The objective of internal controls at Neste is to provide a reasonable assurance with regard to the financial reporting and the preparation of financial statements in accordance with the applicable laws and regulations and the internal requirements. Additionally, internal controls support the business in the achievement of its operational and strategic objectives by acting as performance accelerators in business processes.
The system of internal controls at Neste is based on the framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Management sets its level of risk appetite by defining the Group-level control objectives. Control objectives state the Group’s minimum control requirements for the control activities in financial and business processes in order to mitigate the underlying key risks and establish the desired level of assurance for correct financial reporting, adherence to the regulations and policies, and prevention of fraud. Group-level control objectives are endorsed by the Executive Committee and Audit Committee and reflect the top management guidelines, auditor reports, policies and regulations Neste complies with. Neste internal control requirements are defined in Neste Internal Control Principle, Neste Access Risk Management Principle and standards on Controls over Financial Reporting (COFR), Segregation of Duties, etc.
Under the Finnish Companies Act, the Board of Directors is responsible for ensuring that there is adequate control over the Company’s accounts and finances. Responsibility for arranging this control is delegated to the President and CEO, who is required to ensure that the Company’s accounts are in compliance with the law and that its financial management has been arranged in a reliable manner.
The internal control at Neste is based on the corporate structure whereby the operations are organized into organizational units. The heads of business units and finance function are responsible for establishing and maintaining appropriate, up-to-date, effective and adequate controls over financial reporting. Operational management owns the risks and controls and is responsible for ensuring that controls and deficiency-related corrective actions are implemented.
In order to provide additional assurance, Neste has established an Internal Control function, which is responsible for coordinating the Group-wide internal control development and monitoring. The Head of Internal Control reports on its activities on a regular basis to the Executive Committee and to the Board of Directors’ Audit Committee which monitors the effectiveness of the Company’s Internal Control. Internal Control follows up and verifies that actions are taken by the respective operational management.
Internal Control Principle emphasizes the importance of internal controls and clarifies the responsibilities of the Three Lines for establishing effective controls in business processes. Neste’s values and management system containing the formal Code of Conduct are the foundation of the control environment. The President and CEO and corporate management are responsible for emphasizing the importance of ethical principles and correct financial reporting.
As a prerequisite for risk assessment, the organization’s objectives need to be established. With respect to financial reporting, the general objective is to have reliable reporting and ensure that transactions are recorded and reported completely and correctly. The assessment of risk includes risks related to fraud.
Additional information on risk management principles is available in the Risk Management section of the Annual Report.
Neste control activities include instructions, guidelines and procedures to ensure that the actions identified by management to address the relevant risks are carried out effectively. The most important guidelines related to financial reporting systems and practices are documented in Neste Internal Control Principle, Access Risk Management Principles, the Controls over Financial Reporting standard (COFR), Process charts, month end workflows and detailed Finance Instructions.
Key control activities are documented in a global control catalog covering each business or financial process. Group-level policies and guidelines are documented in the Neste Management System.
Neste corporate-level communication practices support the completeness and correctness of financial reporting. Neste personnel have access to adequate information and communication regarding accounting and reporting principles and guidelines. The main means of communicating the relevant matters for appropriate financial reporting consist of internal control training, detailed Finance Instructions containing accounting principles and guidelines for forecasting and reporting, info sessions, on-the-job training, process walk-throughs, and postings on internal channels and pages.
Neste business units prepare regular financial and management reports for the management review, including analysis and comments of financial performance. The Executive Committee and the Board of Directors receive financial reports monthly. Interim Reports and Financial Statements are reviewed in Audit Committee meetings, and thereafter by the Board of Directors.
Management regularly monitors the effectiveness of the controls, as a control that was initially effective can become ineffective due to changes in the operating environment. Changes can also take place in the controls due to changed processes, IT systems or personnel.
The Board of Directors and the Audit Committee regularly review the financial performance including reviewing whether there is an adequate level of process to evaluate the risks and effectiveness of controls related to the financial reporting process at all levels of the organization. The Audit Committee oversees the Company’s finances, financial reporting, risk management, as well as the Internal Control and Internal Audit functions, as part of the Company’s corporate governance. Internal control deficiencies are communicated in a timely manner to those parties responsible for taking corrective action, and to management and the Board’s Audit Committee as appropriate.
Corporate Internal Audit assesses annually the operational model and practices of internal control over Neste’s financial reporting as part of business and process-level audits.
The Internal Control function also conducts separate tests to assess the adequacy of internal controls in business processes, recommends corrections and reports the gaps to the respective management teams.