In a group the size of Abengoa, with more than 620 companies operating in 70 countries worldwide and boasting over 24,000 employees, a common business management system is an absolute necessity as it enables us to work effectively on a coordinated and consistent basis.

Abengoa manages its risks through the following model, which seeks to pinpoint potential risks within a business:

strategic risk

Our Risk Management model is composed of two fundamental elements:

business risks

Both elements combine to form an integrated system that enables the company to manage risks and controls suitably throughout all levels of the organization.

It is essentially a living system that requires constant updates to keep it in line with the business reality.

Business Risks

The procedures aimed at eliminating business risks are channeled through the so-called Common Management Systems (CMS).

The CMS serve to identify not only the risks included in the current model, but also the monitoring activities used to mitigate them. They therefore put the internal rules for action into practice and represent a shared culture in the management of Abengoa’s businesses.

There are currently eleven internal rules, which, in turn, consist of 28 subsections, which define exactly how each of the potential risks included in Abengoa’s risk model should be managed.

The CMS incorporate a host of specific procedures covering any action that could lead to a risk for the company, whether economic or non-economic.

The Common Management Systems are available to all employees electronically, regardless of territory or job category.

For such purpose, they contain, among other things, a raft of authorization forms, which must be completed and filed so as to obtain official approval for any actions that may affect the company’s finances, or acts associated with any other kind of indirect risk (image, investor relations, press releases, information systems, access to applications, etc). All forms that are submitted follow a cascading approval system as they flow through the company’s approval bodies, business groups, corporate departments, with ultimate approval resting with the Chairman’s Office.

Similarly, the CMS contain specific appendices to provide further clarification on how to proceed in specific cases. They tackle an wide range of aspects, ranging from models for analyzing and evaluating investments to rules governing corporate identity.

  • Streamline day-to-day management, applying procedures geared towards financial efficiency, cutting costs and standardizing and ensuring the compatibility of information and management systems.
  • Promote synergies and value creation throughout Abengoa’s different business units.
  • Reinforce corporate identity, with all Abengoa companies adhering to the shared values.
  • Attain growth through strategic development, seeking innovation and new options in the medium and long term.

The Systems extend to the entire organization on three levels:

  • All Business Units and areas of activity.
  • All levels of responsibility.
  • All types of transactions.

Meeting the provisions of the Common Management Systems is compulsory throughout the entire organization and, therefore, such provisions must be known to all the members thereof. Any possible exemptions from the duty to comply with the Systems must be communicated to the party concerned and duly authorized through the corresponding authorization forms.

board directors

The Common Management Systems are submitted to an ongoing process of updating, which allows best practices to be incorporated into each of their fields of action. To enhance awareness, successive updates are immediately notified throughout the company via electronic channels.

The CMS mitigate the risks associated with company business (business risks) throughout all possible levels.

Abengoa has appointed heads for each of the rules that make up the CMS, who ensure at all times that the procedures encompassing all the actions to be carried out in their respective areas are fully implemented, the aim being to hedge against any aspects that could give rise to an economic or non-economic risk for Abengoa. These heads are the people in charge of updating the CMS on a permanent basis and making them available to the entire company.

Furthermore, those responsible for each of the rules that make up the Common Management Systems must verify and certify compliance with said rules. Official certification for each year is issued and presented to the Audit Committee in January of the following year.

Risks Associated with the Reliability of Financial Information

In 2004, Abengoa began the process of adapting its structure of internal control over financial information to the requirements set forth in Section 404 of the SOX Act. This process of alignment was completed in 2007, although it continues to be implemented in new company acquisitions as they occur every year.

The SOX Act was passed in the United States in 2002 in order to ensure transparency in management and the accuracy and reliability of the financial information published by companies listed on the U.S. stock market (SEC registrants). This law makes it mandatory for these companies to submit their internal control system to a formal audit by their financial auditor, which must also issue an independent opinion on the control system in place.

According to the instructions of the Securities and Exchange Commission (SEC), SOX Act compliance is mandatory for companies and groups that are listed on the U.S. stock markets. Even though only one of its Business Units - Information Technologies (Telvent) - is subject to SOX-compliance, Abengoa considers it necessary to comply with these requirements not only in the case of this Nasdaq-listed subsidiary, but for all Group companies, as these requirements complement the risk control model employed by the company.

