The Supervisory Board and the Executive Board have overall responsibility for the Group’s control environment. The Audit Committee appointed by the Supervisory Board is responsible for monitoring the internal control and risk management systems related to the financial reporting process on an ongoing basis.
The Company has a number of policies and procedures in key areas of financial reporting, including the Finance Manual, the Controller Manual, the Chart of Authority, the Risk Management Policy, the Treasury Policy, the Information Security Policy, the Global Expense Policy and the Business Ethics Policy. The policies and procedures apply to all subsidiaries, and similar requirements are set out in collaboration with the partners in joint ventures.
The internal control and risk management systems are designed to mitigate rather than eliminate the risks identified in the financial reporting process. Internal controls related to the financial reporting process are established to detect, mitigate and correct material misstatements in the consolidated financial statements.
The monitoring of risk and internal controls in relation to the financial reporting process are anchored by the reporting of the maturity level of the control environment using the Company’s financial control framework.
The risk assessment process related to the risk in relation to the financial reporting process is assessed annually and approved by the Audit Committee.
The risk related to each accounting process and line item in the consolidated financial statements is assessed based on quantitative and qualitative factors. The associated financial reporting risks are identified based on the evaluation of the likelihood of them materialising and their potential impact.
The identified areas are divided into areas with high, medium or low risk. High-risk areas are line items that include significant accounting estimates, including goodwill and special items, and the sales and purchase process. The Company’s financial control framework reporting covers relevant Group companies and functions to the level where high-risk areas are at least 80% covered and medium-risk areas at least 60%. Low-risk areas are not covered.
The Group has implemented a formalised financial reporting process for the strategy process, budget process, quarterly estimates and monthly reporting on actual performance. The accounting information reported by all Group companies is reviewed both by controllers with regional or functional in-depth knowledge of the individual companies/functions and by technical accounting specialists. In addition, significant Group companies have controllers with extensive commercial and/or supply chain knowledge and insight.
Based on the risk assessment, the Group has established minimum requirements for the conduct and documentation of IT and manual control activities to mitigate identified significant financial reporting risks. The Company’s financial control framework covers 132 controls relating to 23 accounting processes and areas.
The relevant Group companies and functions must ensure that the Company’s financial control framework is implemented in their business and that individual controls are designed to cover the predefined specific risk. The local management is responsible for ensuring that the internal control activities are performed and documented, and is required to report compliance quarterly to the Group’s finance organisation.
The entities in the Group are dependent on IT systems. Any weaknesses in the system controls or IT environment are compensated for by manual controls in order to mitigate any significant risk relating to the financial reporting.
The Group has established information and communication systems to ensure that accounting and internal control compliance is established, including a Finance Manual, a Controller Manual and internal control requirements.
In addition, the Group has implemented a formalised reporting process for reporting monthly, quarterly, budget and estimate figures from all countries and functions.
The Audit Committee’s monitoring covers both the internal control environment and business risk. Monitoring of the internal control environment is covered by the Company’s financial control framework. The business risk is assessed and reviewed at multiple levels in the Group, including periodic review of control documentation, controller visits and audits performed by Group Internal Audit.
Additionally, business risks are discussed and monitored at business review meetings between ExCom, regional management and local management at which potential financial impacts are identified.
The Audit Committee’s Terms of Reference outline its roles and responsibilities concerning supervision and monitoring of the internal control and risk management systems related to financial reporting. Monitoring is performed on the basis of periodic reporting from the finance organisation, internal and external audit.