The basis for the risk management and internal control systems used in the Zumtobel Group is formed by the internationally recognised standard guidelines issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Consequently, these systems overlap and influence each other during their daily application.
Risk management is viewed as an independent strategic process that focuses on the interaction with risks and opportunities. The more risk management deals with the global risks to which companies are exposed, the more it becomes an independent process. The more it deals with the risks arising from individual corporate processes, the more it merges with the internal control system.
In accordance with § 243a (2) of the Austrian Corporate Code as well as Rules 69 and 70, the management report must disclose the major elements of the internal control system and risk management system related to accounting processes. The relevant information can be found in the Group Management Report under sections 1.7 (Internal Control System) and 1.8 (Risk Management).
The corporate internal audit department of Zumtobel Group AG is a staff department that reports directly to the Management Board. The head of the department provides regular reports to the Audit Committee on the planning for and the most important results of its activities.
The internal audit charter approved by the Management Board represents the working basis for all internal audit activities. This charter and the entire audit process in the Zumtobel Group are based on the international standards defined by the Institute of Internal Auditors (IIA). Compliance with these standards is reviewed and confirmed at least every five years by an external specialist; the last review took place in March 2016.
The standard corporate internal audits are defined in an annual schedule, which is approved by the Management Board and coordinated with the Audit Committee. It is the result of the Group-wide structured identification and analysis of qualitative and quantitative risk factors relating to processes, units and projects.
The preparation of the audit schedule is closely coordinated with risk management and covers the content-related review of the risk trends and efficiency in operating processes as well as the monitoring of compliance with legal regulations and internal guidelines. The activities of corporate internal audit also include ad hoc audits at the request of the Management Board and, depending on the team’s available expertise, consulting projects.