Neste establishes internal control procedures across the business operations in order to provide a reasonable assurance and mitigation of risks that may adversely affect the reliability of financial information, prevention of fraud, compliance with external laws and internal policies, and effectiveness and efficiency of operations.
Internal control procedures established in business operations contain, inter alia, policies and instructions, risk identification and related process control to mitigate risk, segregation of duties including authorization management, day-to-day supervisory controls and monitoring to ascertain these procedures are present and functioning.
The Three Lines Model is implemented to ensure there are adequate controls to manage the risk of adverse effect to business objectives from any major setback. The first line, operational management, owns the risks and controls and is therefore responsible for ensuring that controls and deficiency-related corrective actions are implemented.
Ultimately, every employee acts as the first line, by acting ethically, following the policies, and performing the controls respective to the business activity the employee handles.
Functions that oversee risks and control implementation constitute the second line, thus providing additional assurance to the stakeholders.
Internal Audit provides independent assurance and constitutes the third line.
Neste has set up an internal control function, Neste Internal Control, to provide additional assurance and lead the group-wide internal control development and monitoring in business operations.
Neste Internal Control works closely with business and process owners in designing and implementing effective controls, by providing insight and keeping in view all relevant financial and operational risks, as well as mitigation parameters such as completeness, accuracy and segregation of duties. The Internal Control function provides the necessary guidance and training for defining and documenting the internal controls. It monitors the adequacy and effectiveness of controls and, on a regular basis, carries out internal control testing in co-operation with the group-wide business process owner network and reports the control assessment results to the Executive Committee and Audit Committee.
Building effective internal controls in the business processes is an ongoing process. As the business changes, and the competition landscape and other threats evolve, it is necessary to review the adequacy of the controls in business processes and develop the necessary new controls that mitigate the risks. The internal control development process follows the strategy and risk review rhythm, annually or semiannually, as the revised strategy and business environment could necessitate new mitigation controls.
Internal Control function activities follow COSO* principles and its elements of internal control framework: 1. Control Environment; 2. Risk Assessment; 3. Control Activities; 4. Monitoring; and, 5. Information and Communication.
*COSO is the Committee of Sponsoring Organizations of the Treadway Commission, which many companies worldwide refer to for thought leadership in the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. COSO is established by The Institute of Internal Auditors, The Association of Accountants and Financial Professionals in Business, American Accounting Association, American Institute of Certified Public Accountants, and Financial Executives International.
Controls over Financial Reporting
The objective of internal controls at Neste is to provide a reasonable assurance with regard to the financial reporting and the preparation of financial statements in accordance with the applicable laws and regulations and the internal requirements. Additionally, internal controls support the business in the achievement of its operational and strategic objectives by acting as performance accelerators in business processes.
The system of internal controls at Neste is based on the framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Management sets its level of risk appetite by defining the Group-level control objectives. Control objectives state the Group’s minimum control requirements for the control activities in financial and business processes in order to mitigate the underlying key risks and establish the desired level of assurance for correct financial reporting, adherence with the regulations and policies, and prevention of fraud. Group level control objectives are endorsed by the Executive Committee and Audit Committee and reflect the top management guidelines, auditor reports, policies and regulations Neste complies with. Neste internal control requirements are defined in Neste Internal Control Principle, Neste Access Risk Management Principle and standards on Controls over Financial Reporting (COFR), Segregation of Duties, etc.
Under the Finnish Companies Act, the Board of Directors is responsible for ensuring that there is adequate control over the Company’s accounts and finances. Responsibility for arranging this control is delegated to the President and CEO, who is required to ensure that the Company’s accounts are in compliance with the law and that its financial management has been arranged in a reliable manner.
The internal control at Neste is based on the corporate structure whereby the operations are organized into organizational units. The heads of business units and finance function are responsible for establishing and maintaining appropriate, up-to-date, effective and adequate controls over financial reporting. Operational management owns the risks and controls and is responsible for ensuring that controls and deficiency-related corrective actions are implemented.
In order to provide additional assurance, Neste has established an Internal Control function, which is responsible for coordinating the Group-wide internal control development and monitoring. The Head of Internal Control reports on its activities on a regular basis to the Executive Committee and to the Board of Directors’ Audit Committee which monitors the effectiveness of the Company’s Internal Control. Internal Control follows up and verifies that actions are taken by the respective operational management.
Internal Control Principle emphasizes the importance of internal controls and clarifies the responsibilities of the Three Lines for establishing effective controls in business processes. Neste’s values and management system containing the formal Code of Conduct are the foundation of the control environment. The President and CEO and corporate management are responsible for emphasizing the importance of ethical principles and correct financial reporting.
As a prerequisite for risk assessment, the organization’s objectives need to be established. With respect to financial reporting, the general objective is to have reliable reporting and ensure that transactions are recorded and reported completely and correctly. The assessment of risk includes risks related to fraud.
Additional information on risk management principles is available in the Risk Management section of the Annual Report.
Neste control activities include instructions, guidelines and procedures to ensure that the actions identified by management to address the relevant risks are carried out effectively. The most important guidelines related to financial reporting systems and practices are documented in Neste Internal Control Principle, Access Risk Management Principles, the Controls over Financial Reporting standard (COFR), Process charts, month end workflows and detailed Finance Instructions.
Key control activities are documented in a global control catalog covering each business or financial process. Group-level policies and guidelines are documented in the Neste Management System.
Neste corporate-level communication practices support the completeness and correctness of financial reporting. Neste personnel have access to adequate information and communication regarding accounting and reporting principles and guidelines. The main means of communicating the relevant matters for appropriate financial reporting consist of internal control training, detailed Finance Instructions containing accounting principles and guidelines for forecasting and reporting, info sessions, on-the-job training, process walk-throughs, and postings on internal channels and pages.
Neste business units prepare regular financial and management reports for the management review, including analysis and comments of financial performance. The Executive Committee and the Board of Directors receive financial reports monthly. Interim Reports and Financial Statements are reviewed in Audit Committee meetings, and thereafter by the Board of Directors.
Management regularly monitors the effectiveness of the controls, as a control that was initially effective can become ineffective due to changes in the operating environment. Changes can also take place in the controls due to changed processes, IT systems or personnel.
The Board of Directors and the Audit Committee regularly review the financial performance, including reviewing whether there is an adequate level of process to evaluate the risks and effectiveness of controls related to the financial reporting process at all levels of the organization. The Audit Committee oversees the Company’s finances, financial reporting, risk management, as well as the Internal Control and Internal Audit functions, as part of the Company’s corporate governance. Internal control deficiencies are communicated in a timely manner to those parties responsible for taking corrective action, and to management and the Board’s Audit Committee as appropriate.
Corporate Internal Audit assesses annually the operational model and practices of internal control over Neste’s financial reporting as part of business and process-level audits.
The Internal Control function also conducts separate tests to assess the adequacy of internal controls in business processes, recommends corrections and reports the gaps to the respective management teams.