Internal control over financial reporting

The Sandvik organization manages a well-established financial reporting process aimed at ensuring a high level of internal control.

The internal control system aligns with the conceptual framework of COSO, which is based on five key components that provide an effective framework for describing and designing the internal control system implemented in the organization. The five components are Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring and Follow-up. The application of the COSO framework is described below.

Sandvik’s Board of Directors is ultimately responsible for the governance of risk management including internal control over financial reporting.

Control environment

Sandvik's internal control over financial reporting forms an integral part of the operations described in The Sandvik Way, which also includes risk assessments, policies, procedures and compliance.

The Sandvik Financial Reporting Policies and Procedures govern control over financial reporting. These documents contain detailed instructions regarding accounting policies and financial reporting procedures to be applied by all Sandvik reporting entities.

A Sandvik Financial Internal Control Framework has been developed and includes key components such as well-defined roles and responsibilities, internal control procedures and the risk and control matrix which defines a mandatory minimum of control activities that contribute to the mitigation of risks to acceptable levels. Internal control implementation projects continued during 2021 and will be completed in the first quarter of 2022.

Risk assessment and risk management

The Enterprise Risk Management (ERM) process at Sandvik includes the area of financial reporting. Key risks noted in local assessments and observations made by Internal and External Audit are also taken into consideration to ensure that adequate controls exist to mitigate these risks.

Control activities

Mandatory control activities include business process controls, IT controls and corporate governance controls focusing on compliance with policies and procedures. Internal controls are tailored to each operational entity based on risks and applicability. Entity management and process owners are responsible for ensuring that internal controls are operated according to the agreed design.

At Group level, Group Control manages the reporting process to ensure the completeness and accuracy of financial reporting and compliance with IFRS requirements.

Controllers in the divisions and business areas perform analytical reviews and investigations, conduct business trend analyses and update forecasts.

Information and communication

Policies and procedures related to financial reporting are updated and communicated on a regular basis to all entities.

Results of monitoring and status of improvement activities related to internal controls are included in the CFO report which is part of the agenda for the Audit Committee meetings.

Quarterly interim reports are published externally and are supplemented by investor meetings attended by members of the Group Executive Management.

Monitoring and follow-up

Entity management as well as local and global process owners are responsible for testing the effectiveness of internal controls through self-assessments on a quarterly basis and according to the requirements in the Sandvik Internal Control Framework. Results of the self-assessment testing of controls, including test evidence, are reported and consolidated in a Governance, Risk and Compliance IT tool. The tool also requires reporting of action plans to remediate ineffective controls.

Business areas and divisions are to monitor the remediation of ineffective controls. The Audit Committee monitors the effectiveness of internal controls related to financial reporting as presented by management, together with potential deficiencies and suggested actions.

The Board reviews all quarterly interim reports as well as the Annual Report prior to publishing. The Audit Committee reports to the Board regarding internal control matters including matters for resolution. Minutes from Audit Committee meetings are made available to Board members.

Internal audit

Internal Audit is subordinated to the Audit Committee and the Vice President of Internal Audit reports to the Audit Committee.

Internal audits include, as a basis, the Group’s policies for corporate governance, risk management and internal control regarding areas such as financial reporting, compliance with the Code of Conduct and IT.

The outputs of the audits include action plans and programs for improvement. Findings are reported to the business area management and to the Audit Committee.

Internal audit interacts with external audit on a periodic basis to discuss and share audit plans and audit results.