Description of the internal control system
The Lufthansa Group’s internal control system (ICS) covers all the principles, procedures and steps intended to ensure effective, economical and accurate key processes and compliance with the relevant legal regulations. It is based on the COSO framework (Committee of the Sponsoring Organizations of the Treadway Commission). The framework defines the elements of a control system and sets the standards for measuring the appropriateness and effectiveness of the ICS.
The Lufthansa Group has an overarching, integrated ICS and risk management methodology with standardised processes to define the necessary controls, document them according to uniform rules and test them regularly to ensure that they are effective and appropriate.
The ICS aims to ensure the reliability of operating information, compliance with internal and external requirements and the avoidance of financial losses.
To achieve this objective, four principles are applied in the Internal Control System:
- The principle of functional separation states that executive activities (e.g. purchasing), recording activities (e.g. financial accounting, inventory accounting) and administrative activities (e.g. inventory management) that are carried out within a business process (e.g. the purchasing process, from the calculation of requirements through to payment) should not be performed by the same person.
- The principle of control states that in a well-functioning control system, risks to the objectives of the ICS should be mitigated by means of process-integrated and process-independent activities.
- The need-to-know principle states that employees should only have access to the information they need for their work. This also covers the corresponding security measures for IT systems.
- The transparency principle states that reference concepts must be established for processes, which enable an external party to judge whether those involved are working in accordance with the relevant reference concept. At the same time, this defines the expectations of the organisation’s leaders.
Overall responsibility for the ICS required to manage risk lies with the Executive Board of the Lufthansa Group, which defines the scope and the format of the systems in place based on the specific requirements of the Lufthansa Group.
The Executive Board has established a risk management and internal control organisation for the continued development and monitoring of the ICS process, and to drive the ongoing integration and harmonisation of the existing control activities in accordance with legal and operational requirements. It is led by the Head of Corporate Controlling.
This organisation consists of a central unit that acts as the process owner for the ICS and risk management process, and transfers its methodological competence to the wider organisation by means of policies. The annual review of the policy’s scope ensures that all material components are included in the ICS.
Each organisational unit covered by the ICS policy is obliged to take part in the ICS process; units that are not covered are exempt from this obligation. Companies within its scope must provide an ICS officer and an ICS coordinator (a decentralised ICS unit) to implement the policy in the organisational unit and to operate the ICS. The decentralised ICS unit is obliged to implement an appropriate and effective ICS within its sphere of responsibility, based on the mandatory methodology for the Group.
Because the units' business activities differ, the scope of the activities to be performed by each unit varies. It depends partly on the materiality of the unit for the consolidated financial statements and the specific risks associated with the respective business segment.
In order to obtain a realistic opinion of the effectiveness of the internal control system at Group level, this organisation ensures its implementation and continued methodological development in the Lufthansa Group.
The results of the monitoring activities are reported annually in the Executive Board meetings to evaluate the Company’s overall risk situation. The Head of Corporate Controlling supports the Executive Board with the operation and monitoring of the ICS and with reporting to the Audit Committee of the Supervisory Board.
The central ICS unit is responsible for monitoring and coordinating the entire process so as to guarantee an appropriate and effective ICS within the Lufthansa Group.
This process ensures the scope of the ICS, that it is up-to-date and that the monitoring activities are carried out to the extent required.
The rule-based ICS process is represented by an ICS lifecycle. This consists of the steps illustrated below, which run sequentially or in parallel:
- Scoping phase
- Determination of target requirements
- Maintenance phase
- Effectiveness test
- Coordination of test results
- Activity monitoring
- Quality assurance of self-assessments
- ICS reporting
The ICS lifecycle is mapped in full in a governance, risk and compliance IT tool.
The scope of the ICS is defined by a catalogue of topics. This not only includes topics related to financial reporting, but also additional processes and topics from general areas, such as Treasury, Taxes, IT, Compliance and operational topics.
In addition to the general requirements for an ICS-relevant topic (e.g. that it should capture the risks of a defective organisational structure or process documentation), elements specific to the function or contents must be added for each area or category by the central Group Functions or the Group companies.
The ICS of the Lufthansa Group and its constitutive elements are covered by regular audits by the Internal Audit function.
They take place either as part of the risk-based annual audit plan or as audits performed on request during the year.
Mandatory ICS effectiveness audits are also carried out across the Group for all the topics in the ICS catalogue on the basis of the annual audit plan. These audits mostly take the form of self-assessments, and are also performed regularly by Internal Audit.
Any findings of limited effectiveness are documented as to-do activities with defined responsibilities and deadlines. The companies are responsible for implementation. These activities are monitored at the level of the company and the Group.
The central ICS unit prepares a report on the effectiveness of the ICS in the first quarter of the following year to comply with the legal requirements of Section 107 Paragraph 3 AktG. The report provides information to the Supervisory Board’s Audit Committee about the results of the effectiveness testing and the activities still to be completed from the previous reporting period.
The company ICS officer is responsible for internal reporting within the respective companies. Ideally this takes place in the first quarter of the following year, but may vary from one company to another.
The Executive Board of Deutsche Lufthansa AG is not aware of any material or systemic matters that are inconsistent with the suitability and effectiveness of the ICS as a whole. However, it must be remembered that, irrespective of the design, an ICS cannot provide absolute assurance.