Introduction

The Audit Committee was created by the Board of Directors of Abengoa, S.A. on December 2, 2002 in accordance with art. 44 of the Bylaws with a view to incorporating the provisions of Act 44/2002 on Reform Measures of the Financial System (Ley 44/2002) relating to Audit Committees. Abengoa also has a corporate governance system in place that remains compliant at all times with applicable law and best practices.

According to good governance practices, the Board of Directors must have a number of specialized committees in place so as to ensure that it performs its duties effectively. This structure helps to diversify the workload, while allowing motions and resolutions on certain material issues to be heard first by a specialized and independent body with specific professional expertise, which can therefore filter accordingly and report on its decisions, the aim being to guarantee the required objectivity and ensure that motions are discussed thoroughly before being passed by the Board of Directors.

As an independent body, the Audit Committee is able to oversee the affairs of Abengoa companies, thus ensuring that they conduct their business ethically and responsibly. This duty is undoubtedly its main role at present and will continue to be so in the future.

The Audit Committee is essentially the nucleus of this drive towards responsibility, and leads by example by publishing its Audit Committee Activity Report every year. Its duties, structure and rules of internal functioning are set forth in the Regulations of the Board of Directors and in its own internal regulations. Generally speaking, the committee has been heavily involved since its inception in those areas that fall within its remit, as has been explained in the company’s published annual reports and disclosures on corporate governance.

The 2011 Audit Committee Activity Report details the activities and initiatives of the committee in furtherance of the duties entrusted to it under its different fields of activity: review of economic and financial information subject to regulation, control of material risks, oversight of the management model, monitoring the independence of the financial auditor and appraising the business of the Internal Audit Division.

The Audit Committee Activity Report for the year 2012 has been approved at the meeting held by the Audit Committee on February 20, 2013, and presented to the Board of Directors on February 21, 2013. It will then be made available to the company’s shareholders on occasion of the publication of Abengoa’s annual report and, at the latest, by the time the General Shareholders Meeting is announced.

Internal regulations of the Audit Committee

The Internal Regulations of the Audit Committee were approved by the Board of Directors on February 24, 2003 and contain the following provisions:

Composition and appointment of members

The Audit Committee will have a permanent and minimum membership of three directors. At least two of these must be non-executive directors, thus maintaining the majority of non-executive members envisaged under the aforementioned Act 44/2002.

Members will be appointed to office for a maximum term of four years, which may be renewed for further four-year maximum terms.

Chairman and Secretary

The Audit Committee shall initially elect one of its non-executive directors as Chairman.

The Secretary to the Board of Directors shall act as Secretary to the Audit Committee.

The powers and duties of the Audit Committee are as follows:

ƒƒ To report on the annual accounts and half-yearly and quarterly financial statements that must be submitted to regulatory bodies and market watchdogs, with mention made of the internal control systems, the control mechanisms to monitor implementation and compliance through internal audit procedures and, where appropriate, the accounting principles applied.

• ƒƒTo report to the Board of Directors on any changes in accounting principles, balance sheet risk and off-balance sheet risk.
• ƒƒTo report to the General Shareholders Meeting on those matters raised by shareholders that fall within its remit.
• ƒƒTo propose the appointment of the external financial auditors to the Board of Directors, for subsequent referral on to the General Shareholders Meeting.
• ƒƒTo oversee internal audit services. The Committee will enjoy full access to internal auditing and shall report on the process of selection, appointment, reappointment, removal and remuneration of the internal audit director and on the department’s budget.
• ƒƒTo be fully aware of the company’s financial information reporting process and internal control systems.
• ƒƒTo liaise with the external audit firm so as to receive information on any matters that could jeopardize the latter’s independence and any other matters relating to the financial auditing rocess.
• ƒƒTo summon directors to committee meetings, at its discretion, in order to report on any such matters the Audit Committee deems fit.
• ƒƒTo draw up an annual report on the activities of the Audit Committee, which must be published along with the annual accounts for the fiscal year.

Meetings and announcement

The Audit Committee shall meet as often as required and, in any event, at least once a quarter in order to exercise and discharge its duties, as detailed in the previous section. As a general rule, meetings will be held at the company’s headquarters, although members may decide to hold a particular meeting elsewhere.

The Audit Committee will also meet when a meeting is convened by the Chairman acting on his or her own initiative or at the request of any committee members. Members may also ask the Chairman to include certain items on the agenda for the next meeting. Notice of the meeting must be given in writing, including the agenda, no less than three days prior to the scheduled date. However, business can also be transacted at a meeting of the Audit Committee when all the members are present and agree to hold a meeting.

Quorum

There will be a quorum present at meetings of the Audit Committee when the majority of its members are present. Members may only appoint a non-executive director as their proxy.

Resolutions will be carried by the majority vote of Committee members in attendance. In the event of a tie, the Chairman will have the casting vote.

