Risk management and control

The objective of the internal control and risk management systems associated with Elisa's financial reporting process is to obtain reasonable assurance that the company's financial statements and financial reporting are reliable, that they have been prepared in compliance with laws, regulations and generally accepted accounting principles, and that they provide a true and fair view of the financial situation of the company. Internal control and risk management procedures are integrated into the company’s operations and processes. Elisa’s internal control can be described using the international COSO framework.

Control environment

Elisa's control environment is based on the company's values, policies, guidelines and practices, as well as goal-oriented management. Elisa's key processes have been documented, and they are both controlled and developed systematically.

Annual business and strategy planning processes and targets, as well as rolling monthly financial forecasts, represent a key element in Elisa's business and performance management. Financial results are assessed against the forecast, the annual plan, the previous year’s results and the strategic plan.

Targets are set for the Elisa Group and for each unit, and individual targets are specified in semi-annual appraisals based on the scorecard and performance-based bonus system.

Risk assessment

Risk assessment is an integral part of Elisa's planning process. The purpose of risk assessment is to identify and analyse risks that could affect the achievement of specified targets and to identify measures to reduce those risks.

The key risks associated with the accuracy of financial reporting have been identified in a process-specific risk analysis. Risk assessment also covers risks related to misuse and the resulting financial losses, as well as the misappropriation of the company's other assets.

Controls

Control measures consist of automatic and manual reconciliation, control and instructions integrated into the processes, with the objective of ensuring the accuracy of financial reporting and the management of the risks involved. The reporting control mechanism processes have been documented. Key control mechanisms also include access rights management of information systems, authorisation, and the controlled and tested implementation of information system changes.

The financial development of business operations is constantly monitored on a unit basis. Financial management discusses any exceptional items and recognitions at its meetings and investigates the causes and reasons for any changes in the rolling monthly forecasts. Financial reporting is also ensured by comprehensive and analytical reporting of operative metrics, drivers and key figures, and continuous development of the reporting.

Auditing

The Board of Directors’ Audit Committee is tasked with supervising the proper organisation of the company’s accounting and financial administration, internal and financial auditing, and risk management. Elisa's Board of Directors reviews and approves the interim reports and financial statement releases. Elisa’s Board of Directors and Executive Board monitor the Group’s and the business units’ results and performance on a monthly basis. Elisa's Finance unit is responsible for the internal auditing of the financial reporting and continuously evaluates the functionality of controls. In addition, Elisa’s internal auditing function controls the reliability of financial reporting within the framework of its annual audit plan.

Risk management

The company classifies risks into strategic, operational, insurable and financial risks. Insurable risks are identified, and insurance is taken out through an external insurance broker to deal with these risks. The insurance broker assists the company when the amount and likelihood of insurable risks are estimated.

Financial communication and training

Key instructions, policies and procedures are available to the personnel on the company's intranet and through other shared media. In addition, regular information and training are provided to the financial organisation, particularly regarding any changes in accounting, reporting and disclosure requirements.

Elisa's valid Disclosure Policy is available on the company's website at www.elisa.com

Internal auditing

The purpose of internal auditing is to estimate the appropriateness and profitability of the company's internal control system and risk management, as well as the management and administration processes. Internal auditing supports the development of the organisation and improves the management of the supervision obligation of the Board of Directors.

Internal auditing is also intended to support the organisation in achieving its goals by evaluating and investigating its functions and by monitoring compliance with corporate regulations. For this purpose, internal auditing produces analyses, assessments, recommendations and information for use by the company’s senior management. Reports on completed audits are submitted to the CEO and the management of the unit audited, as well as to the Audit Committee, when necessary.

Internal auditing is based on international internal auditing standards (IIA). Internal auditing is independent of the rest of the organisation. The starting point for internal auditing is business management, and the work is coordinated with financial auditing. An annual auditing plan and auditing report are presented to the Board of Directors’ Audit Committee. Internal auditing may also carry out separately agreed audits on specific issues at the request of the Board of Directors and Elisa’s Executive Board.