Main features of internal control and risk management systems pertaining to the financial reporting process
The objective of internal control over financial reporting at Neste is to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with applicable laws and regulations and internal requirements of control activities.
The system of internal controls at Neste Corporation is based on the framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Management sets its level of risk appetite by defining the group level control objectives. Control Objectives set the Group’s minimum control requirements for the control activities in financial and business processes in order to mitigate the underlying key risks and establish the desired level of assurance for correct financial reporting, adherence to regulations and policies, and prevention of fraud. Group level control objectives are endorsed by the Executive Committee and Audit Committee and reflect the top management guidelines, auditor reports, policies and regulations Neste complies with, as well as Neste’s Internal Control Principles and Control Requirements over Financial Reporting (COFR).
Under the Finnish Companies Act, the Board of Directors is responsible for ensuring that there is adequate control over the Company’s accounts and finances. Responsibility for arranging this control is delegated to the President and CEO, who is required to ensure that the Company’s accounts are in compliance with the law and that its financial management has been arranged in a reliable manner.
The internal control at Neste is based on the corporate structure whereby the operations are organized into business units and common functions. The heads of business units and the finance function are responsible for establishing and maintaining appropriate, up-to-date, effective and adequate controls over financial reporting. Operational management hence owns the risks and controls and is responsible for ensuring that controls and deficiency-related corrective actions are implemented.
In order to provide additional assurance, Neste has established an Internal Control function that is responsible for leading the group-wide internal control development and monitoring the performance of internal controls in business operations. The Internal Control team acts on the recommendations of the auditors for improving the quality of the controls and follows up and verifies that actions for remediation are taken by the respective operational management.
Neste has prepared and established its own Internal Control Principles in accordance with the COSO framework. Internal Control Principles emphasize the importance of internal controls and clarify the responsibilities of the three lines of defense for establishing effective controls in business processes. Neste’s values and management system containing a formal Code of Conduct are the foundation of the control environment. The President and CEO and corporate management are responsible for emphasizing the importance of ethical principles and correct financial reporting.
As a prerequisite for risk assessment, the organization’s objectives need to be established. With respect to financial reporting, the general objective is to have reliable reporting and ensure that transactions are recorded and reported completely and correctly. The assessment of risk includes risks related to fraud.
Additional information on risk management principles is available in the Risk Management section of the Annual Report.
Neste’s control activities include instructions, guidelines and procedures to ensure that the actions identified by management to address the relevant risks are carried out effectively. The most important guidelines related to financial reporting systems and practices are documented in Neste’s Internal Control Principles, Access Risk Management Principles, Control Over Financial Reporting documentation (COFR), Process charts, month-end workflows and detailed Finance Instructions.
Key control activities are documented in respective control catalogs for each business or financial process.
Other group level policies and guidelines are documented in Neste’s management system.
Neste’s corporate level communication practices support completeness and correctness of financial reporting. Neste personnel have access to adequate information and communication regarding accounting and reporting principles and guidelines. The main means of communicating the relevant matters for appropriate financial reporting consist of internal control training, detailed Finance Instructions containing accounting principles and guidelines for forecasting and reporting, info sessions, on-the-job training, process walk-throughs, and postings on internal channels and pages.
Neste’s business units prepare regular financial and management reports for the management review, including analysis of and comments on financial performance. The Executive Committee receives financial reports monthly. Interim Reports are reviewed in Audit Committee meetings, and thereafter by the Board of Directors.
Management regularly monitors the effectiveness of the controls, as a control that was initially effective can become ineffective due to changes in the operating environment. Changes can also take place in the controls due to changed processes, IT systems or personnel.
The Board of Directors and the Audit Committee regularly review the financial performance, including whether there is an adequate level of process to evaluate the risks and effectiveness of controls related to the financial reporting process at all levels of the organization. The Audit Committee oversees the Company’s finances, financial reporting, risk management, as well as the Internal Control and Internal Audit functions, as part of the Company’s corporate governance. Internal control deficiencies are communicated in a timely manner to those parties responsible for taking corrective action, and to management and the Board as appropriate.
Corporate Internal Audit annually assesses the operational model and practices of internal control over financial reporting of Neste as part of business and process level audits.
The Internal Control function also conducts separate tests to assess the adequacy of internal controls in business processes, recommends corrections and reports the gaps to the respective management teams.