Composition, appointments and member profiles

The Audit Committee is formed by a majority of non-executive directors and its current composition, together with the date on which each member was appointed, is as follows:

On february 23, 2012, and due to the intensification of their other professional duties, Professor Carlos Sebastián Gascón resigned as chairman and member of the Audit Committee, assuming the chairmanship of Professor Mercedes Gracia Diez. The Audit Committee wishes to express its appreciation for the work done during the past three years.

Prof. Mercedes Gracia Díez

Full Professor in Econometrics at CUNEF (University College for Financial Studies). BA in Economics at Universidad Autónoma de Madrid (1978) and Ph.D in Economics at New York University (1986). She has developed her academic carrier at Universidad Complutense de Madrid (on leave since 2011) and has scientific publications in international journals. She has been Chairperson of the Department of Balance Management in CajaMadrid (1996-1999) and Manager of the area of Economics and Law in the Spanish Commission of Science and Technology (1993-1996).

José Joaquín Abaurre Llorente

Audiovisual technician.

Prof. José B. Terceiro Lomba

Professor of Applied Economics at the Universidad Complutense de Madrid. He was the Undersecretary to the Presidency of the Government and has been awarded the CEOE Prize for Economics (Premio CEOE a las Ciencias Económicas) and the Rey Jaime I Prize for Economics.

Alicia Velarde Valiente:

Earned her honors degree in law from the San Pablo Center for University Studies attached to Universidad Complutense. She has been a member of the Spanish notary association since April of 1991. Since then, Alicia has worked at various notary’s office and has been at her current post in Tarancón (Madrid) since 2001. During the 1994-1995 academic year, she started to give classes in civil law at Universidad Francisco de Vitoria and continued to do so until 1999. She maintains close ties with the university today, and has been a lecturer in canon law under the doctorate program since 1999.

Ricardo Martinez Rico

Commercial Expert and State Economist. Degree in Business Administration from the University of Zaragoza, with honors. Has extended studies at the London School of Economics, Kennedy School of Harvard University and Wharton Business School. Founding partner and CEO of the Economic Team since 2008. Besides, member of the European Advisory Board created by President of American Employers (U.S. Chamber of Commerce of the United States) in Washington. In 2005-2006, he directed the Economic and Commercial Office of Spain in Washington and previously, in 2003, was appointed Secretary of State for Budget and Expenditure.

Miguel Ángel Jiménez-Velasco Mazarío

Miguel Angel holds a degree in law from the Universidad Autónoma de Barcelona (1989) and earned his master in company management and finance from the International Company Institute of Deusto University (Instituto Internacional de Empresas de la Universidad de Deusto) (1990-1991). He has been the legal manager of Abengoa since 1996 and was appointed Secretary and Advisory Lawyer to the Board of Directors in 2003.

Activities performed

Meetings of the Audit Committee during 2012

The Audit Committee met on five occasions over the course of 2012, with all members in attendance at each meeting. These meetings, and the main issues discussed at them, are described below:

Madrid, February 14, 2012

• ƒƒPresentation of PricewaterhouseCoopers Auditores,S.L. of their proposal of audit services for 2012
• ƒPresentation of Deloitte, S.L. of their proposal of audit services for 2012

Madrid, February 22, 2012

• ƒƒEconomic information referred FY2011
• ƒƒPresentation of the external auditor on the findings and conclusions of 2011 financial statements audit
• ƒƒOverall assessment of internal control (SOX) made by the company
• ƒƒCompliance of the internal audit plan during 2011
• ƒƒIntroductions of the internal audit plan for 2012
• ƒƒSummary of external audit and consulting fees during 2011
• ƒƒInformation regarding the whistleblower channel

Madrid, February 27, 2012

• ƒƒResolution regarding the designation of the new external auditor.

Madrid, May 3, 2012

• ƒƒEconomic information referred Q1 2012
• ƒƒCompliance of the internal audit plan during Q1 2012
• ƒƒSummary of external audit and consulting fees during Q1 2012
• ƒƒInformation regarding the whistleblower channel

Madrid, July 30, 2012

• ƒƒEconomic information referred S1 2012
• ƒƒPresentation of the external auditor on the findings and conclusions of S1 2012 review of interim financial information
• ƒƒCompliance of the internal audit plan during S1 2012
• ƒƒSummary of external audit and consulting fees during S1 2012
• ƒInformation regarding the whistleblower channel

Madrid, October 6, 2012

• ƒƒFormulation and approval of required documentation for confidential filing with the SEC in the U.S. to apply for listing of ADR shares B

Madrid, November 6, 2012

• ƒƒEconomic information referred Q3 2012
• ƒƒPresentation of the external auditor on the findings and conclusions of Q3 2012 review of interim financial information
• ƒƒCompliance of the internal audit plan during Q3 2012
• ƒƒSummary of external audit and consulting fees during Q3 2012
• ƒƒInformation regarding the whistleblower channel

 

Meeting its primary function of providing support to the Board of Directors, the main activities discussed and  analyzed by the Audit Committee can be grouped into the following different areas of competency:

a) Internal audit

The Audit Committee’s functions include “supervision of the internal audit service” and “awareness and knowledge of the financial reporting process, internal control systems and the risks for the company”.

