The systems for internal control and risk management of financial reporting are designed to provide reasonable assurance about the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles, applicable laws and regulations, and other requirements for listed companies. The internal control and risk management activities are included in Nordea’s planning and resource allocation processes. Internal control and risk management of financial reporting at Nordea can be described in accordance with the COSO Framework as follows below.
Internal control and risk management
The control environment constitutes the basis for Nordea’s internal control and centres around the culture and values established by the Board and Group Leadership Team, and the organisational structure, with clear roles and responsibilities.
A clear and transparent organisational structure is of importance for the control environment. Nordea’s business structure aims to support the overall strategy, ensuring strong business momentum and meeting increased requirements on capital and liquidity. The business and the organisation are under continuous development.
The primary governance principle is the adherence to the three Lines of Defence (“3LoD”) model which provides foundation for a clear division of roles and responsibilities in the organisation. A proper 3 LoD governance is in place ensuring that the segregation of duties is defined and established between risk management and risk control. According to the Group Board Directive on Internal Governance, the 1st LoD refers to all units and employees that are neither in the 2nd nor in the 3rd LoD. The 1st LoD is responsible for daily risk management and for compliance with applicable rules. The 2nd LoD consist of the Group Risk and Group Compliance, being independent control functions. The 3rd LoD consists of Group Internal Audit (GIA), which is an independent internal audit function.
Clear roles and responsibilities are crucial in the governance of Internal Control over Financial Reporting, where the risk owners in the business areas and Group Finance are responsible for the risk management activities. A risk management function supports the CFO in maintaining a group wide set of controls, defined at Nordea as Accounting Key Controls (AKC), in line with the risk framework, which covers the controlling of risks and the risk identification process, which to a large extent is based on the actual business and financial closing processes in place. An independent risk control function resides in the 2nd LoD and is responsible for identifying, controlling and reporting on financial reporting risk. In addition, the internal audit function provides the Board with an assessment of the overall effectiveness of the governance, risk management and control processes.
The Board bears ultimate responsibility for limiting and monitoring Nordea’s risk exposure. Risk management is considered to be an integral part of running the business and the main responsibility for performing risk assessments regarding financial reporting risks rests with the business organisation. Performing risk assessments close to the business increases the possibility of identifying the most relevant risks. In order to govern the quality, control functions stipulate in governing documents when and how these assessments are to be performed. Examples of risk assessments are the recurring Control Self-Assessment and the event-driven Change Risk Management and Approval process.
Risk assessment in relation to reliable financial reporting involves the identification and analysis of risks of material misstatements. Financial reporting risk (FRR) control work in Nordea focuses on risks and processes which could lead to material financial misstatements, i.e. misstatements that if they occurred would significantly and adversely affect Nordea. The scope of the Account Key Control (AKC) is therefore areas where risks of material financial misstatements exists, i.e. where the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the misstated item. Structured risk assessment procedures determine in which divisions, locations and/or processes risks for material financial misstatements exist and therefore need to be monitored under the AKC framework to ensure reasonable assurance of the reliability of Nordea’s external financial reporting. The 2nd LoD control function for FRR reviews the risk assessment process and outcome, and provides additional input for the overall risk picture of FRR.
The heads of the respective units are primarily responsible for managing risks, associated with the units’ operations and financial reporting processes. This responsibility is primarily supported by the Group Accounting Manual (GAM), the Financial Control Principles and various governing bodies, such as the Group Valuation Committee. The GAM includes a standard reporting package used by all entities to ensure consistent use of Nordea’s principles and coordinated financial reporting. Fundamental internal control principles in Nordea are the segregation of duties and the four-eyes principle when approving for instance transactions and authorisations.
The Accounting Key Controls (AKC) control structure is based on Transaction Level Controls (TLC) that are identified through analysing risks based on high level processes with an end-to-end product focus. After deciding on the TLCs an analysis is performed to determine what systems/applications are in scope for AKCs where specific IT General Controls are governed. The analysis aims at scoping in the major systems where there is a risk that data, which is not detected in the TLC control structure could become corrupt.
The quality assurance vested in the management reporting process, where detailed analysis of the financial outcome is performed, constitutes one of the most important control mechanisms associated with the reporting process. The reconciliations constitute another set of important controls where Nordea works continuously to further strengthen the quality.
Group Finance is responsible for ensuring that the Group Accounting Manual and the Financial Control Principles are up-to-date and that changes are communicated with the responsible units. These governing documents are broken down into guidelines and standard operating procedures in the responsible units. Accounting specialists from Group Finance provide accountants and controllers with information on changes in order to inform of existing and updated rules and regulations with an impact on Nordea.
Key criteria applied when communicating financial information to the market is “correct, relevant, consistent, reliable and timely”. The information is to be disclosed in such a way that the information is made available to the public in a fast and on a non-discriminatory manner.
Nordea interacts with relevant subject-matter experts to ensure fulfilment of financial reporting objectives. Nordea actively participates in relevant national forums, for example forums established by the Financial Supervisory Authorities, Central Banks and associations for financial institutions.
The Accounting Key Control (AKC) reporting procedures provide management at different levels in the organisation with information related to the performance and assessment of the identified AKCs in the form of Process Owner reports and Management Dashboard reports with a summarised assessment of the outcome and any high-risk areas.
Nordea has established a process with the purpose of ensuring a proper monitoring of the quality of the financial reporting and the follow-up regarding possible deficiencies. This interactive process aims to cover all COSO-components in the Framework.
The Risk and Control Self-Assessment process conducted in each Business Area and Group Function. It covers identification and assessment of risks and controls, which also includes risks and controls related to financial reporting.
Group Finance has also established specific quarterly reporting regarding Internal Control over Financial Reporting to the Group CFO covering risk management and high-risk areas. The 2nd LoD control function for FRR reports specifically on financial reporting risk to the Board Audit Committee on a quarterly basis.
The Board of Directors, the Board Audit Committee, the Board Risk Committee, the Board Operations and Sustainability Committee, and Group Internal Audit have important roles in respect to overseeing and monitoring the internal control of financial reporting at Nordea Group. Further information is presented here.