At Abengoa, we have always viewed this legal requirement as an opportunity for improvement. Far from limiting ourselves to the bare minimum required by law, we have striven to optimize our internal control structures, control procedures and the assessment procedures applied.

The initiative arose in response to the group’s rapid growth over the last few years, coupled with our anticipated future growth. The purpose is to be able to continue ensuring investors that our financial reports are accurate, timely and complete.

With the aim of complying with the requirements under Section 404 of the SOX Act, Abengoa’s internal control structure has been redefined using a “top-down” approach based on risk analysis.

This risk analysis encompasses a preliminary identification of significant risk areas and an assessment of the company’s controls over them, starting with top-level executives - corporate and supervisory controls – and subsequently moving down to the operational controls in place in each process.

Our focus is as follows:


Our work encompasses the following aspects:


In this regard, the company has defined 53 Management Processes, which are pooled together in Corporate Cycles and Cycles Common to Business Groups.


These processes identify and perform a host of control activities (manual, automatic, configurable and inherent) that ensure the integrity of the financial information prepared by the company.

These controls have likewise been set up in the areas of System Changes, Transactions and Security and in Separation of Duties, which complement the Information Security Management System by providing applications with a high level of security.

These processes and their 450-plus associated control activities, which have been tagged as relevant, are subject to both internal and external audits.

Our Internal Control Model

Abengoa believes that an appropriate internal control system must ensure that all relevant financial information is reliable and known to the management. We therefore believe that the model developed in line with the SOX requirements complements and forms part of our Common Management Systems, the main purpose of which is to control and mitigate business risks.


Our chosen conceptual reference framework is the COSO model, because it is most similar to the approach required under SOX. This model has also been presented to the Audit Committee. Under this model, internal control is defined as the process carried out in order to provide a reasonable degree of security in relation to the attainment of objectives, such as compliance with laws and regulations, reliability of financial information and operational effectiveness and efficiency.

Oversight and control of the Risk Management Model

Abengoa’s oversight and control of the risk management model is structured around the Joint Audit Services. These bring together the audit teams of the companies, Business Units and corporate services, which coordinate their actions and are ultimately accountable to the Audit Committee of the Board of Directors.

Objectives of the Internal Auditing Function

Among its strategic objectives, we would highlight the following:

  • Forestalling the audit risks to which group companies, projects and activities are exposed, such as fraud, capital losses, operational inefficiencies and, in general, any risks that may affect the healthy running of the business.
  • Controlling the manner in which the corporate Common Management Systems are applied.
  • Promoting the creation of rules and procedures geared towards efficient management.
  • Creating value for Abengoa by fostering the need to create synergies and monitor optimal management practices.
  • Aligning criteria and working approaches with the external auditors, while seeking the highest level of efficiency and profitability in both functions.
  • Following our decision to adopt the Sarbanes-Oxley Act requirements as described above, the internal audit team must ensure the security and reliability of the financial information by checking the controls in place for such purpose and making sure they work as intended.

In order to fulfill these strategic objectives, the Joint Audit Services have the following specific objectives:

  • Assessing the audit risk of Abengoa companies and projects by following an objective procedure.
  • Defining standard internal auditing and internal control working regulations in order to develop the pertinent work plans, with the scope thereof suited to each situation. This methodology, which is based on assessing audit risk, allows us to determine the work plans we need to perform.
  • Guiding and coordinating the process of planning the audit and internal control work of the companies and Business Groups, defining a suitable procedure for providing notice of such work and communicating with the parties involved, and establishing a coding system for the work, so that it can be appropriately controlled and monitored.
  • Defining the process for communicating the results of each audit work, along with the affected parties and the format of the documents employed for such purpose.
  • Reviewing application of the plans, appropriate performance and supervision of the work, prompt distribution of the results and monitoring of the recommendations and the implementation thereof.
  • Reviewing the proper operation of the manual and automatic controls identified in the processes, together with evidence of control in order to ensure security when obtaining financial information.

Following the doctrine of The Institute of Internal Auditors and its Spanish branch, the Instituto de Auditores Internos, the ultimate aim of this structure is to provide the management of Abengoa and of each of its Business Units with an extra “control” flow of information, running parallel to the normal hierarchical flow, but with permanent horizontal information channels in place between each of the hierarchical levels of the companies and business units and the pertinent Internal Audit services, all applying clear and transparent criteria and safeguarding the confidential information involved.

This structure is illustrated in the following diagram: