Hydro's financial framework and control model
Our ICFR framework is primarily designed to provide reasonable assurance to our management and the Board of Directors regarding the preparation and fair presentation of our Financial Statements. We established our comprehensive ICFR framework in 2006 and continue to maintain it based on the “Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control - integrated framework” principles.
The five interrelated COSO principles are:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- The control environment is the foundation and reflects the tone set by top management, its overall attitude, awareness and actions.
- Risk assessment involves identification and analysis of relevant risk to the achievement of its objectives, which form basis for determining how the risks should be managed.
- Control activities are the activities executed in order to mitigate the assessed risks.
- Information and communication support the identification, capture and exchange of information in a timely manner for implementation for corrective actions.
- Monitoring activities evaluate the effectiveness and efficiency of the ICFR framework.
Hydro’s overall control environment relevant for financial reporting is covered by “Hydro-Wide Controls (HWC)”. HWC reflects the tone set by the top management, management’s and employees’ common attitudes, ethics, values, and competence.
Our ICFR model is implemented through a top-down and risk-based approach. Therefore, we emphasize in particular four higher-risk areas:
- Hydro Financial Reporting Risks
- Fraud Risks
- General Computer risks
- Financial Closing risks
The controls related to these areas are embedded into Hydro’s overall control environment – HWC, as illustrated below.
Examples of primary programs and controls of each focus area:
Hydro-Wide Controls (HWC): Hydro way, Steering Documents, Code of Conduct, Whistle blowing channel, HWC annual self assessment survey.
Hydro Financial Reporting Risks (HFRR): Yearly Risk Assessment of the most critical financial reporting risks including fraud.
Anti Fraud Program consists of Segregation of Duties, Authorization, and other mandatory/pervasive controls to prevent fraudulent activities.
Financial Closing controls cover the financial reporting process and management review of Financial Statements.
General Computer Controls (GCC): Controls for IT system access administration, operation, and change management.
Hydro's ICFR process
Hydro’s yearly ICFR process consists of the following activities:
- Yearly Risk Assessment
- Evaluation of the most critical financial reporting risks (HFRR) which pose a high risk to reliable financial reporting.
- Design update of risks and controls
- Analysis of changes that impact the ICFR environment to identify new and/or changed risks and controls.
- To assess operational effectiveness of the controls.
- Deficiency Handling
- Deficiencies are noted when weaknesses in internal controls are identified.
- Our goal is to remediate all identified deficiencies in a timely manner; deficiencies not fully resolved are assessed for their impact on the financial statements, if any.
- Annual Certification
- Annually, management at different layers in the organization is asked to certify that the necessary internal controls over financial reporting are implemented and working effectively.
Monitoring is a dynamic process and operates through the ICFR Process as described above. Based on the monitoring activities performed a status report is given to the disclosure committee on a quarterly basis.
The disclosure committee is an integral component of Hydro’s disclosure controls and procedures and assess Hydro’s compliance initiatives pertaining to ICFR. The disclosure committee reports quarterly a summary of its activities to the Audit Committee. Through reporting from the disclosure committee and Internal Audit, the Audit Committee takes an active role in ensuring the functioning of the ICFR framework.