Risk and opportunity management approach Main risk eventsMain risks and opportunitiesEmerging risks

Internal control framework

Senior management is accountable for the effectiveness of the internal control environment within their area of responsibility and are required to perform self-assessments on the design and operating effectiveness of our internal control environment. This is regularly measured and monitored by the Risk Management and Internal Control department (RMIC), and the results are discussed in the Internal Control Committee (ICC) meetings.

The ICC is composed of the CFO, the director Audit & Security, the director Group Finance, and the director Accounting & Reporting. The external auditor also attends the ICC meetings. The ICC met five times in 2023. Risk management and internal control reports are discussed with the Board of Management and the Audit Committee of the Supervisory Board. As part of this process, management is required to follow up on risks deemed to be inadequately mitigated by internal controls. In some cases, this may require additional actions, including performing and evaluating compensating controls and activities, to reduce the risks of a misstatement in the financial and non-financial reporting.

In 2023, we continued to invest in improving the design and effectiveness of our internal controls related to both financial and non-financial reporting, aiming for a good balance between preventive and detective controls. We are satisfied that the number of IT-related controls we can rely on increased in 2023. These relate to application controls, interface controls, and IT-dependent manual controls. In 2024, we will extend the use of IT-related controls to other risk processes for a more robust and mature internal control framework. In addition, the implementation of SAP4Hana, an ERP system, will influence numerous IT automated controls in our IC framework. RMIC will collaborate with the business to evaluate the need for new controls and the implications of these changes on the existing automated control design.

We have conducted comprehensive maintenance activities as part of our ongoing commitment to enhancing our privacy framework, initially implemented in 2018. These activities included a baseline assessment by management to ensure the accuracy and completeness of the processing activities recorded in our central OneTrust register. Additionally, for high-risk processing activities, we conducted a Data Protection Impact Assessment (DPIA). In 2024, we will continue to refine and optimise our privacy framework.

For 2024, our key focus will be on implementing CSRD which may require new or revised internal controls. We will continue to optimise the existing controls related to the identified material topics, their associated (K)PIs and other disclosures that are required under the ESRS standards.

Next Previous