The Board of Directors and Executive Management set out general requirements for business processes and internal controls. A number of policies are defined by Executive Management and approved by the Board of Directors, including:
A description of Novo Nordisk's overall policies, positions and values can be found in the section Novo Nordisk Way.
Responsibility for maintaining sufficient and effective internal controls and a risk management system in relation to financial reporting is anchored with Executive Management. Executive Management ensures the design and implementation of the controls considered necessary to mitigate risks identified in relation to the financial reporting process.
The Audit Committee appointed by the Board of Directors monitors on an ongoing basis the assessment of risk and the design and operating effectiveness of the implemented internal controls in connection with the financial reporting process.
The internal audit function, Group Internal Audit, reports to the Audit Committee. The internal audit function provides independent and objective assurance, primarily within internal control and governance.
The Audit Committee and Executive Management perform assessments of the risk exposure of Novo Nordisk, including the impact on the financial reporting and the financial reporting process. Quarterly, the Audit Committee have discussions with the CFO, Head of Finance, Head of Business Assurance, Head of Group Internal Audit, the external auditor and the General Counsel regarding:
The identified key risks in relation to the financial reporting are described in the statutory Annual Report for 2017 in the sections 'Novo Nordisk's key risks' and '1.1 Principal accounting policies and key accounting estimates'.
The internal control system, which is based on the COSO framework, includes clearly defined organisational roles and responsibilities, reporting requirements and authorities.
Novo Nordisk is in compliance with the Sarbanes–Oxley Act section 404, which requires detailed documentation of the design and operation of financial reporting processes. Novo Nordisk must ensure that there are no material weaknesses in the internal controls that could lead to a material misstatement in its financial reporting.
The company's conclusion and the auditor's evaluation of these processes are included in its Form 20-F filing to the US Securities and Exchange Commission (SEC).
Novo Nordisk operates with a common global IT system that ensures uniformity and transparency in the data used for financial reporting and controlling. Information and communication systems to ensure accounting and internal control compliance have been established, including an Accounting Manual, Internal Control requirements, a Budgeting Manual and other relevant guidelines. This information is available to all employees on the intranet.
Each month the Group's companies report financial data and comments on financial and commercial developments to the central accounting and controlling function. This information is used to prepare consolidated financial statements and reports for the Group's Executive Management. Financial reporting, including reporting from subsidiaries, is controlled on an ongoing basis. In connection with the preparation of the Annual Report, additional analysis and control activities are performed to ensure proper presentation in the Annual Report.
Tests of internal controls over financial reporting by Group Internal Audit and the external auditors, and Management's self-assessment of the controls, are conducted as part of compliance with the Sarbanes–Oxley Act section 404. The results are reported to the Audit Committee on a quarterly basis.