provide the basis for monitoring performance compared to the
business plan. These plans also contain an annual assessment
of the main risks, mitigation plans and financial sensitivities.
Internal control in Operating Companies
Best practice processes are continuously developed and
implemented on a Group-wide basis, supported by Common IT
Systems with embedded key control frameworks. This ensures
the integrity of information processing in supporting the
day-to-day transactions and financial and management
reporting. Whereas the Heineken common systems are
continuously rolled out to more Operating Companies, the
application of these common processes is in progress
for the most recent acquisitions. Internal Audit is strongly
involved in monitoring key controls embedded in main
business processes and assessing their effectiveness based
on a common audit approach.
Information Technology
Heineken's worldwide operations are highly dependent on the
availability and integrity of its (common) information systems.
Many IT processes and infrastructures are now centralised and
outsourced to professional outsourcing partners. To ensure the
confidentiality and integrity of information and the availability
of information systems, Heineken's Operating Companies and
the Central IT services must comply with a strict information
security policy, which is aligned with the ISO 27001:2005
standard. An IT risk management system is in place for all sites
including: IT risk identification and monitoring, annual policy
compliance assessments, progress of improvement monitoring
and internal audits. The IT risk management system also
includes clear agreements on assurance from IT outsourcing
partners. The increased harmonisation and centralisation of IT
systems augment central enforcement of security measures
across Operating Companies and have a positive impact on the
level of control.
Code of Business Conduct and Whistle-blowing
The Code of Business Conduct and Whistle-blowing procedure
is applicable to all majority-owned subsidiaries, regional offices
and head office and implementation is in progress for recent
acquisitions. Compliance is supported through continuous
monitoring of effectiveness and compliance reviews. Employees
may report suspected cases of serious misconduct to their direct
superior, the local Trusted Representative or anonymously to an
independently run confidential helpline. The Integrity Committee
oversees the functioning of the Whistle-blowing procedure and
reports bi-annually to the Executive Board and Audit Committee
on reported cases and effectiveness of the procedure. In the year
under review, Heineken introduced an improved case management
system and an e-learning tool to support training requirements.
On-going training is being performed at Operating Company
level to further increase awareness and understanding.
Supervision
The Executive Board oversees the adequacy and functioning of
the entire system of risk management and internal control,
assisted by Global functions. Internal Audit provides independent
assurance and advice on the Risk Management and Internal
Control Systems. Assurance Meetings at both local and regional
level oversee the adequacy and operating effectiveness of the
Risk Management and Internal Control Systems in their respective
environments. Regional Management and Internal Audit
participate in the local meetings in order to ensure effective
dialogue and transparency. The outcome and effectiveness
of the Risk Management and Internal Control Systems are
evaluated with the Executive Board and the Audit Committee.
Financial reporting
The risk management and control systems over financial
reporting contain clear accounting policies, a standard chart
of accounts and Assurance Letters signed by regional and local
management. The Heineken common systems and embedded
control frameworks are implemented in a large number of the
Operating Companies and support common accounting and
regular financial reporting in standard forms. Testing of key
controls relevant for financial reporting is part of the Common
Internal Audit Approach in Operating Companies on common
systems. The external audit activities provide additional
assurance on the financial reporting. Within the scope of the
external auditors' financial audit assignment, they also report on
internal control issues through their management letters, and
they attend the regional and certain local assurance meetings.
In 2010, special attention was given to the integration of
financial reporting of the acquired beer operations of FEMSA
(Fomento Económico Mexicano, S.A.B. de C.V.), which included
the application of Heineken's Accounting Policies.
The internal risk management and control systems, as described
in this section, provide a reasonable assurance that the financial
reporting does not contain any errors of material importance.
The risk management and control systems worked properly
in the year under review.
This statement cannot be construed as a statement in
accordance with the requirements of Section 404 of the US
Sarbanes-Oxley Act, which is not applicable to Heineken N.V.
Main risks
On the explicit understanding that this is not an exhaustive
list, Heineken's main risks are described below, including the
mitigation measures. The risks derived from the main risks are
economic downturn, volatility of input costs, exchange rates,
political instability, availability and cost of capital and increasing
legislation affecting the business and are considered the most
significant risks. The main Company risks have been discussed
with the Supervisory Board and are annually reviewed.
Strategic risks
Heineken Brand and Company reputation
As both the Group and its most valuable brand carry the
same name, reputation management is of utmost importance.
Heineken enjoys a positive corporate reputation and our
Heineken N.V. Annual Report 2010