Internal control over Financial Reporting
Statkraft has a system for Internal Control over Financial Reporting (ICFR) to ensure reliable and timely financial information in the monthly, quarterly and annual reports. The ICFR work is based on the COSO 2013 framework for internal control, published by the Committee of Sponsoring Organizations of the Treadway Commission.
Statkraft’s management system, “The Statkraft Way”, ensures a good control environment and contributes to achieving the Group’s goals and intentions. Internal control requirements have been incorporated into the relevant internal control area, for instance Health, Safety and Environment (HSE), Ethics, ICT security ), Corporate Responsibility and Financial Reporting.
A solid management system combined with a strong control environment is the fundament for further work with ICFR.
Internal Control over Financial Reporting
The Internal Control over Financial Reporting (ICFR) system shall ensure reliable and timely financial information. All subsidiaries are required to comply with the ICFR requirements as described in “The Statkraft Way” and in the Finance Manual. The same applies for associated companies, joint operations and joint ventures where Statkraft is responsible for the book-keeping and financial reporting. If a third party is responsible for the book-keeping and statutory reporting of the partly owned company, the responsible segment shall perform compensating controls.
The Board assumes the executive responsibility for having a well-functioning ICFR system in the Group. The activities related to ICFR are performed in the Group’s Governance, Risk and Compliance (GRC) system, BWise, which was implemented in 2015. BWise gives the possibility to efficiently real time monitor status on control performance throughout the whole organisation.
The main elements of the ICFR system are:
- Risk assessment and evaluation of control design
The Group's ICFR Network performs an annual assessment of the Group's risk of having errors in the financial reporting. The result of this risk assessment is documented in a financial reporting risk map presenting the likelihood of the risk to occur and the consequence in the financial report given that the risk occurs. The risk map is presented to the Audit Committee.
Business and support processes for handling the financial reporting risks are identified and assessed. The purpose of this work is to verify if Statkraft has the appropriate controls in place to mitigate risk sufficiently. For the identified controls, it is described how these shall be performed, documented and reviewed. In addition, it is described who is responsible for implementing them. All the activities are performed in BWise, and the control descriptions in BWise are available for all employees in the Finance Manual.
- Reporting of ICFR to Audit Committee
Twice a year, key elements within the ICFR system are reported to the Audit Committee. The result of the yearly assessment related to control design and operational effectiveness is reported in March.
- Continuous performance and monitoring
For each control, it is defined how often the control shall be performed and who is responsible for performing and reviewing the control in BWise. The controls shall be performed monthly, quarterly, half yearly or yearly and managers are responsible for compliance with the control descriptions and the ICFR requirements. Yearly, responsible managers perform an assessment on design and operational effectiveness of all controls. BWise makes it possible to perform real time monitoring on control performance throughout the whole organisation, and gives easy access to control documentation on entity, segment and group level.
- Test of control performance
Quarterly, and on sample basis, the ICFR department with ICFR monitors from all segments/areas review quality on control performance and compliance with the control descriptions. The result of this testing is presented to all control performers and reviewers, and reported to management.
- Reporting of ICFR to Audit Committee
The Group’s financial reporting risk assessment is reported in September. If a material breach of the ICFR requirements has occurred, this will be reported to the Audit Committee.
Vice President Internal Control (VP FRC) - Internal Control is responsible for managing the ICFR system and for assisting management in monitoring compliance with the ICFR requirements. VP FRC - Internal Control is responsible for training and supporting implementation of ICFR requirements. VP FRC – Internal Control reports to the Senior Vice President Financial reporting and accounting who in turn reports to the CFO.