In order to oversee the sufficiency, suitability and efficient working of the internal control and risk management systems, the committee received regular information in 2012 from the head of internal audit in relation to:

• ƒƒThe annual internal audit plan and the degree to which it had been met: progress and conclusions on the  internal audit work performed, which essentially comprises the tasks of auditing financial statements, internal control SOX audits, common management systems audits, reviews of critical projects and construction work, and reviews of special areas, among others.
• ƒƒThe degree of implementation of issued recommendations.
• ƒƒA description of the main areas reviewed and the most significant conclusions, which include audited and sufficiently mitigated risks.
• ƒƒOther more detailed explanations requested by the Audit Committee.

During 2012, the Audit Committee recorded and supervised the performance of 572 tasks by the internal audit department. The tasks not included under the Plan related principally to general reviews of companies and projects that had not been envisaged in the initial planning.

As a result of the work performed, 388 recommendations were issued, most of which had been implemented by year end.

One factor that had a decisive impact on the number of recommendations issued was the performance of internal control compliance audits under PCAOB (Public Company Accounting Oversight Board) standards, in accordance with the requirements of section 404 of the Sarbanes-Oxley Act (SOX).

The following graph shows the different types of internal audit work conducted over the course of 2012:

Internal audit function at Abengoa

Internal audit function originated as an independent global function, reporting to the Audit Committee of the Board of Directors, with the principal objective of supervising Abengoa’s internal control and material risk management systems.

Structure and team

Abengoa’s internal audit function is structured around the joint audit services, which act in coordination. To discharge its functions and carry on its activities, the service has a structure based on multidisciplinary teams, formally  organized by geographical area, which work under a common annual work plan and share out the workload on the basis of their respective areas of expertise, all in accordance with best international practices.

Internal audit team is formed by 41 auditors, distributed among the different business groups.

• ƒƒThe average age of Abengoa’s internal audit team is currently around 31.
• ƒƒThe gender distribution was 60% (men) and 40% (women) respectively.
• ƒƒAverage length of professional experience is seven years.
• ƒƒApproximately 65 % of the auditors have prior experience in one of the “Big Four” external audit firms.

The profile of Abengoa’s internal auditors reflects the company’s commitment to employing personnel fully qualified to carry out the audit functions. Abengoa’s internal auditors seek at all times to provide excellent service when performing their work and become heavily involved in the business projects they are carrying out, with the overriding objective of creating value for the organization.

General objectives of the internal audit function are the following:

• ƒƒForestalling the audit risks to which group companies, projects and activities are exposed, such as fraud, capital losses, operational inefficiencies and, in general, any risks that may affect the healthy running of the business.
• ƒMaintaining the supporting role of rules and suitable and efficient management procedures in accordance with the corporate common management systems
• ƒƒCreating value for Abengoa and its business groups, fostering the creation of synergies and monitoring optimal management practices.
• ƒƒCoordinating working criteria and approaches with the external auditors, seeking the greatest efficiency and profitability between the two functions.
• ƒƒAnalyzing and processing complaints received and notifying the conclusions of the work to the Audit Committee.
• ƒEvaluating the companies’ audit risk through an objective procedure.
• ƒƒDeveloping annual work plans with the suitable scopes for each situation.

Evaluation of the internal audit function

During 2011, Abengoa finished a process of independent evaluation of the internal audit activity in accordance with the standards of the Institute of Internal Auditors.

The aim of evaluating the internal audit function was to assess the organization, processes and performance in the internal audit field, in order to fix parameters to improve internal audit effectiveness and efficiency and thus deal with an increasingly demanding competitive and regulatory environment. The task of assessing the internal audit function centers on three key elements:

• ƒƒMission of the internal audit function in order to comply with the company’s requirements and expectations.
• ƒƒProfessionals of the internal audit function.
• ƒƒInfrastructures and operations used by the internal audit function in furtherance of its work.

Following the work conducted by an independent expert, the report concluded that Abengoa’s internal audit function is compliant with the international standards for the professional practice of Internal Auditing of the Institute of Internal Auditors (IIA).

b) External audit

The auditor of the consolidated and non-consolidated annual accounts of Abengoa, S.A. is Deloitte, S.L. which is also the group’s main auditor.

In late 2011, the Audit Committee of Abengoa agreed, in accordance with the provisions of its rules, opening a selection process for the appointment of auditor of annual accounts and consolidated Abengoa and its subsidiaries for 2012.

