Internal control system designed throughout the Group aims to ensure:
One of the objectives of internal control procedures is to prevent and control risks of error and fraud, in particular in the accounting and financial areas. As for any internal control system, this mechanism can only provide reasonable assurance and not an absolute guarantee against these risks.
- compliance with applicable laws and regulations;
- application of instructions and directional guidelines settled by General Management;
- correct functioning of company’s internal processes particularly those implicating the safeguarding of its assets;
- reliability of financial information.
Components of the internal control system
The internal control system within Atos is a combination of closely related components that are detailed hereafter.
A - Organization / control environment
The organization, competencies, systems and policies (methods, procedures and practices) represent the ground layer of the internal control system and the fundamentals of the Group in the matter. The main components are presented in this section.
Matrix organization: The Company runs a matrix organization structure that combines Operational Management (Global / Specialized Business Units / Service Lines) and Functional Management (Sales and Markets and Support Functions). This constitutes a source of control with a dual view on all operations.
Roles and responsibilities have been updated in 2011 following the Siemens IT Services (SIS) acquisition, and organizations for the main Functions communicated to all employees.
Policies and procedures: The Group has designed and implemented over the last years several policies and procedures in order to establish common practices and standardised methods. Most of them have been renewed or reviewed in the SIS acquisition’s context to ensure they were still in line with organization’s objectives.
Process management: Along with the centralization of the Group Policies, Atos has created in 2011 a “Business Process and Organization Management” (BPOM) department focused on creating an Atos Business Process Center of Excellence (BPCOE) in coordination with business process owners and the functions related to Internal Control, Quality, security etc. The BPCOE community, supported by process analysts, is responsible for documenting existing and targeted business processes, including the supporting organization, KPIs, and internally and externally mandated compliance parameters.
Human Resource Management: The Group Human Resource management policy relies on the Global Capability Model (GCM) which is a standard for categorising jobs by experience and expertise across the Group. A Group Policy on bonus scheme completes this system by setting additional incentives.
Information Systems: Group Business Process and Internal IT department is in place to provide common internal IT infrastructures and applications for Atos staff worldwide. It supports functions like Finance (accounting and reporting applications), Human Resources (resourcing tool, corporate directory), Communication (Group websites and intranet) or Project Managers (capacity planning and project management).
Security and access to these infrastructures and applications as well as their reliability and performance are managed by this department and benefit from the core expertise and resources from the Group.
B - Communication of relevant and reliable information
Several processes are in place to ensure that relevant and reliable information is communicated within Atos.
The systematic holding of monthly reviews of operational performance by Service Line and Operational Entity organized under the responsibility of the Group Chief Financial Officer and in the presence of at least one of two Executive Vice Presidents. These sessions aim to review the results and operational forecasts, as well as the implementation and monitoring of action plans.
A shared ERP system is deployed and used in the main countries of the Group, enabling easier exchange of operational information.
It allows producing cross border reporting and analysis (cross border project analysis, customer profitability…) as well as business reports through different analytical axis (service line, geographical and market axis).
A deployment program has been initiated in 2011 to ensure timely migration of newly acquired entities to the Atos’ ERP.
Formal information reporting lines have been defined, following the operational and the functional structures. This formal reporting, based on standard formats, concerns both financial and non financial information. Communication of relevant information is also organized in the Group through several specialised escalation processes that define criteria to raise issues to the appropriate level of management, up to General Management. This covers a wide range of topics like operational risks (through Risk Management Committees), treasury (with Payment and Treasury Security Committee), or financial restructuring (Equity Committee).
This bottom-up communication is accompanied by top-down instructions, issued regularly, and especially for budgeting and financial reporting sessions.
Specialized committees have been initiated to exchange information and to follow-up initiatives on specific topics. Among others Quality, Security and Compliance committees have been regularly held with General Management and representatives of respective functions and their stakeholders.
A dedicated intranet portal is accessible to all Atos employees which facilitates the sharing of knowledge and issues raised by the Atos internal communities. This global knowledge management system promotes collaboration and allows efficient and effective information transfer.
