Introduction

The Audit Committee was created by the Board of Directors of Abengoa, S.A. on December 2, 2002 in accordance with art. 44 of the Bylaws with a view to incorporating the provisions of Act 44/2002 on Reform Measures of the Financial System (Ley 44/2002) relating to Audit Committees. Abengoa also has a corporate governance system in place that remains compliant at all times with applicable law and best practices.

According to good governance practices, the Board of Directors must have a number of specialized committees in place so as to ensure that it performs its duties effectively. This structure helps to diversify the workload, while allowing motions and resolutions on certain material issues to be heard first by a specialized and independent body with specific professional expertise, which can therefore filter accordingly and report on its decisions, the aim being to guarantee the required objectivity and ensure that motions are discussed thoroughly before being passed by the Board of Directors.

As an independent body, the Audit Committee is able to oversee the affairs of Abengoa companies, thus ensuring that they conduct their business ethically and responsibly. This duty is undoubtedly its main role at present and will continue to be so in the future.

The Audit Committee is essentially the nucleus of this drive towards responsibility, and leads by example by publishing its Audit Committee Activity Report every year. Its duties, structure and rules of internal functioning are set forth in the Regulations of the Board of Directors and in its own internal regulations. Generally speaking, the committee has been heavily involved since its inception in those areas that fall within its remit, as has been explained in the company’s published annual reports and disclosures on corporate governance.

The 2013 Audit Committee Activity Report details the activities and initiatives of the committee in furtherance of the duties entrusted to it under its different fields of activity: review of economic and financial information subject to regulation, control of material risks, oversight of the management model, monitoring the independence of the financial auditor and appraising the business of the Internal Audit Division.

The Audit Committee Activity Report for the year 2013 has been approved at the meeting held by the Audit Committee on February 18, 2014, and presented to the Board of Directors on February 20, 2014. It will then be made available to the company’s shareholders on occasion of the publication of Abengoa’s annual report and, at the latest, by the time the General Shareholders Meeting is announced.

Internal regulations of the Audit Committee    

The Internal Regulations of the Audit Committee were approved by the Board of Directors on February 24, 2003 and contain the following provisions:

Composition and appointment of members

The Audit Committee will have a permanent and minimum membership of three directors. At least two of these must be non-executive directors, thus maintaining the majority of non-executive members envisaged under the aforementioned Act 44/2002.

Members will be appointed to office for a maximum term of four years, which may be renewed for further four-year maximum terms.

Chairman and Secretary

The Audit Committee shall initially elect one of its non-executive directors as Chairman.

The Secretary to the Board of Directors shall act as Secretary to the Audit Committee.

The powers and duties of the Audit Committee are as follows:

• To report on the annual accounts and half-yearly and quarterly financial statements that must be submitted to regulatory bodies and market watchdogs, with mention made of the internal control systems, the control mechanisms to monitor implementation and compliance through internal audit procedures and, where appropriate, the accounting principles applied.
• To report to the Board of Directors on any changes in accounting principles, balance sheet risk and off-balance sheet risk.
• To report to the General Shareholders Meeting on those matters raised by shareholders that fall within its remit.
• To propose the appointment of the external financial auditors to the Board of Directors, for subsequent referral on to the General Shareholders Meeting.
• To oversee internal audit services. The Committee will enjoy full access to internal auditing and shall report on the process of selection, appointment, reappointment, removal and remuneration of the internal audit director and on the department’s budget.
• To be fully aware of the company’s financial information reporting process and internal control systems.
• To liaise with the external audit firm so as to receive information on any matters that could jeopardize the latter’s independence and any other matters relating to the financial auditing process.
• To summon directors to committee meetings, at its discretion, in order to report on any such matters the Audit Committee deems fit.
• To draw up an annual report on the activities of the Audit Committee, which must be published along with the annual accounts for the fiscal year.

Meetings and announcement

The Audit Committee shall meet as often as required and, in any event, at least once a quarter in order to exercise and discharge its duties, as detailed in the previous section. As a general rule, meetings will be held at the company’s headquarters, although members may decide to hold a particular meeting elsewhere.

The Audit Committee will also meet when a meeting is convened by the Chairman acting on his or her own initiative or at the request of any committee members. Members may also ask the Chairman to include certain items on the agenda for the next meeting. Notice of the meeting must be given in writing, including the agenda, no less than three days prior to the scheduled date. However, business can also be transacted at a meeting of the Audit Committee when all the members are present and agree to hold a meeting.

Quorum

There will be a quorum present at meetings of the Audit Committee when the majority of its members are present. Members may only appoint a non-executive director as their proxy.

Resolutions will be carried by the majority vote of Committee members in attendance. In the event of a tie, the Chairman will have the casting vote.

Composition, appointments and member profiles

The Audit Committee is formed by non-executive directors and its current composition, together with the date on which each member was appointed, is as follows:

On November 19, 2013, and due to the intensification of their other professional duties, Professor José B. Terceiro Lomba resigned as chairman and member of the Audit Committee, assuming the chairmanship of Professor José Borrell Fontelles. The Audit Committee wishes to express its appreciation for the work done during the past ten years.

