Internal control and risk management related to financial reporting
Control functions and control environment
The company has a controller function that reports to the CFO and is tasked with ensuring the accuracy of monthly financial reporting. The CFO reports on the financial performance of the company and its divisions to Management, the Board of Directors, and the Board’s Audit Committee.
The company uses a reporting system that compiles subsidiaries’ reports into consolidated financial statements. There are also written directives for completing the financial reports of subsidiaries. The company’s CFO monitors compliance with these instructions. The company also has the separate reporting facilities required for monitoring business operations and asset management.
The Group’s financial administration unit provides instructions for drawing up financial statements and interim financial statements, and compiles the consolidated financial statements. This financial administration unit has centralised control over the Group’s funding and asset management, and is in charge of managing interest rate risks.
Internal control helps to ensure the reliability of the Digia Group’s financial reporting. Digia’s financial administration unit provides guidance on financial reporting matters.
The Group’s business is divided into areas of responsibility led by Senior Vice Presidents (SVPs) reporting to the CEO. Reporting and supervision are based on annual budgets that are reviewed monthly, on monthly income reporting, and on updates of the latest forecasts.
The SVPs report to the Group Management Team on development matters, strategic and annual planning, business and income monitoring, investments, potential acquisition targets and internal organisation matters related to their areas of responsibility. Each area of responsibility also has its own management team.
Digia’s operational management and supervision adhere to the corporate governance system described above.
Digia has not established a separate function responsible for internal auditing. The need for an internal audit function is regularly assessed. With the company’s current business volume, its legal and financial management functions are able to handle internal auditing tasks.
Risk management and major risks
The purpose of the company’s risk management process is to identify and manage risks in a way that enables the company to attain its strategic and financial targets. Risk management is a continuous process by which the major risks are identified, listed and assessed, the key persons in charge of risk management are appointed, and risks are prioritised according to an assessment scale that compares the effects and mutual significance of risks. Part of this process involves identifying, planning and implementing risk management measures, and then monitoring their impact.
The main operational risks monitored under Digia’s risk management are related to customers, personnel, deliveries, IT, data protection, data privacy and information security, immaterial rights, and goodwill.
The company manages customer risks by actively developing its customer portfolio structure and avoiding any potential risk positions.
Personnel risks are evaluated and managed using a quarterly performance review and development discussion process in which key personnel participate. To enhance personnel commitment, the company strives to systematically improve the efficiency of internal communications via regular personnel events and by increasing the management’s visibility. Two major personnel-related risks are competence development and finding the correct expertise. These risks are systematically managed by developing our personnel’s competence and through continual recruitment management and subcontractor management.
Internal – and, as required, also external – audits of major projects and continuous services are conducted with a view to enhancing project and service risk management and securing the success of customer deliveries. The Group’s certified quality systems are also regularly evaluated. During 2018, the Group increased the efficiency of its project delivery reporting practices. The project management operating model was also further developed during 2018, and this work continues in 2019.
Audits are carried out to manage data security and data privacy risks, and the company also continually develops working models, practices and processes that promote data security and data privacy. Security training for all personnel is organised as required.
The Management Team is tasked with systematically managing risks associated with business integration, shared operating models and best practices, as well as their integrated development. Typical risks in the software business relate to appropriate protection for the company’s own immaterial property rights (IPRs) and violation of third parties’ IPRs. These are managed through extensive internal policies, standard contracts, and appropriate supervision and analysis.
With respect to IFRS-compliant accounting policies, the Group actively monitors goodwill and its associated impairment tests as a part of prudent and proactive risk management practices within financial management.
Digia has assessed the corporate liability risks associated with its own operations and business relations, and has adequate and appropriate processes in place to predict and take precautions against these risks.
In addition to operational risks, the company is subject to financial risks. Digia Plc has centralised internal and external financing and the management of financial risks within the finance function of the Group’s parent company. This function is responsible for the Group’s liquidity, the sufficiency of financing, and the management of interest rate and currency risks. The Group is exposed to several financial risks in the normal course of business. The Group’s risk management seeks to minimise the adverse effects of changes in financial markets on the Group’s earnings. The primary types of financial risks are interest rate risk, credit risk, and funding risk. The general principles of Digia’s risk management are approved by the Board of Directors, and the Group’s finance function and business divisions are jointly responsible for their practical implementation.