Fiscal 2020 Universal Registration Document

5. Corporate governance

5.4.4 Group Internal Audit Department

The Senior Vice President Group Internal Audit reports directly to the Chairwoman of the Board, thus ensuring the independence of the Group Internal Audit Department within the organization. The Senior Vice President Group Internal Audit meets the Chairwoman of the Board on a monthly basis and works closely with the Chairwoman of the Audit Committee, holding informal meetings (approximately four times per year).

Sodexo’s Group Internal Audit activities are certified by the French Internal Audit and Internal Control Institute (IFACI). This internationally recognized certification attests to Sodexo’s compliance with and application of 30 general requirements of the Professional Internal Audit Standards (independence, objectiveness, competence, methodology, communication, supervision and continuous assurance program).

IFACI certification is a high-level confirmation of quality and performance that:

  • powerfully conveys Sodexo’s rigorous approach to evaluating its risk management and internal control processes;
  • benchmarks Sodexo’s processes against best market practices;
  • enables the Group to sustainably strengthen its internal audit practices.

The Internal Audit Department performs internal audits of Group entities based on an internal audit plan established annually.

The audit plan is based on the Group Risk Profile (which is established using the approach described under 5.4.2.2. Approach to Risk Assessment) and input from the Chairwoman of the Board of Directors, the Chief Executive Officer, the Chief Financial Officer and other key stakeholders from Sodexo. The Audit Committee reviews and approves this annual audit plan.

The responsibilities of the Internal Audit Department include:

  • ensuring, with the related functional teams, that employees throughout the organization are aware of and diligently apply Group policies;
  • ensuring that delegations of authority and procedures have been established and communicated to the appropriate levels of management, and checking that they are properly implemented;
  • helping to assess entities’ internal controls, issuing action plans designed to remedy identified control weaknesses, and monitoring implementation of these action plans.

The Internal Audit Department may also conduct special assignments at the request of the Chairwoman of the Board, the Audit Committee, the Chief Executive Officer or the Executive Committee.

During Fiscal 2020 , the Group Internal Audit Department, with an average of 25 staff, conducted 32 audits in 20 countries. The number of audits was strongly impacted by the Covid-19 crisis and travel restrictions. The Group Internal Audit team has conducted audit assignments remotely and has been re-deployed during this period to support the business. In addition, a network of some 85 internal control coordinators (many of whom report to the Finance Directors) is in place. This network is coordinated by a central internal control team and enables specific support to be given to internal audit engagements and to rectify weaknesses identified by the internal audit team.

The Internal Audit Department regularly tracks implementation of post-audit action plans by Group entities. An overall progress report is updated regularly and submitted on a semi-annual basis to the Chief Executive Officer, the Group Chief Financial Officer, the Chairwoman of the Board and the Audit Committee. All audits are followed up within a maximum of 12 months.

In Fiscal 2020, the Internal Audit Department carried out a survey of a sample of entities. The vast majority (94%) of them considered that the quality of audits was satisfactory.

The Group Internal Audit Department also conducts an independent evaluation of internal control.

Finally, the Internal Audit Department assesses the external auditors’ independence and reviews the annual budgets for external auditors’ fees (for both statutory audit work and other engagements) prior to their approval by the Audit Committee.

Risk management and the reinforcement of internal control are a permanent strategic priority for the Group.

Internal controls cannot provide an absolute guarantee that all risks have been eliminated. Sodexo nevertheless endeavors to ensure that the most effective internal control procedures feasible are in place in each of its entities.

In the preparation of this report, and in compliance with the recommendation issued by the French securities regulator, the French securities regulator (Autorité des marchés financiers – AMF), in July 2010, this report is prepared on the basis notably of the “Reference Framework” produced by the French Market Advisory Group and published by the AMF.