• EU ANTI-CORRUPTION REPORT 2014
• On June 8, 2001, the Italian Government – in compliance with the principles set forth in
EU legislation on the prevention of corporate crimes and the assessment of
companies’ liability – enacted Legislative Decree no. 231/01 (hereinafter the
“Decree no. 231”)
• The Decree introduced for the first time into the Italian legal system the direct liability of
companies and other legal entities for crimes committed by directors, executives,
their subordinates and other subjects acting on behalf of the legal entity (e.g.
agents), when the unlawful conduct has been carried out in the interest of or to the
benefit of the company concerned
• The Italian Anti-Corruption Law (Law No. 190, which entered into force on November 28,
2012) imports new concepts and instruments into the Italian legal system for the
prevention of the crime of corruption.
The crimes provided for by the Decree no. 231:
• (i) crimes committed within the sphere of the relations with the Public Administration (i.e. fraud against the State or other
Governmental Agency; theft of public funds; fraud aimed at obtaining public financings; bribery).
• (ii) as per Article 6 of Law no. 409 dated November 11, 2001, crimes concerning the forgery of coinages, banknotes and
duty stamps;
• (iii) as per Legislative Decree no. 61 dated April 11, 2002, corporate crimes (so-called “white-collar” crimes), such as
misrepresentation of company accounts; forgery of a prospectus; falseness in statements or communications of the
audit company; obstructed control; fictitious capital formation; fraudulent restitution of contributions; etc.;
• (iv) as per Law no. 7 dated January 14, 2003, crimes committed for purposes of terrorism and subversion of the democratic
order;
• (v) as per Law no. 228 dated August 11, 2003, crimes against the fundamental rights of freedom (in Italian “reati contro
la personalità individuale”);
• (vi) as per Law no. 62 dated April 18, 2005, crimes relevant to “Market Abuse”;
• (vii) as per Law no. 123 dated August 3, 2007, crimes against the person (manslaughter and negligently causing serious or
very serious injuries), committed in violation of safe working practices and the protection of hygiene and health at work;
• (viii) as per Legislative Decree no. 231, art. 63 co. 3, dated November 21, 2007, crimes concerning receiving, laundering
and use of money, goods or benefits of unlawful origin;
• (ix) as per Law no. 94, dated July 15, 2009, crimes of organised crime;
• (x) as per Law no. 99, dated July 23, 2009, crimes against industry and trade and crimes of copyright
infringement;
• (xi) as per Law no. 116, dated August 3, 2009, inducement not to make statements or to make false statements to the
court.
Decree no. 231 is also known as “Italian Criminal Corporate Law”.
(Some) penalties anticipated by the Decree no. 231:
• Ban from business activity,
• Suspension or withdrawal of licenses and permits,
• Prohibition to contract with the State or Governmental agencies,
• Exclusion or revocation of financing and subsidies,
• Prohibition to advertise goods and services,
• Confiscation of profits,
• Fines of up to EUR 1.5 million.
Companies are not considered liable pursuant to Decree no. 231 if the following conditions
are met:
• 1. the individual(s) who committed the crime acted in their own exclusive interest or in the
interest of third parties not related to the company;
• 2. the managing body of the company has adopted and implemented a Compliance
Program suitable to prevent the misconduct sanctioned by the Decree no. 231;
• 3. an ad hoc internal body has been appointed by the management to oversee the
implementation and updating of the Compliance Program (“Compliance Officer”).
In regard to territorial application and jurisdiction, as stated above, Law 231 applies to Italian
legal entities, conducting their business in Italy and abroad (unless the State where the offense
occurred commences legal proceedings against them). Nonetheless, it could also entail liability
for foreign entities, due to the fact that under the Italian Criminal Code all crimes committed in
the territory of Italy are punishable under Italian law, even if they have been committed by a
foreign person or entity. As noted above, a crime is considered to have been committed in Italy
even when only the damage resulting from the criminal action was suffered in Italy.
The minimum requirements for the Compliance Program are:
• 1. identification of the Risk Areas, i.e. areas of activity of the company where
there is the possibility to commit the mentioned crimes;
• 2. identification of procedures for regulating the decision-making process in
Risk Areas, with respect to the crime prevention;
• 3. management of the financial resources for preventing the commission of
crimes provided for by the Decree no. 231;
• 4. obligations for each division of the company to inform and report to the
Compliance Officer;
• 5. disciplinary sanctions to be imposed on those who breach the measures and
procedures provided for by the Compliance Program.
The recent Italian Anti-Corruption Law imports new concepts and instruments into the Italian legal system for the prevention of the
crime of corruption.
This law expands the definition of the crime of corruption, increases penalties and strengthens requirements for transparency and
disclosure.
The law modifies the crimes of corruption as follows:
• (i) It expands the scope of the crime of corruption of public officials, since the crime is related not only to a specific lawful act but,
more generally, to the exercise of public functions and powers;
• (ii) It introduces new crimes:
– (a) the crime of “illicit trafficking in influence”, which punishes any private individual who profits from an existing
relationship with a public official, by giving or promising money or any other undue advantage, in consideration of the
illicit influence of the public official, or to reimburse the official for the commission of an act in breach of official duties, or
for the omission or the delay of an act which is due; and
– (b) the crime of “improper induction to give or promise an undue benefit”, which punishes both the official who induces
an individual to give or promise money or any other benefit, and the individual;
• (iii) It increases the penalties for certain crimes of public corruption (e.g. the crime of corruption in the exercise of public
functions is now punished with imprisonment from one to five years, increased from the previous law’s six months to three
years);
• (iv) It expands the scope of the crime of private corruption, including not only the individual potentially punishable, but also
persons working under the company’s senior management’s direction or control;
• (v) It extends the criminal liability of corporations pursuant to Italian Legislative Decree No. 231 of 2001 to (a) the crime of
inducing to give or promise money or any undue advantage, and (b) to the crime of private corruption.
