The GfK Group’s internal control system comprises the principles, structures, processes and measures introduced by the company’s management, which are set to ensure the commercial success of the GfK Group, the correctness and reliability of internal and external financial reporting as well as compliance with the appropriate laws and standards.
The structure of our control system follows the concept developed in the financial industry of the “Three Lines of Defense.” The first “line” consists of the managers who deal with risk management as well as control and compliance in their daily activities. The second “line” is drawn by specialists in Legal and Compliance, Risk Management and Controlling, who together organize these tasks professionally across the entire Group. The third “line” is formed by internal and external auditors engaged by the Management Board as well as the Audit Committee, who check the effectiveness of our internal control system. In this way, we unite the three levels of control into a single and effective tool that regulates our activities.
Control environment and control activities
The control environment of the GfK Group is essentially characterized by the existing Code of Conduct and the resulting attitudes and actions of each employee. A key basis for this is the company’s guidelines (Code of Conduct, corporate values), which every employee is obligated to adhere to. These guidelines are continuously developed by departments such as Legal and Compliance. In 2013, GfK launched a worldwide compliance e-learning program to complement the existing training measures in the area of Compliance. The program was repeated in 2015 and expanded with a test for all employees and an essential GfK guideline (the F2 Authorization Guideline). Participation in the Code of Conduct e-learning program is obligatory for every employee throughout the whole world. On the GfK intranet, where information regarding the program is kept, every employee can consult all of the GfK guidelines published throughout the world.
Another key element in our internal scope of control is our guidelines. The GfK guidelines describe the essential standardized processes of the GfK Group and thus contribute to the maintenance of high standards of quality in the work we deliver as well as to compliance with fundamental ethical and moral values. They are continuously revised as necessary.
In this way, we significantly expanded the internal guidelines applicable to data protection, which is a sensitive concern for the market research industry. In order to further minimize the risks in this area, we also carried out obligatory training activities worldwide.
Activities in the past year were also consolidated internationally and across all segments with regard to quality management. We also make use of these measures in our communications with customers in order to raise awareness of GfK’s competitive advantages.
Risk management is conducted on a continuous basis at GfK. The consistent definition and organization of the risk management process as well as the reports for the Management Board are the responsibility of the Risk Management division. Every employee is called upon to monitor the risk situation within the scope of her or his responsibilities. For new or previously identified risks, there are so-called risk owners, who, using certain early warning signs and defined indicators, evaluate, monitor and control the actual risk. If a change in the risk position is identified, countermeasures can be applied promptly.
Monitoring functions and related controls at GfK are carried out and recorded via the Contre-Rôle System. Certain business transactions must be approved by both operational and financial management. In this way, we ensure that guidelines and internal processes are adhered to and that decisions are made which are appropriate from an operational and financial point of view. All payment processes as well as business processes that are necessary for the proper preparation and publication of the accounts are controlled and documented.
The Internal Audit department plays an important role in this regard. In addition to the regular monitoring of compliance with laws and the company’s own internal guidelines, our audits also address the documentation and risk analysis of financial and operational processes. Audit findings, risks, the effects of audit findings and recommendations are recorded in audit reports. The timely implementation of these recommendations is controlled on a quarterly basis by Internal Audit and is reported to the Management Board and regional Management accordingly (follow-up process). The delayed implementation of recommendations will be tracked within the framework of a defined escalation process.
Additional special audits are conducted as and when necessary. Both external and internal specialists are engaged for this purpose. As in the previous year, Data Quality and Privacy audits were regularly conducted in the 2016 financial year. These serve to check adherence to external as well as internal quality and data protection standards.
Disciplinary measures based on audit findings and violations are strictly applied by the company’s management.
Another of our risk assessment tools is the Control Self-Assessment (CSA). The CSA is completed by selected companies and evaluated by an internal audit. The selection is based on predefined selection criteria. The tool collects information regarding the most important business segments and their risks in 115 questions.
The internal audit plan is approved by the Audit Committee based on the recommendation of the Management Board. The selection of the companies to be audited is based on predefined selection criteria. The current CSA findings, among other factors, are also taken into account in this process. In addition, the Audit Committee determines additional focal points of its own which the auditor of the annual financial statements must take into account in their audit.
