Corbion applies the 3-lines-of-defense model for internal controls. The first line (line management) is responsible for the operational effectiveness of the internal control framework. The second line coordinates, advises, and monitors line management regarding their responsibilities for internal control. The third line is internal audit independently reviewing the control framework.
Our internal control framework is not limited to the elements outlined below as these are a summary of controls implemented at local and corporate levels. We apply several control elements of which the effectiveness is self-assessed or monitored by the second and third lines of defense.
Business control framework
Business controls cover a broad range of policies, procedures, systems, and other measures. They provide reasonable assurance on the effectiveness and efficiency of our operational processes and ensure the output is as expected to support the realization of the company strategy and objectives. On entity level, important elements of the framework are the business planning process and management review.
Business planning, budgeting, and management review
Based on Corbion's strategy and plans, targets are set for the annual budget. After determining these budgets, the targets are rolled out to the responsibility areas (business units, operations, etc.) within Corbion.
Quarterly updated estimates are made based on a forecast until the end of the year. Forecasts are specifically discussed between responsibility area leaders and the Executive Committee during quarterly business review meetings. The Executive Committee monitors business performance on a monthly and quarterly basis using a defined set of key performance indicators and reviews of actual results versus budgets, quarterly estimates, and the previous year.
Local entities are visited frequently. Operational management meets at least once a month to discuss their business activities and related risks, the actual performance versus budget, and other significant matters in their respective areas.
Legal and regulatory review
Local management is responsible for compliance with laws and regulations. The Legal and Compliance Department is consulted by local management on an ongoing basis. Every six months, local management reports the main open legal issues with a potential gross exposure of each exceeding € 100,000 to Corporate Legal and Corporate Finance.
Internal control framework on financial reporting
Corbion is committed to maintaining high-quality, reliable financial reporting, and a good control environment. All reporting entities assess the operational effectiveness of their financial closing and reporting processes, at mid-year and end-of-year, confirming compliance with the relevant guidelines and IFRS. This, together with the Letters of Representation, provides reasonable assurance on the integrity of our financial reporting. Self-assessment also includes tax governance and treasury internal controls.
During 2019, our main legal entities performed quarterly assessments of the design and implementation of their key financial process controls. Improvement recommendations based on audit and self-assessment findings are followed up by local management, the status of which is being monitored regularly by the Executive Committee.
Letters of Representation
Every six months, managing directors and finance directors of each reporting entity or, where applicable, other senior staff, provide a Letter of Representation to the Board of Management. This letter represents compliance with financial reporting and internal controls.
Corbion considers paying taxes an important part of our corporate social responsibility. Based on this, and derived from our Code of Business Conduct as part of our corporate governance structure, we have adopted the following tax principles. These tax principles deal with all different types of taxes which we are obliged to report and pay in the jurisdictions in which we operate, including taxes on profits, value added taxes, wage taxes, duties, and various other taxes.
Business rationale/transfer pricing
Corbion's tax strategy follows from and is aligned with the business strategy and objectives. Consequently, we aim to pay the appropriate amount of tax depending on where value is created in each of the jurisdictions we operate in, following the normal course of commercial activity, and in accordance with domestic and international rules and standards. All our intercompany transfer pricing and policies are based on the "arm's length principle." Corbion abstains from setting up structures in countries on the EU list of non-cooperative tax jurisdictions or in countries which have been designated as uncooperative tax havens by the OECD Committee on Fiscal Affairs.
Relationship with tax authorities
We seek to develop mutually respectful relationships with the various national tax authorities based on trust and transparency. To accomplish this we aim for an open and constructive dialogue with the various tax authorities on the basis of disclosure of all relevant facts and circumstances. Within this context, Corbion may negotiate advance tax rulings or advance pricing agreements on the tax treatment of specific transactions in order to obtain advance certainty on the relevant tax consequences. In the Netherlands we concluded a so-called tax covenant (“horizontal monitoring”) with the Dutch tax authorities. Such covenant entails that the tax authorities can rely on Corbion to provide upfront disclosure of all relevant information, while it allows Corbion to get upfront confirmation of applicable tax treatment.
Within the governance framework, the conduct of the group's tax affairs and the management of tax risks are delegated to the group's tax department with support and assistance from the group and local finance departments. The Audit Committee supervises the activities of the Board of Management with respect to the tax governance framework.
We aim to act at all times in accordance with the letter and the spirit of all applicable tax laws in which we are guided by the relevant local and international standards. Compliance is monitored within a global tax control framework. Corbion complies with its statutory obligations and aims to file all required tax-relevant information with the appropriate tax authorities in a timely, transparent, and complete manner. Tax-related disclosures are made in accordance with the relevant domestic regulations, as well as applicable reporting requirements under IFRS.
Insurance is an integral part of our risk management approach as it is an instrument to manage the financial consequences of risks. The choice to obtain external insurance cover depends on the cost efficiency of the instrument. The coverage of insurances is monitored and benchmarked regularly.
IT general control framework
An information technology general control (ITGC) framework is in place which ensures the proper management of IT governance in general, projects and programs, computer operations, and access management.
From an IT security perspective, the Information Security Board (including senior management) sets the IT security roadmap. Risk-reducing initiatives in the past year included amongst others a company-wide security awareness program, multi-factor authentication, penetration tests, yearly disaster recovery plan testing of selected systems, and implementation of a security policy and a Security Operating Center. In addition, Corbion continued to strengthen the network segmentation. In case of data security incidents, the data breach committee is notified to ensure proper action and communication with authorities.
Internal audit supports the organization in accomplishing its objectives by providing a systematic, disciplined approach for the evaluation and improvement of the effectiveness of our internal control and governance processes. The Internal Audit Charter is approved by the Executive Committee, the Audit Committee, and the Supervisory Board. The objective of internal audit is to provide a broad range of audit services designed to assist the Executive Committee in controlling the business operations. Internal audit evaluates risks and assesses that the controls in place are adequate to mitigate the risks identified by management, identifying best practices, and recommending improvement opportunities to management. The audit plan is prepared, discussed, and agreed with relevant stakeholders. The plan has a rolling character so changes in priorities may be applied and the audit plan is updated and discussed periodically at the Executive Committee and the Audit Committee. A summary of all audit reports and the follow-up of open internal audit items are reported to and discussed with the Executive Committee and Audit Committee on a regular basis.
Our external financial audit engagement ensures that our financial statements give a true and fair view of our financial position as at 31 December 2019 and of our result and our cash flows for the year then ended. In 2019 the external auditor reviewed the sustainability indicators marked with "√ ". Contrary to the audit of our financial statements, this review is only aimed at obtaining a limited level of assurance.