Amadeus IT Holding, S.A. and Subsidiaries - Investor relations at ...
Amadeus IT Holding, S.A. and Subsidiaries - Investor relations at ...
Amadeus IT Holding, S.A. and Subsidiaries - Investor relations at ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Use of estim<strong>at</strong>es <strong>and</strong> assumptions, as determined by Management, is required in the<br />
prepar<strong>at</strong>ion of the consolid<strong>at</strong>ed annual accounts in accordance with IFRS-EU. The estim<strong>at</strong>es<br />
<strong>and</strong> assumptions made by management affect the carrying amount of assets, liabilities,<br />
income <strong>and</strong> expense. The estim<strong>at</strong>es <strong>and</strong> assumptions are based on the inform<strong>at</strong>ion available<br />
<strong>at</strong> the d<strong>at</strong>e of issuance of the consolid<strong>at</strong>ed annual accounts, past experience <strong>and</strong> other factors<br />
which are believed to be reasonable <strong>at</strong> th<strong>at</strong> time.<br />
3.2. Internal control policies <strong>and</strong> procedures for <strong>IT</strong> systems (including secure access, control<br />
of changes, system oper<strong>at</strong>ion, continuity <strong>and</strong> segreg<strong>at</strong>ion of duties) giving support to<br />
key company processes regarding the prepar<strong>at</strong>ion <strong>and</strong> public<strong>at</strong>ion of financial<br />
inform<strong>at</strong>ion.<br />
Internal Internal Control Control on on <strong>IT</strong> <strong>IT</strong> systems<br />
systems<br />
The Group has implemented an internal control model over <strong>IT</strong> systems th<strong>at</strong> support processes<br />
rel<strong>at</strong>ed to the prepar<strong>at</strong>ion of financial inform<strong>at</strong>ion. This model is based on COSO <strong>and</strong> COB<strong>IT</strong><br />
(ISACA recommend<strong>at</strong>ions) <strong>and</strong> includes the <strong>IT</strong> General Control’s m<strong>at</strong>rix <strong>and</strong> policies <strong>and</strong><br />
procedures rel<strong>at</strong>ing to the security required for <strong>IT</strong> systems.<br />
In order to build the <strong>IT</strong> General Controls (hereinafter <strong>IT</strong>GC) m<strong>at</strong>rix, the Group has defined the<br />
systems to be included in the scope of the model, th<strong>at</strong> contribute to elabor<strong>at</strong>e the<br />
Consolid<strong>at</strong>ed Financial St<strong>at</strong>ements of the Company, <strong>and</strong> ensure the quality <strong>and</strong> reliability of<br />
the inform<strong>at</strong>ion reported to the markets.<br />
The <strong>IT</strong>GC m<strong>at</strong>rix is aligned with control models for other business cycles prepared by<br />
<strong>Amadeus</strong>, <strong>and</strong> structured on the following control areas:<br />
• D<strong>at</strong>a Center <strong>and</strong> Oper<strong>at</strong>ions<br />
• Access Security<br />
• System Change Control<br />
• Disaster recovery plan<br />
These control areas include 25 control activities <strong>and</strong> 98 controls. They are classified as<br />
autom<strong>at</strong>ed or manual, preventive or detective, <strong>and</strong> key or non-key. These control activities are<br />
applied into the different systems in scope, along the main sites as described above.<br />
The <strong>IT</strong>CG M<strong>at</strong>rix includes the next detailed processes into the defined control areas:<br />
D<strong>at</strong>a Center <strong>and</strong> Oper<strong>at</strong>ions<br />
Control policies <strong>and</strong> procedures provide reasonable assurance th<strong>at</strong>:<br />
• Oper<strong>at</strong>ions are initi<strong>at</strong>ed by authorized individuals, scheduled appropri<strong>at</strong>ely,<br />
monitored <strong>and</strong> devi<strong>at</strong>ions are identified <strong>and</strong> solved, <strong>and</strong> th<strong>at</strong> written procedures are<br />
in place to properly restart <strong>and</strong> rerun production jobs.<br />
• Critical d<strong>at</strong>a is consistently backed up <strong>and</strong> stored in a secure loc<strong>at</strong>ion to ensure<br />
th<strong>at</strong> financial d<strong>at</strong>a remains complete, accur<strong>at</strong>e <strong>and</strong> valid.<br />
Access security<br />
Control policies <strong>and</strong> procedures provide reasonable assurance th<strong>at</strong>:<br />
• Facilities are appropri<strong>at</strong>ely managed to protect the integrity of financial inform<strong>at</strong>ion<br />
<strong>and</strong> physical access to computer equipment, storage media, <strong>and</strong> program<br />
document<strong>at</strong>ion is limited to properly authorized individuals.<br />
• The configur<strong>at</strong>ion of programs <strong>and</strong> systems security is appropri<strong>at</strong>ely managed to<br />
safeguard against unauthorized modific<strong>at</strong>ions to programs <strong>and</strong> d<strong>at</strong>a th<strong>at</strong> result in<br />
incomplete, inaccur<strong>at</strong>e, or invalid processing or recording of financial inform<strong>at</strong>ion.<br />
• Systems security is appropri<strong>at</strong>ely administered <strong>and</strong> logged to safeguard against<br />
unauthorized access to or modific<strong>at</strong>ions of programs <strong>and</strong> d<strong>at</strong>a, th<strong>at</strong> result in<br />
incomplete, inaccur<strong>at</strong>e, invalid processing or recording of financial inform<strong>at</strong>ion.<br />
• Segreg<strong>at</strong>ion of Duties (SoD) is reviewed on a periodical basis in order to monitor<br />
the secure access to the financial systems (SAP) <strong>and</strong> asses the control<br />
environment th<strong>at</strong> mitig<strong>at</strong>e the financial inform<strong>at</strong>ion risks.<br />
9