Prof. Mercedes Gracia Díez

Professor of Econometrics at the Universidad Complutense de Madrid and the Centro Universitario de Estudios Financieros. She has published many scientific publications in the Journal of Business and Economic Statistics, Review of Labor Economics and Industrial Relations, Applied Economics and Journal of Systems and Information Technology. She was manager of the Balance-Sheet Management Department at Caja Madrid from 1996 to 1999 and responsible for the economics and law division of the National Evaluation and Foresight Agency (Agencia Nacional de Evaluación y Prospectiva) from 1993-1996.

D. José Joaquín Abaurre Llorente

Audiovisual technician.

Alicia Velarde Valiente

Earned her honors degree in law from the San Pablo Center for University Studies attached to Universidad Complutense. She has been a member of the Spanish notary association since April of 1991. Since then, Alicia has worked at various notary’s office and has been at her current post in Oropesa (Toledo) since 2001. During the 1994-1995 academic year, she started to give classes in civil law at Universidad Francisco de Vitoria and continued to do so until 1999. She maintains close ties with the university today, and has been a lecturer in canon law under the doctorate program since 1999.

Ricardo Martinez Rico

Commercial Expert and State Economist. Degree in Business Administration from the University of Zaragoza, with honors. Has extended studies at the London School of Economics, Kennedy School of Harvard University and Wharton Business School. Founding partner and CEO of the Economic Team since 2008. Besides, member of the European Advisory Board created by President of American Employers (U.S. Chamber of Commerce of the United States) in Washington. In 2005-2006, he directed the Economic and Commercial Office of Spain in Washington and previously, in 2003, was appointed Secretary of State for Budget and Expenditure.

Miguel Ángel Jiménez-Velasco Mazarío

Miguel Angel holds a degree in law from the Universidad Autónoma de Barcelona (1989) and earned his master in company management and finance from the International Company Institute of Deusto University (Instituto Internacional de Empresas de la Universidad de Deusto) (1990-1991). He has been the legal manager of Abengoa since 1996 and was appointed Secretary and Advisory Lawyer to the Board of Directors in 2003.

Prof. José Borrell Fontelles

Professor at the Chair of foundations of Economic Analysis, Madrid Complutense University. Graduated from the Higher Technical School of Aeronautic Engineering, Madrid Polytechnic University ,PhD in Economic Sciences, Madrid Complutense University, Master in Operations Research at the Stanford University, Master in Energy Economics at the Paris French Petroleum Institute. He worked as an engineer at the Spanish Petroleum Company (1972-1981).From 1982 until 1996 he was appointed Budget General Secretary, Secretary of State for Finance, Minister for Public Works, Transport, Telecommunications and Environment. During the first half of the 2004-2009 legislature he was elected President of the European Parliament and in the second half Chairman of the Development Committee.

Activities performed during 2013

Meetings of the Audit Committee

The Audit Committee met on five occasions over the course of 2013, with all members in attendance at each meeting. These meetings, and the main issues discussed at them, are described below:

Madrid, February 20, 2013

• Economic information referred FY2012
• Presentation of the external auditor on the findings and conclusions of 2012 financial statements audit
• Overall assessment of internal control (SOX) made by the company
• Compliance of the internal audit plan during 2012
• Introductions of the internal audit plan for 2013
• Summary of external audit and consulting fees during 2012
• Information regarding the whistleblower channel

Madrid, April 30, 2013

• Economic information referred Q1 2013
• Compliance of the internal audit plan during Q1 2013
• Summary of external audit and consulting fees during Q1 2013
• Information regarding the whistleblower channel

Madrid, August 27, 2013

• Economic information referred S1 2013
• Presentation of the external auditor on the findings and conclusions of S1 2013 review of interim financial information
• Compliance of the internal audit plan during S1 2013
• Summary of external audit and consulting fees during S1 2013
• Information regarding the whistleblower channel

Madrid, November 7, 2013

• Economic information referred Q3 2013
• Presentation of the external auditor on the findings and conclusions of Q3 2013 review of interim financial information
• Compliance of the internal audit plan during Q3 2013
• Summary of external audit and consulting fees during Q3 2013
• Information regarding the whistleblower channel

 

 

*) During the year 2013, Professor D. José B. Terceiro Lomba, exercising his charge as Executive, has assisted to the Committee meetings celebrated.
Meeting its primary function of providing support to the Board of Directors, the main activities discussed and analyzed by the Audit Committee can be grouped into the following different areas of competency:

a) Internal audit

The Audit Committee’s functions include “supervision of the internal audit service” and “awareness and knowledge of the financial reporting process, internal control systems and the risks for the company”.

