Home / Investors / The Group / Internal Control

Internal Control

Internal control system designed throughout the Group aims to ensure: compliance with applicable laws and regulations; application of instructions and directional guidelines settled by General Management; correct functioning of company’s internal processes particularly those implicating the safeguarding of its assets; reliability of financial information. One of the objectives of internal control procedures is to prevent and control risks of error and fraud, in particular in the accounting and financial areas. As for any internal control system, this mechanism can only provide reasonable assurance and in no event gives an absolute guarantee against these risks. Organization / control environment The organisation, competencies, systems and policies (methods, procedures and practices) represent the ground layer of the internal control system and the fundamentals of the Group in the matter. Matrix organisation: The Company runs a matrix organisation structure that combines Operational Management (Countries) and Functional Management (service lines, sales and markets and support functions). This constitutes a source of control with a dual view on all operations. Responsibilities and powers: Specific attention has been paid to ensure that the right people are granted the appropriate responsibilities and powers, especially through the following initiatives: Delegation of Authority: A formal policy sets out the authorisation of officers of subsidiaries to incur legal commitments on behalf of the Group with clients, suppliers and other third parties. The intention of these rules is to ensure efficient and effective management control from the country level to General Management level. The delegation of authority policy was rolled-out under the supervision of the Group Legal department. Segregation of Duties: Updated rules for segregation of duties have been implemented in the organisation. A program is managed to follow-up the improvement of segregation of duties, including functional review of segregation of duties and review of procedures for profiles attribution. Tooling has been used to perform automatic assessments of those rules in the systems. Policies and procedures: The Group has designed and implemented over the last years several policies and procedures in order to establish common practices and standardised methods. These policies and procedures are reviewed when necessary to be in line with the objectives of the Group. Human Resource Management: A Group Human Resource management policy has been designed through the Global Capability Model (GCM) which is a standard for categorising jobs by experience and expertise across the Group. It helps employees in to be aware of their responsibility through job description; it helps managers in recruitment and rewarding; and it helps the Operations in resourcing and budgeting. A Group Policy on bonus scheme completes this organisation by setting additional incentives. Information Systems: Group Business Process and Internal IT department is in place to provide common internal IT infrastructures and applications for Atos staff worldwide. It supports functions like Finance (accounting and reporting applications), Human Resources (resourcing tool, corporate directory), Communication (Group websites and intranet) or Project Managers (capacity planning and project management). Security and access to these infrastructures and applications as well as their reliability and performance are managed by this department and benefit from the core expertise and resources from the Group. Communication of relevant and reliable information Several processes are in place to ensure that relevant and reliable information is communicated on a timely manner to relevant players within Atos. A shared ERP system is deployed and used in the main countries of the Group, enabling easier exchange of operational information. It allows producing cross border reporting and analysis (cross border project analysis, customer profitability…) as well as business reports through different analytical axis (service line, geographical and market axis). Formal information reporting lines have been defined, following the operational and the functional structures. This formal reporting, based on standard formats, concerns both financial and non financial information. Communication of relevant information is also organized in the Group through several specialised escalation processes that define criteria to raise issues to the appropriate level of management, up to General Management for the most important ones. This covers a wide range of topics like operational risks (through Risk Management Committees), treasury (with Payment and Treasury Security Committee), or financial restructuring (Equity Committee). This bottom-up communication is accompanied by top-down instructions, issued regularly, and especially for budgeting and financial reporting sessions. A dedicated intranet portal is accessible to all employees which facilitates the sharing of knowledge and issues raised by the Atos internal communities. This global knowledge management system promotes collaboration and allows efficient and effective information transfer. System for risk management Risk management refers to means deployed in Atos to identify, analyse and manage risks. Although risk management is part of a manager’s day to day decision making process, specific formal initiatives have been led concerning risk management: The risk mapping has been updated in 2010, in order to identify and assess risks that may impact the objectives of the Group. The selected methodology involved the managers of the Group TOP 400 through interviews and questionnaires, to collect their perception of the main risks