Internal control and risk management systems in relation to financial reporting

The internal control and risk management systems relating to financial reporting are designed to provide reasonable assurance regarding the reliability of financial reporting and to ensure compliance with applicable laws and regulations.

Fortum’s Board of Directors approves the Group Risk Policy, which sets the Group’s objective, principles and division of responsibilities for risk management activities also for the financial reporting process. The financial reporting process is embedded in the internal control framework, and the process level internal control structure has been created by using a risk-based approach. Fortum’s internal control framework includes the main elements from the framework introduced by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). 

Control environment

Fortum’s internal control framework supports the execution of the strategy and ensures regulatory compliance and reliability of the financial reporting. Fortum Code of Conduct, approved by the Board of Directors, is based on Fortum’s shared values and it describes the principles for business conduct. The internal control framework consists of group-level policies and processes as well as business and support processlevel controls.

The Audit and Risk Committee, appointed by the Board of Directors, oversees the financial reporting process and monitors the efficiency of the internal controls and risk management within the Group. Corporate Risk Management is responsible for reporting risk exposures and maintaining the company’s risk management framework.

Corporate Accounting and Control unit headed by the Corporate Controller is responsible for the overall control structure of the financial performance management process. The control process is based on Group policies, instructions and guidelines relating to financial reporting. Controllers Manual contains financial reporting instructions. This manual is regularly reviewed and updated. During 2011 the position of Head of process development has been established to support the finance organisation in ensuring a uniform way of working and monitoring the performance of the processes within the Finance function.

Fortum’s organisation is decentralized and a substantial degree of authority and responsibility is delegated to the divisions in form of control responsibilities. Some areas like commodity market risk control is more centralised. 

Risk assessment

Risks related to financial reporting are identified and analysed annually as part of the Fortum risk management process. Risks are reported in connection with the planning process and the follow-up of actions and improvements is integrated to operational management. The control risk assessment has been the basis for creating the process-level internal control framework and the same applies to the control points to prevent errors in the financial reporting process. This assessment includes risks related to fraud and irregularities, as well as to risks of loss or misappropriation of assets. The results of the control risk assessment and the process level controls are reported to the Audit and Risk Committee. 

Control activities

Control activities are applied in the business processes and, from a financial reporting perspective, they ensure that potential errors or deviations are prevented, discovered and corrected. In financial reporting, the Controllers Manual sets the standards.

The Corporate Accounting and Control unit defines the design of the control points, and internal controls covering the end-to-end financial reporting process. Responsibilities are assigned for the controls and also for ensuring their operating effectiveness. Fortum’s processes include controls regarding the initiation, approval, recording and accounting of financial transactions. Standardised way of working is also ensured by Fortum’s financial shared service center, which performs controls for the recognition, measurement and disclosure of financial information. The financial shared service center was awarded the ISO 9001:2008 certificate in December 2011.

All divisions have their own finance function ensuring that relevant analysises of the business performance are done such as volumes, revenues, costs, working capital, asset base and investments. These analysis are reviewed in different levels of the Group and ultimately by the Board of Directors. 

Information and communication

The Controller’s manual includes Fortum Accounting manual, Investment manual and reporting instructions and other policies relating to the financial reporting. It is stored on intranet site and is accessible to all involved in the financial reporting process. Monthly Core Controllers’ meetings, headed by the Corporate Controller, are steering the development projects within Finance and receiving updates from different expert forums within Finance. Regular Accounting Network Forum meetings are used to inform the finance community about upcoming changes in IFRS, new accounting policies and other changes. 

Follow-up

Financial results are followed up in the monthly reporting and reviewed monthly by the Fortum Management Team. Quarterly Performance Review meetings with the Fortum Management Team and division management are embedded in the Fortum Performance Management process. The financial performance is ultimately reviewed by the Audit and Risk Committee and the Board of Directors.

As part of the Fortum internal control framework, all divisions are assessing the effectiveness of the controls they are responsible for. Division-and corporate-level controller teams are responsible for assessing the financial reporting process and the Corporate Risk Management reviews these regularly. Internal control design and operating effectiveness are also assessed by Corporate Internal Audit. The audits are conducted based on the audit plan adopted by the Audit and Risk Committee. Audit results, including corrective actions and status, are regularly reported to the Audit and Risk Committee.