Internal Control and Risk Management

In a group the size of Abengoa, with more than 600 companies operating in over 70 countries worldwide and boasting over 24,000 employees, a common business management system is an absolute necessity as it enables us to work effectively and in a coordinated and consistent manner.

The current scene is characterized by dizzying growth in technology, rapid social, economic and political changes and the overriding need to generate value.

To tackle the threats stemming from this situation, while also harnessing business opportunities as they arise, Abengoa believes that risk management is an essential activity and function for adopting strategic decisions, and that the company must have criteria and approaches in place to pave the way for secure and sustainable business growth.

Abengoa’s Risk Management Model comprises two core elements:


Both elements combine to form an integrated system that enables the company to manage risks and controls suitably throughout all levels of the organization.

It is essentially a living system that requires constant updates to keep it in line with the business reality.

a) Business Risk

Abengoa manages its risks through the following model, which aims to pinpoint the potential risks of a business:


The procedures aimed at eliminating business risks are channeled through the so-called Common Management Systems (CMS), which represent a shared culture for Abengoa’s different lines of business. They identify risks, define the necessary hedging transactions and establish control activities. The Common Management Systems are made up of eleven rules, which define exactly how each of the potential risks included in Abengoa’s risk model must be managed.

The Common Management Systems implement the necessary business and risk management processes in Abengoa, encompass all business groups and areas of activity and involve the different levels of responsibility and hierarchy. The CMS incorporate a host of specific procedures covering any action that could lead to a risk for the company, whether economic or non-economic.

Through the Common Management Systems, the company can also:

  • Streamline day-to-day management, applying procedures geared towards financial efficiency, cutting costs and standardizing and ensuring the compatibility of information and management systems.
  • Promote synergies and value creation throughout Abengoa’s different business groups.
  • Reinforce corporate identity, with all Abengoa companies adhering to the shared values.
  • Attain growth through strategic development, seeking innovation and new options in the medium and long term.

b) Risks associated with the reliability of financial information

In 2004, Abengoa began the process of adapting its structure of internal control over financial information to the requirements set forth in Section 404 of the SOX Act. This alignment process was completed in 2007, although it continues to be rolled out to newly acquired companies each year.

The SOX Act was passed in the United States in 2002 in order to ensure transparency in management and the accuracy and reliability of the financial information published by companies listed on the U.S. stock market (SEC registrants). This law makes it mandatory for these companies to submit their internal control system to a formal audit by their financial auditor, which must also issue an independent opinion on the control system in place.

According to the instructions of the Securities and Exchange Commission (SEC), SOX Act compliance is mandatory for companies and groups that are listed on the U.S. stock markets. Even though only one of its Business Units, Information Technologies (Telvent), is subject to SOX compliance, Abengoa considers it necessary to comply with these requirements as a group, as they complement the risk control model employed by the company.

At Abengoa, we have always viewed this legal requirement as an opportunity for improvement. Far from limiting ourselves to the bare minimum required by law, we have striven to optimize our internal control structures, control procedures and the assessment procedures we apply.

The initiative arose in response to the group’s rapid growth over the last few years, coupled with our anticipated future growth. The purpose is to be able to continue assuring investors that our financial reports are accurate, timely and complete.

With the aim of complying with the requirements under Section 404 of the SOX Act, Abengoa’s internal control structure has been redefined using a “top-down” approach based on risk analysis.

This risk analysis encompasses a preliminary identification of significant risk areas and an assessment of the company’s controls over them, starting with top-level executives (corporate and supervisory controls) and subsequently moving down to the operational controls in place in each process.

Our focus is as follows:


Our risk management work encompasses the following aspects:


The company has identified 53 different processes that could potentially have an impact on the generation of financial information within the company. In total, over 400 control activities are tagged as key and undergo continuous oversight by the group’s internal audit team.

Similarly, the company’s internal control system is subject to assessment by the external auditors, who issue an audit opinion under PCAOB (Public Company Accounting Oversight Board) standards, which are applicable to listed companies in the United States (SEC registrants).

Our Internal Control Model

Abengoa believes that an appropriate internal control system must ensure that all relevant financial information is reliable and known to the management. We therefore believe that the model developed in line with SOX requirements complements and forms part of our Common Management Systems, the main purpose of which is to control and mitigate business risks.

Oversight and Control of the Risk Management Model

Abengoa’s oversight and control of the risk management model is structured around the Joint Audit Services. These bring together the audit teams of the companies, business groups and corporate services, which coordinate their actions and are ultimately accountable to the Audit Committee of the Board of Directors.

Our chosen conceptual reference framework is the COSO model, because it is the most similar to the approach required under SOX. Under this model, internal control is defined as the process carried out in order to provide a reasonable degree of assurance regarding the attainment of objectives, such as compliance with laws and regulations, reliability of financial information and operational effectiveness and efficiency.

Internal Control Environment in Information Systems

Abengoa’s information systems are intended to support the company’s own general control environment. Management of Abengoa information systems is based on the various reference frameworks described below.

Common Management Systems: IT Resource Management

The Common Management Systems contain internal regulations regarding IT Resource Management. These rules are intended to fulfill four objectives:

1/ To report on the main characteristics of the corporate information systems

2/ To standardize, through the definition of technological norms, the necessary features of the hardware and software utilized at Abengoa, and to define the operational procedure to be followed in order to obtain them

3/ To standardize and ensure appropriate service levels for Abengoa’s IT systems and communications, and to increase the availability, performance, security and development of the underlying technological infrastructures

4/ To heighten security (understood in terms of confidentiality, integrity and availability) of the technological infrastructures involved, as well as their performance and efficiency

Information Systems

In relation to internal control of the Information Systems, the most relevant aspects are the automatic control activities and the Information System Management process, all of which have been reinforced as a product of SOX implementation.

The automatic control activities are control mechanisms belonging to the numerous applications that make up Abengoa’s Information Systems. They minimize and prevent errors in data entry, approvals, etc. The automatic controls help to ensure the integrity and reliability of our financial information.

The Information System Management process centers on more specific aspects of the information systems. Based on management frameworks and best market practices, such as COBIT and ITIL (Information Technology Infrastructure Library), it meets the control requirements stipulated under SOX regarding program development, program modification, operations within computer environments and system and data access.

The process involves a combination of manual and automatic activities throughout all Systems areas, including project management and control, development, support, incident management, supplier and client management, physical security, logical security and business continuity.

Information Security Management System (ISMS)

With the aim of managing security measures for Abengoa’s communications and corporate information systems, the company has an Information Security Management System (ISMS), which acts as a tool enabling us to fulfill our security-related objectives, with security understood to include:

  • Confidentiality: Only authorized individuals may access the information.
  • Integrity: The information and its processing methods are accurate and complete.
  • Availability: Authorized users have access to information whenever they need it.

This system, which is certified under ISO 27001 criteria, encompasses a policy on security, risk analysis and security controls in the following areas:

  • Administrative (security policy, classification of assets, security in relations with third parties, security aspects relating to human resources).
  • Technical (physical security, security in operations and communications, access control; software development, acquisition and maintenance).
  • Operational (incident management, continuity management).
  • Regulatory (compliance with applicable regulations and law).
  • Continuous cycle of improvement to integrate security into the work-related duties of all employees.

The management reviews the ISMS annually and fresh risk analyses are conducted in tandem to take on board possible changes to the IT environment and new threats to the information systems.

The ISMS continuous improvement cycle makes use of corporate mechanisms of preventive and corrective action, thus entrenching the system even further into the business.

Control applications: Separation of Duties Application (SDA)

In addition to the previously described management framework, Abengoa has a raft of applications in place to support this control environment, noteworthy among which is the Separation of Duties Application (SDA).

This system pursues the following objectives:

  • To ensure that system access is limited to authorized individuals only.
  • To provide a framework for defining any incompatible duties in processes that have an impact on the generation of financial information.
  • To establish a secure framework for granting access to systems, ensuring that there is due separation of duties in the tasks performed by each user.

The system thus ensures that when assigning an individual to a workstation, he or she will not perform duties that are mutually incompatible. In other words, SDA provides an efficient and effective system for managing users and company access.
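The separation-of-duties check described above can be illustrated with a small script. This is an added example, not Abengoa's SDA or any of its data: the duty names, roles, users and the list of incompatible duty pairs are all constructed for the illustration. It shows the two operations such a control needs: auditing existing role assignments for incompatible duties, and gating a new access request so that it is refused when it would introduce a conflict.

```python
"""Separation-of-duties (SoD) conflict check.

Added illustrative example, not Abengoa's SDA. Every duty, role and user
below is constructed (hypothetical) for the example.
"""
from itertools import combinations

# Constructed catalogue of mutually incompatible duties. Each pair models the
# classic rule that one person must not both initiate and approve the same
# kind of transaction, or both grant access and review it.
INCOMPATIBLE_DUTIES = {
    frozenset({"create_vendor", "approve_vendor_payment"}),
    frozenset({"enter_journal", "post_journal"}),
    frozenset({"grant_access", "review_access"}),
}

# Constructed role definitions: role -> duties the role confers.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_vendor_payment"},
    "gl_accountant": {"enter_journal"},
    "gl_supervisor": {"post_journal"},
    "it_admin": {"grant_access"},
    "it_auditor": {"review_access"},
}

# Constructed user population; bob and dave are deliberately in conflict.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"gl_accountant"},
    "dave": {"it_admin", "it_auditor"},
}


def duties_for(roles):
    """Union of the duties conferred by a set of roles."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def conflicts(duties):
    """Sorted list of incompatible duty pairs present in `duties`."""
    found = []
    for a, b in combinations(sorted(duties), 2):
        if frozenset({a, b}) in INCOMPATIBLE_DUTIES:
            found.append((a, b))
    return found


def check_user(user_roles):
    """Conflicts created by a user's current role assignments."""
    return conflicts(duties_for(user_roles))


def can_grant(user_roles, new_role):
    """Gate a role request.

    Returns (allowed, new_conflicts): the request is allowed only when the
    added role introduces no incompatible duty pair beyond those already
    present (pre-existing conflicts are reported by the audit, not here).
    """
    before = set(conflicts(duties_for(user_roles)))
    after = set(conflicts(duties_for(set(user_roles) | {new_role})))
    introduced = sorted(after - before)
    return (not introduced, introduced)


def audit(user_roles_map):
    """Map each user with at least one SoD conflict to that user's conflicts."""
    report = {}
    for user, roles in user_roles_map.items():
        found = check_user(roles)
        if found:
            report[user] = found
    return report


if __name__ == "__main__":
    for user, found in audit(USER_ROLES).items():
        print(f"{user}: incompatible duties {found}")
    print("grant gl_supervisor to carol:", can_grant(USER_ROLES["carol"], "gl_supervisor"))
```

In practice the incompatibility catalogue would be maintained per financial process, and a refused request would be routed for a documented exception with a compensating control rather than silently dropped.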