The Internal Control Framework covers the whole Group and includes Group Board, Group CEO and senior executive management responsibilities regarding internal control, all Group functions and business areas, including outsourced activities and distribution channels. Under the Internal Control Framework, all business areas, Group functions and units are responsible for managing the risks they incur when conducting their activities and responsible for having controls in place that aim to ensure compliance with internal and external requirements. As part of the Internal Control Framework, Nordea has established Group control functions with appropriate and sufficient authority, independence and access to the Group Board to fulfil their mission in line with the Risk Management Framework.
The Internal Control Framework ensures effective and efficient operations, adequate identification, measurement and mitigation of risks, prudent conduct of business, sound administrative and accounting procedures, reliability of financial and non-financial information and compliance with applicable laws, regulations, standards, supervisory requirements and Group internal rules. The internal control process is carried out by the governing bodies, management, risk management functions and other staff at Nordea. The internal control process is based on five main components: control environment, risk assessment, control activities, information and communication as well as monitoring.
The internal control process aims to create the necessary fundamentals for the entire organisation to contribute to the effectiveness and high quality of internal controls through, for instance, clear definitions, assignment of roles and responsibilities and common tools and procedures.
Group Internal Audit (GIA) is an independent function commissioned by the Board. The Board Audit Committee (BAC) is responsible for guidance on and evaluation of GIA within the Nordea Group. The Chief Audit Executive (CAE) has the overall responsibility for GIA. The CAE reports on a functional basis to the Board and the BAC and reports on an administrative basis to the President and Group CEO. The Board approves the appointment and dismissal of the CAE.
The purpose of GIA is to support the Board and the GLT in protecting the assets, reputation and sustainability of the organisation. GIA does this by assessing whether all significant risks are identified and appropriately reported by management and the risk functions to the Board, its committees and the GLT, by assessing whether all significant risks are adequately controlled and by challenging the GLT to improve the effectiveness of governance, risk management and internal controls. GIA does not engage in consulting activities unless approved by the BAC. Consulting activities are the range of services, beyond assurance services, performed specifically at the request of management for a pre-defined scope and provided to assist management in meeting its objectives.
All activities and entities of the Group fall within the scope of GIA. GIA makes a risk-based decision as to which areas within its scope should be included in the audit plan approved by the Board. GIA must operate free from interference in determining the scope of internal auditing, in performing its audit work and in communicating its results. This means for example that GIA, via the CAE, is authorised to inform the financial supervisory authorities of any matter without further approval. The CAE has unrestricted access to the President and Group CEO and the Chair of the BAC and should meet with the Chair of the BAC throughout the year, including without the presence of executive management. GIA is authorised to conduct all investigations and obtain all information required to discharge its duties. This includes the right to sufficient and timely access to the organisation’s records, systems, premises and staff. GIA has the right to attend and observe the meetings of the Board committees, the GLT, overall committees and forums for the Nordea Group and other key management decision-making forums when relevant and necessary.
According to the Articles of Association, the auditor of the Company must be an audit firm with the auditor in charge being an authorised public accountant. The term of office of the auditor expires at the end of the Annual General Meeting following the election. The current auditor of the Company is PricewaterhouseCoopers Oy. Jukka Paunonen, Authorised Public Accountant, has been the auditor in charge since the 2023 Annual General Meeting.