Nokia 2015 Annual Report Download - page 88

86 NOKIA IN 2015
Risk management, internal control and internal audit functions at Nokia
Main features of risk management systems
We have a systematic and structured approach to risk management
across business operations and processes. Key risks and opportunities
are primarily identified against business targets either in business
operations or as an integral part of long- and short-term planning.
Key risks and opportunities are analyzed, managed, monitored and
identified as part of business performance management with the
support of risk management personnel. Our overall risk management
concept is based on managing the key risks that would prevent us from
meeting our objectives, rather than solely focusing on eliminating
risks. The principles documented in the Nokia Risk Management Policy,
which is approved by the Audit Committee of the Board, require risk
management and its elements to be integrated into key processes.
One of the main principles is that the business or function head is also
the risk owner, although all employees are responsible for identifying,
analyzing and managing risks, as appropriate, given their roles and
duties. Risk management covers strategic, operational, financial and
hazard risks. Key risks and opportunities are reviewed by the Group
Leadership Team and the Board in order to create visibility on business
risks as well as to enable prioritization of risk management activities.
In addition to the principles defined in the Nokia Risk Management
Policy, specific risk management implementation is reflected in other
key policies.
The Board’s Audit Committee is responsible for, among other matters,
risk management relating to the financial reporting process and
assisting the Board’s oversight of the risk management function.
Overseeing risk is an integral part of Board deliberations. The Board’s
role in overseeing risk includes risk analysis and assessment in
connection with financial, strategy and business reviews, updates and
decision-making proposals. Additionally, certain significant risks are
selected as priority risks that are monitored by the Board regularly. We
have an Enterprise Risk Management (“ERM”) function within the CFO
organization. ERM regularly reviews risk evaluations with the internal
controls function, and the internal controls function utilized the ERM
analysis in planning its priority areas.
Description of internal control procedures in relation to the financial reporting process
The management is responsible for establishing and maintaining
adequate internal control over financial reporting for Nokia. Our
internal control over financial reporting is designed to provide
reasonable assurance to the management and the Board regarding
the reliability of financial reporting and the preparation and fair
presentation of published financial statements.
The management conducts a yearly assessment of Nokia’s internal
controls over financial reporting in accordance with the Committee of
Sponsoring Organizations framework (the “COSO framework”, 2013)
and the Control Objectives for Information and related technology of
internal controls. In 2015, the assessment was performed based on a
top-down risk assessment of our financial statements covering
significant accounts, processes and locations, corporate level controls
and information systems’ general controls.
As part of its assessment the management documented:
  • the corporate-level controls, which create the “tone from the top”
    containing the Nokia values and Code of Conduct and provide
    discipline and structure to decision making processes and ways of
    working. Selected items from our operational mode and governance
    principles are separately documented as corporate level controls;
  • the significant processes, including eight financial cycles and
    underlying IT cycle, identified by us to address control activities
    implementing the top down risk based approach. These cycles
    include revenue cycle, inventory cycle, purchase cycle, treasury
    cycle, human resources cycle, accounting and reporting cycle, tax
    cycle and IT cycle. Financial cycles have been designed to: (i) give
    a complete end-to-end view of all financial processes; (ii) identify
    key control points; (iii) identify involved organizations; (iv) ensure
    coverage for important accounts and financial statement assertions;
    and (v) enable internal control management within Nokia;
  • the control activities, which consist of policies and procedures to
    ensure the management’s directives are carried out and the related
    documentation is stored according to our document retention
    practices and local statutory requirements; and
  • the information systems’ general controls to ensure that sufficient
    IT general controls, including change management, system
    development and computer operations, as well as access and
    authorizations, are in place.
Further, the management also:
  • assessed the design of the controls in place aimed at mitigating the
    financial reporting risks;
  • tested operating effectiveness of all key controls;
  • evaluated all noted deficiencies in internal controls over financial
    reporting in the interim and as of year-end; and
  • performed a quality review on assessment documentation and
    provided feedback for improvement.
In conclusion, the management has assessed the effectiveness of our
internal control over financial reporting, at December 31, 2015, and
concluded that such internal control over financial reporting is effective.
Description of the organization of the internal audit function
We also have an internal audit function that acts as an independent
appraisal function by examining and evaluating the adequacy and
effectiveness of our system of internal control. Internal audit resides
within the Chief Financial Officer’s organization and reports to the
Audit Committee of the Board. The head of the internal audit function
has direct access to the Audit Committee, without involvement of the
management. All authority of the internal audit function is derived
from the Board of Directors. Internal audit aligns to the business
regionally and by business and function.
Annually, an internal audit plan is developed with input from the
management, key business risks, and external factors. This plan is
approved by the Audit Committee of the Board. Audits are completed
across the business focused on country level, customer level, IT system
implementation, operations activities or at a Group function level.
The results of each audit are reported to the management identifying
issues, financial impact, if any, and the correcting actions to be completed.
Quarterly, internal audit communicated the progress of the internal
audit plan completion including the results of the closed audits.
Internal audit also works closely with our Ethics and Compliance office
to review any financial concerns brought to light from various channels.
In 2015, the internal audit plan was completed and all results of these
reviews were reported to the management and to the Audit
Committee of the Board.
Corporate governance statement continued