)

A fundamental element of the Governance system

Rai Way has adopted an Internal Control and Risk Management System (ICRMS), which, alongside rules, procedures, and organisational structures, allows us to conduct business in a healthy, fair, and coherent way, with predetermined objectives. This is achieved through a suitable identification, measurement, management, and monitoring process of the main risks.

The ICRMS is integral to the organisational and corporate governance framework: it is a key element of our entire governance system and plays a central role in our company’s organisation.

The planning, implementation and maintenance of the ICRMS and its periodic assessment are all based upon the principles of the Corporate Governance Code and best practices, complying with the CoSO Report (Committee of Sponsoring Organisations of the Treadway Commission, Internal Control, Integrated Framework). The latter is the internationally accepted framework for integrated functioning, analysis and assessment of the ICRMS.

The implementation of an effective and efficient ICRMS promotes an informed decision-making process. It also contributes to ensuring the protection of corporate assets, the efficiency and effectiveness of corporate processes, the reliability of financial information, and compliance with laws and regulations, the Bylaws and internal rules. Therefore, the corporate compliance models, structured and organised in accordance with applicable statutory provisions, are an integral part of the ICRMS.

Bodies and functions involved with the ICRMS

The Internal Control and Risk Management System requires the involvement of various corporate bodies and company functions, which interact in predetermined ways so as to avoid overlaps and shortcomings as much as possible.

Board of Directors and Control, Risks and Sustainability Committee

Responsibility for the ICRMS falls to the Board of Directors. Following favourable advice provided by the Control, Risks and Sustainability Committee, the Board’s main task is to define the direction of the ICRMS, evaluating at least yearly the sufficiency of the company’s characteristics and its risk profile, as well as its efficiency and effectiveness.

Managing Director

The Managing Director is responsible for implementing and maintaining the ICRMS.
In this regard, the Managing Director is particularly responsible for:

  • seeing to the identification of the company’s main risks, taking into account the characteristics of Rai Way’s business, and periodically examining these risks with the Board;
  • determining the direction of the Board, seeing to the planning, implementation, and management of the ICRMS, as well as constantly verifying its sufficiency and efficiency;
  • seeing to the adjustment of the ICRMS to suit the company’s working conditions, as well as any legal context.

Board of Auditors

The Board of Auditors is responsible for the observation of the law and the statute/terms of reference, respecting the principles of fair administration, and the sufficiency of the organisational, administrative, and financial structure adopted by the company. It must verify that everything operates correctly.

The Board of Auditors’ responsibilities also include evaluating the efficiency, thoroughness, sufficiency, functionality, and reliability of the ICRMS.

Manager of Audit Functions

The Manager of Audit Functions, in particular, bears the responsibility of verifying – both continually and related to specific needs – the operation and suitability of the ICRMS using an audit plan approved by the Board of Directors, and based upon a process structured on the analysis and prioritisation of the main risks.


The Manager of Audit Functions must carry out an independent and objective ‘assurance’ audit, designed to promote improvement in the efficiency and effectiveness of the ICRMS, as well as the organisation of the company. The Manager of Audit Functions must also assist in the organisation of the company itself, and in ensuring objectives are followed using a professional and systematic approach. This will allow the evaluation and improvement of audit systems, risk management, and corporate governance.

Manager in Charge

The Manager in Charge of drafting corporate accounting documents is also responsible, in particular, for preparing suitable administrative and financial procedures for the annual accounts, the consolidated budget (when written), and any other financial communications – particularly quarterly and biannual. They are also responsible for the preparation of these documents.

Three levels of Internal Auditing

Our ICRMS is based upon three levels of internal auditing, characterised by a different level of operative involvement in the management of risks.


Identify, evaluate, manage, and monitor risks of competence, which will determine the identification and implementation of specific actions.

The first auditing level is represented by the company management.


  • Monitor the risk management of the first level, in order to assure its efficiency and effectiveness.
  • Monitor the sufficiency and function of the audits applied to tackle the main risks.
  • Supply support to the first level in the definition and implementation of sufficient management systems for the main risks, and their relative audits.

The second auditing level is represented by the management whose role involves monitoring, auditing, and managing Enterprise Risk Management.


Provide individual and objective assurance on the sufficiency and effective function of the first and second auditing levels, as well as on the ICRMS in general.

The third auditing level is guaranteed by the company audit, which carries out checks on the ICRMS as a whole using a risk-based approach.

The structure of the first and second auditing levels is coherent with the size, complexity, risk profile, and regulatory context in which Rai Way operates.