Integrated control and monitoring system [a]
Sound corporate governance based on sustainable value creation is particularly important for an international group such as Deutsche Telekom, with its many subsidiaries and associates. The Supervisory Board and the Board of Management are convinced that such corporate governance, taking both company and industry-specific issues equally into account, is an important building block for the future success of Deutsche Telekom AG. Accordingly, responsibility for compliance with the principles of sound corporate governance is vested in senior management.
Responsible, risk-appropriate handling of risks and opportunities is a core component of our corporate governance. The various systems implemented by the Board of Management (in particular the internal control system and the risk and opportunity management system including the compliance management system) to record and mitigate risks work together as part of a mutually complementary control and monitoring system and are subject to review by Internal Audit.
With this integrated system, Deutsche Telekom follows the “Three lines of defense” model. The operational units and their operational management, i.e., the risk owners, form the first line of defense. They are responsible for identifying, assessing, and continuously monitoring risks. The second line of defense primarily comprises the internal control system, the risk and opportunity management system, and the compliance management system, and it serves to manage and monitor the first line of defense. This includes defining requirements, guidelines, and processes, monitoring risks, and reporting to the Board of Management and to the Supervisory Board of Deutsche Telekom AG and its Audit Committee. The third line of defense is Internal Audit, which ensures the first and second lines of defense are audited and advised objectively and independently.
The most important features of the internal control system and the risk and opportunity management system including the compliance management system are described below.
Internal control system
Deutsche Telekom AG’s internal control system (ICS) is based on the internationally recognized COSO (Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework, COSO I, as amended on May 14, 2013. The ICS is an integral component of the functional management of the Group.
The Audit Committee of the Supervisory Board of Deutsche Telekom AG monitors the effectiveness of the ICS as required by § 107 (3) sentence 2 AktG in conjunction with § 107 (4) sentence 1 AktG. The Board of Management is responsible for defining the scope and structure of the ICS at its discretion in accordance with § 91 (3) AktG. The ICS supports the organizational implementation of the Board of Management’s decisions. This includes achieving the business targets, proper and reliable accounting, and compliance with significant legal requirements and regulations. Sustainability aspects, which are continuously developed on the basis of regulatory requirements, are also taken into consideration.
Internal Audit is responsible for independently reviewing the appropriateness and effectiveness of the ICS in the Group and at Deutsche Telekom AG. To fulfill this task, it has comprehensive information, audit, and inspection rights and is involved across all levels of the ICS process.
In addition to protecting against financial reporting risks, the ICS also ensures general management of operational risks and compliance. Its functional and process-related focus is adapted to the Group’s current risk situation on an annual basis. The ICS organization bundles and integrates the internal control processes and supports the Board of Management in designing, implementing, and maintaining an appropriate and effective control system. It comprises ICS Management at Group Headquarters and the local ICS management of each entity. Central ICS Management is responsible for managing and coordinating the ICS processes in their entirety.
The entities to be included in the ICS are also reviewed and identified annually on the basis of Deutsche Telekom’s statement of investment holdings. All material entities are fully integrated in the ICS process. This also means that the controls are documented in a Group-wide IT system and are reviewed for their appropriateness and effectiveness at least once a year. Consistent Group-wide minimum requirements for the entities’ control systems are defined based on the key Group functions. These include, for example, accounting, IT, procurement, HR, security, data privacy, taxes, compliance, and also corporate responsibility.
Effectiveness is regularly reviewed applying the dual-checking principle and, depending on the risk exposure of the controls within the functional unit, across departments or (additionally) by Internal Audit. The aim is to identify control gaps and non-effective controls, in particular to analyze the impact on financial reporting and to initiate and monitor suitable countermeasures.
The ICS process is completed with a cascaded approval process, starting with the function owners in the entities and the local finance and managing directors, through to Group level. The ICS Steering Committee, with the involvement of the Group’s most important function owners, then evaluates the results and makes recommendations to the Board of Management. Based on this, the Board of Management decides on the appropriateness and effectiveness of the ICS twice a year. The Audit Committee is informed in detail on the status and results of the ICS process at least three times a year and discusses the alignment of the ICS with management and the external auditors. Nevertheless, there are inherent limitations in every ICS. No control system – even if it is deemed to be appropriate and effective – can ensure that all relevant control risks are identified and are being completely and effectively addressed by means of controls.
All non-material entities exposed to risks whose extent is deemed to be low from a Group perspective are included in the Group-wide ICS as part of a simplified and standardized process. These entities must submit an annual self-declaration, based on a control risk catalog, on the maturity of the implemented controls and a statement on the effectiveness of the ICS in their entity. Internal Audit regularly reviews these self-declarations in a risk-oriented way. The ICS Steering Committee, the Board of Management, and the Audit Committee are informed at least once a year about the results of the self-assessments.
For information on the accounting-related internal control system, please refer to the section “Accounting-related internal control system.”
Risk and opportunity management system
Our risk and opportunity management system is based on the globally applicable risk management standard ISO 31000 “Risk management – Principles and guidelines.” It serves as a guide for internationally recognized risk management systems. A risk and opportunity management system is necessary from both a business point of view and on the basis of laws and regulations, in particular § 91 (2) and (3) of the German Stock Corporation Act (Aktiengesetz – AktG). Our risk and opportunity management system is organized on a decentralized basis. The Group Risk Governance unit defines the Group-wide methods, including the associated reporting system, and the segments are integrated via their own risk and opportunity management. The relevant owners in each of the segments are responsible for identifying, assessing, and continuously monitoring risks. This is also at the core of our risk culture, which includes the motto “Everyone is a risk manager.” In other words, every individual takes responsibility for their risks.
For further information on the risk and opportunity management system, please refer to the section “Risk and opportunity management system.”
Our compliance culture is a key component for corporate governance based on integrity and respect. We have expressed our Group-wide commitment to complying with ethical principles and both legal and statutory requirements. We have incorporated this pledge in our Guiding Principles and our Code of Conduct.
We implemented a compliance management system with the aim of minimizing risks arising from systematic infringements of legal or ethical standards that could result in regulatory or criminal liability on the part of the Company, its executive body members, or employees, or result in a significant loss of reputation. In particular, when we established the compliance management system to prevent corruption, we used the Principles for the Proper Performance of Reasonable Assurance Engagements Relating to Compliance Management Systems laid down in IDW Assurance Standard 980 as a basis. The Board of Management considers its overall responsibility for compliance as a key leadership task. Our Chief Compliance Officer is responsible for the design and management of the compliance management system. Compliance officers implement the compliance management system and our compliance goals locally at the level of our operating segments and national companies.
Statement of effectiveness
Based on regular discussions about the internal control system and the risk and opportunity management system, including the Group risk report and the ICS report, the Board of Management is not aware of any circumstances as of the date of preparation of the combined management report which contradict the appropriateness and effectiveness of these systems in their entirety. In addition, at the end of 2022/start of 2023, an external audit of risk and opportunity management was carried out in accordance with IDW Auditing Standard 981. Based on the information currently available, this audit did not uncover any reasons that cast doubt on the appropriateness or effectiveness.
[a] Information in this section is information extraneous to the management report as explained in the section “Introductory remarks.”