Pursuant to Section 243a (2) Austrian Commercial Code (Unternehmensgesetzbuch – UGB), Austrian companies whose shares are traded on a regulated market must describe the key features of their internal control and risk management system with regard to accounting procedures in their management reports.
Section 82 of the Austrian Stock Corporation Act (Aktiengesetz – AktG) requires the Management Board to establish a suitable internal control and risk management system for accounting procedures. The Management Board of voestalpine AG thus has adopted guidelines that are binding on the entire Group. In line with the decentralized structure of the voestalpine Group, the local management of each Group company is obligated to establish and refine an internal control and risk management system for accounting procedures that meets the given entity’s requirements; the management must also comply with existing Group-wide guidelines and regulations.
The entire process, from procurement to payment, is subject to strict Group-wide guidelines that are designed to reduce the risks associated with the business processes to a minimum. These Group guidelines set forth measures and rules for avoiding risk, such as the separation of functions, signature authority rules and, particularly, signing powers for authorizing payments that apply only collectively and are limited to only a few persons (four-eyes principle).
In this context, control measures related to IT security are a cornerstone of the internal control system (ICS). Issuing IT authorizations restrictively supports the separation and/or segmentation of sensitive activities. The accounting in the individual Group companies is largely carried out using the SAP software. The reliability of these SAP systems is guaranteed by automated business process controls that are built into the system as well as by other methods. Reports about critical authorizations and authorization conflicts are generated automatically.
In preparing the consolidated financial statements, the data regarding fully consolidated entities is transferred to the Group-wide consolidation and reporting system.
The Group-wide accounting policies for the recording, posting, and recognition of commercial transactions are regulated by the voestalpine Consolidated Financial Statements Handbook and are binding on all Group companies.
On the one hand, automatic controls built into the consolidation and reporting system, together with numerous manual reviews on the other, are implemented in order to avoid material misstatements to the greatest extent possible. These controls range from management reviews and discussions of income and expenses for each period to the specific reconciliation of accounts. The summarizing presentation of how the Group reports its accounting processes is provided in the voestalpine AG Controlling Handbook.
The accounting and controlling departments of the individual Group companies submit monthly reports containing key performance indicators (KPIs) to their own managing directors and to the management boards of the divisions, and, after approval, to the holding company’s Corporate Accounting & Reporting department to be aggregated, consolidated, and reported to the Group Management Board. Quarterly reports include additional information, such as detailed target/performance comparisons, and follow a similar process. Quarterly reports are submitted to the Supervisory Board, Management Board, or Advisory Board of each Group company, and a consolidated report is submitted to the Supervisory Board of voestalpine AG.
In this context, possible accounting risks are analyzed on a regular basis, and measures to avoid them are taken. The focus is placed on those risks that are regarded as fundamental to the activities of that company. Compliance with the ICS, including the required quality standards, is monitored on an ongoing basis through internal audits at the Group company level. Internal Audit works closely with the responsible Management Board members and managing directors. It reports directly to the CEO and submits reports periodically to the Management Board and, subsequently, to the Audit Committee of the Supervisory Board of voestalpine AG.