In accordance with Section 243a (2) of the Austrian Commercial Code (Unternehmensgesetzbuch, UGB) as amended by the Austrian Company Law Amendment Act of 2008 (Unternehmensrechts-Änderungsgesetz, URÄG), companies whose shares are traded on the regulated markets must describe the key features of their internal control and risk management system with regard to accounting procedures in their management reports.
It is the responsibility of the Management Board to establish a suitable internal control and risk management system for accounting procedures pursuant to Section 82 of the Austrian Stock Corporation Act (Aktiengesetz, AktG). Therefore, the Management Board of voestalpine AG has adopted guidelines that are binding for the entire Group.
In line with the decentralized structure of the voestalpine Group, the local management of each Group company is obligated to establish and refine an internal control and risk management system for accounting procedures that meets the requirements of that individual company and ensures compliance with existing Group-wide guidelines and regulations.
The entire process, from procurement to payment, is subject to strict and unified Group-wide guidelines that are designed to reduce the risks associated with the business processes to a minimum. These Group guidelines set forth measures and rules for avoiding risk, such as the separation of functions, signature authority rules, and, in particular, signatory powers for authorizing payments that apply only collectively and are limited to only a few persons (four-eyes principle).
In this context, control measures for IT security constitute a cornerstone of the internal control system. Issuing IT authorizations restrictively supports the separation and/or segmentation of sensitive activities. Accounting in the individual Group companies is largely performed using SAP software. The reliability of these SAP systems is guaranteed by automated business process controls that are built into the system as well as by other methods. Reports about critical authorizations and authorization conflicts are generated automatically.
In preparing the consolidated financial statements, the data for fully consolidated entities is transferred to the unified Group consolidation and reporting system.
The unified Group accounting policies for recording, posting, and recognition of commercial transactions are regulated in the voestalpine consolidated financial statements handbook and are binding for all Group companies.
Automatic controls built into the reporting and consolidation system on the one hand, and numerous manual reviews on the other, are implemented in order to avoid material misstatements to the greatest extent possible. These controls extend from management reviews and discussions of income and expenses for each period through to the specific reconciliation of accounts. The summarizing presentation of how the Group reports its accounting processes is provided in the voestalpine AG controlling handbook.
The accounting and controlling departments of the individual Group companies submit monthly reports with key performance indicators (KPIs) to their own managing directors and heads of the divisions, and, after approval, to the holding division Corporate Accounting & Reporting to be aggregated, consolidated, and reported to the Group Management Board. Quarterly reports include additional information, such as detailed target-performance comparisons, and follow a similar process. Quarterly reports are submitted to the Supervisory Board, Board, or Advisory Board of each Group company and a consolidated report is submitted to the Supervisory Board of voestalpine AG.
As with operational risks, accounting procedures are also subject to Group risk management. In this context, possible risks regarding accounting are analyzed on a regular basis, and measures to avoid them are taken. The focus is placed on those risks that are regarded as fundamental to the activities of that company.
Compliance with the internal control system, including the required quality standards, is monitored on an ongoing basis in the form of audits at the Group company level. The Internal Audit department works closely with the responsible Management Board members and managing directors. The Internal Audit department reports directly to the CEO and submits reports periodically to the Management Board and, subsequently, to the Audit Committee of the Supervisory Board of voestalpine AG.
The control systems and their Group-wide implementation are also subject to audit procedures by the auditor within the scope of preparation of the annual financial statements to the extent that these control systems are relevant to the preparation of the Group’s consolidated financial statements and to a true and fair view of the Group’s financial position.