Internal Control and Risk Management Related to Financial Reporting

Control functions and control environment

Control functions

The company has a controller function tasked with verifying monthly reports. This controller function reports on the financial performance of the company and its divisions to Management, the Board of Directors, and the Board's Audit Committee.

The company uses a reporting system that compiles subsidiaries' reports into consolidated financial statements. There are also written directives for completing the financial reports of subsidiaries. Compliance with these directives is monitored by the controller function. The company also has the separate reporting facilities required for monitoring business operations and asset management.

The Group's finance unit provides instructions for drawing up financial statements and interim financial statements, and compiles the consolidated financial statements. The finance unit has centralised control over the Group's funding and asset management, and is in charge of managing interest rate risks.

Internal risk control

As a general rule, authorisation is distributed in such a way that no individual may independently carry out actions without the knowledge of at least one other individual. For example, the company’s bookkeeping and asset management are managed by separate persons, and two authorised persons are required to sign on behalf of the company.

The Group's business is divided into areas of responsibility led by Senior Vice Presidents (SVPs) reporting to the CEO. Reporting and supervision are based on annual budgets that are reviewed monthly, on monthly income reporting, and on updates of the latest forecasts.

The SVPs report to the Group Management Team on development matters, strategic and annual planning, business and income monitoring, investments, potential acquisition targets and internal organisation matters related to their areas of responsibility. Each area of responsibility also has its own management team.

Digia's operational management and supervision adhere to the corporate governance system described above.

The Group's administration unit is in charge of HR management and policy, real estate properties, and ensuring appropriate working conditions at all locations. The legal affairs unit guides and monitors agreements made by the company, and ensures the legality of the Group’s operations.

Digia has not yet established a separate function responsible for internal control. With the company’s current business volume, its legal and financial management functions are able to handle internal control tasks.

Risk management

The purpose of the company’s risk management process is to identify and manage risks in a way that enables the company to attain its strategic and financial targets. Risk management is a continuous process by which the major risks are identified, listed and assessed, the key persons in charge of risk management are appointed, and risks are prioritised according to an assessment scale that compares the effects and mutual significance of risks.

The main operational risks monitored under Digia’s risk management are related to customers, personnel, projects, data security, immaterial rights, and goodwill.

The company manages customer risks by actively developing its customer portfolio structure and avoiding any potential risk positions.

Personnel risks are evaluated and managed using a quarterly performance review and development discussion process in which key personnel participate. To enhance personnel commitment, the company strives to systematically improve the efficiency of internal communications via regular personnel events and by increasing the management’s visibility.

Key project audits are carried out with a view to enhancing project risk management and securing the success of project deliveries to customers. The Group's certified quality systems are also regularly evaluated and the Group has increased the efficiency of its project delivery reporting practices for corporate governance and finance.

Data security audits are carried out to manage data security risks. The company also continually develops working models, practices and processes that promote data security.

The Management Group is tasked with systematically managing risks associated with business integration, shared operating models and best practices, as well as their integrated development.

Typical risks in the software business relate to the appropriate protection of the company’s own immaterial property rights (IPRs) and violation of third parties’ IPRs. These are managed through extensive internal policies, standard contracts, and appropriate supervision and analysis.

With respect to IFRS-compliant accounting policies, the Group actively monitors goodwill and its associated impairment tests as a part of prudent and proactive risk management practices within financial management.

In addition to operational risks, the company is subject to financial risks. Digia Plc has centralised internal and external financing and the management of financial risks within the finance function of the Group’s parent company. This function is responsible for the Group’s liquidity, the sufficiency of financing, and the management of interest rate and currency risks. The Group is exposed to several financial risks in the normal course of business. The Group’s risk management seeks to minimise the adverse effects of changes in financial markets on the Group’s earnings. The primary types of financial risks are interest rate risk, credit risk, and funding risk. The general principles of Digia’s risk management are approved by the Board of Directors, and the Group’s finance function and business divisions are jointly responsible for their practical implementation.