Nordea's business is audited, internally as well as externally.

Group Internal Audit (GIA) is an independent function commissioned by the Board. The Board Audit Committee (BAC) is responsible for guidance on and evaluation of GIA within the Nordea Group. The Group Chief Audit Executive (CAE) has the overall responsibility for GIA. The CAE reports on a functional basis to the Board and the BAC and reports on an administrative basis to the Group CEO. The Board approves the appointment and dismissal of the CAE and decides, on proposal from the Board Remuneration and People Committee, on salary and other employment terms and conditions for the CAE.

The purpose of GIA is to support the Board and Group Leadership Team (GLT) in protecting the assets, reputation and sustainability of the organisation. GIA does this by assessing whether all significant risks are identified and appropriately reported by management and the risk functions to the Board, its committees and GLT, by assessing whether all significant risks are adequately controlled, and by challenging GLT to improve the effectiveness of governance, risk management and internal controls.

GIA does not engage in consulting activity unless otherwise instructed by the BAC. 

All activities and entities of the Nordea Group fall within the scope of GIA. GIA makes a risk based decision as to which areas within its scope should be included in the audit plan approved by the Board.

GIA must operate free from interference in determining the scope of internal auditing, in performing its audit work, and in communicating its results. This means, for example, that GIA, via the CAE, is authorised to inform the financial supervisory authorities on any matter without further approval. The CAE has unrestricted access to the Group CEO and Chairman of the BAC, and should meet with the Chairman of the BAC informally and formally throughout the year, including without the presence of executive management. GIA is authorised to carry out all investigations and obtain all information required to discharge its duties. This includes the right to sufficient and timely access to the organisation’s records, systems, premises and staff. GIA has the right to attend and observe Board Committees, GLT, overall committees and forums for the Nordea Group and other key management decision-making forums when relevant and necessary.


The Board is responsible for setting and overseeing an adequate and effective Internal Control Framework, covering the whole Group. The framework sets out the responsibilities of the Group Board and the senior management regarding internal control, all Group functions and business areas, including outsourced activities and distribution channels. Under the Internal Control Framework, all business areas, Group functions and units are responsible for managing the risks they incur in conducting their activities and for having controls in place that aim to ensure compliance with internal and external requirements. As part of the Internal Control Framework, Nordea has established Group control functions with appropriate and sufficient authority, stature and access to the Board to fulfil their mission as well as the Risk Management Framework.

The Internal Control Framework ensures effective and efficient operations, adequate identification, measurement and mitigation of risks, prudent conduct of business, sound administrative and accounting procedures, reliability of financial and non-financial information (both internal and external) and compliance with applicable laws, regulations, supervisory requirements and Group internal rules.

The internal control process is carried out by the governing bodies, risk management functions, management and other staff at Nordea. The internal control process is based on five main components: control environment, risk assessment, control activities, information and communication as well as monitoring. The internal control process is created to ensure the necessary fundamentals for the entire organisation to contribute to the effectiveness and high quality of internal control through, for instance, clear definitions, assignments of roles and responsibilities and common tools and procedures. Roles and responsibilities with respect to internal control and risk management are divided into three lines of defence.

According to the Group Board Directive on Internal Governance, the first line of defence refers to all units and employees that are neither in the second nor in the third line of defence.

In the first line of defence, the business organisation and Group functions are risk owners and thus responsible for conducting their business within risk exposure limits and the risk appetite and in accordance with the Internal Control Framework.

The second line of defence consists of Group Risk, which is responsible for maintaining and monitoring the implementation of the Risk Management Framework as a fundamental part of the Internal Control Framework, and Group Compliance, which is responsible for maintaining and monitoring the implementation of the Compliance Risk Management Framework. To ensure effective risk management, the second line of defence has access to all business lines and other internal units that have the potential to generate risk as well as to relevant subsidiaries and branches and outsourced activities.

GIA, which is the third line of defence, performs audits and provides the Board with an assessment of the overall effectiveness of governance and the risk and control framework, together with an analysis of themes and trends emerging from internal audit work and their impact on the organisation’s risk profile.


According to the Articles of Association, the auditor of Nordea Bank Abp shall be an audit firm with the auditor-in-charge being an Authorized Public Accountant (APA). The term of office for the auditor expires at the end of the annual general meeting following the election.

The current auditor of Nordea Bank Abp is PricewaterhouseCoopers Oy. Mr. Jukka Paunonen, APA, has been assigned as the auditor-in-charge.


EURm                        2021  2020
Auditing assignments          -8    -9
Audit-related services 1)     -1    -1
Other assignments 1)          -1    -1
Total PWC                    -10   -11

1) PricewaterhouseCoopers Oy accounted for EUR 0.1m (EUR 0.1m) of "Audit-related services" and for EUR 0.6m (EUR 0.6m) of "Other assignments".

Source: Annual Report 2021 of Nordea Bank Abp