The Three Lines Model is implemented to ensure there are adequate controls to manage the risk of adverse effects on business objectives from any major setback. The first line, operational management, owns the risks and controls and is therefore responsible for ensuring that controls and deficiency-related corrective actions are implemented.
Ultimately, every employee acts as the first line by acting ethically, following the policies, and performing the controls relevant to the business activity the employee handles.
Functions that oversee risks and control implementation constitute the second line, thus providing additional assurance to the stakeholders.
Internal Audit provides independent assurance and constitutes the third line.
Neste has set up an internal control function, Neste Internal Control, to provide additional assurance and lead the group-wide internal control development and monitoring in business operations.
Neste Internal Control works closely with business and process owners in designing and implementing effective controls, by providing insight and keeping in view all relevant financial and operational risks, as well as mitigation parameters such as completeness, accuracy and segregation of duties. The Internal Control function provides the necessary guidance and training for defining and documenting the internal controls. It monitors the adequacy and effectiveness of controls and, on a regular basis, carries out internal control testing in co-operation with the group-wide business process owner network and reports the control assessment results to the Executive Committee and Audit Committee.
Building effective internal controls in the business processes is an ongoing process. As the business changes, and the competitive landscape and other threats evolve, it is necessary to review the adequacy of the controls in business processes and develop the necessary new controls that mitigate the risks. The internal control development process follows the strategy and risk review rhythm, annually or semiannually, as the revised strategy and business environment could necessitate new mitigation controls.
Internal Control function activities follow COSO* principles and the elements of its internal control framework: 1. Control Environment; 2. Risk Assessment; 3. Control Activities; 4. Monitoring; and 5. Information and Communication.