Internal control and audit
The management is responsible for establishing and maintaining adequate internal control over financial reporting for Nokia. Nokia’s internal control over financial reporting is designed to provide reasonable assurance to the management and the Board of Directors regarding the reliability of financial reporting and the preparation and fair presentation of published financial statements.
The management conducts a yearly assessment of Nokia’s internal controls over financial reporting in accordance with the Committee of Sponsoring Organizations framework (COSO - 2013 version) and the Control Objectives for Information and related Technology (CoBiT) of internal controls. For 2015, the assessment is performed based on a top-down risk assessment of Nokia’s financial statements covering significant accounts, processes and locations, corporate level controls and information systems’ general controls.
As part of its assessment the management documents:
- The corporate-level controls, which create the “tone from the top” containing Nokia values and Code of Conduct and provide discipline and structure to the decision making and ways of working. Selected items from Nokia’s operational mode and governance principles are separately documented as corporate level controls;
- The control activities, which consist of policies and procedures to ensure the management’s directives are carried out and the related documentation is stored according to Nokia’s document retention practices and local statutory requirements;
- The information systems’ general controls to ensure that sufficient information technology general controls, including change management, system development, computer operations as well as access and authorizations, are in place;
- The significant processes, including eight financial cycles and underlying IT cycle identified by Nokia to address control activities implementing a top-down risk based approach. These cycles include Revenue cycle, Delivery cycle, Investment cycle, Treasury cycle, Human Resources cycle, Accounting and Reporting cycle, Tax cycle, Asset cycle and IT cycle. Financial cycles have been designed to (i) give a complete end-to-end view to all financial processes (ii) identify key control points (iii) identify involved organizations, (iv) ensure coverage for important accounts and financial statement assertions and (v) enable internal control management within Nokia;
- The control activities, which consist of policies and procedures to ensure the management’s directives are carried out and the related documentation is stored according to Nokia’s document retention practices and local statutory requirements; and
- The information systems’ general controls to ensure that sufficient information technology general controls, including change management, system development and computer operations, as well as access and authorizations, are in place.
Further, the management also annually:
- assesses the design of controls in place to mitigate the financial reporting risks;
- tests operating effectiveness of all key controls;
- evaluates all noted deficiencies in internal controls over financial reporting as of year-end; and
- performs a quality review on assessment documentation and provides feedback for improvement.
We also have an internal audit function that acts as an independent appraisal function by examining and evaluating the adequacy and effectiveness of our system of internal control. Internal audit resides within the Chief Financial Officer’s organization and reports to the Audit Committee of the Board. The head of the internal audit function has direct access to the Audit Committee, without involvement of the management. All authority of the internal audit function is derived from the Board of Directors. Internal audit aligns to the business regionally and by business and function.
Annually, an internal audit plan is developed with input from the management, key business risks, and external factors. This plan is approved by the Audit Committee of the Board. Audits are completed across the business focused on country level, customer level, IT system implementation, operations activities or at a Group function level. The results of each audit are reported to the management identifying issues, financial impact, if any, and the correcting actions to be completed. Quarterly, internal audit communicated the progress of the internal audit plan completion including the results of the closed audits.
Internal audit also works closely with our Ethics and Compliance office to review any financial concerns brought to light from various channels. In 2015, the internal audit plan was completed and all results of these reviews were reported to the management and to the Audit Committee of the Board.