Risk management, internal control and internal audit functions at Nokia
Main features of risk management systems
We have a systematic and structured approach to risk management. Key risks and opportunities are primarily identified against business targets either in business operations or as an integral part of strategy and financial planning. Risk management covers strategic, operational, financial and hazard risks. Key risks and opportunities are analyzed, managed and monitored as part of business performance management with the support of risk management personnel and the centralized Enterprise Risk Management function.
The principles documented in the Nokia Enterprise Risk Management Policy, which is approved by the Audit Committee of the Board, require risk management and its elements to be integrated into key processes. One of the core principles is that the business or function head is also the risk owner, although all employees are responsible for identifying, analyzing and managing risks, as appropriate, given their roles and duties. Our overall risk management concept is based on managing the key risks that would prevent us from meeting our objectives, rather than solely focusing on eliminating risks. In addition to the principles defined in the Nokia Enterprise Risk Management Policy, other key policies reflect implementation of specific aspects of risk management.
Key risks and opportunities are reviewed by the Group Leadership Team and the Board in order to create visibility on business risks as well as to enable prioritization of risk management activities. Overseeing risk is an integral part of the Board’s deliberations. The Board’s Audit Committee is responsible for, among other matters, risk management relating to the financial reporting process and assisting the Board’s oversight of the risk management function. The Board’s role in overseeing risk includes risk analysis and assessment in connection with financial, strategy and business reviews, updates and decision-making proposals.
Description of internal control procedures in relation to the financial reporting process
The management is responsible for establishing and maintaining adequate internal control over financial reporting for Nokia. Our internal control over financial reporting is designed to provide reasonable assurance to the management and the Board regarding the reliability of financial reporting and the preparation and fair presentation of published financial statements.
The management conducts a yearly assessment of Nokia’s internal controls over financial reporting in accordance with the Committee of Sponsoring Organizations framework (the “COSO framework”, 2013) and the Control Objectives for Information and related technology of internal controls. The assessment is performed based on a top-down risk assessment of our financial statements covering significant accounts, processes and locations, corporate-level controls and information systems’ general controls.
As part of its assessment the management has documented:
- the corporate-level controls, which create the “tone from the top” containing the Nokia values and Code of Conduct and which provide discipline and structure to decision-making processes and ways of working. Selected items from our operational mode and governance principles are separately documented as corporate-level controls;
- the significant processes, structured under so-called financial cycles. Financial cycles have been designed to: (i) give a complete end-to-end view of all financial processes; (ii) identify key control points; (iii) identify involved organizations; (iv) ensure coverage for important accounts and financial statement assertions; and (v) enable internal control management within Nokia;
- the control activities, which consist of policies and procedures to ensure the management’s directives are carried out and the related documentation is stored according to our document retention practices and local statutory requirements; and
- the information systems’ general controls to ensure that sufficient IT general controls, including change management, system development and computer operations, as well as access and authorizations, are in place.
Further, the management has also:
- assessed the design of the controls in place aimed at mitigating the financial reporting risks;
- tested operating effectiveness of all key controls; and
- evaluated all noted deficiencies in internal controls over financial reporting in the interim and as of year-end.
In 2017, Nokia followed the procedures described above and reported on the progress and assessments to the management and to the Audit Committee of the Board on a quarterly basis.
Description of the organization of the internal audit function
We also have an internal audit function that acts as an independent appraisal function by examining and evaluating the adequacy and effectiveness of our system of internal control. Internal audit reports to the Audit Committee of the Board. The head of the internal audit function has direct access to the Audit Committee, without involvement of the management. Internal Audit staffing levels and annual budget are approved by the Audit Committee. All authority of the internal audit function is derived from the Board. Internal audit aligns to the business regionally and by business and function.
Annually, an internal audit plan is developed with input from the management, including key business risks and external factors. This plan is approved by the Audit Committee of the Board. Audits are completed across the business focused on country level, customer level, IT system implementation, IT security, operations activities or at a Group function level. The results of each audit are reported to the management identifying issues, financial impact, if any, and the correcting actions to be completed. Quarterly, internal audit communicates the progress of the internal audit plan completion, including the results of the closed audits.
Internal audit also works closely with our Ethics and Compliance office to review any financial concerns brought to light from various channels and, where possible, works with Enterprise Risk Management to ensure priority risk areas are reviewed through audits.
In 2017, the internal audit plan was completed and all results of these reviews were reported to the management and to the Audit Committee of the Board.