Tasks and Responsabilities

4.1. External audit and Financial Reporting

The tasks carried out by the Audit Commission in relation to the external audit and the company’s financial reporting are summarized in the following table:

During 2012, the Board of Directors and the General Meeting of shareholders approved the appointment of Deloitte as auditor of the financial statements of Abengoa and the consolidated financial statements of Abengoa and its subsidiaries for the year ended December 31, 2012 and the two following years. This appointment was also endorsed by the audit Commissions, boards of directors and general meetings or assemblies shareholders of the relevant group companies.

In addition, other firms collaborate in performing the audit, especially in small companies both in Spain and abroad, although the scope of their work is not significant for the group overall.

The Audit Commission’s functions include ensuring the independence of the external auditor, proposing the appointment or renewal thereof to the Board of Directors and approving its fees.

SOX (Sarbanes-Oxley Act) internal control audit work has been assigned to these same audit firms following the same criteria. This is because, according to PCAOB (Public Accounting Oversight Board) rules, the firm that issues the opinion on the financial statements must also be the firm that evaluates internal control processes over the preparation of the these same statements, given that this internal control is a key factor in “integrated audits”.

Abengoa follows a policy of having an external annual audit performed on all group companies, even if they are not obliged to do so because they do not meet the legal requirements.

A total of 20 new companies have been audited this year round, more than 85% of which are being audited by one of the four main international audit firms or “Big Four”.

The following table provides a breakdown of the global fees agreed upon with the external auditors for the 2014 audit, including reviews of periodic reporting and the SOX audit:

When assigning non-audit work to any of the “Big Four” audit firms, the company has a prior verification procedure in place so as to detect any possible incompatibilities that would prevent the firm from performing the work under the rules of the U.S. SEC (Securities Exchange Commission) or Spanish ICAC (Instituto de Contabilidad y Auditoría de Cuentas).

Additionally, Abengoa’s condition like entity registered in Nasdaq forces us to carry out with the procedures established by the regulators of the mentioned market and concretely with the Law Sarbanes Oxley, developed later by the Securities and Exchange Commission (SEC). In this respect, the Audit Commission must pass in advance to his provision, all the services contracted with the auditor. During 2013 there have pre-be approved by the Commission the following services given by the external auditor:

• Audit services (audit reports, limited reviews, comfort letters, etc.)
• Services related to the audit (Due Diligence, report RSC, etc.)
• Fiscal Services
• Others (courses, seminars, etc.)

The following table reveals the fees payable to the Big Four audit firms for non-audit work performed in 2014:

The following table reveals the fees payable to the Big Four audit firms for non-audit work performed in 2014:

Like in past years, during 2014 a survey was conducted on the satisfaction with the service received from the main auditor during the 2013 audit. A series of conclusions have been drawn from this survey and will help to improve the work carried out jointly with the external auditor.

The Audit Commission is, furthermore, responsible for supervising the results of the work of the external auditors. Therefore, it is promptly informed of their conclusions and of any incidents noted in their audits.

When required to do so, the external auditor has attended Audit Commission meetings to report on its areas of competency, which are essentially the following:

• Reviewing the financial statements of the consolidated group and its component companies and issuing an audit opinion thereon.
• Evaluation of the internal control system and issuance of an audit opinion under PCAOB (Public Company Accounting Oversight Board) standards, (SOX -Sarbanes-Oxley Act- compliance).
• Matters of special interest for certain matters or specific or significant transactions, the external auditor is required to provide its opinion on the criteria adopted by the company so as to reach a consensus.
• Independent verification reports prepared by external auditors.

Thus, external auditors issued 7 reports in 2014, all forming an integral part of the annual report:

• Audit report on the consolidated accounts of the group, in accordance with applicable law.
• Voluntary audit report on internal control compliance under PCAOB (Public Company Accounting Oversight Board) standards, pursuant to the requirements imposed by section 404 of the Sarbanes-Oxley Act (SOX).
• Voluntary reasonable assurance audit report on the Corporate Governance Report, with Abengoa being the first listed company in Spain to obtain a report of this nature.
• Voluntary reasonable assurance audit report on the Corporate Social Responsibility Report.
• Voluntary audit report on the design and application of the Risk Management System pursuant to ISO 31000 standards.
• Voluntary verification report in the areas of corruption.
• Verification report on the allocation of funds obtained from the issuance of the “Green Bond”.

 

4.2. Internal Audit

The Audit Commission’s functions include “supervision of the internal audit service” and “awareness and knowledge of the financial reporting process, internal control systems and the risks for the company”.

