Internal control and risk management related to financial reporting
Control functions and control environment
The company has a controller function that reports to the CFO and is tasked with ensuring the accuracy of monthly financial reporting. The CFO reports on the financial performance of the company and its divisions to Management, the Board of Directors, and the Board’s Audit Committee.
The company uses a reporting system that compiles subsidiaries’ reports into consolidated financial statements. There are also written directives for completing the financial reports of subsidiaries. The company’s CFO monitors compliance with these instructions. The company also has the separate reporting facilities required for monitoring business operations and asset management.
The Group’s financial administration unit prepares the consolidated interim reports and consolidated Financial Statements. This financial administration unit has centralised control over the Group’s funding and asset management and is in charge of managing financial risks.
Internal control helps to ensure the reliability of the Digia Group’s financial reporting. Digia’s financial administration unit provides guidance on financial reporting matters. The Group’s business is divided into areas of responsibility led by Senior Vice Presidents (SVPs) reporting to the CEO. Reporting and supervision are based on annual budgets that are reviewed monthly, on monthly income reporting, and on updates of the latest forecasts. In addition, the company regularly monitors the profitability of projects.
The SVPs report to the Group Management Team on development matters, strategic and annual planning, business and income monitoring, investments, potential acquisition targets and internal organisation matters related to their areas of responsibility. Each area of responsibility also has its own management team.
Digia’s operational management and supervision adhere to the corporate governance system described above.
Digia has not yet established a separate function responsible for internal auditing. The need for an internal audit function is regularly assessed. With the company’s current business volume, its legal and financial management functions are able to handle internal auditing tasks.
Risk management and major risks
The purpose of the company’s risk management process is to identify and manage risks in a way that enables the company to attain its strategic and financial targets. Risk management is a continuous process by which the major risks are identified, listed and assessed, the key persons in charge of risk management are appointed, and risks are prioritised according to an assessment scale that compares the effects and mutual significance of risks. Part of this process involves identifying, planning and implementing risk management measures, and then monitoring their impact.
The main operational risks monitored under Digia’s risk management are related to customers, personnel, deliveries, IT, data security and protection, immaterial rights, human rights, environment and goodwill.
The company manages customer risks by actively developing its customer portfolio structure and avoiding any potential risk positions.
Personnel risks are evaluated and managed using a quarterly performance review and development discussion process in which key personnel participate. To enhance personnel commitment, the company strives to systematically improve the efficiency of internal communications via regular personnel events and by increasing the management’s visibility. Two major personnel-related risks are competence development and finding the correct expertise. These risks are managed by systematically developing our personnel’s competence and recruitment processes as well as through subcontractor management.
Internal – and as required also external – audits of major projects and continuous services are conducted with a view to enhancing project and service risk management and securing the success of customer deliveries. Digia uses a regularly audited ISO 9001-certified quality management system (Core Process Model), and the processes described in this system are utilised in all operations with a view to providing an optimal customer experience.
Audits are carried out to manage data security and protection risks, and the company also continually develops working models, practices, and processes that promote data security and protection. Security training is organised for all personnel. In 2020, we renewed our internal data security and data protection training package. This training must be retaken every year, not only by Digia personnel but also by any subcontractors working on Digia’s premises.
As part of its sustainability programme, Digia has initiated systematic development efforts in the areas of both human rights and environmental impacts with respect to its inspection and evaluation of potential risks in these areas.
The Management Team is tasked with systematically managing risks associated with business integration, shared operating models and best practices, as well as their integrated development. Typical risks in the software business include the appropriate protection of the company’s own immaterial property rights (IPRs) and violation of third parties’ IPRs. These are managed through extensive internal policies, standard contracts, and appropriate supervision and analysis.
With respect to IFRS-compliant accounting policies, the Group actively monitors goodwill and its associated impairment tests as a part of prudent and proactive risk management practices within financial management. Digia has assessed the corporate liability risks associated with its own operations and business relations, and has adequate and appropriate processes in place to predict and take precautions against these risks.
In addition to operational risks, the company is subject to financial risks. Digia Plc has centralised internal and external financing and the management of financial risks within the finance function of the Group’s parent company. This function is responsible for the Group’s liquidity, the sufficiency of financing, and the management of interest rate and currency risks. The Group is exposed to several financial risks in the normal course of business. The Group’s risk management seeks to minimise the adverse effects of changes in financial markets on the Group’s earnings. The primary types of financial risks are interest rate risk, credit risk, and funding risk. The general principles of risk management are approved by the Board of Directors, and the Group’s finance function together with the business segments is responsible for their practical implementation.