This process involved the four audit firms with greater visibility and recognition in the sector (Big4). However, two of them were unable to submit proposal for failing to meet the requirements of independence required by current regulations since some of their works performed are incompatible with the role of auditor. As a result, the Audit  Committee proposed to the Board of Directors for submission to the General Meeting of Shareholders the  appointment of Deloitte, S.L., in consideration of the financial offer very competitive and his career, which has been highly appreciated by the committee itself.

During 2012, the Board of Directors and the General Meeting of shareholders approved the permanent appointment of Deloitte as auditor of the financial statements of Abengoa and the consolidated financial statements of Abengoa and its subsidiaries for the year ended December 31, 2012 and the two following years. This appointment was also endorsed by the audit committees, boards of directors and general meetings or assemblies shareholders of the relevant group companies.

In addition, other firms collaborate in performing the audit, especially in small companies both in Spain and abroad, although the scope of their work is not significant for the group overall.

The Audit Committee’s functions include ensuring the independence of the external auditor, proposing the  appointment or renewal thereof to the Board of Directors and approving its fees.

 
SOX (Sarbanes-Oxley Act) internal control audit work has been assigned to these same audit firms following the same criteria. This is because, according to PCAOB (Public Accounting Oversight Board) rules, the firm that issues the opinion on the financial statements must also be the firm that evaluates internal control processes over the preparation of the these same statements, given that this internal control is a key factor in “integrated audits”.

Abengoa follows a policy of having an external annual audit performed on all group companies, even if they are not obliged to do so because they do not meet the legal requirements.

A total of 49 new companies have been audited this year round, more than 85% of which are being audited by one of the four main international audit firms or “Big Four”. The following table provides a breakdown of the global fees
agreed upon with the external auditors for the 2012 audit, including reviews of periodic reporting and the SOX audit:
 

When assigning non-audit work to any of the “Big Four” audit firms, the company has a prior verification procedure in place so as to detect any possible incompatibilities that would prevent the firm from performing the work under the rules of the U.S. SEC (Securities Exchange Commission) or Spanish ICAC (Instituto de Contabilidad y Auditoría de Cuentas).

The following table reveals the fees payable to the Big Four audit firms for non-audit work performed in 2012:

The following table reveals the fees payable to the Big Four audit firms for non-audit work performed in 2012:

In 2012, a survey was conducted on the satisfaction with the service received from the main auditor during the 2011 audit. A series of conclusions have been drawn from this survey and will help to improve the work carried out jointly with the main auditor.

The Audit Committee is, furthermore, responsible for supervising the results of the work of the external auditors. Therefore, it is promptly informed of their conclusions and of any incidents noted in their audits.

When required to do so, the external auditor has attended Audit Committee meetings to report on its areas of competency, which are essentially the following:

• ƒƒReviewing the financial statements of the consolidated group and its component companies and issuing an audit opinion thereon.
  
  Although the auditors must issue their opinion on the financial statements as of December 31 each year, the work they conduct within each of the companies includes a review up to an earlier date, which is typically the end of the third quarter (September), in order to anticipate any significant transactions or other matters that have arisen up to said date.
  
  Since 2008, Abengoa has been voluntarily submitting its half-yearly statements to a limited review issued by the corresponding auditor.
  
  The quarterly financial statements also undergo a review process so that the information required by official bodies can be duly disclosed.
  
  Likewise, the consolidated financial statements of each the five business groups are audited:
  Abeinsa, Befesa, Abengoa Bioenergy, Abengoa Water and Abengoa Solar.
• ƒƒEvaluation of the internal control system and issuance of an audit opinion under PCAOB (Public Company Accounting Oversight Board) standards, (SOX -Sarbanes-Oxley Actcompliance). The specific PCAOB rules require a number of additional audit procedures to be conducted. The Security Exchange Commission (SEC) delegates to the PCAOB the preparation and issuance of the standards to be met by external auditors when evaluating internal control processes as part of an integrated audit.
  
  In 2012, the external auditors carried out an integrated audit under PCAOB standards. As a result of this work, the external auditors likewise issued a report containing the conclusions of their internal control assessment. This opinion is additional to the one included in the audit report on the annual financial statements, although the PCAOB allows both opinions to be included in the same document.

• ƒƒMatters of special interest.
  
  For certain matters or specific or significant transactions, the external auditor is required to provide its opinion on the criteria adopted by the company so as to reach a consensus.
• ƒƒIndependent verification reports prepared by external auditors.
  One of the cornerstones of the company’s strategy is its commitment to transparency and rigor. To reinforce this commitment, some years ago the company fixed the objective that all information appearing in the Annual Report should be verified externally.
  
  Therefore, 2007 witnessed the first audit on the company’s Corporate Social Responsibility Report. In 2008, this was extended to the Greenhouse Gas Emissions Report and in 2009, the Corporate Governance Report underwent an external audit process.
  