that may impact Atos objectives, their potential impact and likelihood. This assessment has covered potential risks related to our environment (stakeholders, natural disasters), the transformation & business development (evolution, culture, market positioning), our operations (clients, people, IT, processes) and the information used for decision making (financial and operational). Results have been shared with General Management, to ensure that appropriate measures are deployed to manage the main risks, and presented to the Audit Committee. The Risk Analysis presents the Group’s vision of the main business risks, as well as the way those risks are managed. This includes the contracting of several insurance policies to cover primary insurable risks including the protection of Group assets (production sites and datacenters) and people. Operational risks on projects have been managed by the Risk Management function (including a Group Risk Management Committee who met monthly to review the most significant and challenging contracts. Risks related to logical or physical security are managed through a Security Organization coordinated at Group level. Control activities have also been implemented (through the Book of Internal Control), on the basis of main risks identified, as described next section related to “control activities”. Control activities Atos’ key control activities are described in the Book of Internal Control (BIC). This document, sent out to all entities by the General Management, complements the different procedures by addressing the key control objectives of each process to achieve a convenient level of internal control. For each control objective, one or more control activities (including control activities’ description, evidences, owners and periodicity) have been identified in order to formalize Group’s expectations in terms of control. The Book of Internal Control covers not only the financial processes, but also delivery processes (like contract management), support processes (including legal, purchasing, HR or IT) and some management processes (Mergers and Acquisitions). A new version of the Book of Internal Control has been communicated throughout the Group in August 2009 in order to take into account some improvements in terms of content and layout. This framework will continue to evolve, according to evolving maturity of processes and emerging risks. A specific action has also been led with regards to “SAS70” reports . A control framework has been defined, detailing control activities related to client service. This framework has been built on the basis of the ITGI model (IT Governance Institute’s publication titled IT Control Objectives for Sarbanes-Oxley, 2nd Edition). Monitoring Monitoring of internal control system includes the analysis of results of controls (identification and treatment of incidents) and the assessment of controls to ensure controls are relevant and appropriate with control objectives. This monitoring is the responsibility of the Group and Local Management, and is also supported by Internal Audit missions. Internal Audit has been responsible to assess the functioning of internal control system. Internal Audit has carried out reviews to ensure that the internal control procedures are properly applied and supported the development of internal control procedures. Internal Audit also defined, in partnership with Group and Local management, action plans for continuously improving internal control processes. In 2010, Internal Audit carried out a total of 87 audit assignments assessing the functioning of internal control system: 53 in the domain of support functions (Finance, Human Resources, Purchasing and Internal IT) and 34 related to Operations/core business (mainly focus on Worldline activities). All assignments have been finalised by the issuance of an audit report including action plans to be implemented by the related division or country. Internal audit has also actively contributed to help the business meeting the compliance requirements to obtain the “payment institution” status for Worldline Belgium. Systems related to accounting and financial information Processes contributing to the accounting and financial information, referred as “financial processes”, are in line with the internal control system of Atos, and are subject to specific attention due to their sensitivity. Local and Group financial organisation The financial processes have relied on finance teams in each country. Country CFOs had a dual reporting to local management and to Group CFO until February 2009. Since this date, country CFOs have a direct reporting line exclusively to Group CFO. Direct reporting to Group Function, as for the other support functions, reinforces the integration of the financial function and contributes to the full alignment of key processes and provides an appropriate support to operational entities of the Group. Piloting was ensured by Group CFO assisted by the Group Finance Executive Committee that included main country chief financial officers and Group Finance functions. This committee met on a regular basis and was in charge of the overall monitoring of the process of preparation of the financial information. Significant accounting issues, as well as potential internal control deficiencies, were reported to this committee, which decided corrective actions to be carried out. Group Finance Department was in charge of piloting the financial processes, especially through the financial consolidation, the monitoring of compliance matters, the supply of expertise and the control of the reported financial information. In 2010, the Financial System Alignment initiative has been pursued to reinforce alignment between countries in terms of indicators and processes, as well as to streamline IT tools