Additionally, the new law introduces “white lists”, which are special lists of suppliers, providers of services and construction businesses
compliant with anti-mafia legislation and working in specific sectors that are particularly exposed to the risk of mafia infiltration (e.g. the
shipping of garbage). These white lists are to be drawn up and maintained by Italian Prefects.
INTERNATIONAL LEGISLATION
• UN Convention against Transnational Organized Crime and associated Protocols
• Brussels Convention on the Protection of Financial Interests of 26 July 1995
• Brussels Convention on the Fight Against Corruption Involving Officials of the European
Communities or Officials of Member States of the European Union of 26 May 1997
• OECD Convention on Combating Bribery of Foreign Public Officials in International
Business Transactions of 17 December 1997
• Sarbanes-Oxley Act (Pub.L. 107–204, 116 Stat. 745, enacted July 30, 2002), also known as
the “Public Company Accounting Reform and Investor Protection Act”
• US Foreign Corrupt Practices Act of 1977
INTERNAL MODEL IMPLEMENTATION AND CODE OF ETHICS
The Model is a set of rules, principles, provisions, organizational schemes and related duties and
responsibilities, necessary for the implementation and efficient management of the monitoring and
control system for sensitive activities, in order to prevent the commission, or attempted commission, of
offences by employees of the company.
COMPLIANCE COMMITTEE
• Oversees the effectiveness of the Model
• Promotes and contributes to model adoption, in collaboration with other business
functions by:
– updating and adjusting the Model
– supervising the system for the Model implementation
– ensuring the formulation of the supervision planning
– with the principles of the Model for the different business activities and
business lines
Introductory activities → Risk assessment → Gap analysis → Monitoring activities test → Reporting on findings → Follow up (gap closing)
INTRODUCTORY ACTIVITIES
Identification of sensitive activities, tailoring of the audit plan and related controls, collection of basic
documentation set (procedures, PoAs, organizational charts), draft of risk assessment and gap analysis,
audit kick off meeting
RISK ASSESSMENT
Confirmation of sensitive activities, evaluation (gap testing) of compliance of sensitive activities with
the Model, preparation of the risk assessment and gap analysis based on interviews with
the responsible persons, distribution of deliverables to the responsible persons for acceptance
GAP ANALYSIS and MONITORING ACTIVITIES TEST
Creation of the work plan for sensitive activities based on the risk assessment and gap analysis,
definition of the testing, collection of relevant audit trail documentation, testing control effectiveness,
sharing of findings with the responsible persons and the top management.
REPORTING ON FINDINGS
Report on identified gaps and creation of rating sent to top management and the Compliance
Committee
FOLLOW UP (GAP CLOSING)
Sending out request for the Action Plan with target date for implementation, follow up
activities and final results report sent out to the Compliance Committee
SENSITIVE ACTIVITIES:
• Terrorism and Money Laundering
• Rights of the Individual
• Transborder Crimes
• Corporate Crimes-Market Abuse
• Supply Management Chain Processes
• Health and Safety
• Public Administration
IMPACT:
• Negligible, Low, Moderate, Medium, High, Extremely high
LIKELIHOOD OF THE ACTIVITY FULFILLMENT, BASED ON FREQUENCY/VOLUME PER YEAR:
• Highly probable (>52)
• Probable (13-52)
• Moderate (5-12)
• Improbable (2-4)
• Unusual (1)
SAMPLING STRATEGY:
Overall population    Low Risk    Medium Risk    High Risk
1                     1           1              1
2-4                   2           2              2
5-12                  3           3              5
13-52                 10          15             20
53-360                20          30             40
>360                  30          45             60
It is acceptable that the scope of audit does not include sensitive activities managed by the principal, transactions with
related parties, commercial policies, investment authorizations and some other activities (charities, donations, JVs,
sponsorship, entertainment costs), cyber crimes, unlawful data processing, and private data protection.
The scope may omit crimes of manslaughter and non-intentional injuries arising from breach of applicable HSE laws
and practices, and environmental crimes.
CONTENTS
1. Background
2. Objectives and scope
3. Approach and limitations
4. Summary results
5. Risk assessment
6. Gap analysis
7. Rating of the internal control system
8. Annex 1: Analysis of PoAs
9. Annex 2: Reference documents
10. Annex 3: Acknowledgements
RATING SCALE OF THE INTERNAL CONTROL SYSTEM
1. Critical - Serious deficiencies, complex and long-lasting remedial actions required, management did not
identify deficiencies. Requires management follow up.
2. Lacking - Internal control system operational, significant deficiencies identified by the management but
resolution actions are not implemented. Requires management follow up.
3. Improvable - Sporadic deficiencies identified by the management and quickly resolved. Document follow up
is adequate.
4. Adequate - Marginal weaknesses, management monitors deficiencies in real time. Follow up during
next audit.
5. Optimized - Internal controls effective and efficient; real-time oversight of the control system on behalf of
the Management, follow up during next audit.
• Simplified approach common for all structured audit systems
• “1”-“5” rating oversimplified, even though details can be read from the audit report
• Audits are not repetitive by design but intermittent
• All documents in the sample are treated equally
• Focus tends to be on those activities in the sample for which it is easier to obtain an audit trail
• Findings tend to result in “over-organizing” of the corporate processes
• Audit is more focused on lower-level corporate functions
• Sampling issues – sample size: inadequate sampling and, more often, oversampling
• Sampling issues – sample structure: number of documents or total financial impact
• Overlapping with other audits: financial reports, ISO standards, Sarbanes-Oxley, internal audit