Report on the key features of the Group’s internal control and risk management system with regard to accounting procedures

      Pursuant to Section 243a (2) Austrian Commercial Code (Unternehmensgesetzbuch – UGB), Austrian companies whose shares are traded on a regulated market must describe the key features of their internal control and risk management system with regard to accounting procedures in their management reports.

      Section 82 Austrian Stock Corporation Act (Aktiengesetz – AktG) requires the Management Board to establish a suitable internal control and risk management system for accounting procedures. The Management Board of voestalpine AG has adopted relevant guidelines that are binding on the entire Group. In line with the voestalpine Group’s decentralized structure, the local management of each Group company is obliged to establish and shape an internal control and risk management system for accounting procedures that meets the requirements of that individual company and ensures compliance with the relevant, existing Group-wide guidelines and regulations.

      The entire process, from procurement to payment, is subject to strict and unified Group-wide guidelines that are designed to reduce the risks associated with the business processes to a minimum. These Group guidelines set forth measures and rules for avoiding risk, such as the strict separation of functions, signature authority rules, and, in particular, signing authorizations for payments that apply only collectively and are limited to only a few individuals (four-eyes principle). In this context, control measures related to IT security are a cornerstone of the internal control system (ICS). Issuing IT authorizations restrictively supports the separation and/or segmentation of sensitive activities. The accounting in the individual Group companies is largely carried out using SAP software. The reliability of these SAP systems is guaranteed by automated business process controls that are built into the system as well as by other methods. Reports on critical authorizations and authorization conflicts are generated in an automated process.

      To prepare the consolidated financial statements, the data pertaining to fully consolidated entities is transferred to the unified Group consolidation and reporting system. Group-wide accounting policies applicable to the recording, posting, and recognition of business transactions are governed by the voestalpine Consolidated Financial Statements Manual and are binding on all Group companies. Automatic controls built into the reporting and consolidation system, along with numerous manual reviews, have been put in place to avoid material misstatements to the greatest extent possible. These controls range from management reviews and discussions of the net profit/loss for the reporting period all the way to the specific reconciliation of accounts. voestalpine AG’s Controlling Manual contains a summarizing presentation of how the accounting system is organized. The accounting and controlling departments of the individual Group companies submit monthly reports containing key performance indicators (KPIs) to their own managing directors and to the management boards of the respective divisions and, upon approval, to the holding company’s Corporate Accounting & Reporting department to be aggregated, consolidated, and reported to the Group Management Board. Additional information, such as detailed target/performance comparisons, is prepared in a similar process as part of quarterly reporting. Quarterly reports are submitted to the supervisory board, board, or advisory board of the given Group company, and a consolidated report is submitted to the Supervisory Board of voestalpine AG.

      Besides operational risks, the accounting system is also subject to Group risk management. In this context, possible accounting risks are analyzed on a regular basis, and measures to avoid them are taken. The focus is on those risks that are regarded as fundamental to the given company’s activities. Compliance with the ICS, including the required quality standards, is monitored continuously by way of audits at the Group company level. Internal Audit works closely with the appropriate management board members and managing directors. It reports directly to the Chairman of the Management Board of voestalpine AG and submits reports periodically to the Group Management Board and, subsequently, to the Audit Committee of the Supervisory Board of voestalpine AG.