In order to oversee the sufficiency, suitability and efficient working of the internal control and risk management systems, the committee received regular information in 2013 from the head of internal audit in relation to:

• The annual internal audit plan and the degree to which it had been met: progress and conclusions on the internal audit work performed, which essentially comprises the tasks of auditing financial statements, internal control SOX audits, common management systems audits, reviews of critical projects and construction work, and reviews of special areas, among others.
• The degree of implementation of issued recommendations.
• A description of the main areas reviewed and the most significant conclusions, which include audited and sufficiently mitigated risks.
• Other more detailed explanations requested by the Audit Committee.

During 2013, the Audit Committee recorded and supervised the performance of 533tasks by the internal audit department. The tasks not included under the Plan related principally to general reviews of companies and projects that had not been envisaged in the initial planning.

As a result of the work performed, 388 recommendations were issued, most of which had been implemented by year end.

One factor that had a decisive impact on the number of recommendations issued was the performance of internal control compliance audits under PCAOB (Public Company Accounting Oversight Board) standards, in accordance with the requirements of section 404 of the Sarbanes-Oxley Act (SOX).

The following graph shows the different types of internal audit work conducted over the course of 2013:

Internal audit function at Abengoa

Internal audit function originated as an independent global function, reporting to the Audit Committee of the Board of Directors, with the principal objective of supervising Abengoa’s internal control and material risk management systems.

Structure and team

Abengoa’s internal audit function is structured around five functional areas:

• Internal control audit (SOX)
• Financial audit
• Projects audit
• Concessions audit
• Preventive fraud audit

Additionally, each business group count with a responsible person in the audit department in order to participate in a coordinated way with the strategy definition, planning, and communication of recommendations. To discharge its functions and carry on its activities. The service has a structure based on multidisciplinary teams, formally organized by geographical area, which work under a common annual work plan and share out the workload on the basis of their respective areas of expertise, all in accordance with best international practices.

Internal audit team is formed by 46 auditors, distributed among the different business groups.

• The average age of Abengoa’s internal audit team is currently around 31.
• The gender distribution was 60% (men) and 40% (women) respectively.
• Average length of professional experience is seven years.
• Approximately 70 % of the auditors have prior experience in one of the “Big Four” external audit firms.

The profile of Abengoa’s internal auditors reflects the company’s commitment to employing personnel fully qualified to carry out the audit functions. Abengoa’s internal auditors seek at all times to provide excellent service when performing their work and become heavily involved in the business projects they are carrying out, with the overriding objective of creating value for the organization.

General objectives of the internal audit function are the following:

• Forestalling the audit risks to which group companies, projects and activities are exposed, such as fraud, capital losses, operational inefficiencies and, in general, any risks that may affect the healthy running of the business.
• Maintaining the supporting role of rules and suitable and efficient management procedures in accordance with the corporate common management systems.
• Creating value for Abengoa and its business groups, fostering the creation of synergies and monitoring optimal management practices.
• Coordinating working criteria and approaches with the external auditors, seeking the greatest efficiency and profitability between the two functions.
• Analyzing and processing complaints received and notifying the conclusions of the work to the Audit Committee.
• Evaluating the companies’ audit risk through an objective procedure.
• Developing annual work plans with the suitable scopes for each situation.

b) External audit

The auditor of the consolidated and non-consolidated annual accounts of Abengoa, S.A. is Deloitte, S.L. which is also the group’s main auditor.

During 2012, the Board of Directors and the General Meeting of shareholders approved the permanent appointment of Deloitte as auditor of the financial statements of Abengoa and the consolidated financial statements of Abengoa and its subsidiaries for the year ended December 31, 2012 and the two following years. This appointment was also endorsed by the audit committees, boards of directors and general meetings or assemblies shareholders of the relevant group companies.

In addition, other firms collaborate in performing the audit, especially in small companies both in Spain and abroad, although the scope of their work is not significant for the group overall.

The Audit Committee’s functions include ensuring the independence of the external auditor, proposing the appointment or renewal thereof to the Board of Directors and approving its fees.

SOX (Sarbanes-Oxley Act) internal control audit work has been assigned to these same audit firms following the same criteria. This is because, according to PCAOB (Public Accounting Oversight Board) rules, the firm that issues the opinion on the financial statements must also be the firm that evaluates internal control processes over the preparation of the these same statements, given that this internal control is a key factor in “integrated audits”.

Abengoa follows a policy of having an external annual audit performed on all group companies, even if they are not obliged to do so because they do not meet the legal requirements.

A total of21 new companies have been audited this year round, more than 85% of which are being audited by one of the four main international audit firms or “Big Four”. The following table provides a breakdown of the global fees agreed upon with the external auditors for the 2013 audit, including reviews of periodic reporting and the SOX audit.

When assigning non-audit work to any of the “Big Four” audit firms, the company has a prior verification procedure in place so as to detect any possible incompatibilities that would prevent the firm from performing the work under the rules of the U.S. SEC (Securities Exchange Commission) or Spanish ICAC (Instituto de Contabilidad y Auditoría de Cuentas).

