WORLDLINE_REGISTRATION_DOCUMENT_2017

Risk Factors [GRI 102-15] and [GRI 102-11] Internal Control [GRI 102-16] [GRI 102-17] [GRI 102-25] [GRI 102-33] [GRI 102-34] [GRI 103 Socioeconomic compliance]

Formal information reporting lines have been defined, following the operational and the functional structures. This formal link, based on standard formats, concerns both financial and non-financial information. The Group participates in the various committees set up by the Atos group, such as those for operational risks (through Risk Management Committees), treasury (with the Payments and Treasury Security Committee), or financial restructuring (Equity Committee). This information escalation is accompanied by top-down instructions, issued regularly, especially for budgeting and financial reporting sessions.

C – System for risk management

Risk management refers to the means deployed in Worldline to identify, analyze and manage risks. Although risk management is part of a manager’s day-to-day decision-making process, specific formal initiatives have been undertaken concerning risk management, as described in Section F.5, “Risk management activities” of this document.

Risk management activities include a yearly Enterprise risk management (ERM) assessment, identifying the key challenges that may impact the Company. The ERM methodology is also used to perform the Legal and Compliance Risk Mapping. Operational risks on projects are managed by the risk management function (including a Group Risk Management Committee which meets monthly to review the most significant and challenging contracts). The same process has been reproduced for R&D projects with a dedicated organization. Risks related to logical or physical security are managed by the Security Function and coordinated at Group level.

All risk management activities include an assessment of the key risks and a regular follow-up of mitigation actions. Control activities have also been implemented (through the Book of Internal Control) on the basis of the main risks identified, as described in Section F.5, “Risk management activities”.
D – Control activities

Worldline key control activities are aligned with the Atos Book of Internal Control (BIC). This document, sent out to all entities, complements the different procedures by addressing the key control objectives of each process to achieve a convenient level of internal control.

It covers not only the financial processes, but also the various operational processes such as contract management (Opportunity to Order, Order to Cash, Product lifecycle, HR management) and Risk & Compliance activities (Security, Legal, Sustainability). An updated version of the Book of Internal Control was released and distributed throughout the Group in January 2016, in order to take into account additional controls and some improvements in various processes. This framework will continue to evolve, according to the growing maturity of processes and emerging risks. An IT control framework (part of the BIC) has been defined, detailing control activities related to client service. This framework has been used to issue “ISAE 3402” reports¹ for several of Worldline’s clients.

E – Monitoring

Monitoring of the internal control system is the responsibility of the different levels of management, and is also supported by Internal Audit missions. Control self-assessments are performed by the main Functions through questionnaires completed by Regional Business Units, and reviewed at Group level. Action plans are initiated when deviations are reported.

Internal Audit ensures, through its reviews, that the internal control procedures are properly applied, and supports the development of internal control procedures. Internal Audit also defined, in partnership with Group and local management, action plans for continuously improving internal control processes.

In 2017, Internal Audit carried out a total of 31 audit assignments (including investigations at the request of general management) assessing the functioning of the internal control system: 9 in the domain of support functions (Finance, Human Resources, Purchasing, Sales) and 22 related to Operations/core business. All assignments were finalized by the issuance of an audit report including action plans to be implemented by the related division or country.
Furthermore, twice a year, a full review of open recommendations is performed by Internal Audit with the owners concerned, and reported up to the Group Executive Committee and to the Audit Committee. In 2017, 90% of audit recommendations were implemented in due time. Internal Audit also actively contributes to helping the business meet the compliance requirements to maintain the “payments institution” status for the Worldline entities concerned. An annual assessment of the Group’s control environment has therefore been included in the audit plan. Audits on Service Organization Controls (SOC) have been performed by independent auditors for the main service providers who run processes on behalf of Worldline, notably in the areas of payroll processing, purchases or general ledger accounting processing.

¹ ISAE 3402 (International Standards for Assurance Engagements (ISAE) No. 3402). A global assurance standard for reporting on controls at a service organization used for auditor’s report on internal control of a service to a third party. Activities of the Group typically have an impact on the control environment of its clients (through information systems), which may require the issuance of “ISAE 3402 reports” for the controls ensured by the Group.

Worldline 2017 Registration Document