and reporting demand. Group finance policies & procedures Group Finance has drawn up a number of Group policies and procedures to control how financial information is processed in the subsidiaries. These policies and procedures were discussed with the statutory auditors before issuance and included the following main elements: Financial accounting policies include a Group reporting and accounting principles handbook applicable to the preparation of financial information, including off-balance sheet items. The handbook sets out how financial information must be prepared, with common presentation and valuation standards. It also specifies the accounting principles to be implemented by Atos entities in order to prepare budget, forecast and actual financial reporting required for Group consolidation purposes. Group reporting definitions and internal guidelines for IFRS, and particularly accounting rules applicable in the Operations, are regularly updated. An IFRS knowledge center is in place at Group level to assist and support local operations. Training and information sessions are organised regularly in order to circulate these policies and procedures within the Group. A dedicated intranet site is accessible to all accounting staff, which facilitates the sharing of knowledge and issues raised by members of the Atos financial community. Instructions and timetable: Financial reporting including budget, forecast and financial information by subsidiary is carried out in a standard format and within a timetable defined by specific instructions and procedures. Group Finance liaised with statutory auditors to coordinate the annual and half-year closing process. Information systems Information systems have played a key role in the control system related to the accounting and financial information, as they have both strongly structured the processes and provided automated preventive controls, but have also provided monitoring and analysis capabilities. An integrated ERP system has supported the production of accounting and financial information in the main countries. A unified reporting and consolidation tool has been used since the beginning of 2007 for financial information (operational reporting and statutory figures). Each subsidiary reported its financial statements on a standalone basis in order to be consolidated at Group level. There was no intermediary consolidation level and all accounting entries linked to the consolidation remain under the direct control of Group Finance. Off balance sheet commitments were reported as part of the mainstream financial information and are examined by Group Finance. Monitoring and control In addition to the financial processes defined, monitoring and control processes have aimed to ensure that accounting and financial information complies with rules and instructions. The Closing File (included in the Book of Internal Control) is deployed at local level since 2008. It was required for each subsidiary to elaborate on a quarterly basis, a standard closing file formalising key internal controls performed over financial cycles and supporting closing positions. Functional reviews were performed by Group financial support functions on significant matters relating to financial reporting, such as tax issues, pensions, litigations, off balance sheet items or business performance and forecast. Operational and financial reviews: Group controlling is supporting Operations and General Management in the decision making process through monthly reviews and by establishing a strong link with country management in financial analysis & monitoring, enhancing control & predictability of operations and improving the accuracy & reliability of information reported to the Group; Representation letters: During the annual and half-year accounts preparation, the management and financial head of each subsidiary was required to certify in writing: they have complied with the Group's accounting rules and policies; they are not aware of cases of proven or potential fraud that may have an impact on the financial statements; the estimated amounts resulting from the assumptions made by management enable the Company to execute the corresponding actions and that, to the best of their knowledge, there was, no major deficiency in the control systems in place within their respective subsidiary. Internal Audit Department: The review of the internal control procedures linked to the processing of financial information was a component of the reviews conducted by the Internal Audit Department. The Internal Audit Department worked together with Group Finance to identify the main risks and to focus its audit plan consequently as effectively as possible. Internal control system players The main bodies involved in the implementation of internal control procedures at Atos are as follows: Board of Directors supported by Audit Committee General management and Executive Committee  Risk Management Committee  Internal control Internal Audit Outlook and related new procedures to be implemented In 2011, the Top Program, as largely detailed, will pursue its effects to improve and streamline processes, with benefits for the Internal Control System. Initiatives identified through the updated risk mapping will be monitored to ensure that proper attention is given to those topics. The Internal Audit Department will pursue the internal review programme initiated in 2010. In line with the planned development of the internal control system of the Group, Internal Audit plans to pursue its focus on the implementation of the Book of Internal Control and Top program. In parallel with the continuation of the self-assessment process on financial internal controls, the Internal Audit team will continue to reinforce control and verification of financial information.