Amadeus IT Holding, S.A. and Subsidiaries - Investor relations at ...

More documents

Recommendations

Info

Use of estimates and assumptions, as determined by Management, is required in the preparation of the consolidated annual accounts in accordance with IFRS-EU. The estimates and assumptions made by management affect the carrying amount of assets, liabilities, income and expense. The estimates and assumptions are based on the information available at the date of issuance of the consolidated annual accounts, past experience and other factors which are believed to be reasonable at that time. 3.2. Internal control policies and procedures for IT systems (including secure access, control of changes, system operation, continuity and segregation of duties) giving support to key company processes regarding the preparation and publication of financial information. Internal Internal Control Control on on IT IT systems systems The Group has implemented an internal control model over IT systems that support processes related to the preparation of financial information. This model is based on COSO and COBIT (ISACA recommendations) and includes the IT General Control’s matrix and policies and procedures relating to the security required for IT systems. In order to build the IT General Controls (hereinafter ITGC) matrix, the Group has defined the systems to be included in the scope of the model, that contribute to elaborate the Consolidated Financial Statements of the Company, and ensure the quality and reliability of the information reported to the markets. The ITGC matrix is aligned with control models for other business cycles prepared by Amadeus, and structured on the following control areas: • Data Center and Operations • Access Security • System Change Control • Disaster recovery plan These control areas include 25 control activities and 98 controls. They are classified as automated or manual, preventive or detective, and key or non-key. These control activities are applied into the different systems in scope, along the main sites as described above. The ITCG Matrix includes the next detailed processes into the defined control areas: Data Center and Operations Control policies and procedures provide reasonable assurance that: • Operations are initiated by authorized individuals, scheduled appropriately, monitored and deviations are identified and solved, and that written procedures are in place to properly restart and rerun production jobs. • Critical data is consistently backed up and stored in a secure location to ensure that financial data remains complete, accurate and valid. Access security Control policies and procedures provide reasonable assurance that: • Facilities are appropriately managed to protect the integrity of financial information and physical access to computer equipment, storage media, and program documentation is limited to properly authorized individuals. • The configuration of programs and systems security is appropriately managed to safeguard against unauthorized modifications to programs and data that result in incomplete, inaccurate, or invalid processing or recording of financial information. • Systems security is appropriately administered and logged to safeguard against unauthorized access to or modifications of programs and data, that result in incomplete, inaccurate, invalid processing or recording of financial information. • Segregation of Duties (SoD) is reviewed on a periodical basis in order to monitor the secure access to the financial systems (SAP) and asses the control environment that mitigate the financial information risks. 9
Systems change control Control policies and procedures provide reasonable assurance that: • changes to the Amadeus System’s application software are properly authorized, tested, approved, implemented and documented. • programs and systems changes are appropriately managed to minimize the likelihood of disruption, unauthorized alterations and errors which impact the accurate, complete, and valid processing and recording of financial information. Disaster recovery plan Control policies and procedures provide reasonable assurance that recovery plans are documented and consistently tested. Security Security policies policies The Company has implemented the following policies that have been communicated to all employees and published in the Group’s intranet: • Information classification • Guidelines for appropriate use of systems and financial information • User management procedures • Incident management procedures Internal control over information systems policies are overseen by the Corporate Information Security Area. Its mission is to propose, make advertising, implement, maintain and control a security management framework to mitigate the risk of compromising the assets of Amadeus affecting the availability, confidentiality and integrity of the services