  The company is not satisfied with a limited assurance verification report pursuant to ISAE 3000 standards, but intends to continue progressing towards a reasonable assurance verification report, which is the most demanding type of verification to which a company can aspire.

Thus, external auditors issued five reports in 2012, all forming an integral part of the annual report:

• ƒƒAudit report on the consolidated accounts of the group, in accordance with applicable law.
• ƒVoluntary audit report on internal control compliance under PCAOB (Public Company Accounting Oversight Board) standards, pursuant to the requirements imposed by section 404 of the Sarbanes-Oxley Act (SOX).
• ƒƒVoluntary reasonable assurance audit report on the Corporate Governance Report, with Abengoa being the first listed company in Spain to obtain a report of this nature.
• ƒƒVoluntary reasonable assurance audit report on the Corporate Social Responsibility Report.
• ƒƒVoluntary audit report on the design and application of the Risk Management System pursuant to ISO 31000 standards.

c) Internal control

The Audit Committee’s main objectives concerning internal control over the preparation of financial reporting are:

• ƒƒDetermining the risks of a possible material error in the financial reporting caused by fraud or possible fraud risk factors.
• ƒƒAnalyzing the procedures for assessing the efficiency of internal control in relation to financial reporting.
• ƒƒCapacity of internal controls over the processes that affect Abengoa and its business groups.
• ƒƒIdentifying material internal control deficiencies and weaknesses in relation to financial reporting and response capacity.
• ƒƒSupervising and coordinating any significant changes made to the internal controls related to the quarterly financial reporting.
• ƒƒPerforming the quarterly processes of closing the financial statements and differences identified in relation to the processes performed at year end.
• ƒƒRolling out plans and monitoring the actions implemented to correct the differences identified in the audits.
• ƒƒMeasures to identify and correct possible internal control weaknesses in relation to the financial reporting.
• ƒƒAnalyzing procedures, activities and controls that seek to guarantee the reliability of financial reporting and prevent fraud.

Internal Control Model

In February 2010, the Spanish National Stock Market Commission (CNMV) published a document titled “Internal Control over Financial Reporting in Listed Companies” (ICFR), which contains two new legal obligations that listed companies must meet from 2011 onwards:

• ƒƒAudit Committees will be responsible for supervising financial reporting and the efficiency of the company’s internal control and risk management systems.
• ƒƒCompanies will have to report to the markets on their systems of internal control over financial reporting through the Annual Corporate Governance Report.

CNMV document is based on COSO and incorporates 30 recommended practices divided into five components areas:

• ƒƒ Internal control environment
• ƒƒ Financial reporting risk assessment
• ƒƒ Control activities
• ƒƒ Information and communication, and
• ƒƒ Supervision of system operation

Since 2007, Abengoa has been voluntarily submitting its internal control systems to external evaluation, with the issuance of an audit opinion under PCAOB standards and a compliance audit under section 404 of the Sarbanes-Oxley Act (SOX).

This means that Abengoa has been complying strictly with the reference indicators included in the Spanish CNMV’s ISFR document for four straight years now.

Abengoa believes that a proper internal control system would ensure that all relevant financial information is reliable and known to the management. It therefore believes that the model developed and tailored to SOX provides the ideal partner for the common management systems, the main aim of which is to control and mitigate business risks.

ƒƒThe COSO model has been used as the conceptual framework, since this model most closely mirrors the approach required by SOX, which has also been presented to the Audit Committee. In this model, internal control is defined as the process carried out in order to provide reasonable assurance of the attainment of certain objectives, such as compliance with laws and regulations, the reliability of financial reporting and the effectiveness and efficiency of operations.

 

• ƒƒInternal environment: this is essentially the basis for all the other components of risk management as it provides discipline and structure. The internal environment influences the strategy and targets in place by effectively structuring business activities and pinpointing, assessing and interpreting risks. Put differently, the internal environment affects the functioning of the control activities, information, communication systems and the oversight functions.
• ƒƒDefinition of objectives: Within the context of mission and vision, the management defines strategic objectives. These objectives must be in place before the management is able to identify the events potentially capable of frustrating attainment thereof. Risk management enables the management to have a process whereby objectives can be harmonized with the company’s mission and vision, and to ensure that these are compatible with the degree of accepted risk.
• ƒIdentification of events: The company must be vigilant of events that could have a positive or negative bearing on the company. Negative impacts require assessment and an appropriate response from the management. When identifying possible events, the management must pay due heed to both internal and external factors.
• ƒƒRisk assessment: Risk assessment allows the company to address potential events that could affect its ability to reach its objectives. The approach to assessing risks involves a combination of qualitative and quantitative techniques.
• ƒƒRisk response: When faced with significant risks, the management must generate potential responses. After having created a risk response, the management must calibrate the new risk to the residual basis. There will always be a residual risk, not only because resources are limited, but also because of future uncertainties and limitations inherent in other activities.
• ƒƒControl activities: These are the policies and procedures that help to ensure that the company’s response to risk is correctly implemented. Control activities take place throughout all levels and functions of the company structure.
• ƒƒInformation and communication: Information, both internal and external, must be identified, secured and communicated in due time and form if we are to be able to assess risks and provide an appropriate response. Given that information is generated from different sources (internal, external) and has different characteristics (quantitative, qualitative), the company must be sure to secure the most relevant information, which must be processed and conveyed such that it reaches all relevant sectors, thereby allowing us to assume responsibilities.
• ƒƒOversight: Risk management must be supervised, and this oversight may be conducted in real time or a posteriori, the former proving the most effective means.

