Saint Gobain - Registration document 2016

7 RISKS AND CONTROL 2. Internal control

At the end of 2016, the Internal Audit and Business Control Department had 95 staff, working in the areas of audit, internal control and anti-fraud.

Internal Audit and Business Control Department

Internal control

Main responsibilities
- Develop and maintain the Internal Control Reference Framework
- Communicate and provide training on internal control and risk management
- Lead the annual compliance statement process
- Analyze incidents, self-assessments and audit results
- Monitor implementation of action plans

Reference standards and/or measures
- Internal Control Reference Framework and associated practical data sheets or Group memos
- Internal Control briefs
- Webinars and training sessions (Business Control Forums (1))
- Intranet and Internal Control Community (My SG)
- ACTT2 database (2)
- Dashboard/QlikView (3)

2016 key figures
- 2016 Compliance Statement update (655 questionnaires sent)
- Approximately 6,700 action plans open within ACTT2 database at the end of 2016
- 1,213 corporate leaders and managers trained during 16 Business Control Forums in 14 different countries
- 19 webinars delivered and 13 newsletters published
- Approximately 630 members of the Internal Control community

Risk management

Main responsibilities
- Define and maintain the Group’s risk universe
- Perform risks map
- Develop the risk management methodology

Reference standards and/or measures
- Risks universe
- Risks map
- Methodological tool for Group companies

2016 key figures
- 67 existing maps, of which 21 were updated in 2016
- 6 methodological training sessions via webex

Internal Audit

Main responsibilities
- Ensure the relevance and effectiveness of internal control systems
- Check the accuracy of compliance statements
- Identify and share best practices
- Perform organizational advisory tasks at general management’s request
- Cross-functional audits according to the department’s main objectives

Reference standards and/or measures
- Audit plan
- Audit methodology
- 6 Essentials (4)
- Best practices library
- IT Analysis Tool
- Auditor training Program

2016 key figures
- 169 audits performed
- 52 new best practice briefs published
- Entities covered every 5 years

Anti-fraud

Main responsibilities
- Develop anti-fraud policies
- Ensure fraud prevention
- Investigate fraud incidents

Reference standards and/or measures
- Training and awareness
- Fraud incident reports

2016 key figures
- More than 200 Directors and managers trained

(1) Business Control forums are 1- to 2-day training programs for Directors and managers, carried out within the Delegations. They primarily cover the fundamentals of internal control, anti-fraud measures, audit and compliance statements results, as well as practical case studies on various processes.
(2) Centralized database for monitoring compliance statements and action plans.
(3) Online dashboard containing all information relating to internal control (compliance statement results, action plan implementation rates), audit assignments, IT security, risk and insurance, fraud reporting and financial data.
(4) Fraud detection audit methodology.
