Internal Control

Neste establishes internal control procedures across its business operations to provide reasonable assurance and to mitigate risks that may adversely affect the reliability of financial information, the prevention of fraud, compliance with external laws and internal policies, and the effectiveness and efficiency of operations.

Internal control procedures established in business operations include, inter alia, policies and instructions, risk identification and related process controls to mitigate risk, segregation of duties including authorization management, day-to-day supervisory controls, and monitoring to ascertain that these procedures are present and functioning.

The Three Lines Model is implemented to ensure there are adequate controls to manage the risk of any major setback adversely affecting business objectives. The first line, operational management, owns the risks and controls and is therefore responsible for ensuring that controls and deficiency-related corrective actions are implemented.

Ultimately, every employee acts as the first line by acting ethically, following the policies, and performing the controls relevant to the business activity the employee handles.

Functions that oversee risks and control implementation constitute the second line, thus providing additional assurance to the stakeholders. 

Internal Audit provides independent assurance and constitutes the third line. 

Neste has set up an internal control function, Neste Internal Control, to provide additional assurance and lead the group-wide internal control development and monitoring in business operations. 

Neste Internal Control works closely with business and process owners in designing and implementing effective controls, by providing insight and keeping in view all relevant financial and operational risks, as well as mitigation parameters such as completeness, accuracy and segregation of duties. The Internal Control function provides the necessary guidance and training for defining and documenting the internal controls. It monitors the adequacy and effectiveness of controls and, on a regular basis, carries out internal control testing in co-operation with the group-wide business process owner network and reports the control assessment results to the Executive Committee and Audit Committee.

Building effective internal controls in the business processes is an ongoing process. As the business changes, and the competitive landscape and other threats evolve, it is necessary to review the adequacy of the controls in business processes and develop the necessary new controls that mitigate the risks. The internal control development process follows the strategy and risk review rhythm, annually or semiannually, as the revised strategy and business environment could necessitate new mitigating controls.

Internal Control function activities follow the COSO* principles and the elements of its internal control framework: 1. Control Environment; 2. Risk Assessment; 3. Control Activities; 4. Monitoring; and 5. Information and Communication.

*COSO is the Committee of Sponsoring Organizations of the Treadway Commission and is referred to by many companies worldwide for thought leadership in the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. COSO was established by The Institute of Internal Auditors, The Association of Accountants and Financial Professionals in Business, American Accounting Association, American Institute of Certified Public Accountants, and Financial Executives International.