Internal Control and Risk Management Related to Financial Reporting

Control functions and control environment

The company has a controller function tasked with verifying monthly reports. This controller function reports to the management, the Board of Directors and the Board’s Audit Committee regarding the financial performance of the company and its divisions.

The company uses a reporting system which compiles separate subsidiaries’ reports into the consolidated financial statements. There are written directives for completing the financial reports of subsidiaries. Compliance with these directives is monitored by the controller function. The company also has the necessary, separate reporting facilities for monitoring business operations and asset management.

The Group finance unit provides instructions for drawing up financial statements and interim financial statements, and compiles the consolidated financial statements. The finance unit has centralised control over the group’s funding and asset management, and is in charge of managing interest rate risk.

Internal risk control

As a general principle, authorisation is distributed in Digia in such a way that no individual may independently perform measures unbeknown to at least one other individual. For example, the company’s bookkeeping and asset management are managed by separate persons, and two authorised persons are needed to sign on behalf of the company.

The Group’s business is divided into business units lead by Senior Vice Presidents (SVPs) reporting to the CEO. Reporting and supervision are based on annual budgets that are reviewed monthly, on monthly income reporting and on updates of the latest forecasts.

The SVPs in charge of the divisions report to the Group Management Team on development matters, strategic and annual planning, business and income monitoring, investments, potential acquisition targets and internal organisation matters related to their areas of responsibility. Each division has its own management team.

Digia’s operational management and supervision take place according to the corporate governance system described above.

The Group’s administration unit is in charge of HR management and policy, as well as properties and the viability of working conditions in each facility. The legal affairs unit provides instructions for and monitors contracts made by the company and ensures the legality of the Group’s operations.

Financial Control Environment

Communications

The Group’s General Counsel is in charge of the company’s external communications and their correctness. External communications include financial reports and other stock exchange communications. The General Counsel is responsible for the publication of interim reports and financial statements, as well as for actions related to convening and holding Shareholders’ Meetings. Most communications take place through the company’s website and using stock exchange releases.

Risk management

The purpose of the company’s risk management process is to identify and manage risks in such a way that the company is able to meet its strategic and financial targets. Risk management is a continuous process, by which the major risks are identified, listed and assessed, the key persons in charge of risk management are appointed and risks are prioritised according to an assessment scale in order to compare the effects and mutual significance of risks.

The main operational risks handled by Digia’s risk management function are customer risk, personnel risk, project risk, data security risk, IPR risk and goodwill risk.

The company manages customer risk by actively developing its customer portfolio structure and avoiding any potential risk positions. Personnel risks are actively assessed and managed using a goal and development discussion process for key personnel. To improve personnel commitment, the company strives to improve the efficiency of internal communications systematically, using regular personnel events and increasing the visibility of management. Key project audits are carried out with a view to enhancing project risk management and securing the success of project deliveries to customers. In addition, the Group’s certified quality systems are regularly evaluated and the Group has increased the efficiency of its project delivery reporting practices in relation to corporate governance and finance. Data security risk is managed through data security audits and continuous development of working models, security practices and processes. Risks associated with the integration of businesses, shared operating models and best practices, as well as their integrated development, are managed according to plan under the supervision of the Group Management Team. Risks typical to software business, especially to international product business, relating to appropriate protection of company’s own IPRs and violation of IPRs of third parties are managed through extensive internal policies, standard contracts and appropriate follow-up and analysis. With respect to IFRS-compliant accounting policies, the Group actively monitors goodwill and the related impairment tests, as part of prudent and proactive risk management practices within financial management.

In addition to operational risks, the company is subject to financial risks. Digia Plc’s internal and external financing and the management of financial risks are coordinated by the finance function of the Group’s parent company. This function is responsible for the Group’s liquidity, sufficiency of financing, and the management of interest rate and currency risk. The Group is exposed to several financial risks during the normal course of its business. The objective of the Group’s risk management is to minimise the adverse effects of changes in the financial markets on the Group’s earnings. The primary types of financial risks are interest rate risk, credit risk and funding risk. The general principles of risk management are approved by the Board of Directors, and the Group’s finance function is responsible for their practical implementation together with the business divisions.