In accordance with Sec. 243a (2) of the Austrian Commercial Code (Unternehmensgesetzbuch, UGB) as amended by the Austrian Company Law Amendment Act of 2008 (Unternehmensrechts-Änderungsgesetz, URÄG), companies whose shares are traded on the regulated markets must describe the key features of their internal control and risk management system with regard to accounting procedures in their management reports.
It is the responsibility of the Management Board to establish a suitable internal control and risk management system for accounting procedures pursuant to Sec. 82 of the Austrian Stock Corporation Act (Aktiengesetz, AktG). Therefore, the Management Board has adopted guidelines that are binding for the entire Group.
In line with the decentralized structure of the voestalpine Group, the local management of each Group company is obligated to establish and refine an internal control and risk management system for accounting procedures that meets the requirements of that individual company and ensures compliance with existing Group-wide guidelines and regulations.
The entire process, from procurement to payment, is subject to strict Group guidelines that are designed to avoid the risks associated with the business processes. These Group guidelines set forth measures and rules for avoiding risk, such as, the separation of functions, signature authority rules, and signatory powers for authorizing payments that apply only collectively and are limited to only a few persons (four-eyes principle).
In this context, control measures for IT security constitute a cornerstone of the internal control system. Thus, the separation of sensitive activities is supported by restrictiveness in the assignment of IT authorizations. Accounting in the respective Group companies is largely performed using SAP software. The functioning and effectiveness of this accounting system is also assured, among other ways, by automated IT controls installed in the system.
In preparing the consolidated financial statements, the data for fully consolidated or proportionately consolidated entities is transferred to the unified Group consolidation and reporting system.
The unified Group accounting policies for recording, posting, and recognition of commercial transactions are regulated in the voestalpine consolidated financial statements handbook and are binding for all Group companies concerned.
Automatic controls built into the consolidation and reporting system, together with numerous manual controls, are implemented in order to avoid material misstatements. These controls extend from management reviews of income and expenses for each period through to the specific reconciliation of accounts.
The form in which the Group reports its accounting processes is summarized in the controlling handbook of voestalpine AG.
The accounting and controlling departments of the individual Group companies submit monthly reports with key performance indicators (KPI) to their own Management Boards and managing directors, and, after approval, to Corporate Accounting & Reporting to be aggregated, consolidated, and reported to the Group Management Board. Quarterly reports include additional information, such as detailed target-performance comparisons, and follow a similar process. Quarterly reports are submitted to the Supervisory or Advisory Board of each Group company and a consolidated report is submitted to the Supervisory Board of voestalpine AG.
As with operational risks, accounting procedures are also subject to risk management. Potential accounting risks are regularly surveyed and avoidance measures implemented. The focus is placed on those risks that are regarded as fundamental to the activities of that company.
Compliance with the internal control system and its quality is monitored on an ongoing basis in the form of audits at the Group company level. The Internal Audit department works closely with the responsible management board members and managing directors; it reports directly to the CEO and submits reports periodically to the Management Board of voestalpine AG and subsequently to the Audit Committee of the Supervisory Board.
The control systems of each company division are also subject to audit procedures by the auditor within the scope of preparation of the annual financial statements to the extent that these control systems are relevant to the preparation of the Group’s consolidated financial statements and to a true and fair view of the Group’s financial position.