ASSYSTEM_Registration_Document_2017

MANAGEMENT REPORT

INTERNAL CONTROL AND RISK MANAGEMENT PROCEDURES PUT IN PLACE BY THE COMPANY RELATING TO THE PREPARATION AND PROCESSING OF ACCOUNTING AND FINANCIAL INFORMATION

Magnitude

Monetary impact on operating profit

Very low

Less than €0.5m

Low

Between €0.5m and €1m Between €1m and €2m Between €2m and €5m

Medium

High

Very high

Over €5m

PROBABILITY The probability of risks occurring is measured by reference to the past occurrence of comparable and/or similar events, according to the following scale:

Extent

Occurrence of comparable/similar events in the past

Improbable (less than 5%)

Never occurred in the past 5 years

Unlikely (between 5% and 15%) Possible (between 15% and 30%) Very possible (between 30% and 90%)

Occurred once or twice in the past 5 years Occurred once a year in the past 5 years

3

Occurred more than once a year in the past 5 years

Certain (over 90%)

The risk is the result of non-compliance

The controls performed cover each contract phase:

The various risks thus assessed are positioned on a map with two axes (impact and probability), which is then used to rank them as follows: ● High probability/significant impact: priority risks which require attention and monitoring by the Board of Directors. These risks are placed under the direct responsibility of one or more members of the Board of Directors, who are tasked with ensuring that a related action plan is in place and that the resulting measures taken effectively reduce the level of risk. ● High probability/low to medium impact: risks requiring that the Board of Directors is regularly informed in order to provide it with a reasonable assurance of the proper functioning of controls aimed at reducing the possibility of the risks occurring. ● Low to medium probability/low to medium impact: risks requiring that the Board of Directors is regularly informed in order to provide it with reasonable assurance of the proper functioning of controls aimed at mitigating the impact in the event that the risks occur. ● Low probability/low impact: non-priority risks requiring that the Board of Directors is periodically informed in order to provide it with reasonable assurance of the proper functioning of controls aimed at containing the risks in this category or completely eliminating them. 3.8.3.4 Control activities in line with objectives In view of the Group's high degree of decentralisation and its policy of delegating powers and responsibilities, the scope of the controls implemented is defined by each subsidiary's management team based on the Group's underlying internal control framework. The main purpose of the controls performed is to reduce the major risks to which the Group is exposed. The principal categories of control activities cover the following areas: ● Contract authorisation: the Group has established delegation principles which give the appropriate managers the necessary powers to authorise contracts.

● selection of invitations to tender,

submission of bids,

●

● definition of billing rates and pricing,

contract riders;

●

● Contract review: the Legal Affairs Department conducts an independent review of major contracts before they enter into force. In particular, the Legal Affairs Department is responsible for defining the general terms and conditions of services, which are stated on client invoices. ● Time management and billing: each subsidiary verifies the time entered into the applications used for this purpose. The controls carried out ensure that time is correctly allocated to ongoing projects and also trigger client invoicing. ● Payments: the Group has introduced a dual signature policy for means of payment. In line with this policy, the Company defines thresholds for the authorisation of subsidiaries' expenses based on categories of authorised signatories. The secure bank messaging system, “swaps”, is used to ensure that the policy is respected. In order to reinforce the supervision and control of certain geographically distanced subsidiaries, the Group Treasury Department receives details of monthly expenses incurred and carries out ex-post controls on these expenses. ● Budget and budget adjustments: each subsidiary presents the budget that it has drawn up for the current financial year to the members of the executive management team who authorise budgets. The same procedure applies to budget adjustments that are made during the year. ● Periodic results and reporting: periodic results are reported every month via the reporting and consolidation application (LINK). The Group Finance Department conducts a critical review of these results and obtains any further information that it may require from the relevant subsidiaries. The Group also places particular importance on the appropriate segregation of tasks in order to strengthen the controls undertaken in relation to critical transactions, particularly payments.

51

ASSYSTEM

REGISTRATION DOCUMENT 2017