Main features of the Group’s accounting-related internal control and risk management system
GfK’s accounting-related internal control system serves to ensure the correctness of financial reporting through compliance with all the appropriate regulations when preparing the consolidated financial statements and the Group Management Report.
The individual financial statements of all the consolidated subsidiaries in the GfK Group prepared in accordance with the International Financial Reporting Standards (IFRS) and generally audited by auditors provide the baseline data for preparing the consolidated financial statements.
When preparing the information for these individual financial statements, IFRS compliance is supported conceptually by the centrally managed and regularly updated IFRS accounting manual and by other guidelines on individual accounting issues, such as revenue recognition. In addition, the Group’s standard chart of accounts helps to ensure that the individual financial statements of all the subsidiaries are prepared in an IFRS-compliant manner. The rules in the accounting manual and the chart of accounts to be applied are laid down by the Group’s head office and are mandatory for all consolidated subsidiaries worldwide.
All financial information supplied by our subsidiaries is first run through automated plausibility and coherence control procedures in the consolidation system. In the event of unresolved blocks imposed by the control procedures, the financial information cannot be released for further processing by GfK Group Accounting. The financial information is then subjected to an additional control procedure by employees in this department who are involved in the process of the preparation of the consolidated financial statements. These employees are tested in terms of their specialist expertise and undergo continuous specialist training.
Changes to accounting standards, legislative amendments and Group guidelines on accounting and valuation methods are observed and analyzed by GfK Group Accounting. If any of these changes are relevant to the GfK Group, the corresponding guidelines and the reporting package for registration of the financial statement data by the subsidiaries are updated. The subsidiaries are informed about these updates by means of circulars that are sent out on a quarterly basis. These circulars give the companies details of all the important deadlines so that the punctual preparation of the consolidated financial statements is guaranteed.
Appropriate employees in GfK’s Group Accounting division are responsible for special tasks such as the calculation of the provisions for the long-term incentive plan for management, which requires specific specialist expertise. The values arrived at in this way are directly integrated into the undertakings’ financial statements produced for consolidation purposes, after which they can no longer be changed locally. This procedure ensures that specialist tasks throughout the whole Group are consistently carried out by specialists. The valuation of pension provisions as well as the purchase price allocation for large mergers and acquisitions will be carried out by external service providers with suitable expertise.
The consolidation processes are then executed in the consolidation system and monitored from a conceptual and scheduling point of view by the staff responsible in GfK Group Accounting. Manual and system-based controls are completed for all consolidation steps.
The dual-control principle is generally applied to the consolidation steps performed by GfK Group Accounting. Change analyses as well as detailed analyses of the content of selected items in the financial statements of the subsidiaries and the consolidated financial statements further raise the level of control.
In relation to the financial statements, the management and the finance managers of all the consolidated subsidiaries confirm the completeness and correctness of the financial information sent to the Group’s head office.
The Audit Committee of the Supervisory Board monitors the accounting process, including the audit of the financial statements as well as the efficacy of the control system and internal auditing. It discusses the consolidated financial statements, the Group Management Report and the annual financial statements and Management Report of GfK SE with the Management Board and the auditors, and checks the corresponding documents carefully.
Whistleblowing: Taking responsibility
We encourage every employee to report any suspected or confirmed violations of statutory or internal regulations. They can contact their respective superiors, Legal and Compliance, the Human Resources department of GfK SE or Internal Audit. For employees who want to preserve their anonymity, an external ombudsman is available as a point of contact.
Information and communication
We rely on open information and communication internally within GfK. All of the Group’s guidelines can be accessed from anywhere in the world on the gNet intranet. The relevant employees are informed whenever changes occur. Our comprehensive and regular risk management and financial reports ensure that the Management Board and Supervisory Board are kept fully informed of the Group’s risk position on a timely basis. In addition to these monthly standardized reports, the Management Board is directly informed using any means in the event of a sudden material risk, significant changes in the risk position and cases of fraud.