Worldline - 2020 Universal Registration Document

RISK ANALYSIS Internal Control

A worldwide Performance management system (My Career) is in use to support individual development and coaching. Moreover, Balanced Score Cards are used to cascade business objectives. Through performance reviews, objectives are set and progress is measured to ensure continuous improvement for every individual in the organization. Through the global quality organization, Worldline has defined and implemented policies and processes for service delivery and support functions. Within the defined processes across the business, performance indicators, roles and responsibilities and internal controls are specified. These are part of and published in the Worldline management System and contribute to an appropriate control environment. Information Systems: Group Internal IT department is in place at Group level to provide common internal IT infrastructures and applications for Worldline staff worldwide. It supports functions like Finance (accounting and reporting applications), Human Resources (resourcing tool, global directory), Communication (Group website and intranet) or Procurement. Security and access to these infrastructures and applications as well as their reliability and performance are managed by this department and benefit from the core expertise and resources from the Group. System for risk management F.4.3.2 The Group operates a risk management system that facilitates the analysis and treatment of business risks throughout the life cycle of a product or service. Risk management is embedded in the Group’s decision-making and operating processes and is managed according to the risk management model as described in the risk management chapters of this document Section F.1. Those risk processes allow to identify and analyze main risks that may, as one of the risk mitigating solutions, call for focus and/or implementation of improved internal control. as described in the following Section F.5.3.3 “Control activities”. Control activities F.4.3.3 Key control activities of the Group are described in the risk and control matrix: “Book of Internal Controls” (BIC). This document not only covers the financial processes, but also various other areas such as delivery, procurement, human resources and risk and compliance activities ( e.g. security, legal, sustainability). The updated Book of Internal Control is released and distributed throughout the Group every year, taking into account new or changed services or processes and related control activities. This document evolves along with the processes evolution and the emerging risks (update at least once a year).

Some controls are part of specific frameworks, for specific purposes ( e.g. certifications, client assurance reports) and should be considered as sub-parts of the BIC ( e.g. Closing file, ISAE 3402, etc.). Monitoring F.4.3.4 Monitoring of the internal control system is the responsibility of the different levels of management and is also supported by Internal Audit missions. Monitoring is performed through the follow up of indicators (KPI’s), control self-assessment campaigns (through questionnaires) and control testing that might measure directly or indirectly the effectiveness of the process implementation and related controls. Group Internal Control specifically summarizes on a yearly basis the overview and results of control assessments on a consolidated level and the main actions defined to improve the internal control system. Results are presented in the Control Board meetings and QSRC Committees. On top of the control monitoring activities driven by Group Internal Control, assessments are performed by “independent auditors” including: ISO Auditors: following an audit plan covering ISO ● standards for quality (ISO 9001), Security (ISO 27001); Environment (ISO 14001) and IT service (ISO 20000); Financial Legal External Auditors are focused on the ● reliability of financial information; Service auditors (performing ISAE 3402audits) are focused ● key controls implemented to ensure the effectiveness of processes that support the services in scope of the ISAE3402 (for Worldline clients); Group Internal Audit (GIA): following a risk based annual audit plan, GIA assesses both Support Functions and Operations. Internal Audit is ensuring that the internal control procedures are properly applied and supports the development of internal control procedures. In 2020, Internal Audit carried out a total of 29 audit assignments (including investigations at the request of general management) assessing the functioning of internal control system: in the domain of support functions (Finance, Human Resources, Purchasing, Sales) and related to Operations/core business. All assignments have been finalized by the issuance of an audit report including action plans to be implemented by the related managerial unit. Furthermore, twice a year, a full review of open recommendations is performed by Internal Audit with concerned owners and reported up to the Group Executive Committee and to the Audit Committee. In 2020, 95% of audit recommendations have been implemented in due time.

F

Universal Registration Document 2020

355