In accordance with § 243a (2) of the Austrian Commercial Code (Unternehmensgesetzbuch – UGB) as amended by the Austrian Company Law Amendment Act of 2008 (URÄG 2008), companies whose shares are traded on the regulated markets must describe in their management reports the key features of their internal control and risk management system with respect to accounting procedures.
It is the responsibility of the Management Board to establish a suitable internal control and risk management system for accounting procedures pursuant to § 82 of the Austrian Stock Corporation Act (Aktiengesetz – AktG). For that purpose, the Management Board has passed guidelines which are binding for the whole Group.
In line with the decentralized structure of the voestalpine Group, the local management of each Group company is obliged to establish and design an internal control and risk management system for accounting procedures which meets the demands of that individual company and ensures adherence to existing Group-wide guidelines and regulations.
The entire procedure, from procurement to settlement, is subject to strict Group guidelines which are designed to avoid the risks associated with the business processes. These Group guidelines set out measures and regulations for avoiding risk. They include, for example, the separation of functions, signatory systems, and the authority to sign for settlements which is exclusively collective and limited to only a few persons (“four eyes” principle).
In this context, control measures for IT security constitute a cornerstone of the internal control system. The separation of sensitive activities is supported through the restrictive issuing of IT authorizations. Accounting at each Group company is basically effected using SAP software. The operational capability of this accounting system is also guaranteed by automatic IT controls, amongst others, in the system.
In preparing the consolidated financial statements, the data for fully consolidated or proportionately consolidated entities is transferred to the unified Group consolidation and reporting system.
The unified Group accounting policies for recording, booking, and balancing commercial transactions are regulated by the voestalpine consolidated financial statements handbook and are binding for all Group companies concerned. Automatic controls built into the reporting and consolidation system, together with numerous manual controls, are implemented in order to avoid material misstatements. These controls extend from management reviews of income and expenses for each period through to the specific reconciliation of accounts.
The form in which the Group reports its accounting processes is summarized in the voestalpine controlling handbook.
The accounting and controlling departments at each Group company submit monthly reports with Key Performance Indicators (KPIs) to their own managing directors and management board members, and, after authorization, to Corporate Accounting & Reporting. Here these reports are summarized, consolidated, and reported to the Group Management Board. Quarterly reports include additional information such as detailed target-performance comparisons and are dealt with in a similar manner. Quarterly reports are submitted to the supervisory or advisory board of each Group company and a consolidated report is submitted to the Supervisory Board of voestalpine AG.
As with operative risks, accounting procedures are also subject to risk management. Potential accounting risks are regularly surveyed and avoidance measures implemented. The focus is placed on those risks which are regarded as fundamental to the activities of that company. Compliance with the internal control system and its quality is monitored on an ongoing basis in the form of audits at Group company level. The Internal Audit department works closely with the responsible management board members and managing directors. The Internal Audit department reports directly to the CEO and submits reports periodically to the Management Board of voestalpine AG and subsequently to the Audit Committee of the Supervisory Board.
The control systems of each company division are also subject to control by the auditor as part of the annual financial statements where these controls are relevant to the preparation of the Group’s consolidated financial statements and to the fair presentation of the Group’s financial statements.