In order to oversee the sufficiency, suitability and efficient working of the internal control and risk management systems, the Commission received regular information in 2014 from the head of internal audit in relation to:

• The annual internal audit plan and the degree to which it had been met: progress and conclusions on the internal audit work performed, which essentially comprises the tasks of auditing financial statements, internal control SOX audits, common management systems audits, reviews of critical projects and construction work, and reviews of special areas, among others.
• The degree of implementation of issued recommendations.
• A description of the main areas reviewed and the most significant conclusions, which include audited and sufficiently mitigated risks.
• Other more detailed explanations requested by the Audit Commission.

During 2014, the Audit Commission recorded and supervised the performance of 631 tasks by the internal audit department. The tasks not included under the Plan related principally to general reviews of companies and projects that had not been envisaged in the initial planning.

As a result of the work performed, 444 recommendations were issued, most of which had been implemented by year end.

One factor that had a decisive impact on the number of recommendations issued was the performance of internal control compliance audits under PCAOB (Public Company Accounting Oversight Board) standards, in accordance with the requirements of section 404 of the Sarbanes-Oxley Act (SOX). Through COSO standards, have developed frameworks and guidelines on risk management company, internal control and detection of fraud designed to improve corporate governance and reduce the extent of fraud in organizations.

Internal audit function at Abengoa

Internal audit function originated as an independent global function, reporting to the Audit Commission of the Board of Directors, with the principal objective of supervising Abengoa’s internal control and material risk management systems.

Structure and team

Abengoa’s internal audit function is structured around seven functional areas:

1.  Internal control audit
2.  Financial audit
3.  Projects audit
4.  Concessions audit
5.  Preventive fraud audit
6.  Non-financial audit
7.  Information systems audit

Additionally, each business group count with a responsible person in the audit department in order to participate in a coordinated way with the strategy definition, planning, and communication of recommendations.

Internal audit team is formed by 56 auditors, distributed among the different business groups.

• The average age of Abengoa’s internal audit team is currently around 31.
• The gender distribution was 60% (men) and 40% (women) respectively.
• Average length of professional experience is seven years.
• Approximately 70 % of the auditors have prior experience in one of the “Big Four” external audit firms.

Common Management Systems

The Audit Commission’s main objectives concerning internal control over the preparation of financial reporting are:

• Determining the risks of a possible material error in the financial reporting caused by fraud or possible fraud risk factors.
• Analyzing the procedures for assessing the efficiency of internal control in relation to financial reporting.
• Efectiveness of internal controls over the processes that affect Abengoa and its business groups.
• Identifying material internal control deficiencies and weaknesses in relation to financial reporting and response capacity.
• Supervising and coordinating any significant changes made to the internal controls related to the quarterly financial reporting.
• Performing the quarterly processes of closing the financial statements and differences identified in relation to the processes performed at year end.
• Rolling out plans and monitoring the actions implemented to correct the differences identified in the audits.
• Measures to identify and correct possible internal control weaknesses in relation to the financial reporting.
• Analyzing procedures, activities and controls that seek to guarantee the reliability of financial reporting and prevent fraud.

Internal Control Model

Abengoa’s internal control structure is based on the integrated internal control framework established in the latest model from COSO (Commission of Sponsoring Organizations of the Treadway Commission) and complies with the requirements established in Section 404 of the US Sarbanes-Oxley Act (SOX).

According to this framework, companies must:

• Prepare annual objectives regarding the efficiency and effectiveness of operations, the reliability of financial reporting, legal compliance and safeguarding the company’s assets.
• Identify and evaluate the risks could comprise these objectives
• Define control activities to minimize the impact of these risks; and
• Implement supervision systems to evaluate the quality of this process.
• All of the above requires the support of an effective control environment and feedback with an effective reporting and communication system.

The new framework broadens the risk outlook to include negative or positive events, in other words threats or opportunities; identification of a tolerance level for the risk; as well as dealing with these events using risk portfolios.

In February 2010, the Spanish National Stock Market Commission (CNMV) published a document titled “Internal Control over Financial Reporting in Listed Companies” (ICFR), which contains two new legal obligations that listed companies must meet from 2011 onwards:

• Audit Commissions will be responsible for supervising financial reporting and the efficiency of the company’s internal control and risk management systems.
• Companies will have to report to the markets on their systems of internal control over financial reporting through the Annual Corporate Governance Report.

