Internal control and risk management
Tieto’s internal control framework supports the execution of the strategy and ensures regulatory compliance. The foundation for internal control is set by the risk management framework, financial control, internal audit and supporting policies.
The aim of Tieto’s internal control framework is to assure that operations are effective and well aligned with the strategic goals. The internal control framework is intended to ensure correct, reliable, complete and timely financial reporting and management information. The framework endorses ethical values, good corporate governance and risk management practices.
The activities related to internal control and risk management are part of Tieto’s management practices and integrated into the business and planning processes.
Risk Management Framework
Tieto uses systematic risk management to develop the efficiency and control of business operations as well as their profitability and continuity.
The risk management framework consists of the risk management organization, related policies, operating principles and tools. The risk management organization develops and maintains the company’s risk management framework, including risk reporting, risk management governance and follow-up of risk exposures consisting of strategic, financial, operational and compliance risks.
Each process owner is responsible for the continuous development and improvement of the established procedures, including controls and risk management. The Chief Risk Officer (CRO) has the responsibility to arrange and lead Tieto’s risk management. The Internal Audit (IA) assures the efficiency of the framework and risk management in business operations. The ARC monitors the adequacy of the company’s risk management, financial control, and internal audit functions.
Tieto has also determined its compliance management system, including the compliance organization, steering model and annual plan for compliance-related activities. The Group Compliance Officer is responsible for ensuring the effectiveness and functionality of the governance model and coordinating the compliance work.
Continuous development of the risk framework
The main changes and improvements in 2016 were connected to the new Tieto organization, which was in effect as of 1 July. This required changes in the Tieto Risk Management database to accommodate the new organization structure and remap the risks to the correct units. The follow-up of project risk management was also improved to reduce administrative and manual work. Systematic risk management has contributed to a more mature risk management culture.
The development of the risk management framework is carried out in close cooperation with Risk Coaches in the units, approved by the Tieto Leadership Team and validated by the ARC.
The purpose of internal control over financial reporting is to ensure the correctness of financial reporting, including interim and annual reports and the compliance of financial reporting with regulatory requirements.
The ARC has the oversight role in Tieto’s external financial reporting.
Financial reporting process and responsibilities
Tieto has a common accounting and reporting platform. Group consolidation and reporting are based on the reporting system, which facilitates common control requirements for all legal entities reporting to the Group. Financial reporting consists of monthly performance reports, including all the key performance indicators, rolling forecasts and interim financial reports.
Financial reports are regularly reviewed by Finance Partners in the units, the Leadership Teams and the Board of Directors. The follow-up is based on a thorough comparison of the actual figures with the set objectives, forecasts and previous periods. If the figures deviate, the Leadership Team members are responsible for initiating corrective actions.
Tieto’s Internal Audit function carries out both business- and control-related audit activities.
Business audit activities aim to ensure the efficiency and appropriateness of Tieto’s operations. Control-related audit activities are intended to assess and assure the adequacy and effectiveness of internal controls and the risk management framework within Tieto. Internal audits are planned and carried out independently but in coordination with other control functions and the external auditors. Audits can also be initiated due to fraud attempts, misconduct or other breaches of laws or the company’s policies and rules. Internal Audit reports to the Chief Financial Officer (CFO), the President and CEO and the ARC. The annual audit plan and the annual internal audit report are approved by the ARC.