Additionally, Abengoa’s condition like entity registered in NASDAQ forces us to carry out with the procedures established by the regulators of the mentioned market and concretely with the Law Sarbanes Oxley Act, developed later by the Security and Exchange Commission (SEC). In this respect, the Audit committee must pass in advance to his provision, all the services contracted with the auditor.

During 2013 there have pre-be approved by the Committee the following services given by the external auditor:

• Audit services (audit reports, limited reviews, comfort letters, etc.)
• Services related to the audit (Due Diligence, report RSC, etc.)
• Fiscal Services
• Others (courses, seminars, etc.)

The following table reveals the fees payable to the Big Four audit firms for non-audit work performed in 2013:

The following table reveals the fees payable to the Big Four audit firms for non-audit work performed in 2013:

 

Like in past years, during 2013 a survey was conducted on the satisfaction with the service received from the main auditor during the 2012 audit. A series of conclusions have been drawn from this survey and will help to improve the work carried out jointly with the external auditor.

The Audit Committee is, furthermore, responsible for supervising the results of the work of the external auditors. Therefore, it is promptly informed of their conclusions and of any incidents noted in their audits.

When required to do so, the external auditor has attended Audit Committee meetings to report on its areas of competency, which are essentially the following:

• Reviewing the financial statements of the consolidated group and its component companies and issuing an audit opinion thereon.

Although the auditors must issue their opinion on the financial statements as of December 31 each year, the work they conduct within each of the companies includes a review up to an earlier date, which is typically the end of the third quarter (September), in order to anticipate any significant transactions or other matters that have arisen up to said date.

Since 2008, Abengoa has been voluntarily submitting its half-yearly statements to a limited review issued by the corresponding auditor. The quarterly financial statements also undergo a review process so that the information required by official bodies can be duly disclosed. Likewise, the consolidated financial statements of each the five business groups are audited: Abeinsa, Abengoa Bioenergy, Abengoa Water and Abengoa Solar.

• Evaluation of the internal control system and issuance of an audit opinion under PCAOB (Public Company Accounting Oversight Board) standards, (SOX -Sarbanes-Oxley Act- compliance).

The specific PCAOB rules require a number of additional audit procedures to be conducted. The Security Exchange Commission (SEC) delegates to the PCAOB the preparation and issuance of the standards to be met by external auditors when evaluating internal control processes as part of an integrated audit.

In 2013, the external auditors carried out an integrated audit under PCAOB standards. As a result of this work, the external auditors likewise issued a report containing the conclusions of their internal control assessment. This opinion is additional to the one included in the audit report on the annual financial statements, although the PCAOB allows both opinions to be included in the same document.

 

• Matters of special interest.

For certain matters or specific or significant transactions, the external auditor is required to provide its opinion on the criteria adopted by the company so as to reach a consensus.

• Independent verification reports prepared by external auditors.

One of the cornerstones of the company’s strategy is its commitment to transparency and rigor. To reinforce this commitment, some years ago the company fixed the objective that all information appearing in the Annual Report should be verified externally.

Therefore, 2007 witnessed the first audit on the company’s Corporate Social Responsibility Report. In 2008, this was extended to the Greenhouse Gas Emissions Report and in 2009, the Corporate Governance Report underwent an external audit process.

The company is not satisfied with a limited assurance verification report pursuant to ISAE 3000 standards, but intends to continue progressing towards a reasonable assurance verification report, which is the most demanding type of verification to which a company can aspire.

Thus, external auditors issued five reports in 2013, all forming an integral part of the annual report:

• Audit report on the consolidated accounts of the group, in accordance with applicable law.
• Voluntary audit report on internal control compliance under PCAOB (Public Company Accounting Oversight Board) standards, pursuant to the requirements imposed by section 404 of the Sarbanes-Oxley Act (SOX).
• Voluntary reasonable assurance audit report on the Corporate Governance Report, with Abengoa being the first listed company in Spain to obtain a report of this nature.
• Voluntary reasonable assurance audit report on the Corporate Social Responsibility Report.
• Voluntary audit report on the design and application of the Risk Management System pursuant to ISO 31000 standards.

c) Internal control

The Audit Committee’s main objectives concerning internal control over the preparation of financial reporting are:

• Determining the risks of a possible material error in the financial reporting caused by fraud or possible fraud risk factors.
• Analyzing the procedures for assessing the efficiency of internal control in relation to financial reporting.
• Capacity of internal controls over the processes that affect Abengoa and its business groups.
• Identifying material internal control deficiencies and weaknesses in relation to financial reporting and response capacity.
• Supervising and coordinating any significant changes made to the internal controls related to the quarterly financial reporting.
• Performing the quarterly processes of closing the financial statements and differences identified in relation to the processes performed at year end.
• Rolling out plans and monitoring the actions implemented to correct the differences identified in the audits.
• Measures to identify and correct possible internal control weaknesses in relation to the financial reporting.
• Analyzing procedures, activities and controls that seek to guarantee the reliability of financial reporting and prevent fraud.