CNMV document is based on COSO and incorporates 87 recommended practices divided into five components areas:

• Internal control environment
• Financial reporting risk assessment
• Control activities
• Information and communication, and
• Supervision of system operation

Since 2007, Abengoa has been voluntarily submitting its internal control systems to external evaluation, with the issuance of an audit opinion under PCAOB standards and a compliance audit under section 404 of the Sarbanes-Oxley Act (SOX).

This means that Abengoa has been complying strictly with the reference indicators included in the Spanish CNMV’s ISFR document for four straight years now.

In forthcoming years, and principally with the consideration of being a company registered in NASDAQ, we will be faced with an environment characterized by greater regulatory requirements. In order to deal with this scenario, Abengoa considers risk management an indispensable activity and function for strategic decision making.

Abengoa is aware of the importance of managing its risks in order to carry out appropriate strategic planning and attain the defined business objectives. To do this, it applies a philosophy formed by a set of shared beliefs and attitudes, which define how risk is considered, starting with the development and implementation of the strategy and ending with the day-to-day activities.

Abengoa’s risk management system is shown in the following diagram

The risk management process at Abengoa is a continuous cycle based on five key phases, as shown in the previous diagram:

• Identify
• Evaluate
• Respond
• Monitor
• Report

In each phase, regular and consistent communication is necessary in order to achieve good results. Since it is a continuous cycle, permanent feedback is necessary in order to achieve a constant improvement in the risk management system. These processes are addressed to all the company’s risks.

Abengoa manages its risks using the following model, described in the company’s risk management manual, which is intended to identify the potential risks of a business:

Risk treatment and response criteria are contained within the common management systems and must be observed by all employees.

The responses designed and included within the different elements that make up the Abengoa’s risk management system pursue one of the following risk management scenarios:

• Elimination: the risk is completely eliminated.
• Reduction and control: the aim here is to reduce the risk as much as possible by using strategic or safety measures (diversification of supply, quality systems, maintenance, prevention, etc.).
• Transfer to a third party: the risk is transferred to a third party, so that Abengoa holds no responsibility for the risk, whether through an insurance company or another third party (supplier, subcontractor).
• Financial retention: if it has not been possible to otherwise control the risk, it is eventually accepted.

Analysis of the recoverability of assets and compliance with financial obligations

Internal Audit currently reviews the results of the asset recoverability analyses carried out by the different departments for all major projects, including specifically concession assets, industrial production plants and intangible assets. See Note 2.8 of the “Consolidated Financial Statements”. Compliance with the obligations established in financing agreements is also verified on a quarterly basis.

 

4.3. Risks and Internal Control

Abengoa’s risk management model comprises three core elements:

hose elements combine to form an integrated system that enables the company to manage risks and controls suitably throughout all levels of the organization.

A. Common management systems

The common management systems are the internal rules for Abengoa and its business groups and are used to assess and control risk. They represent a common culture for managing Abengoa’s businesses, sharing the accumulated knowledge while defining specific criteria and guidelines.

The common management systems include specific procedures for any type of action that could give rise to a risk for the organization, whether financial or non-financial. Furthermore, they are available to all employees in electronic format regardless of their geographical location or role.

The functional heads of each division must verify and certify compliance with these procedures. This annual certification is issued by the Audit Commission in January of the following year.

The systems cover the whole organization at three levels:

• All the business groups and areas of activity.
• All levels of responsibility.
• All kinds of operations.

Common management systems represent a common culture for Abengoa’s different businesses and are composed of eleven rules defining how each of the potential risks included in Abengoa’s risk model should be managed. Through these systems, the risks and the appropriate way of hedging against them are identified and the control mechanisms defined.

Over recent years, the common management systems have evolved to adapt to the new situations and environments in which Abengoa operates, with the overriding aim of reinforcing risk identification, covering risks and establishing control activities. The summary of annual updates is shown in the graph below:

B. Compulsory procedures (SOX)

The compulsory procedures are used to mitigate risks relating to the reliability of the financial information, employing a combined system of procedures and control activities in key areas of the company, which are intended to ensure the reliability of the financial information and prevent fraud.

SOX is a compulsory law for all listed companies operating in the United States and is intended to ensure the reliability of the financial reporting of these companies and protect the interests of their shareholders and investors by establishing an appropriate internal control system. Thus, although none of the business groups is required to meet SOX requirements, Abengoa deems it necessary to comply with these requirements throughout all of its component companies, since these requirements complement the risk control model used by the company.

The company has implemented an appropriate internal control system that relies on three tools:

• A description of the company’s relevant processes that could impact the financial information to be prepared. In this regard, 55 management processes have been defined and grouped into corporate cycles and common cycles used throughout all the business groups.
• A series of flow charts that provide a visual description of the processes.
• An inventory of the control activities in each process to ensure attainment of the control objectives.