d) Governance and Compliance

To carry out its responsibilities, the Audit Committee has the following supervision tools at different levels of the organization:

 

Company management implemented a code of professional conduct, the guiding philosophy of which is honesty, integrity and good judgment on the part of employees, managers and directors, as reflected in Abengoa’s Annual Corporate Governance Report, which provides details of the company’s governing structure, risk control systems, the degree to which recommendations on governance are followed and the reporting instruments; and in which the  management’s commitment to maintaining an appropriate internal control and risk management system, good
corporate governance and ethical conduct on the part of the organization and its employees can be seen.

This code of conduct is available to all employees through the Abengoa intranet and is regularly updated. Besides, welcome manual of Abengoa and the different business groups make express reference to the code of professional conduct.

All departments, mainly human resources and internal audit, strive to ensure compliance with the code and notify management of any irregular conduct they may detect so that the appropriate measures can be adopted.

Whistleblowing channel

Following the guidelines set out in section 301 of the Sarbanes-Oxley Act (“The Act”), the audit committee of the board of directors of Abengoa S.A. (“the company”) has agreed to establish procedures to:

• ƒƒThe receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or auditing matters;
• ƒƒThe submission by employees of the company, on a confidential and anonymous basis, of good faith concerns regarding questionable accounting or auditing matters.

Therefore, Abengoa has two whistleblowing channels:

• ƒƒAn internal channel, which is available to all employees, so that they can report any alleged accounting or audit irregularity or breaches of the code of conduct. Issues are reported by e-mail or post.
• ƒƒAn external cannel, available to anyone outside the company, so that they can report any alleged irregularities, fraudulent actions or breaches of Abengoa’s code of conduct through the company’s website (www.abengoa.es and www.abengoa.com).

Whistleblowing policy guarantees no reprisals for whistleblowers, who may submit complaints on a confidential basis. However, both the channel internal and external complaints may be sent on the basis of confidentiality for the complainant or anonymously.

The aim of Abengoa in creating these channels has been to provide a specific means of communicating with management and the governing bodies, which may be used as a tool to inform them of any possible irregularity, non-compliance, unethical or illegal conduct or breach of the rules that govern the group.

For each complaint received, a specific work is performed by the internal audit team. Within the internal audit department, Abengoa has a specific unit dedicated to the investigation of complaints received through the various channels and the implementation of preventive nature works on fraud. Besides, in cases that involve highly technical matters, the company secures the assistance of independent experts, thus ensuring at all times that it has the sufficient means of conducting a thorough investigation and guaranteeing sufficient levels of objectivity when performing the work.

Foreign Corrupt Practices Act (FCPA)

The honesty, integrity and sound judgment of employees, executives and directors is essential to the company’s reputation and success.

In pursuit of these principles, Abengoa adhered to the United Nations Global Compact in 2002. It upholds each of the ten principles enshrined in the initiative and works to integrate them fully into the strategy and policies governing the day-to-day running of the company. In relation to principle nº 10: “Businesses should work against corruption in all its forms, including extortion and bribery”, Abengoa has various procedures in place to prevent any kind of corruption within the company.

In the fight against extortion, fraud and bribery, Abengoa upholds the provisions of the US Foreign Corrupt Practices Act (FCPA).

In particular, the FCPA criminalizes acts by companies and their executives, directors, employees and representatives to pay, promise, offer or authorize payment of anything of value to any foreign civil servant, foreign political party, heads of foreign political parties with the aim of achieving or maintaining business operations, or of obtaining any kind of improper gain.

The FCPA complements the requirements imposed by section 404 of the US Sarbanes Oxley Act (SOX).

Supervision and control of the risk management model

During 2012, Abengoa continued to grow, carrying on activities in more than 70 countries. To deal with this growth in a safe and controlled manner, Abengoa has a common business management system that allows it to work on an efficient, coordinated and consistent basis.

In forthcoming years, we will be faced with an environment characterized by greater regulatory requirements. In order to deal with this scenario, Abengoa considers risk management an indispensable activity and function for strategic decision making.