Internal Control Model

In February 2010, the Spanish National Stock Market Commission (CNMV) published a document titled “Internal Control over Financial Reporting in Listed Companies” (ICFR), which contains two new legal obligations that listed companies must meet from 2011 onwards:

• Audit Committees will be responsible for supervising financial reporting and the efficiency of the company’s internal control and risk management systems.
• Companies will have to report to the markets on their systems of internal control over financial reporting through the Annual Corporate Governance Report.

CNMV document is based on COSO and incorporates 30 recommended practices divided into five components areas:

• Internal control environment
• Financial reporting risk assessment
• Control activities
• Information and communication, and
• Supervision of system operation

Since 2007, Abengoa has been voluntarily submitting its internal control systems to external evaluation, with the issuance of an audit opinion under PCAOB standards and a compliance audit under section 404 of the Sarbanes-Oxley Act (SOX).

This means that Abengoa has been complying strictly with the reference indicators included in the Spanish CNMV’s ISFR document for four straight years now.

Abengoa believes that a proper internal control system would ensure that all relevant financial information is reliable and known to the management. It therefore believes that the model developed and tailored to SOX provides the ideal partner for the common management systems, the main aim of which is to control and mitigate business risks.

The COSO model has been used as the conceptual framework, since this model most closely mirrors the approach required by SOX, which has also been presented to the Audit Committee. In this model, internal control is defined as the process carried out in order to provide reasonable assurance of the attainment of certain objectives, such as compliance with laws and regulations, the reliability of financial reporting and the effectiveness and efficiency of operations.

 

 

• Internal environment: this is essentially the basis for all the other components of risk management as it provides discipline and structure. The internal environment influences the strategy and targets in place by effectively structuring business activities and pinpointing, assessing and interpreting risks. Put differently, the internal environment affects the functioning of the control activities, information, communication systems and the oversight functions.
• Definition of objectives: Within the context of mission and vision, the management defines strategic objectives. These objectives must be in place before the management is able to identify the events potentially capable of frustrating attainment thereof. Risk management enables the management to have a process whereby objectives can be harmonized with the company’s mission and vision, and to ensure that these are compatible with the degree of accepted risk.
• Identification of events: The company must be vigilant of events that could have a positive or negative bearing on the company. Negative impacts require assessment and an appropriate response from the management. When identifying possible events, the management must pay due heed to both internal and external factors.
• Risk assessment: Risk assessment allows the company to address potential events that could affect its ability to reach its objectives. The approach to assessing risks involves a combination of qualitative and quantitative techniques.
• Risk response: When faced with significant risks, the management must generate potential responses. After having created a risk response, the management must calibrate the new risk to the residual basis. There will always be a residual risk, not only because resources are limited, but also because of future uncertainties and limitations inherent in other activities.
• Control activities: These are the policies and procedures that help to ensure that the company’s response to risk is correctly implemented. Control activities take place throughout all levels and functions of the company structure.
• Information and communication: Information, both internal and external, must be identified, secured and communicated in due time and form if we are to be able to assess risks and provide an appropriate response. Given that information is generated from different sources (internal, external) and has different characteristics (quantitative, qualitative), the company must be sure to secure the most relevant information, which must be processed and conveyed such that it reaches all relevant sectors, thereby allowing us to assume responsibilities.
• Oversight: Risk management must be supervised, and this oversight may be conducted in real time or a posteriori, the former proving the most effective means.

d) Governance and Compliance

To carry out its responsibilities, the Audit Committee has the following supervision tools at different levels of the organization:

Company management implemented a code of professional conduct, the guiding philosophy of which is honesty, integrity and good judgment on the part of employees, managers and directors, as reflected in Abengoa’s Annual Corporate Governance Report, which provides details of the company’s governing structure, risk control systems, the degree to which recommendations on governance are followed and the reporting instruments; and in which the management’s commitment to maintaining an appropriate internal control and risk management system, good corporate governance and ethical conduct on the part of the organization and its employees can be seen.

This code of conduct is available to all employees through the Abengoa intranet and is regularly updated. Besides, welcome manual of Abengoa and the different business groups make express reference to the code of professional conduct.

All departments, mainly human resources and internal audit, strive to ensure compliance with the code and notify management of any irregular conduct they may detect so that the appropriate measures can be adopted.

Whistleblowing channel

The system of Abengoa’s internal control is provided with diverse mechanisms and procedures that allow to mitigate the risk of fraud.

In this way, following the guidelines set out in section 301 of the Sarbanes-Oxley Act (“The Act”), the audit committee of the board of directors of Abengoa S.A. (“the company”) has agreed to establish procedures to:

• The receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or auditing matters;
• The submission by employees of the company, on a confidential and anonymous basis, of good faith concerns regarding questionable accounting or auditing matters.