Our work comprises the following aspects:

At Abengoa, we have viewed this legal requirement as an opportunity for improvement and, far from being satisfied with the rules included in the Act, we have tried to develop and improve our own internal control structures, control procedures and the evaluation procedures in place.

This initiative arose in response to the swift expansion experienced by the group in recent years and projected future growth, the aim for us to continue preparing accurate, timely and complete financial reports for our investors.

In order to meet the requirements of section 404 of the SOX, Abengoa’s internal control structure has been redefined following a “Top-Down” approach based on risk analysis.

This risk analysis encompasses a preliminary identification of significant risk areas and an assessment of the company’s controls over them, starting with top-level executives – corporate and supervisory controls – then dropping to the operational controls present in each process.

C. The universal risk model

The universal risk model is the company’s chosen methodology for quantifying the risks that compose the risk management system.

Abengoa’s universal risk model is made up of 20 categories and a total of 56 principal risks for the business. Each categories are agrupated in four big areas (financial risks, strategic risks, compliance risks and operations risks).

 

Furthermore, the model is checked of periodic form. These updates are a joint responsibility of the department of internal audit, the management of risks and the people in charge of every indicator in every area. During the exercise 2014, two reviews of the model have been realized based on:

• Probability of occurrence: Degree of frequency  wich is possible to ensure that a particular cause will result an event with negative impact on Abengoa.
• Impact on the Company: Set of negative effects on Abengoa´s strategic objectives.

 

4.4.Governance and Compliance

Self-assessment

Pursuant to Article 16.4.q) of the board of directors regulations, members of the Audit and Compliance Commission carried out their self-assessment at the meeting held on February 23, 2015, to evaluate the functioning of the Commission and the performance of the functions delegated to it by Abengoa’s bylaws and the board of directors regulations.

Consequently, the Commission believes that it satisfactorily complies with its responsibilities, since it has met on sufficient occasions with meeting agendas that encompass all of the areas subject to its review, and has made extensive presentations of the different issues involved, all within a framework of an open debate without any type of restriction.

Company management implemented a code of professional conduct, the guiding philosophy of which is honesty, integrity and good judgment on the part of employees, managers and directors, as reflected in Abengoa’s Annual Corporate Governance Report, which provides details of the company’s governing structure, risk control systems, the degree to which recommendations on governance are followed and the reporting instruments; and in which the management’s commitment to maintaining an appropriate internal control and risk management system, good corporate governance and ethical conduct on the part of the organization and its employees can be seen.

All departments, mainly human resources and internal audit, strive to ensure compliance with the code and notify management of any irregular conduct they may detect so that the appropriate measures can be adopted.

Whistleblowing channel

The system of Abengoa’s internal control is provided with diverse mechanisms and procedures that allow to mitigate the risk of fraud.

In this way, following the guidelines set out in section 301 of the Sarbanes-Oxley Act (“The Act”), the audit Commission of the board of directors of Abengoa S.A. (“the company”) has agreed to establish procedures to:

• The receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or auditing matters;
• The submission by employees of the company, on a confidential and anonymous basis, of good faith concerns regarding questionable accounting or auditing matters.
• Therefore, Abengoa has two whistleblowing channels:
• An internal channel, which is available to all employees, so that they can report any alleged accounting or audit irregularity or breaches of the code of conduct. Issues are reported by e-mail or post.
• An external cannel, available to anyone outside the company, so that they can report any alleged irregularities, fraudulent actions or breaches of Abengoa’s code of conduct through the company’s website (www.abengoa.com).

Whistleblowing policy guarantees no reprisals for whistleblowers, who may submit complaints on a confidential basis. However, both the channel internal and external complaints may be sent on the basis of confidentiality for the complainant or anonymously.

This politic apply to any employee of the Group, consultants, or suppliers with direct relation and commercial interest or legitimate professional.

For each complaint received, a specific work is performed by the internal audit team. Within the internal audit department, Abengoa has a specific unit dedicated to the investigation of complaints received through the various channels and the implementation of preventive nature works on fraud. Besides, in cases that involve highly technical matters, the company secures the assistance of independent experts, thus ensuring at all times that it has the sufficient means of conducting a thorough investigation and guaranteeing sufficient levels of objectivity when performing the work.

Foreign Corrupt Practices Act (FCPA)

The honesty, integrity and sound judgment of employees, executives and directors is essential to the company’s reputation and success.