Abengoa is aware of the importance of managing its risks in order to carry out appropriate strategic planning and attain the defined business objectives. To do this, it applies a philosophy formed by a set of shared beliefs and attitudes, which define how risk is considered, starting with the development and implementation of the strategy and ending with the day-to-day activities.

 

Abengoa’s risk management system is shown in the following diagram:

Abengoa defines risk as any potential event that may prevent the company from reaching its business objectives. Abengoa considers that a risk arises as a loss of opportunities and/or strengths or the materialization of a threat and/or strengthening of a weakness.

Abengoa’s attitude in the face of risk is awareness, involvement and anticipation. The key principles of risk management at Abengoa are the following:

• ƒƒIn order to attain the business objectives fixed, risks must be managed at all levels of the company without exception.
• ƒƒThe Board of Directors will be responsible for supervising the efficiency of the entity’s internal control and risk management systems.
• ƒƒDecisions are always taken on the basis of a consensus, with shared responsibility.
• ƒƒAbengoa’s risk management system is fully integrated into:
  
  • ƒƒThe strategic planning process.
  • ƒƒThe definition of business objectives.
  • ƒƒDay-to-day operations to attain said objectives.
• ƒƒRisk management includes the identification and assessment of, response to, monitoring or followup of and reporting of risks in accordance with the procedures in place for these purposes.
• ƒƒResponses to risks must be consist and must be well adapted to the conditions of the business and the economic environment.
• ƒƒManagement must regularly evaluate the assessment of its risks and the responses that have been designed.
• ƒMonitoring will be conducted regularly and the conformity of the activities of identification, assessment, response, monitoring and reporting included in Abengoa’s Risk Management System will be reported.

The risk management process at Abengoa is a continuous cycle based on five key phases, as shown in the following diagram:

In each phase, regular and consistent communication is necessary in order to achieve good results. Since it is a continuous cycle, permanent feedback is necessary in order to achieve a constant improvement in the risk management system. These processes are addressed to all the company’s risks.

Abengoa manages its risks using the following model, described in the company’s risk management manual, which is intended to identify the potential risks of a business:

Risk treatment and response criteria are contained within the common management systems and must be observed by all employees.

The responses designed and included within the different elements that make up the Abengoa’s risk management system pursue one of the following risk management scenarios:

• ƒƒElimination: the risk is completely eliminated.
• ƒƒReduction and control: the aim here is to reduce the risk as much as possible by using strategic or safety measures (diversification of supply, quality systems, maintenance, prevention, etc.).
• ƒƒTransfer to a third party: the risk is transferred to a third party, so that Abengoa holds no responsibility for the risk, whether through an insurance company or another third party (supplier, subcontractor).
• ƒFinancial retention: if it has not been possible to otherwise control the risk, it is eventually accepted.

Abengoa’s risk management model comprises three core elements:

Those elements combine to form an integrated system that enables the company to manage risks and controls suitably throughout all levels of the organization.

a) Common management systems

The functional heads of each division must verify and certify compliance with these procedures. This annual certification is issued by the Audit Committee in January of the following year.

Objectives

• ƒƒTo identify possible risks which, although they are inherent to any business, must be identified, mitigated and monitored.
• ƒƒTo optimize the day-to-day management by applying procedures leading to financial efficiency, expense reduction and the homogenization and compatibility of information and management systems.
• ƒƒTo promote synergies and value creation throughout Abengoa’s different business groups.
• ƒƒTo reinforce corporate identity.
• ƒƒTo achieve growth through strategic development that seeks innovation and new options in the medium- and long-term.

The systems cover the whole organization at three levels:

• ƒƒAll the business groups and areas of activity.
• ƒƒAll levels of responsibility.
• ƒƒAll kinds of operations.

Common management systems represent a common culture for Abengoa’s different businesses and are composed of eleven rules defining how each of the potential risks included in Abengoa’s risk model should be managed. Through these systems, the risks and the appropriate way of hedging against them are identified and the control mechanisms defined.

Over recent years, the common management systems have evolved to adapt to the new situations and environments in which Abengoa operates, with the overriding aim of reinforcing risk identification, covering risks and establishing control activities. The summary of annual updates is shown in the graph below:

Besides, the summary of updates split by category of rule is the following:

 

b) Compulsory procedures (SOX)

The compulsory procedures are used to mitigate risks relating to the reliability of the financial information, employing a combined system of procedures and control activities in key areas of the company, which are intended to ensure the reliability of the financial information and prevent fraud.

As a result of our commitment to transparency, and so as to continue to ensure the reliability of the financial information prepared by the company, we have continued to reinforce our internal control structure, adapting it to the requirements established under section 404 of the United States Sarbanes-Oxley Act (SOX). For a further year, we have voluntarily submitted the internal control system of the whole group to an independent evaluation process conducted by external auditors under PCAOB (Public Company Accounting Oversight Board) audit standards.

