2 RISK FACTORS AND INTERNAL CONTROL Internal control and risk management
Participants in internal control and risk management 3.4. Everyone in the Group has a part to play in risk management and internal control, from the governance bodies and senior management to the employees of each Group company.
INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM STAKEHOLDERS
Board of Directors / Audit Committee
2 ND LINE OF CONTROL
1 ST LINE OF CONTROL
3 RD LINE OF CONTROL
Departments Finance Industrial Human Resources Legal Sustainable Development and Corporate Responsibility
All entities All geographies All activities
- *) + " # " #) The internal control and risk management system is approved and overseen by Executive Management, thus at the Group’s highest level. As the top level of authority and responsibility for the internal control and risk management system, it monitors the system’s continuing effectiveness and takes any action required to remedy identified shortcomings and remain within acceptable risk tolerance thresholds. Executive Management ensures that all appropriate information is communicated in a timely manner to the Board of Directors and to the Audit Committee. * ) $"" )) $ ) $ ' $ ' )$'( The Group’s Audit Committee examines the main features of the internal control and risk management procedures selected and implemented by Executive Management to manage risks, including the organisation, roles and functions of the key actors, the approach, structure for reporting risks and monitoring the effectiveness of control systems. It has access to the elements necessary to reach an overall understanding of the procedures relating to the preparation and processing of accounting and financial information (presented in the following chapter). Each year, the Audit Committee reviews the results of the Group’s risk mapping exercise and holds regular meetings with the Internal Control Department to monitor the implementation and adaptation of the Group’s rules and the internal control process.
The Audit Committee also monitors the activity of the Internal Audit Department through the following actions: approval of the annual internal audit plan; p meeting with its Director once a year in the presence of the p Statutory Auditors, but without the presence of management; biannual review of the results of internal audit assignments and p follow-up on the implementation of action plans resulting from recommendations. Three lines of control In accordance with the AMF reference framework, the internal control and risk management system put in place by the Sopra Steria Group is structured around three lines of control, as presented below. First line of control: Front-line staff and operational p management The first line of control for the internal control and risk management system consists of: operational management, tasked with implementing the • system defined at Group level for the area under its responsibility. This line of control makes sure that the internal control rules and procedures are effectively implemented, fully understood and consistently applied within its scope of operations, the Group’s employees, who take due note of and apply all of • the rules set out within the organisation.