BIC - 2018 Registration document

RISKS

Risk management and internal control procedures implemented by the Company Risk management and internal control procedures

The Internal Control & Audit (IC&A) 2.4.3.4. Department The Internal Control and Audit Department reports operationally to the Group Finance Department and, on request, to the Leadership Team and the Chairman of the Board. This department reviews both financial and operational activities and expresses an independent assessment on the degree of compliance with the policies, rules and procedures of the BIC Group. The IC&A Department focuses on: business cycle and process reviews (such as sales and ● collection, purchasing and disbursements, fixed assets, inventories, payroll, cash management and accounting entry processing) at both subsidiary and Corporate level; testing of the controls in place to ensure their effectiveness ● and efficiency; coordination with functional managers for the continuous ● updating of the Controller’s Manual; issuance of guidance and recommendations for improvement ● to existing processes, including the sharing of Group best practices. This department also provides assistance on timely and specific engagements, such as external acquisition or internal restructuring operations. The Internal Control and Audit Department provides assistance on fraud prevention, awareness and also investigations on reported fraud cases within the BIC Group. The approach of the IC&A Department also includes Group information systems through reviews of IT (Information Technology) accesses and business continuity procedures. Twice a year, the IC&A Department presents the audit schedule to the External Auditors, provides updates and shares the reports resulting from site reviews. In addition, the IC&A Department coordinates site reviews with Group Finance and the External Auditors to ensure coverage of any specific areas. IC&A Department’s activities in 2018 a) A multi-year audit rotation schedule is in place to ensure that all sites and key processes are reviewed on average every three years. The 2018 schedule led the IC&A Department to perform 8 audits, in manufacturing and distribution entities, combining initial and follow-up visits. These audits were carried out in accordance with the methodology and procedures set by the IC&A Department, including in particular: performance of tests (walkthroughs and detailed testing) and ● interviews with the contributors of the cycles reviewed on a risk based approach; the issuance of a report after the audit, which lists ● recommendations for improvements to be considered by the

site/department, in accordance with a precise action plan and deadlines. The IC&A report is an excellent communication tool and plays an important role in the continuous improvement of controls within the Group. No significant issue was identified further to these reviews. The recommendations issued in the audit reports highlighted improvements required to certain controls to improve their effectiveness. Local Management has shared its response to these recommendations and proposed action plans, together with the related implementation dates and the responsibility for their execution. These implementations have been checked during follow-up visits performed by the IC&A Department. Furthermore, quarterly follow-up of action plans progress contributes to an efficient monitoring of the recommendations implementation related to significant audit issues. Dashboards are communicated quarterly to the representatives of the continents and categories. Finally, best practices in terms of internal control noted while performing these reviews are communicated and shared within the Group. If necessary, the General Manager of the subsidiary provides details of non-significant weaknesses for which corrective actions will be implemented the following year. These actions should ensure that reasonable confidence can be placed on the achievement of operational goals, the reliability of financial information reported and compliance with relevant laws and regulations in force. The IC&A Department collects the data provided by the subsidiaries and performs analyses to enhance the risk-based approach in the determination of the annual audit plan and the performance of audit work. The results will be shared with Group Statutory Auditors and the Audit Committee. A summary of the work performed by the IC&A Department during the year is presented to the Leadership Team, Audit Committee and Board of Directors. The analysis includes a summary of the main audit findings and recommendations as well as a summary of the risk analysis and action plans implementation progress. Perspectives and Action Plan for 2019 b) The IC&A Department will continue to focus on processes and efficiency improvements, testing of operational effectiveness of key controls and enhancing the overall review process. The annual audit schedule, prepared by the IC&A Department and validated by the Audit Committee and the Leadership Team, meets the multi-year rotation principle for site and processes reviews. Finally, the IC&A Department will maintain its coordination role for the continuous improvement of Group procedures and will continue to be involved in the risk management approach. The Risk Management Department 2.4.3.5. The Risk Management Department collects, analyzes and ranks the external and internal arising risks that could have an impact on the Group. It coordinates the risk monitoring in agreement with the Leadership Team.

59

• BIC GROUP - 2018 REGISTRATION DOCUMENT •