SOX is a compulsory law for all listed companies operating in the United States and is intended to ensure the reliability of the financial reporting of these companies and protect the interests of their shareholders and investors by establishing an appropriate internal control system. Thus, although none of the business groups is required to meet SOX requirements, Abengoa deems it necessary to comply with these requirements throughout all of its component companies, since these requirements complement the risk control model used by the company.

The company has implemented an appropriate internal control system that relies on three tools:

• ƒƒA description of the company’s relevant processes that could impact the financial information to be prepared. In this regard, 41 management processes have been defined and grouped into corporate cycles and common cycles used throughout all the business groups.
• ƒƒA series of flow charts that provide a visual description of the processes.
• ƒƒAn inventory of the control activities in each process to ensure attainment of the control objectives.

Our work comprises the following aspects:

At Abengoa, we have viewed this legal requirement as an opportunity for improvement and, far from being satisfied with the rules included in the Act, we have tried to develop and improve our own internal control structures, control procedures and the evaluation procedures in place.

This initiative arose in response to the swift expansion experienced by the group in recent years and projected future growth, the aim for us to continue preparing accurate, timely and complete financial reports for our investors.

In order to meet the requirements of section 404 of the SOX, Abengoa’s internal control structure has been redefined following a “Top-Down” approach based on risk analysis.

This risk analysis encompasses a preliminary identification of significant risk areas and an assessment of the company’s controls over them, starting with top-level executives - corporate and supervisory controls – then dropping to the operational controls present in each process.

Our approach is as follows:

ƒƒA top-down approach to risk assessment, helping us to identify the areas of greater risk.

• ƒƒIntegrating financial statement audits and internal control reviews, paying special attention to the company’s general control environment.
• ƒƒA focus that combines section 404 of the SOX with existing internal audit work.
• ƒƒA working plan that identifies the most relevant business areas and the most significant accounts in a way that ensures satisfactory coverage of the associated risks involved.
• ƒƒInternal auditing teams made up of professionals with experience and expertise in the sector.
• ƒƒUse of experienced experts to support the internal auditing teams as and when needed.

c) The universal risk model

In 2011, Abengoa finished integrating its universal risk model, the company’s chosen methodology for quantifying the risks that compose the risk management system.

Abengoa’s universal risk model is made up of four categories, 20 sub-categories and a total of 56 principal risks for the business. Each these risks has an associated series of indicators that allow its probability and impact to be measured and the degree of tolerance to the risk to be defined, thus allowing for subsequent risk assessment and monitoring

 

The following diagram illustrates how Abengoa’s universal risk model works. The model is periodically reviewed and updated jointly by the internal audit departments, the heads of each area involved and the heads of risk management at corporate-level and for the different business groups.

After applying both probability and impact indicators to all the risks that make up Abengoa’s universal risk model, risks are grouped accordingly into four types, each with its own predetermined risk management strategy:

• ƒƒMinor risk: risks that occur frequently but have little economic impact. These are managed accordingly to reduce the likelihood of them arising, but only if managing them proves economically viable.
• ƒƒTolerable risk: risks that occur infrequently and have little economic impact. These risks and monitored to ensure that they remain at tolerable levels.
• ƒƒSevere risk: frequent risk with a heavy impact. These risks are managed immediately, although due to the risk management processes implemented by Abengoa, it is unlikely that Abengoa will have to tackle this type of risk.
• ƒƒCritical risk: risks that occur infrequently but have a very high economic impact. These risks have their own contingency plan, given the severity of their impact should they arise.

Abengoa completed implementation in 2011 of Archer eGRC, a technological solution enabling the company to automate the process of identifying, assessing, responding to, monitoring and reporting the risks that make up its universal risk model, thus helping to protect all the activities and sectors in which Abengoa is currently engaged.

During 2012, this application has been consolidated as a tool for calculation and reporting of identified risks. Since its introduction, Abengoa has been working on the application synchronization with other tools within the group with the aim of increasing process automation.

Outlook for 2013

2013 presents new challenges and opportunities for Abengoa and the Audit Committee in the performance of their duties and responsibilities.

The internal audit team will continue to exercise their functions to prevent, detect and propose control mechanisms to ensure the reliability of financial information prepared by the company with the aim of providing an Abengoa adequate internal control system.

Moreover, the approach will remain focused on maintaining the three pillars that make up the risk management model in Abengoa:

• ƒƒCommon management systems
• ƒƒCompulsory procedures
• ƒƒUniversal risk model

The role of the internal audit team in meeting international standards on auditor independence in the provision of non-audit services, the limits on the concentration of business and other situations of incompatibility, will be enhanced.

In conclusion, the Audit Committee intends to continue maintaining the same level of demand suggests that allows improving security guarantee for the shareholders to the reliability of financial reporting and other responsibilities entrusted.