Internal Control
Neste establishes internal control procedures across the business operations in order to provide a reasonable assurance and mitigation of risks that may adversely affect the reliability of financial information, prevention of fraud, compliance with external laws and internal policies, and effectiveness and efficiency of operations.
Internal control procedures established in business operations contain, inter alia, policies and instructions, risk identification and related process control to mitigate risk, segregation of duties including authorization management, day-to-day supervisory controls and monitoring to ascertain these procedures are present and functioning.
The Three Lines Model is implemented to ensure there are adequate controls to manage the risk of adverse effect to business objectives from any major setback. The first line, operational management, owns the risks and controls and is therefore responsible for ensuring that controls and deficiency-related corrective actions are implemented.
Functions that oversee risks and control implementation constitute the second line, thus providing additional assurance to the stakeholders.
Internal Audit provides independent assurance and constitutes the third line. In addition, external auditors provide assurance on the financial statements.
Neste has set up an internal control function, Neste Internal Control, to provide additional assurance and lead the group-wide internal control development and monitoring. Neste Internal Control provides insight in designing and implementing effective controls, by keeping in view all relevant financial and operational risks and mitigation parameters. The Internal Control function provides the necessary guidance and training for defining and documenting the controls. It monitors the adequacy and effectiveness of controls by utilizing technology for Continuous Control Monitoring and it reports the control assessment results to the Executive Committee and Audit Committee.
Internal Control function activities follow COSO* principles and its elements of internal control framework: 1. Control Environment; 2. Risk Assessment; 3. Control Activities; 4. Monitoring; and, 5. Information and Communication. Internal Control Framework is being completed with the sustainability controls, following the CSRD requirements and guidelines provided by COSO Sustainability Supplement on ICSR.
*COSO is The Committee of Sponsoring Organizations of the Treadway Commission and referred to by many companies worldwide for thought leadership in development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. COSO is established by The Institute of Internal Auditors, The Association of Accountants and Financial Professionals in Business, American Accounting Association, American Institute of Certified Public Accountants, and Financial Executives International.
Controls over Financial Reporting
Objectives
The objective of internal controls at Neste is to provide reasonable assurance concerning the reliability of the financial reporting and the preparation of the financial statements. Additionally, internal controls support the business in the achievement of its operational and strategic objectives by acting as performance accelerators in business processes.
The system of internal controls at Neste is based on the Committee of Sponsoring Organizations framework (the “COSO framework,” 2013).
Neste’s internal control requirements are defined in the Neste Internal Control Principle, Access Risk Management Principle and related standards. The Neste Internal Control function leads Group-wide control development and monitors the internal controls throughout Neste. The Internal Controls function provides the necessary guidance for designing and performing the controls effectively.
Control environment
The Board of Directors is responsible for ensuring that there is adequate control over the Company’s accounts and finances. Responsibility for arranging this control is delegated to the President and CEO, who is required to ensure that the Company’s accounts are in compliance with the law, and that its financial management has been reliably arranged.
The internal control at Neste is based on the corporate structure, whereby the operations are organized into organizational units. The heads of business units and the finance function are responsible for establishing and maintaining appropriate, up-to-date, effective and adequate controls of financial reporting. Operational management owns the risks and controls and is responsible for ensuring controls and deficiency-related corrective actions are implemented.
The Internal Control Principle emphasizes the importance of internal controls and clarifies the responsibilities of the Three Lines for establishing effective controls in business processes. Neste’s values and management system containing the formal Code of Conduct are the foundation of the control environment. The President and CEO and corporate management are responsible for emphasizing the importance of ethical principles and correct financial reporting.
Risk assessment
As a prerequisite for risk assessment, the organization’s objectives need to be established. With respect to financial reporting, the general objective is to have reliable reporting and ensure that transactions are recorded and reported completely and correctly. The assessment of risk includes risks related to fraud.
Additional information about risk management principles is available in the Risk Management section of the Annual Report.
Control activities
Neste control activities include instructions, guidelines and procedures to ensure that the actions identified by management to address the relevant risks are carried out effectively. The most important guidelines related to financial reporting systems and practices are documented in the Neste Internal Control Principle, Access Risk Management Principles, the Controls over Financial Reporting standard (COFR), Internal Control Process Standard, Process charts, month end workflows and detailed Finance Instructions.
Key control activities are documented in a global control catalog covering each business or financial process. Group-level policies and guidelines are documented in the Neste Management System. The control catalog is maintained in SAP GRC, the platform used for internal control management.
Information and communication
Neste corporate-level communication practices support the completeness and correctness of financial reporting. Neste personnel have access to adequate information and communication regarding accounting and reporting principles and control guidelines, including clarity on control responsibility and accountability. The main means of communicating the relevant matters for appropriate financial reporting consist of internal control training, detailed Finance Instructions containing accounting principles and guidelines for forecasting and reporting, information sessions, on-the-job training, process walkthroughs, and postings on internal channels and pages.
Neste business units prepare regular financial and management reports for the management review, including analysis of and comments on financial performance. The Executive Committee and the Board of Directors receive financial reports monthly. Interim Reports and Financial Statements are reviewed at Audit Committee meetings, and thereafter by the Board of Directors.
Monitoring
The Audit Committee oversees the Company’s finances, financial reporting, risk management, as well as the Internal Control and Internal Audit functions, as part of the Company’s corporate governance. Internal control deficiencies are communicated in a timely manner to those parties responsible for taking corrective action, and to management and the Board’s Audit Committee as appropriate.
The Internal Control function acts on behalf of the stakeholders to monitor the performance and assess the adequacy of the controls. Results are reported regularly to the Executive Committee.
Corporate Internal Audit assesses the operational model and practices of internal control over Neste’s financial reporting as part of business and process-level audits.