INTERNAL CONTROLS OVER FINANCIAL REPORTING

In accordance with the Swedish Companies Act and the Swedish Corporate Governance Code, the Board of Directors is responsible for internal controls over financial reporting. The Board continuously reviews the performance of internal controls and initiates activities to foster continuous improvement of internal controls.

Telia Company’s risk management framework includes internal controls over financial reporting, and is in line with the COSO framework for internal controls. It consists of interrelated areas, which are control environment, risk assess­ment, control activities, information and communication, and monitoring. To establish a consistent approach to and a group-common view of risks related to incorrect financial reporting, group-wide risk catalogues have been implemented in all major entities in which Telia Company has management responsibility. The internal controls function within Group Finance is responsible for developing and maintaining the IT-based tool for managing the risk catalogues.

Internal control is an integral part of Telia Company’s corporate governance and enterprise risk management which involves boards of directors, executive management and employees on all organizational levels. It is a process which includes methods and processes to:

  • Safeguard the group’s assets
  • Ensure the reliability and correctness of financial reporting
  • Secure compliance with applicable legislation and guidelines
  • Ensure that objectives are met and continuous improvement of operational efficiency

The objective for Telia Company’s financial reporting is to be in line with the highest professional standards and to be full, fair, accurate, punctual and understandable.

Control environment

The most essential parts of Telia Company’s control environment are the group policies with related group instructions and detailed group directives. Management at all levels is responsible for ensuring that the organization complies with the Delegation of Obligations and Authority issued by the CEO, the financial governing documents, the reporting framework and other group requirements. Group Finance staff is responsible for monthly monitoring and, if significant, communication of changes in legislation, listing requirements and financial reporting standards affecting financial group instructions or directives.

Management in each entity or group function is responsible for ensuring that:

  • Monthly and quarterly financial statements comply with Telia Company’s accounting policies
  • Financial reports are delivered on time
  • Activities to mitigate the risks, as specified in the group risk catalogues, have been implemented and are performed
  • Required reconciliations are properly performed
  • Material business and financial risks are identified and reported

The Telia Company financial shared services unit supports harmonized and standardized financial accounting processes and controls across large wholly-owned business units.

Risk assessment

Telia Company has a risk-based approach towards internal controls over financial reporting. Risk management related to financial reporting is incorporated in the group-common risk management framework as described in section “Enterprise risk management (ERM) framework.” As such, assessment and management of risks that may result in inaccurate financial reporting is a natural part of the daily work. The group risk catalogues are used as a baseline. Risk assessments are performed from both a top-down and a bottom-up perspective. The results of the risk assessments are documented in the group risk catalogues.

Control activities

All business processes across Telia Company include controls regarding the initiation, approval, recording and accounting of financial transactions. Major processes, including related risks and key controls, are described and documented in a common and structured way, based on the requirements set in the group risk catalogues. Controls are either automated or manual and designed to ensure that necessary actions are taken to either prevent or detect material errors or misstatements and to safeguard the assets of the company. Controls for the recognition, measurement and disclosure of financial information are included in the financial closing and reporting process, including controls for IT applications used for accounting and reporting.

Information and communication

Group policies, instructions and directives, the reporting framework guidelines and other requirements regarding accounting and reporting as well as performing internal controls are made accessible to all employees concerned, through the use of Telia Company’s regular internal communication channels. Employees at group level continuously engage in internal training activities to ensure harmonization within important areas such as revenue recognition, distinction between capital and operating expenditure, etc.

The internal controls function within Group Finance are continuously performing monitoring activities and compile and share the results with management teams on region and country level. Sharing gives a good opportunity for benchmarks and learning.

Telia Company promotes an open, honest and transparent flow of information, especially regarding the performance of internal controls. Control performers are encouraged to disclose any issues concerning their controls in the monthly reporting, so that a problem can be taken care of before it, possibly, causes errors or misstatements.

Monitoring

Telia Company has implemented a structured process for performance monitoring of internal controls over financial reporting. This process includes all countries, regions and group functions and consists of a self-assessment of the risk mitigating activities. The internal controls function within Group Finance monitors the process on a monthly basis. On behalf of Group Executive Management, the internal controls function carries out an annual risk-based compliance review of key risks in order to evaluate the quality of self-assessments, risk mitigation and the overall internal control environment.

The results of the self-assessments and the compliance review are communicated to the management of all relevant entities, to the GREC meetings and to the Board of Directors’ Audit Committee. The Audit Committee also receives reports directly from both external and internal auditors. The reports are discussed and follow-up observations are made by the Committee. Both the external and internal auditors are present at the Committee meetings.

At least once a year, the entire Board of Directors meets with the external auditors, in part without the presence of management.