7 RISKS AND CONTROL
2. Internal control
SAINT-GOBAIN - REGISTRATION DOCUMENT 2016 - 183
- a technical standard to Secure the Hosting of Internet Applications (SHIA);
- a technical standard for SaaS systems which defines responsibilities and security measures for implementation;
- a set of security rules to annually monitor the security of the central and regional datacenters (Datacenter Security Rules 4 SG, the new version of the 55 Datacenter Rules);
- a technical standard for the security of applications hosted by Saint-Gobain partners for publication on the internet.

Moreover, the ITAC reference guide was published in 2012 as an addition to the Internal Control Reference Framework. It describes the automated and semi-automated controls used for five key processes: Purchasing, Sales, Inventory, Cash Management and Accounting. It covers the Group’s main ERP software and includes:
- a reference guide for SAP: ITAC4SAP with 143 control points;
- a reference guide for MOVEX M3: ITAC4M3 with 96 control points;
- a reference guide for EXACT: ITAC4EXACT with 85 control points.

The ITAC4SAP reference guide was updated for consistency with the update to the Internal Control Reference Framework (143 control points, including the controls for the separation of tasks).

The controls are being gradually integrated into the Group’s information systems as follows:
- ITAC100 ITAC4SAP for SAP systems (deployed in 22 SAP systems covering 121 Group companies), including specific updates for the Building Distribution Sector;
- ITAC96 ITAC4M3 for MOVEX M3 systems (deployed in 4 M3 systems covering 17 Group companies);
- ITAC85 ITAC4EXACT for EXACT systems (deployed in 1 EXACT system covering 2 Group companies);
- ITAC principles deployed in 1 MS Dynamics system covering 1 Group company.
2.4.5 Industrial and distribution risk prevention manual

The Group’s policy for prevention of property damage and the resulting operating losses, compiled as part of an internal collection of standards and best practices, is defined by the Risk and Insurance Department (DRA). The DRA coordinates policy implementation through the Sectors and Activities with the support of the General Delegations. Within the Sectors and Activities, Prevention Coordinators manage the application of Group policy within the scope of their activities.

At the site level, those in charge of Prevention Management perform an annual self-assessment of risks at their sites via a risk rating software package. This tool assesses risks as well as the corresponding levels of protection and prevention. This self-assessment is updated annually by the industrial sites, the Research and Development Centers and logistical sites. A special assessment is carried out for the points of sale.

Furthermore, regular inspections of the Group’s most important sites are carried out by prevention engineers, who are auditors external to the Group (approximately 450 inspections per year). The sites update their action plans with a view to improving their level of prevention and protection based on recommendations prepared by these prevention engineers.
2.4.6 Tools of the Group’s culture of compliance

The culture of compliance that drives the Group has developed through its values, which are formally stated in the Principles of Conduct and Action.

The compliance program currently focuses on the following main themes: compliance with rules relating to competition law, preventing corruption, and compliance with economic sanctions and embargos.

The tools used in implementing the program include:
- a dedicated intranet, entitled Conform’Action, on which key messages are posted and tools made available;
- online training modules such as Comply (competition law), ACT (preventing corruption) and Saint-Gobain Economic Sanctions and Embargos (rules relating to economic sanctions and embargos);
- in-person training;
- distribution of technical guides:
  - the Thread of Competition,
  - 20 best practices in competition law for purchasers;
- the dissemination and implementation of internal policies such as:
  - anti-corruption policy,
  - gifts and invitations policy,
  - conflicts of interest policy,
  - economic sanctions and embargos policy,
  - sales agents policy,
  - policy on membership of professional associations;
- frequent dissemination of messages from General managers.