Internal control and audit
Description of internal control procedures in relation to the financial reporting process
The management is responsible for establishing and maintaining adequate internal control over financial reporting for Nokia. Our internal control over financial reporting is designed to provide reasonable assurance to the management and the Board regarding the reliability of financial reporting and the preparation and fair presentation of published financial statements.
The management conducts a yearly assessment of Nokia’s internal controls over financial reporting in accordance with the Committee of Sponsoring Organizations framework (the “COSO framework”, 2013) and the Control Objectives for Information and Related Technology (COBIT) framework of internal controls. The assessment is performed based on a top-down risk assessment of our financial statements covering significant accounts, processes and locations, corporate-level controls and information systems’ general controls.
As part of its assessment the management has documented:
- the corporate-level controls, which create the “tone from the top” containing the Nokia values and Code of Conduct and which provide discipline and structure to decision-making processes and ways of working. Selected items from our operational mode and governance principles are separately documented as corporate-level controls;
- the significant processes: (i) give a complete end-to-end view of all financial processes; (ii) identify key control points; (iii) identify involved organizations; (iv) ensure coverage for important accounts and financial statement assertions; and (v) enable internal control management within Nokia;
- the control activities, which consist of policies and procedures to ensure the management’s directives are carried out and the related documentation is stored according to our document retention practices and local statutory requirements; and
- the information systems’ general controls to ensure that sufficient IT general controls, including change management, system development and computer operations, as well as access and authorizations, are in place.
Further, the management has also:
- assessed the design of the controls in place aimed at mitigating the financial reporting risks;
- tested operating effectiveness of all key controls; and
- evaluated all noted deficiencies in internal controls over financial reporting in the interim and as of year-end.
In 2020, Nokia has followed the procedures as described above and has reported on the progress and assessments to the management and to the Audit Committee of the Board on a quarterly basis.
Nokia has an internal audit function that acts as an independent appraisal function by examining and evaluating the adequacy and effectiveness of our system of internal control. Internal audit resides within the Chief Financial Officer’s organization and reports to the Audit Committee of the Board. The head of the internal audit function has direct access to the Audit Committee, without involvement of management. All authority of the internal audit function is derived from the Board of Directors. Internal audit aligns to the business by business group, regionally and by function.
Annually, an internal audit plan is developed with input from the management, key business risks, and external factors. This plan is approved by the Audit Committee of the Board. Audits are completed across the business focused on country level, customer level projects, IT system implementation, IT and physical security, operations processes and activities or at a Corporate function level. The results of each audit are reported to the management identifying issues, financial impact, if any, and the correcting actions to be completed. Quarterly, internal audit communicates the progress of the internal audit plan completion including the results of the closed audits.
Internal audit also works closely with our Ethics and Compliance office to review any financial concerns brought to light from various channels. In 2020, the internal audit plan was completed and all results of these reviews were reported to the management and to the Audit Committee of the Board.