C - System for risk management
Risk management refers to means deployed in Atos to identify, analyze and manage risks. Although risk management is part of a manager’s day to day decision making process, specific formal initiatives have been led concerning risk management:
The risk mapping has been reviewed in 2011 (four months after the acquisition of SIS), in order to identify and assess risks that may impact the objectives of the Group. The selected methodology involved the managers of the Group TOP 200 through workshops and questionnaires, to collect their perception of the main risks that may impact Atos’ objectives, their relative importance and mitigation effectiveness.
This assessment has covered potential risks related to our environment (stakeholders, natural disasters), the transformation & business development (evolution, culture, market positioning), our operations (clients, people, IT, processes) and the information used for decision making (financial and operational).
Results have been shared with General Management, to ensure that appropriate measures are deployed to manage the main risks, and presented to the Audit Committee.
The Risk Analysis (as detailed in the “Risks” section of the 2011 Annual Report) presents the Group’s vision of the main business risks, as well as the way those risks are managed. This includes the contracting of several insurance policies to cover primary insurable risks including the protection of Group assets (production sites and datacenters) and people. Operational risks on projects have been managed by the Risk Management function (including a Group Risk Management Committee who met monthly to review the most significant and challenging contracts. Risks related to logical or physical security are managed through a Security Organization coordinated at Group level. Control activities have also been implemented (through the Book of Internal Control), on the basis of main risks identified, as described next section related to “control activities”.
D - Control activities
Atos key control activities are described in the Book of Internal Control (BIC). This document, sent out to all entities by the General Management, complements the different procedures by addressing the key control objectives of each process to achieve a convenient level of internal control.
For each control objective, one or more control activities (including control activities’ description, evidences, owners and periodicity) have been identified in order to formalize Group’s expectations in terms of control.
The Book of Internal Control covers not only the financial processes, but also delivery processes (like contract management), support processes (including legal, purchasing, HR or IT) and some management processes (Mergers and Acquisitions):
An updated version of the Book of Internal Control has been released and communicated throughout the Group in January 2012, following SIS acquisition, in order to take into account additional controls and some improvements in various processes. This framework will continue to evolve, according to evolving maturity of processes and emerging risks.
A specific action has also been led with regards to “ISAE3402” reports.
A control framework has been defined, detailing control activities related to client service. This framework has been built on the basis of the ITGI model (IT Governance Institute’s publication titled IT Control Objectives for Sarbanes-Oxley, 2nd Edition).
E - Monitoring
Monitoring of internal control system includes the analysis of results of controls (identification and treatment of incidents) and the assessment of controls to ensure controls are relevant and appropriate with control objectives. This monitoring is the responsibility of the Group and Local Management, and is also supported by Internal Audit missions.
Internal Audit is responsible for assessing the functioning of the Internal Control system.
It has carried out reviews to ensure that the internal control procedures are properly applied and supported the development of internal control procedures. Internal Audit also defined, in partnership with Group and Local management, action plans for continuously improving internal control processes.
In 2011, Internal Audit carried out a total of 69 audit assignments assessing the functioning of internal control system: 43 in the domain of support functions (Finance, Human Resources, Purchasing) and 26 related to Operations/core business (mainly focus on Worldline activities). All assignments have been finalized by the issuance of an audit report including action plans to be implemented by the related division or country.
Internal audit has also actively contributed to help the business meeting the compliance requirements to maintain the “payment institution” status for Worldline Belgium. An annual assessment has therefore been included in the audit plan.
Internal control system players
The main bodies involved in the implementation of internal control procedures at Atos are as follows:
Outlook and related new procedures to be implemented
- Board of Directors supported by Audit Committee
- General management and Executive Committee
- Risk Management Committee
- Internal control & ERM
- Internal Audit
In 2012, financial, commercial and social development programs will pursue their effects to improve and streamline processes, with benefits for the Internal Control System.
Initiatives identified through the updated risk mapping will be monitored to ensure that proper attention is given to those topics.
The Internal Audit Department will pursue the internal review program initiated in 2011 and the follow-up of its recommendations. In line with the planned development of the internal control system of the Group, Internal Audit plans to pursue its focus on the implementation of the Book of Internal Control, especially in newly acquired locations, and on controls over operations.