Pursuant to Section 243a (2) Austrian Commercial Code (Unternehmensgesetzbuch – UGB), Austrian companies whose shares are traded on a regulated market must describe the key features of their internal control and risk management system with regard to accounting procedures in their management reports.
Section 82 Austrian Stock Corporation Act (Aktiengesetz – AktG) requires the Management Board to establish a suitable internal control and risk management system for accounting procedures. The Management Board of voestalpine AG has adopted relevant guidelines that are binding on the entire Group. In line with the voestalpine Group’s decentralized structure, the local management of each Group company is obliged to establish and shape an internal control and risk management system for accounting procedures that meets the requirements of that individual company and ensures compliance with the relevant, existing Group-wide guidelines and regulations.
The entire process, from procurement to payment, is subject to strict and unified Group-wide guidelines that are designed to reduce the risks associated with the business processes to a minimum. These Group guidelines set forth measures and rules for avoiding risk, such as the strict separation of functions, signature authority rules and, particularly, signing powers for authorizing payments that apply only collectively and are limited to only a few persons (four-eyes principle).
In this context, control measures related to IT security are a cornerstone of the internal control system (ICS). Issuing IT authorizations restrictively supports the separation and/or segmentation of sensitive activities. The accounting in the individual Group companies is largely carried out using SAP software. The reliability of these SAP systems is guaranteed by automated business process controls that are built directly into the system as well as by other methods. Reports on critical authorizations and authorization conflicts are generated in an automated process.
To prepare the consolidated financial statements, the data pertaining to fully consolidated entities is transferred to the unified Group consolidation and reporting system. Group-wide accounting and valuation policies applicable to the recording, posting, and recognition of business transactions are governed by the voestalpine Consolidated Financial Statements Manual and are binding on all Group companies.
Automatic controls that are built into the consolidation and reporting system, for one, and numerous manual reviews, for another, have been put in place to avoid material misstatements to the greatest extent possible. These controls range from management reviews and discussions of income and expenses for each period to the specific reconciliation of accounts. voestalpine AG’s Controlling Manual contains a summarizing presentation of how the accounting system is organized.
The accounting and controlling departments of the individual Group companies submit monthly reports containing key performance indicators (KPIs) to their own managing directors and to the management boards of the respective divisions and, after approval, to the holding company’s Corporate Accounting & Reporting department to be aggregated, consolidated, and reported to the Group Management Board. Additional information, such as detailed target/performance comparisons, is prepared in a similar process as part of quarterly reporting. Quarterly reports are submitted to the supervisory board, board, or advisory board of the given Group company, and a consolidated report is submitted to the Supervisory Board of voestalpine AG.
Besides operational risks, the accounting system is also subject to Group risk management. In this context, possible accounting risks are analyzed on a regular basis, and measures to avoid them are taken. The focus is on those risks that are regarded as fundamental to the given company’s activities. Compliance with the ICS, including the required quality standards, is monitored on an ongoing basis through internal audits at the Group company level. Internal Audit works closely with the appropriate Management Board members and managing directors. It reports directly to the Chairman of the Management Board and submits reports periodically to the Management Board and, subsequently, to the Audit Committee of the Supervisory Board of voestalpine AG.