Worldline - 2019 Universal Registration Document

RISK ANALYSIS Internal Control

Some controls are part of specific frameworks, for specific purposes (e.g. certifications, client assurance reports) and should be considered as sub-parts of the BIC (e.g. Closing file, ISAE 3402, etc.).

F.5.3.4 Monitoring

Monitoring of the internal control system is the responsibility of the different levels of management and is also supported by Internal Audit missions. Monitoring is performed through the follow-up of indicators (KPIs), control self-assessment campaigns (through questionnaires) and control testing that might measure directly or indirectly the effectiveness of the process implementation and related controls.

Group Internal Control specifically summarizes on a yearly basis the overview and results of control assessments on a consolidated level and the main actions defined to improve the internal control system. Results are presented in the Control Board meetings and QSRC committees.

On top of the control monitoring activities driven by Group Internal Control, assessments are performed by “independent auditors” including:

● ISO Auditors: following an audit plan covering ISO standards for quality (ISO 9001), security (ISO 27001), environment (ISO 14001) and IT service (ISO 20000);
● Financial Legal External Auditors are focused on the reliability of financial information;
● Service auditors (performing ISAE 3402 audits) are focused on key controls implemented to ensure the effectiveness of processes that support the services in scope of the ISAE 3402 (for Worldline clients);
● Group Internal Audit (GIA): following a risk-based annual audit plan, GIA assesses both Support Functions and Operations. Internal Audit ensures that the internal control procedures are properly applied and supports the development of internal control procedures.

In 2019, Internal Audit carried out a total of 34 audit assignments (including investigations at the request of general management) assessing the functioning of the internal control system: in the domain of support functions (Finance, Human Resources, Purchasing, Sales) and related to Operations/core business. All assignments have been finalized by the issuance of an audit report including action plans to be implemented by the related managerial unit.

Furthermore, twice a year, a full review of open recommendations is performed by Internal Audit with concerned owners and reported up to the Group Executive Committee and to the Audit Committee. In 2019, 93% of audit recommendations have been implemented in due time.

Internal Audit also actively contributes to help the business meet the compliance requirements to maintain the “payments institution” status for concerned entities. An annual assessment of the Group’s control environment has therefore been included in the audit plan.

F.5.3.5 Communication of relevant and reliable information

The Company’s processes, meetings and governance structures (Worldline Governance Framework) ensure that relevant and reliable information is effectively communicated in a timely manner to relevant players within the Company, thereby enabling them to exercise their responsibilities. Top-down and bottom-up communication channels are defined within each function, to cascade instructions and get feedback on their execution.

Worldline distributes information throughout the organization, including management’s messages on objectives and quality of service, through a number of media, including but not limited to:

● Regular management communication;
● Internal newsletters;
● Group intranet (Source);
● Knowledge Management tool (SharePoint).

Information is distributed on a need-to-know basis, and policies for information classification and information security have been developed.

Formal reporting lines have been defined, following the operational and the functional structures. This formal reporting, based on standard formats, concerns both financial and non-financial information as well as operational performance. Dedicated committees are set up for sharing and reporting information (e.g. Quality, Security, Risk & Compliance Committees, Control Board meetings, Audit, Risk & Compliance Committees, Quality Review Meetings, Local Executive Committee, Local Management Committees, etc.).

External communication with clients is organized through operational meetings, agreed service reporting, customer satisfaction surveys and workshops.
