5. Accounting-Related Internal Control and Risk Management System
In accordance with section 289 (4) and section 315 (4) German Commercial Code (HGB), United Internet AG is obliged to describe the main features of its accounting-related internal control and risk management system in its Management Report.
United Internet AG regards risk management as part of its internal control system (ICS). The ICS is understood as an ongoing process comprising organizational, controlling, and monitoring structures to ensure permanent compliance with legal and corporate requirements.
The Management Board of United Internet AG is responsible for the scope and structure of its ICS and takes account of the Company’s specific requirements. The monitoring of the ICS’s effectiveness is one of the duties of the Supervisory Board of United Internet AG, which is regularly informed by the Management Board about the status of the ICS and the findings of the Company’s Internal Audit system. Within the United Internet Group, the Corporate Audit department is responsible for independently auditing the appropriateness, effectiveness, and functionality of the ICS and has been granted extensive rights with regard to information, examination, and access in order to exercise its duties. Its audits are based on a risk-oriented audit plan which also includes regular audits of subsidiaries. In addition, the Corporate Audit department conducts fundamental audits regarding the proper functioning of important asset and inventory stock-taking. In addition, those areas of ICS of relevance for financial reporting are audited with regard to efficiency by the external auditors as part of their risk-oriented audit approach.
The accounting-related ICS is continuously being developed and comprises principles, procedures, and measures to secure the effectiveness, economic efficiency, and compliance of the accounting system and to ensure that the relevant laws and standards are observed. During preparation of the Consolidated Financial Statements, the ICS is used in particular to ensure the application of International Financial Reporting Standards (IFRS), as endorsed by the European Union, and the additional provisions under commercial law pursuant to section 315e of the German Commercial Code (HGB). When preparing the Annual Financial Statements and Management Report, the ICS also helps ensure that regulations under commercial law are observed.
However, a fundamental aspect of every ICS, irrespective of its particular design, is that it cannot provide absolute safety that material misstatements in accounting are avoided or detected. This may be due, for example, to incorrect discretionary decisions of individuals, faulty controls, or criminal acts.
The following statements refer solely to the fully consolidated subsidiaries included in the Annual Financial Statements of United Internet AG, for which United Internet AG has the direct or indirect possibility of determining their financial and monetary policy in order to derive a benefit from the activity of these companies.
The task of United Internet AG’s risk management system includes setting measures to detect and assess risks, reduce them to an acceptable level, and monitor recognized risks. A risk management system requires organized action to deal suitably with uncertainty and threats and urges employees to utilize the regulations and instruments required to ensure compliance with the risk management principles. In addition to operative risk management, it also includes the systematic early recognition, management, and monitoring of risks. The accounting-related risk management system focuses on the risk of false statements in accounting and external reporting.
Specific accounting-related risks may arise, for example, from the conclusion of unusual or complex transactions. Business transactions which cannot be processed in a routine manner are also exposed to latent risks. It is necessary to grant a limited circle of people certain scope for discretion in the recognition and measurement of assets and liabilities, which may result in further accounting-related risks.
The accounting-related ICS comprises internal controls, defined on the basis of risk aspects, for those processes which are relevant for financial reporting as well as those processes that support the IT systems. Special emphasis is placed on IT security, change management, and operational IT processes. Organizational, preventive, and detective controls are applied, which can be conducted manually or with the aid of IT. The effectiveness and efficiency of the accounting-related ICS requires highly developed employee skills. Regular training, the “four-eye principle”, and the functional separation of administrative, executive, and approval processes are indispensable for the United Internet Group. The Corporate Accounting division and other accounting departments are responsible for the management of the accounting processes. Laws, accounting standards, and other pronouncements are continuously analyzed with regard to their relevance and impact on accounting. The Group companies are responsible for the orderly and timely execution of the accounting-related processes and systems and are supported by the accounting departments accordingly.
If significant control weaknesses or opportunities for improvement are detected, they are assessed and countermeasures are developed with the persons responsible to improve the effectiveness of the ICS. Implementation of the measures is monitored by the Corporate Audit department and may be the subject of subsequent audits. In order to ensure the high quality of the accounting-related ICS, the Corporate Audit department is closely involved during all stages.