Nordea's business is audited, internally as well as externally.

Internal audit Internal control framework External audit Auditor´s fee Internal audit

Internal audit

Group Internal Audit (GIA) is an independent function commissioned by the Board. The Board Audit Committee (BAC) is responsible for guidance on and evaluation of GIA within the Nordea Group. The Group Chief Audit Executive (CAE) has the overall responsibility for GIA. The CAE reports on a functional basis to the Board and the BAC and reports on an administrative basis to the Group CEO. The Board approves the appointment and dismissal of the CAE and decides, on proposal from the Board Remuneration Committee, on salary and other employment terms and conditions for the CAE.

The purpose of GIA is to support the Board and Group Executive Management (GEM) in protecting the assets, reputation and sustainability of the organisation. GIA does this by assessing whether all significant risks are identified and appropriately reported by management and the risk functions to the Board, its committees and GEM; by assessing whether all significant risks are adequately controlled; and by challenging GEM to improve the effectiveness of governance, risk management and internal controls.

GIA does not engage in consulting activity unless otherwise instructed by the BAC. 

All activities and entities of the Nordea Group fall within the scope of GIA. GIA makes a risk based decision as to which areas within its scope should be included in the audit plan approved by the Board.

GIA shall operate free from interference in determining the scope of internal auditing, in performing its audit work, and in communicating its results. This means for example that GIA, via the CAE, is authorised to inform the financial supervisory authorities on any matter without further approval. The CAE has unrestricted access to the Group CEO and Chairman of the BAC, and should meet with the Chairman of the BAC informally and formally throughout the year, including without the presence of executive management. GIA is authorised to carry out all investigations and obtain all information required to discharge its duties. This includes the right to sufficient and timely access to the organisation’s records, systems, premises and staff. GIA has the right to attend and observe Board Committees, GEM, overall committees and fora for the Nordea Group and other key management decision-making fora when relevant and necessary. 

Updated: February 2019

Internal control framework

Internal control framework

The Board is responsible for setting and overseeing an adequate and effective Internal Control Framework. The Internal Control Framework includes the control functions and the Risk Management Framework and covers the whole Nordea Group.

The Internal Control Framework is designed to ensure effective and efficient operations, adequate identification, measurement and mitigation of risks, prudent conduct of business, sound administrative and accounting procedures, reliability of financial and non-financial information reported or disclosed (both internally and externally) and compliance with laws, regulations, supervisory requirements and the Nordea Group Internal Rules. 

The internal control process is carried out by the Board, senior management, risk management functions and other staff at Nordea and is based on five main components: control environment, risk assessment, control activities, information and communication as well as monitoring. The internal control process aims to create the necessary fundamentals for the entire organisation to contribute to the effectiveness and high quality of internal control through, for instance, clear definitions, assignments of roles and responsibilities and common tools and procedures.

Roles and responsibilities with respect to internal control and risk management are divided into three lines of defence. In the first line of defence, the business organisation and Group Functions are risk owners, and thus responsible for conductiong their business within risk exposure limits and risk appetite and in accordance with the Internal Control Framework. 

As second line of defence, the Control Functions are responsible for maintaining the Internal Control Framework and for monitoring the implementation of the policies and procedures within this Framework. The second line of defence risk function is responsible for identifying, measuring, monitoring and reporting on all risks. Group Compliance is responsible for ensuring and monitoring compliance with internal and external rules and for establishing policies and processes to manage compliance risks and to ensure compliance. 

Group Internal Audit, which is the third line of defense, performs audits and provides the Board  with an assessment of the overall effectiveness of the governance, and risk and risk control framework, together with an analysis of themes and trends emerging from internal audit work and their impact on the organisation's risk profile.

Updated: February 2019

External audit

External audit

According to the Articles of Association, the auditor of Nordea Bank Abp shall be an audit firm with the auditor-in-charge being an Authorized Public Accountant (APA). The term of office for the auditor expires at the end of the annual general meeting following the election.

The current auditor of Nordea Bank Abp is PricewaterhouseCoopers Oy.  Mr. Juha Wahlroos, APA, has been assigned as the auditor-in-charge.

Updated: February 2019

Auditor´s fee

Auditor's fees of Nordea Bank Abp

EURmGroupParent company
Auditing assignments-10-7-3
Audit-related services-1-10
Tax advisory services0-10
Other assignments-1-20
Total PWC-12-11-3

* Oct-Dec 2018

Source: Annual Report 2018 of Nordea Bank Abp