Therefore, Abengoa has two whistleblowing channels:

• An internal channel, which is available to all employees, so that they can report any alleged accounting or audit irregularity or breaches of the code of conduct. Issues are reported by e-mail or post.
• An external cannel, available to anyone outside the company, so that they can report any alleged irregularities, fraudulent actions or breaches of Abengoa’s code of conduct through the company’s website (www.abengoa.com).

Whistleblowing policy guarantees no reprisals for whistleblowers, who may submit complaints on a confidential basis. However, both the channel internal and external complaints may be sent on the basis of confidentiality for the complainant or anonymously.

This politic apply to any employee of the Group, consultants, or suppliers with direct relation and commercial interest or legitimate professional. The types of denunciations that can be brought are:

• Actions related to suppliers. Breach of the procedures of market related to the selection of suppliers.
• Undue appropriation and detour of resources. Fraudulent empowerment of goods property of the company for own use or with intention of enriching itself.
• Countable aspects. Record of commercial and financial transactions on a  contradict form to the countable generally accepted practices.
• Falsification of documents. To modify contracts, reports or documents for own benefit or with the aim to cause detriment to Abengoa.
• Utilization of privileged information. Breaking or infraction of the legal procedure, relative to the stock markets. Utilization not authorized of the information of the company, of his clients or suppliers.
• Others.

The aim of Abengoa in creating these channels has been to provide a specific means of communicating with management and the governing bodies, which may be used as a tool to inform them of any possible irregularity, non-compliance, unethical or illegal conduct or breach of the rules that govern the group.

For each complaint received, a specific work is performed by the internal audit team. Within the internal audit department, Abengoa has a specific unit dedicated to the investigation of complaints received through the various channels and the implementation of preventive nature works on fraud. Besides, in cases that involve highly technical matters, the company secures the assistance of independent experts, thus ensuring at all times that it has the sufficient means of conducting a thorough investigation and guaranteeing sufficient levels of objectivity when performing the work.

Foreign Corrupt Practices Act (FCPA)

The honesty, integrity and sound judgment of employees, executives and directors is essential to the company’s reputation and success.

In pursuit of these principles, Abengoa adhered to the United Nations Global Compact in 2002. It upholds each of the ten principles enshrined in the initiative and works to integrate them fully into the strategy and policies governing the day-to-day running of the company. In relation to principle nº 10: “Businesses should work against corruption in all its forms, including extortion and bribery”, Abengoa has various procedures in place to prevent any kind of corruption within the company.

In the fight against extortion, fraud and bribery, Abengoa upholds the provisions of the US Foreign Corrupt Practices Act (FCPA).

In particular, the FCPA criminalizes acts by companies and their executives, directors, employees and representatives to pay, promise, offer or authorize payment of anything of value to any foreign civil servant, foreign political party, heads of foreign political parties with the aim of achieving or maintaining business operations, or of obtaining any kind of improper gain. In conformity with FCPA, the payments realized to foreign civil servants indirectly generate legal responsibility as the payments realized in direct form. The Company or his civil servants or employees will be able to be considered to be responsible for the payments realized by commercial partners, as for example representatives of sales, advisers, agents, contractors, subcontractors, or others, in those cases in which the Company should realize a payment or should transfer another value to a commercial partner wittingly, or when motives for thinking should exist, of that it will be in use, in total or partial form, for realizing an undue payment to a foreign civil servant (this disposition is applied even in the cases in which the commercial partner is not subject to the FCPA). Also responsibility can exist in case the Company has knowledge of facts that suggest a “high probability” of which the commercial partner will deliver the totality or part of the value received to a foreign civil servant with a corrupt intention. In consequence, Abengoa will have to manage with precaution in his relations with commercial partners and have certain guarantee of which these will fulfill with all the laws anticorruption applicable.

The FCPA complements the requirements imposed by section 404 of the US Sarbanes Oxley Act (SOX). It applies all the actions realized by the commercial partners addressed to Abengoa and all his civil servants, the directors and employees of complete and partial time. This politics will be applied likewise to all the subsidiaries controlled by Abengoa. All the commercial partners who represent Abengoa (including advisers, agents, representatives of sales, distributors and independent contractors) and who interact with foreign civil servants in Abengoa’s name will have to expire with all the pertinent parts of this politics.

 

Oversight and control of the risk management model

During 2013, Abengoa continued to grow, carrying on activities in more than 70 countries. To deal with this growth in a safe and controlled manner, Abengoa has a common business management system that allows it to work on an efficient, coordinated and consistent basis.

In forthcoming years, and principally with the consideration of being a company registered in NASDAQ, we will be faced with an environment characterized by greater regulatory requirements. In order to deal with this scenario, Abengoa considers risk management an indispensable activity and function for strategic decision making.

Abengoa is aware of the importance of managing its risks in order to carry out appropriate strategic planning and attain the defined business objectives. To do this, it applies a philosophy formed by a set of shared beliefs and attitudes, which define how risk is considered, starting with the development and implementation of the strategy and ending with the day-to-day activities.