and data from Amadeus, the corporate image or the brand of Amadeus. This security management framework applies to all Amadeus companies. It is based on best industry practices and covers organizational, political security measures of security and standards as well as methodologies for risk management. The Executive Committee of Amadeus has issued a Global statement on security of information: OASIS (Overall Statement on Information Security). This statement emphasizes the commitment of top management to establish, implement, operate and continually improve a System of Information Security Control to Amadeus based on: • the principles of information security, • best practices on information security control as it was described in ISO/lEC 27002, • the requirements for the System of Information Security Control as they were described in ISO/lEC 27001. The Director of the Corporate Information Security Area (Information Technology and Services- ITS) is responsible for the overall implementation of the System of Information Security Control of Amadeus. This includes a regular review of the System of Information Security Control policy of Amadeus and the security controls implemented by Amadeus. The corporate information security delegates carry out IT security audits on a regular basis, as well as on demand audits. There are Access Control policies based on the main principle of security based on the need to know. There are policies and procedures for the management of identity for the application of the system, aimed at the beginning of functions and roles-based access control. Segregation of duties analysis and audits are executed on system applications. 3.3. Internal control policies and procedures for overseeing the management of outsourced activities, and of the appraisal, calculation or valuation services commissioned from independent experts, when these may materially affect the financial statements. Internal Internal Control Control over over outsourced outsourced activities activities The Group has a common framework with the requirements for outsourcing activities. For all outsourced processes, Service Level Agreements (SLA) have to be defined, agreed and signed in the contract with the vendor. 10
Page 1:
Amadeus IT Holding, S.A. and Subsid
Page 4 and 5:
AMADEUS IT HOLDING, S.A. AND SUBSID
Page 6 and 7:
Page 8 and 9:
Page 10 and 11:
Page 12 and 13:
Page 14 and 15:
Page 16 and 17:
Page 18 and 19:
Page 20 and 21:
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
FORM ANNUAL CORPORATE GOVERNANCE RE
Page 178 and 179:
A.3 Please complete the following t
Page 180 and 181:
A.8 Please complete the following t
Page 182 and 183:
B.1.2 Please complete the following
Page 184 and 185:
Central Bank to assume a role with
Page 186 and 187:
Reasons As a result of the placemen
Page 188 and 189:
B.1.8 Please detail any Board membe
Page 190 and 191:
Other Benefits Amount in thousands
Page 192 and 193:
B.1.13 Please identify the total am
Page 194 and 195:
Please specify whether the Board at
Page 196 and 197:
MR. ENRIQUE DUPUY DE LOME CHAVARRI
Page 198 and 199:
B.1.19 Please specify the procedure
Page 200 and 201:
B.1.24 Please specify whether the c
Page 202 and 203:
Please specify, if applicable, the
Page 204 and 205: Outgoing auditor Incoming auditor I
Page 206 and 207: Explanation of procedure its books,
Page 208 and 209: egulatory requirements, the proper
Page 210 and 211: l) issue a report annually, prior t
Page 212 and 213: OPERATION: The Nomination and Remun
Page 214 and 215: C. RELATED-PARTY TRANSACTIONS C.1.
Page 216 and 217: - To analyze, measure and evaluate
Page 218 and 219: shareholders and provided that said
Page 220 and 221: E.6 Please provide details of any a
Page 222 and 223: 7.- Report on the remuneration poli
Page 224 and 225: ) Identity of grantor and represent
Page 226 and 227: c) Transactions whose effect is equ
Page 228 and 229: 2. Transactions carried out at pric
Page 230 and 231: Complies 15. That when the number o
Page 232 and 233: Complies 25. Companies should organ
Page 234 and 235: 34. That whenever, due to resignati
Page 236 and 237: vii) Remuneration of executive Boar
Page 238 and 239: 50. That the Audit Committee shall
Page 240 and 241: It is the power of the Nomination a
Page 242 and 243: Section B.1.13 There are no indemni
Page 244 and 245: COMPLEMENTARY INFORMATION TO THE CO
Page 246 and 247: AMADEUS AMADEUS IT IT HOLDING, HOLD
Page 248 and 249: The Human Resources Unit is respons
Page 250 and 251: In 2011 Amadeus’ Finance Function
Page 252 and 253: In addition the Audit Committee has
Page 256 and 257: The SLA should include next minimum
Page 258 and 259: The Committee supports and oversees
Page 263 and 264: Key terms � “ACH”: refers to
show all

Amadeus IT Holding, S.A. and Subsidiaries - Investor relations at ...

Create successful ePaper yourself

Delete template?

Save as template?