Worldline - Registration Document 2016

Practices of administrative and management bodies Internal Control

and emerging risks. continue to evolve, according to growing maturity of processes several of Worldline’s clients. framework has been used to issue “ISAE3402” reports 1 for detailing control activities related to client service. This An IT control framework (part of the BIC) has been defined, Monitoring Group and local management, and is also supported by Internal Monitoring of the internal control system is the responsibility of Audit missions. deviations are reported. and reviewed at Group level. Action plans are initiated when through questionnaires completed by Regional Business Units, Control self-assessments are performed by the main Functions processes. action plans for continuously improving internal control defined, in partnership with Group and local management, development of internal control procedures. Internal Audit also control procedures are properly applied and supports the Internal Audit is ensuring, through its reviews, that the internal division or country. report including action plans to be implemented by the related assignments have been finalized by the issuance of an audit Purchasing, Sales) and 7 related to Operations/core business. All domain of support functions (Finance, Human Resources, assessing the functioning of internal control system: 12 in the (including investigations at the request of general management) In 2016, Internal Audit carried out a total of 19 audit assignments recommendations have been implemented in due time. Committee and to the Audit Committee. In 2016, 87% of audit concerned owners, and reported up to the Group Executive recommendations is performed by Internal Audit with Twice a year, a full review of high & medium open assessment has therefore been included in the audit plan. “payments institution” status for Worldline Belgium. An annual meeting the compliance requirements to maintain the Internal audit has also actively contributed to help the business performed by independent auditors for the main service Audits on Service Organization Controls (SOC) have been or general ledger accounting processing. the areas of payroll processing, accounts payable management providers who run processes on behalf of Worldline, notably in

financial reporting sessions. instructions, issued regularly, and especially for budgeting and This bottom-up communication is accompanied by top-down Systemfor riskmanagement identify, analyze and manage risks. Although risk management Risk management refers to means deployed in Worldline to this document. management, as described in Section 4.5, “Risk management” of specific formal initiatives have been undertaken concerning risk is part of a manager’s day to day decision making process, legal and compliance risks. to perform the Legal Risk Mapping, targeting more specifically may impact the Company. The ERM methodology is also used management assessment, identifying the key challenges that Risk management activities include a yearly Enterprise risk management function (including a Group Risk Management Operational risks on projects are managed by the risk Risks related to logical or physical security are managed by the reproduced for R&D projects with a dedicated organization. and challenging contracts). Similarly, the same process has been Committee who meets monthly to review the most significant risks, and a regular follow up of mitigation actions. All risk management activities include an assessment of the key described in the next section “control activities”. Book of Internal Control), on the basis of main risks identified, as Control activities have also been implemented (through the process to achieve a convenient level of internal control. procedures by addressing the key control objectives of each the general management, complements the different Internal Control (BIC). This document, sent out to all entities by Worldline key control activities are aligned with the Atos Book of activities (Security, Legal, Sustainability). Product lifecycle, HR Management) and Risk & Compliance operational processes (Opportunity to Order, Order to Cash, It covers not only the financial processes, but also the various released and distributed throughout the Group in January 2016, An updated version of the Book of Internal Control has been improvements in various processes. This framework will in order to take into account additional controls and some Security Function. Control activities

16

organization used for auditor’s report on internal control of a service to a third party. Activities of the Group typically have an impact on the control environment of its clients (through information systems), which may require the issuance of “ISAE3402 reports” for the controls ensured by the Group. ISAE3402 (International Standards for Assurance Engagements (ISAE) No. 3402). A global assurance standard for reporting on controls at a service 1

153

Worldline 2016 Registration Document