 

 

Abengoa’s risk management system is shown in the following diagram:

 

Abengoa defines risk as any potential event that may prevent the company from reaching its business objectives. Abengoa considers that a risk arises as a loss of opportunities and/or strengths or the materialization of a threat and/or strengthening of a weakness.

Abengoa’s attitude in the face of risk is awareness, involvement and anticipation. The key principles of risk management at Abengoa are the following:

• In order to attain the business objectives fixed, risks must be managed at all levels of the company without exception.
• The Board of Directors will be responsible for supervising the efficiency of the entity’s internal control and risk management systems.
• Decisions are always taken on the basis of a consensus, with shared responsibility.
• Abengoa’s risk management system is fully integrated into:
  • The strategic planning process.
  • The definition of business objectives.
  • Day-to-day operations to attain said objectives.
• Risk management includes the identification and assessment of, response to, monitoring or follow-up of and reporting of risks in accordance with the procedures in place for these purposes.
• Responses to risks must be consist and must be well adapted to the conditions of the business and the economic environment.
• Management must regularly evaluate the assessment of its risks and the responses that have been designed.
• Monitoring will be conducted regularly and the conformity of the activities of identification, assessment, response, monitoring and reporting included in Abengoa’s Risk Management System will be reported.

The risk management process at Abengoa is a continuous cycle based on five key phases, as shown in the previous diagram:

• Identify
• Evaluate
• Respond
• Monitor
• Resport

In each phase, regular and consistent communication is necessary in order to achieve good results. Since it is a continuous cycle, permanent feedback is necessary in order to achieve a constant improvement in the risk management system. These processes are addressed to all the company’s risks.

Abengoa manages its risks using the following model, described in the company’s risk management manual, which is intended to identify the potential risks of a business:

Risk treatment and response criteria are contained within the common management systems and must be observed by all employees.

The responses designed and included within the different elements that make up the Abengoa’s risk management system pursue one of the following risk management scenarios:

• Elimination: the risk is completely eliminated.
• Reduction and control: the aim here is to reduce the risk as much as possible by using strategic or safety measures (diversification of supply, quality systems, maintenance, prevention, etc.).
• Transfer to a third party: the risk is transferred to a third party, so that Abengoa holds no responsibility for the risk, whether through an insurance company or another third party (supplier, subcontractor).
• Financial retention: if it has not been possible to otherwise control the risk, it is eventually accepted.

Abengoa’s risk management model comprises three core elements:

Those elements combine to form an integrated system that enables the company to manage risks and controls suitably throughout all levels of the organization.

a) Common management systems

The functional heads of each division must verify and certify compliance with these procedures. This annual certification is issued by the Audit Committee in January of the following year.

Objectives

• To identify possible risks which, although they are inherent to any business, must be identified, mitigated and monitored.
• To optimize the day-to-day management by applying procedures leading to financial efficiency, expense reduction and the homogenization and compatibility of information and management systems.
• To promote synergies and value creation throughout Abengoa’s different business groups.
• To reinforce corporate identity.
• To achieve growth through strategic development that seeks innovation and new options in the medium- and long-term.

The systems cover the whole organization at three levels:

• All the business groups and areas of activity.
• All levels of responsibility.
• All kinds of operations.

Common management systems represent a common culture for Abengoa’s different businesses and are composed of eleven rules defining how each of the potential risks included in Abengoa’s risk model should be managed. Through these systems, the risks and the appropriate way of hedging against them are identified and the control mechanisms defined.

Over recent years, the common management systems have evolved to adapt to the new situations and environments in which Abengoa operates, with the overriding aim of reinforcing risk identification, covering risks and establishing control activities. The summary of annual updates is shown in the graph below:

Besides, the summary of updates split by category of rule is the following:

 

b) Compulsory procedures (SOX)

The compulsory procedures are used to mitigate risks relating to the reliability of the financial information, employing a combined system of procedures and control activities in key areas of the company, which are intended to ensure the reliability of the financial information and prevent fraud.

As a result of our commitment to transparency, and so as to continue to ensure the reliability of the financial information prepared by the company, we have continued to reinforce our internal control structure, adapting it to the requirements established under section 404 of the United States Sarbanes-Oxley Act (SOX). For a further year, we have voluntarily submitted the internal control system of the whole group to an independent evaluation process conducted by external auditors under PCAOB (Public Company Accounting Oversight Board) audit standards.

SOX is a compulsory law for all listed companies operating in the United States and is intended to ensure the reliability of the financial reporting of these companies and protect the interests of their shareholders and investors by establishing an appropriate internal control system. Thus, although none of the business groups is required to meet SOX requirements, Abengoa deems it necessary to comply with these requirements throughout all of its component companies, since these requirements complement the risk control model used by the company.

The company has implemented an appropriate internal control system that relies on three tools:

• A description of the company’s relevant processes that could impact the financial information to be prepared. In this regard, 55 management processes have been defined and grouped into corporate cycles and common cycles used throughout all the business groups.
• A series of flow charts that provide a visual description of the processes.
• An inventory of the control activities in each process to ensure attainment of the control objectives.

