Internal control and risk management

Tieto’s internal control framework supports the execution of the strategy and ensures regulatory compliance. The foundation for internal control is set by the risk management framework, financial control, internal audit and supporting policies.

The aim of Tieto’s internal control framework is to assure that operations are effective and well aligned with the strategic goals. The internal control framework is intended to ensure correct, reliable, complete and timely financial reporting and management information. The framework endorses ethical values, good corporate governance and risk management practices.

The activities related to internal control and risk management are part of Tieto’s management practices and integrated into the business and planning processes.

Risk Management Framework

Tieto uses systematic risk management to develop the efficiency and control of business operations as well as their profitability and continuity.

Risks

The risk management framework consists of the risk management organization, related policies, operating principles and tools. The risk management organization develops and maintains the company’s risk management framework, including risk reporting, risk management governance and follow- up of risk exposures consisting of strategic, financial, operational and compliance risks.

Each process owner is responsible for the continuous development and improvement of the established procedures, including controls and risk management. The Chief Risk Officer (CRO) has the responsibility to arrange and lead Tieto’s risk management. The Internal Audit (IA) assures the efficiency of the framework and risk management in business operations. The ARC monitors the adequacy of the company’s risk management, financial control, and internal audit functions.

Tieto has also specified its compliance management system, including the compliance organization, steering model and annual plan for compliance-related activities. The Group Compliance Officer is responsible for ensuring the effectiveness and functionality of the governance model and coordinating the compliance work. In 2017, the company continued a project to improve on-boarding practices in the area of third party risk management.

Continuous development of the risk framework

During 2017 the main improvements were a complete upgrade of the Tieto GRC (Governance Risk and Compliance) platform and implementation of EU General Data Protection Regulation (GDPR) privacy risk assessment to the GRC platform. In addition, Tieto implemented and launched a completely new Security Incident management reporting and handling module as part of the GRC framework and started to design a new business continuity module, to endorse the risk management and internal control work in the business units.

The development of the risk management framework is carried out in close cooperation with Risk Coaches, Security Managers, Quality Partners and persons responsible for Privacy in the units, and approved by the Tieto Leadership Team and validated by the ARC.

Financial control

The purpose of internal control over financial reporting is to ensure the correctness of financial reporting, including interim and annual reports and the compliance of financial reporting with regulatory requirements.

The ARC has the oversight role in Tieto’s external financial reporting.

Financial reporting process and responsibilities

Tieto has a common accounting and reporting platform. Group consolidation and reporting are based on the reporting system, which facilitates common control requirements for all legal entities reporting to the Group. Financial reporting consists of monthly performance reports, including all the key performance indicators, rolling forecasts and interim financial reports.

Financial reports are regularly reviewed by Finance Partners in the units, the Leadership Team and the Board of Directors. The follow-up is based on a thorough comparison of the actual figures with the set objectives, forecasts and previous periods. If the figures deviate, the Leadership Team members are responsible for initiating corrective actions.

Internal audit

Tieto’s Internal Audit function carries out both business- and control-related audit activities.

Business audit activities aim to ensure the efficiency and appropriateness of Tieto’s operations. Control-related audit activities are intended to assess and assure the adequacy and effectiveness of internal controls and the risk management framework within Tieto. Internal audits are planned and carried out independently but in coordination with other control functions and the external auditors. Audits can also be initiated due to escalations, fraud attempts, misconducts or other breaches of laws or the company’s policies and rules. Internal Audit reports to the Chief Financial Officer (CFO), the President and CEO and the ARC. The annual audit plan and the annual internal audit report are approved by the ARC.