In pursuit of these principles, Abengoa adhered to the United Nations Global Compact in 2002. It upholds each of the ten principles enshrined in the initiative and works to integrate them fully into the strategy and policies governing the day-to-day running of the company. In relation to principle nº 10: “Businesses should work against corruption in all its forms, including extortion and bribery”, Abengoa has various procedures in place to prevent any kind of corruption within the company.

In the fight against extortion, fraud and bribery, Abengoa upholds the provisions of the US Foreign Corrupt Practices Act (FCPA).

In particular, the FCPA criminalizes acts by companies and their executives, directors, employees and representatives to pay, promise, offer or authorize payment of anything of value to any foreign civil servant, foreign political party, heads of foreign political parties with the aim of achieving or maintaining business operations, or of obtaining any kind of improper gain. In conformity with FCPA, the payments realized to foreign civil servants indirectly generate legal responsibility as the payments realized in direct form. The Company or his civil servants or employees will be able to be considered to be responsible for the payments realized by commercial partners, as for example representatives of sales, advisers, agents, contractors, subcontractors, or others, in those cases in which the Company should realize a payment or should transfer another value to a commercial partner wittingly, or when motives for thinking should exist, of that it will be in use, in total or partial form, for realizing an undue payment to a foreign civil servant (this disposition is applied even in the cases in which the commercial partner is not subject to the FCPA). Also responsibility can exist in case the Company has knowledge of facts that suggest a “high probability” of which the commercial partner will deliver the totality or part of the value received to a foreign civil servant with a corrupt intention. In consequence, Abengoa will have to manage with precaution in his relations with commercial partners and have certain guarantee of which these will fulfill with all the laws anticorruption applicable.

The FCPA complements the requirements imposed by section 404 of the US Sarbanes Oxley Act (SOX). It applies all the actions realized by the commercial partners addressed to Abengoa and all his civil servants, the directors and employees of complete and partial time. This politics will be applied likewise to all the subsidiaries controlled by Abengoa. All the commercial partners who represent Abengoa (including advisers, agents, representatives of sales, distributors and independent contractors) and who interact with foreign civil servants in Abengoa’s name will have to expire with all the pertinent parts of this politics.

Protocol for Authorizing and Supervising related Transactions Between Abengoa, S.A.and Abengoa Yield plc.

On May, 26, 2014 the Board of Directors of Abengoa, S.A. approved based on the proposal by its Audit Commission, the Protocol for authorizing and supervising related transactions between Abengoa, S.A. and Abengoa Yield plc., the “Protocol corporate governance of Abengoa, S.A.

The purpose of this Protocol is to govern the procedure for authorizing and  supervising the execution and implementation of transactions to transfer assets or  provide services that are agreed between Abengoa and Yield.

This Protocol shall come into effect from the date of its approval and shall apply while   Abengoa holds a position of special relevance in the share capital of Yield, and  specifically until its holding has been reduced below the threshold of 50% and/or  Abengoa losses the control over Yield as established in the commercial law.   

All transactions between Abengoa and Yield included within the scope of application of  this regulation, under the terms defined in Article 1.1, must have a favorable report  from the Audit Commission prior to being submitted to the Board of Directors, and  which establishes the following aspects:   

• The opportunity and suitability of the transaction for Abengoa.   
• The conditions of all the agreements, regardless of their nature, that have been  signed between Abengoa and Yield in order to formalize or implement a Related  Transaction, directly or indirectly via the companies of their respective groups.  In general, and except for specific justifying circumstances, the agreements  through which Abengoa and Yield agree to undertake a Related Transaction shall  be documented in writing in one or several contracts that shall detail the terms  and conditions applicable to the transaction in question or to the service being  provided.
• The essential elements (price, term and subject) of the aforementioned  agreements, which must have been determined based on free-market criteria.
• That the Related Transaction is carried out or performed by the party that is  required to do so, directly or indirectly via the companies of its group, under  market conditions, meaning that the recipient party shall not benefit from financial  or any other conditions that are significantly more favorable than those that would  be accepted by a third-party under substantially equivalent conditions or that  could represent favorable treatment due to its status as a highly related party.
• The appropriateness of providing Yield with any type of confidential information,  ensuring that this information is effectively necessary to implement the agreement  in question and that the necessary measures have been taken to safeguard the  confidentiality of the information before it is disclosed.   
• That Related Transactions authorized by the corporate bodies of Yield have been  approved with the abstention of the directors of Yield that, if appropriate, may  have been appointed at Abengoa’s request.
• Abengoa and Yield shall duly notify the market about transactions carried out between them or between the companies of their respective groups, under the terms established in