Our work comprises the following aspects:

At Abengoa, we have viewed this legal requirement as an opportunity for improvement and, far from being satisfied with the rules included in the Act, we have tried to develop and improve our own internal control structures, control procedures and the evaluation procedures in place.

This initiative arose in response to the swift expansion experienced by the group in recent years and projected future growth, the aim for us to continue preparing accurate, timely and complete financial reports for our investors.

In order to meet the requirements of section 404 of the SOX, Abengoa’s internal control structure has been redefined following a “Top-Down” approach based on risk analysis.

This risk analysis encompasses a preliminary identification of significant risk areas and an assessment of the company’s controls over them, starting with top-level executives - corporate and supervisory controls – then dropping to the operational controls present in each process.

Our approach is as follows:

• A top-down approach to risk assessment, helping us to identify the areas of greater risk.
• Integrating financial statement audits and internal control reviews, paying special attention to the company’s general control environment.
• A focus that combines section 404 of the SOX with existing internal audit work.
• A working plan that identifies the most relevant business areas and the most significant accounts in a way that ensures satisfactory coverage of the associated risks involved.
• Internal auditing teams made up of professionals with experience and expertise in the sector.
• Use of experienced experts to support the internal auditing teams as and when needed.

c) The universal risk model

it’s the universal risk model is the company’s chosen methodology for quantifying the risks that compose the risk management system.

Abengoa’s universal risk model is made up of 20 categories and a total of 56 principal risks for the business. Each categories are agrupated in four big areas (financial risks, strategic risks, compliance risks and operations risks).

After applying both probability and impact indicators to all the risks that make up Abengoa’s universal risk model, risks are grouped accordingly into four types, each with its own pre-determined risk management strategy:

• Minor risk: risks that occur frequently but have little economic impact. These are managed accordingly to reduce the likelihood of them arising, but only if managing them proves economically viable.
• Tolerable risk: risks that occur infrequently and have little economic impact. These risks and monitored to ensure that they remain at tolerable levels.
• Severe risk: frequent risk with a heavy impact. These risks are managed immediately, although due to the risk management processes implemented by Abengoa, it is unlikely that Abengoa will have to tackle this type of risk.
• Critical risk: risks that occur infrequently but have a very high economic impact. These risks have their own contingency plan, given the severity of their impact should they arise.

Furthermore, the model is checked of periodic form. These updates are a joint responsibility of the department of internal audit, the management of risks and the people in charge of every indicator in every area. During the exercise 2013, two reviews of the model have been realized: recounted to the calculations realized to the closing of the exercise 2012; and other one referred to the closing of the information of June, 2013.

The model operates across the IT platform Archer eGRC, that provides a general vision of the risks situation of an organizational concrete structure, facilitating the analysis and the comprehension of the calculation. It has been working in the automation of the information, by using the connection with other corporate applications. Likewise, Archer eGRC has turned into an application of report of information so that of a glimpse it could understand the form of calculation of the risks.

 

 

Outlook for 2014

One of Abengoa’s big landmark during 2013 has been becoming a SEC registrant entity and a listed entity at NASDAQ. This event supposes a challenge and responsibility as for internal control, transparency and management of risks.

Though Abengoa already was coming expiring with the requirements of the American regulation since 2007 in a voluntary form, from now onwards, we will be forced to publish financial information in the United States, to observe with major rigor the American regulation and to adopt our information systems and internal control for the requirements established by the SEC and the PCAOB.

Regarding those obligations, the main topics in connection with the activity of the Committee during 2014 will be the reinforcement of the model of management that has allowed us to reach these levels of business and management of risks:

• Reinforcement and adjustment of the common systems of management.
• Update and implementation of the compulsory procedures.
• Update the universal model of risks

During 2013 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has updated its Integrated Framework of Internal Control (COSO I), in whose principles and components is based the environment of internal control implemented at Abengoa. The aim of this update has been the adjustment to the changes produced in the context of the business and the operations from its previous publication carried out in 1992. Moreover, it has allowed a transitional period up to his definitive entry into force on December 15, 2014, date in the one that it will replace to the previous version.

In this context, during 2014, we will carry out an analysis to identify the modifications needed by this new approach on the system of Abengoa’s internal control and to implement the necessary improvements to carry out with the components and principles of the COSO.

On the other hand, 2014 will be the year when the Forensic area will consolidate inside the function of internal audit. In this respect, we have initiated the path of follow-up of the best practices of the international area and the observation of the recommendations of the SEC and other expert organisms.

According to the latest global corruption barometer published by Transparency International, the exposure to possible misconduct is higher in several countries, as shown in the picture below. This study reflects the existence of countries and geographies where these behaviors are most frequent. This information, along with other internal indicators is used for work planning area of fraud prevention.

 

 

To summarise, 2014 appears with new and major challenges, which the Committee assumes with the firm conviction that its activity and dedication will contribute to a major guarantee to the shareholders of Abeng