Abengoa’s information systems are intended to support the company’s own general control environment. Management of Abengoa information systems is based on the various reference frameworks described below.

Common Management Systems: IT Resource Management

The Common Management Systems contain internal regulations regarding IT Resource Management. These rules are intended to fulfill four objectives:

  • To report on the main characteristics of the corporate information systems.
  • To standardize, through the definition of technological norms, the necessary features of the hardware and software utilized at Abengoa, and to define the operational procedure to be followed in order to obtain them.
  • To standardize and ensure appropriate service levels for Abengoa’s IT systems and communications, and to increase the availability, performance, security and development of the underlying technological infrastructures.
  • To heighten security (understood in terms of confidentiality, integrity and availability) of the technological infrastructures involved, as well as their performance and efficiency.

Information Systems

In relation to internal control of the Information Systems, the most relevant aspects are the automatic control activities and the Information System Management process, all of which have been reinforced as a product of SOX implementation.

The automatic control activities are control mechanisms belonging to the numerous applications that make up Abengoa’s Information Systems. They minimize and prevent errors in data entry, approvals, etc. The automatic controls help to ensure the integrity and reliability of our financial information.

The Computer System Management process centers on more specific aspects of the information systems. Based on management frameworks and best market practices, such as COBIT and ITIL (Information Technology Infrastructure Library), it meets the control requirements stipulated under SOX regarding program development, program modification, operations within computer environments, and system and data access.

The process involves a combination of manual and automatic activities throughout all Systems areas, including project management and control, development, support, incident management, supplier and client management, physical security, logical security and business continuity.

Information Security Management System (ISMS)

With the aim of managing security measures for Abengoa’s communications and corporate information systems, the company has an Information Security Management System (ISMS), which acts as a tool enabling us to fulfill our security-related objectives, with security understood to include:

  • Confidentiality: Only authorized individuals may access the information;
  • Integrity: The information and its processing methods are accurate and complete;
  • Availability: Authorized users have access to information whenever they need it.

This system, which is certified under ISO 27001 criteria, encompasses a policy on security, risk analysis, security controls in 11 areas, and a cycle of continuous improvement for integrating security into the work-related duties of all company employees.

The management reviews the ISMS on an annual basis, and risk analysis is repeated in each review, taking any changes to the computer environment into consideration, as well as any new threats to the information systems.

The security controls cover 11 general areas: administrative (policy on security, asset classification, security in relationships with third parties, security aspects involved in human resources), technical (physical security, security in operations and communications, access control, software development, acquisition and maintenance), operational (incident management, continuity management), and regulatory (compliance with legal requirements and provisions).

The ISMS continuous improvement cycle makes full use of corporate tools for preventive and corrective actions, thereby further integrating the system into the business.

Control Applications – “SDA”

In addition to the previously described management framework, Abengoa has a raft of applications in place to support this control environment, noteworthy among which is the Separation of Duties Application (SDA).

This system has the following objectives:

  • To ensure that system access is limited to authorized individuals only.
  • To provide a framework for defining any incompatible duties in processes that have an impact on the generation of financial information.
  • To establish a secure framework for granting access to systems, ensuring that there is due separation of duties in the tasks performed by each user.

The system thus ensures that when assigning an individual to a workstation, he or she will not perform duties that are mutually incompatible. In other words, SDA provides an efficient and effective system for managing users and company access.

Process of implementing the new Enterprise Resource Planning (ERP) - SAP

The company made significant inroads over 2009 in implementing the new ERP (SAP), with notable milestones including:

  • Design and construction of 90% of the corporate processes and specific processes for the Information Technologies, Bioenergy and Solar Business Groups.
  • Design work underway on the concessionaire model.
  • 80% of the budget model designed and constructed.

The foregoing implemented in the following companies:

    • Telvent Portugal, Telvent Energía, Telvent Medio Ambiente.
    • Bioetanol Galicia, Abengoa Bioenergy France, Eco-Carburantes, Abengoa Bioenergy Nebraska (in progress).
    • Abengoa Solar and Solar PV.

The schedule for implementation of the new ERP throughout the group is as follows:
