The objective of internal control in Neste Oil is to ensure efficient implementation of the Company’s strategy and effective operations, assure compliance with both internal instructions and laws and regulations, achieve appropriate financial reporting, and prevent fraud and other misconduct.
The main responsibility for internal control lies with the line organizations of business areas and common functions. Identifying the main risks of processes and defining adequate control points are essential to ensuring an appropriate level of control. In addition to daily monitoring, line organizations are responsible for evaluating their level of internal control by reviewing and assessing their processes, and for developing their systems by taking corrective actions as needed.
Line management also has primary responsibility for organizing sufficient control to ensure compliance with the Company’s overall management practices, policies, principles, and instructions.
Neste Oil’s internal control framework is based on the COSO (The Committee of Sponsoring Organizations of the Treadway Commission) framework.
Roles and responsibilities
Under the Finnish Companies Act, the Board of Directors is responsible for ensuring that there is adequate control over the Company’s accounts and finances. Responsibility for arranging this control is delegated to the President & CEO, who is required to ensure that the Company’s accounts are in compliance with the law and that its financial management has been arranged in a reliable manner.
The heads of business areas and common functions are responsible for establishing and maintaining appropriate, up-to-date, effective and adequate controls in their operations. Responsibility for the practical implementation of this is delegated to each organizational level. Managers at each of these levels are responsible for implementing corporate principles and instructions in their organization, and for assessing the effectiveness of controls as often as needed.
To ensure sufficient control and support the line organization, Neste Oil’s controllers and their teams have an independent role in controlling their business line. In certain areas, such as credit and counterparty risks, the Finance Department has risk control responsibility. In respect of financial reporting, Finance has a key role in control activities. Other corporate functions also play a role in assisting, assuring, and monitoring the operation of internal control procedures, such as HSEQ audits.
Internal Audit has overall responsibility for evaluating that internal control processes and procedures operate adequately and effectively.
The Audit Committee oversees the Company’s finances, financial reporting, risk management, and internal auditing as part of the Company’s corporate governance.
Neste Oil’s values and management systems are the foundation of the control environment and provide the background for shaping people’s awareness and understanding of control issues. With respect to financial reporting, the control environment covers:
- the President & CEO and corporate management are responsible for underlining the importance of ethical principles and correct financial reporting
- the Audit Committee, appointed by the Board of Directors, is responsible for overseeing the financial reporting process and related controls
- clearly defined financial reporting roles, responsibilities, and authorities provide a clear framework for everyone, and
- the structure of the organization and the resources allocated within it (segregation of duties, adequate financial reporting competencies recruited and retained) are designed to provide effective control over financial reporting.
The Group’s risk management governance is based on the 'three lines of defense' model, which distinguishes between:
- business areas and common functions owning and managing risk
- risk management specialists responsible for controlling, consulting, and developing systems, and
- the Audit Committee, which provides independent assurance of the overall efficacy of the Company’s risk management.
There are three risk assessment elements at Neste Oil. An Enterprise Risk Management (ERM) process provides a systematic approach for identifying threats and opportunities related to strategic targets and business plans. Risk manuals consist of risk principles, guidelines, and instructions. Risk awareness across the organization is based on proactive thinking and behavior among individual employees.
As a prerequisite for risk assessment, the organization’s objectives need to be established. With respect to financial reporting, the general objective is to have reliable reporting and ensure that transactions are recorded and reported completely and correctly.
Based on risk assessment, the requirement for internal control has been included in the Principle and Instruction for Control of Financial Reporting.
More information on Neste Oil's risk management and risks related to Neste Oil's business can be found in the Risk management section of the Annual Report.
Control activities are instructions, guidelines, and procedures established and executed to help ensure that the actions identified by management as necessary to address the relevant risks are carried out effectively. Policies and other principles to be followed are documented in Neste Oil’s management systems. The most important areas from the standpoint of financial reporting are included in the Controller’s Manual.
Neste Oil’s entity-level and process-level control activities with respect to reliable financial reporting are described in the Principle and Instruction for Control over Financial Reporting. These establish the minimum control requirements and also include control activities related to transactions in specific processes, as well as controls carried out as part of the monthly reporting process. Typical control activities include authorizations, automatic or manual reconciliations, third-party confirmations, control reports, access controls to IT systems, and analytical reviews.
Information and communication systems enable Neste Oil’s personnel to capture information on management and internal control. With respect to financial reporting, this means that personnel have access to adequate information and communication regarding accounting and reporting principles.
The main means of communicating the matters relevant for appropriate financial reporting are the Controller’s Manuals used at common function and business area levels, which include instructions covering accounting principles, planning, estimating, and reporting, as well as periodic controllers’ meetings.
Monitoring is a key component of the internal control system. It enables management, the Board of Directors, and the Audit Committee to determine whether the other components of the system are functioning as they should, and to ensure that internal control deficiencies are identified and communicated in a timely manner to those responsible for taking corrective action, and to management and the Board as appropriate.
Effective monitoring is based on an evaluation of controls and their content, and on an evaluation of whether they are effective in mitigating the risks identified. The efficacy of controls is monitored regularly as part of management activities, as the efficacy of controls can diminish over time due to changes in the operating environment that affect the risks that controls are designed to mitigate, or due to changes in the control activities themselves caused by changes in processes, IT, or personnel.
During 2013, the internal control and monitoring of price and foreign exchange risks were further developed. This was organized as a project and work on responding to the findings began in early summer.
Neste Oil Group also had a project to implement the same financial applications and processes for all Group companies. This has improved transparency from an internal control point of view.
Annual internal control process in 2014