Page 72

Informe Anual EN

72 Sustainability Report 2014 Year in review PRISA, a global group

- The existence of a procedure to identify the scope of consolidation, taking into account, among other things, the possible existence of complex corporate structures, or special purpose entities.

One important procedure is determining the Group’s scope of consolidation, which is performed on a monthly basis by the Consolidation Department, under the Corporate Finance Department, in collaboration with the Legal Department.

- When the process takes into account the effects of other types of risk (operational, technological, financial, legal, reputational, environmental, etc.) to the extent they might affect the financial statements.

Risk assessment takes into account the risk profile of each business unit, determined by its contribution to the consolidated financial statements, and the evaluation of specific risks including those deriving from the nature of its activities, centralization or decentralization of operations, and risks specific to the industry or the sector in which it operates, whenever these have a potential impact on the financial statements.

- Which governing body of the entity oversees the process.

The system is monitored and overseen, as mentioned above, by the Audit Committee and, ultimately, by the Board of Directors.

Control activities

Procedures for reviewing and authorizing financial information and description of ICFR, to be published in the securities markets, and documentation describing the flow of activities and controls (including those relating to fraud risk) of different types of transactions that may materially affect the financial statements, including procedures to close the accounts and for the specific review of the relevant estimates, evaluations and projections.

The Group makes available documentation describing the flow of activities and controls related to the processes identified as significant in each business unit and at a corporate level.
The key risks and associated controls are then identified. Documentation of control activities is carried out using risk matrices and process controls. Using these matrices, activities are classified as preventive or detective in nature, and depending on the coverage of associated risk, standard or key. In each significant business unit there is a documented procedure for dealing with closing accounting, as well as specific processes concerning relevant forecasts and estimates, according to the nature of the activities and risks associated with each business unit.

In relation to the review and approval process of financial reporting, there is a tiered and phased certification process that deals with the effectiveness of the model for internal control over financial reporting. Initially, the CEOs and managing directors of the business units and companies that are considered significant confirm, in writing, the effectiveness of defined controls for all critical processes, and the reliability of financial information. Following these confirmations, and based on the report on the testing of controls performed internally, the CEO and the CFO certify the effectiveness of the Group’s model for internal control over financial reporting in accordance with section 404 of the Sarbanes-Oxley Act. Also, in relation to this process, as mentioned above, there are procedures enabling the governing bodies to review and approve all financial information to be disclosed to the securities markets, including specific monitoring of significant risks by the Audit Committee.

Policies and procedures of internal control over information systems (including access security, change control, operation thereof, business continuity and segregation of duties) that support the relevant processes of the organization in relation to the development and publication of financial information.
Controls for system processes and applications that support critical business processes are intended to maintain the integrity of the systems and data and ensure their operation over time. Information systems controls are fundamentally access controls, segregation of duties, and development or modification of computer applications. The Group annually analyzes and evaluates the controls and procedures associated with all those applications that support critical business processes.

Policies and internal control procedures for overseeing the management of outsourced activities, as well as the appraisal, calculation or valuation of activities commissioned from independent experts, which may materially affect the financial statements.

With regard to outsourced activities, the principal service that is outsourced is information technology to Indra. For the monitoring of this service, the Group has defined a governance model that consists of various meetings and committees, of defined periodicity and content. Specifically, there are weekly operational meetings covering service and demand, for monitoring and tracking incidents and requests, attended by the Directors of Systems of the business units and those managers responsible for service from Indra. Fortnightly, there is a meeting of the Operational Service Committee, in which the heads of the Group’s transversal systems participate, and where applications, infrastructure and

