Professional Documents
Culture Documents
ICF Manual 2014
ICF Manual 2014
ICF Manual 2014
Framework
Introduction 3
1. Internal Control Framework 4
2. ICF steps 6
3. 2014 Reporting process 9
4. ICF 3.0 11
5. Roles and Responsibilities 12
6. ICF Tooling 13
7. Useful information 15
2
Introduction
Background
Enclosed are the instructions of Friesland Campina’s Internal Control
Framework (ICF). These instructions cover the most important procedures,
responsibilities, timing and other relevant aspects relating to the ICF in 2014.
These instructions are issued by the Internal Control Competence Centre
(ICC Centre), which falls under the responsibility of Enterprise Risk
Management (ERM).
Important Notice
Please make sure that these instructions are distributed to all employees in
your organization involved in the ICF process and that they are fully
understood and followed.
Questions
In case of questions about the content of these instructions, please do not
hesitate to contact the ICC Centre (ICFCorp@FrieslandCampina.com) or
your Business Group Risk & Control Manager.
3
1. Internal Control Framework
FrieslandCampina’s Internal Control Framework
(ICF) is important to ensure ourselves and key
stakeholders that relevant and effective controls in
business processes are in place.
ICF stands for Internal Control Framework. Internal controls are the measures put in place by
FrieslandCampina, to ensure its objectives are achieved. The objective of the ICF is to ensure
ourselves and key stakeholders that relevant and effective controls in business processes are in
place, so that the following risks remain within the agreed defined materiality or risk appetite:
Losses in money and goods flows: financial loss resulting from a physical loss,
obsolescence or misuse of assets (including products, materials and money), or
from a change in value of assets or liabilities. Missing opportunities is not regarded
as a financial loss.
Financial reporting risks: Risk of unintentional errors or omissions leading to
incomplete, inaccurate and/or untimely reporting of legally required financial
information to regulatory agencies.
Fraud: An intentional act of a person(s) employed or contracted, aimed at obtaining
illegal personal or company gains or aimed at deceiving financial statement users
through the misstatement of information, either by falsifying, omitting, adding or
removing data.
Breach of external (financial) laws or regulations: Failure to comply with
external (financial) laws or regulations, which may result in a financial or business
sanction or in a loss of reputation.
Breach of authorization policies: Failure to comply with authorization policies,
which may result in undesirable business transactions which are not being
authorized in line with company policy.
4
The risk appetite as mentioned on the previous page is the level of risk that FrieslandCampina is
prepared to accept. FrieslandCampina’s risk appetite for each organizational level is presented below:
Next to ensuring ourselves and key stakeholders that relevant and effective controls in business
processes are in place, ICF also serves as a basis for the Management Statement. FrieslandCampina
has committed itself to comply with the Dutch Corporate Governance Code (“Code Frijns”). This code
requires - amongst others - that FrieslandCampina’s management needs to assure that the controls
are working effectively. ICF is therefore necessary to support risk management and provide
reasonable assurance for the Management Statement as included in the Annual Report of
FrieslandCampina. The Management Statements as provided by the OpCo’s and BG’s serve as a
basis for the Executive Board Management Statement as included in the Annual Report of
FrieslandCampina.
5
2. ICF steps
The FrieslandCampina Internal Control Framework
implementation consist of four steps, which are
interrelated. These steps are: Risk assessment,
Control Selection, Control Assessment Design and
Self assessment. In this section the different steps
and the 2014 approach related to these steps are
explained.
Responsibilities
Under ICF 2.0 the control selection is performed
by the local entity. Usually this is done
simultaneously with the risk assessment. 2.2 Execution of self-assessments
On request the ICC Centre or the BG Risk &
Control Manager can support the control
selection process. The results are reviewed by Self-assessment is a systematic and periodic
BG Risk & Control Manager. review of internal controls as described by the
ICF entity. The self-assessment process allows
the entity to discern clearly its strengths and
Approach 2014 improvement areas. Action plans should be
No controls have been added to the ICF 2.0 made for these improvement areas.
framework for 2014, nor have any controls been
changed. The implications regarding ICF 3.0 Responsibilities
implementation are described in chapter four.
Self-assessments are performed by the local
entity. Name and function of the self-assessor
2.1.3 Control- and self-assessment is indicated in the control- and self-assessment
design design of each specific control. For the self-
assessments performed, both an internal review
The control- and self-assessment design as well as an independent review by CIA will be
describes how the ICF control is locally performed. Internal self-assessment reviews will
embedded and how it can be assessed be performed by the Local ICF Coordinators (if
independently to ensure the control worked applicable) and the BG Risk & Control
effectively during the assessment year. Managers. On request, the ICC Centre can
support these reviews on BG level.
Responsibilities
Under ICF 2.0 the control- and self-assessment Approach 2014
design is described by the local entity. All The 2014 ICF year will run from December 1st,
changes in control- and self-assessment 2013 until November 30, 2014 (12 months).
designs will be reviewed by the BG Risk & This will mean that December 2013 will be
Control Manager. included in the 2014 self-assessments and that
December 2014 will be included in the 2015
self-assessments.
Approach 2014
Please note that changes to control- and
assessment designs will only be processed by In 2014, no changes will be made to the self-
the ICAT helpdesk if these have been approved assessment approach compared to 2013.
by BG Risk & Control Managers.
Finally, it’s important to stress that – once a 2.3 Periodic reporting on control
self-assessment has been documented – iCAT implementation and self-
doesn’t allow any changes to be made to the assessments
control- and self-assessment (other than
changes in the control owner and self-assessor)
during the ICF year. ICF reporting (including the progress and
The implications regarding ICF 3.0 outcomes of the ICF process, follow-up on
implementation are described in chapter four. action plans and the outcomes of the SA quality
review) takes place on a quarterly basis.
7
Responsibilities
Responsibilities
The self-assessor is responsible for the
Local ICF entities are required to report on their
preparation of an action plan in iCAT.
ICF process on a quarterly basis to the BG Risk
& Control Managers. The BG Risk & Control In the action plan an action owner should be
Managers will compile these reports into a assigned. The action owner will be resonsible
consolidated report on BG level which should for the actual implementation of the action plan.
be submitted to the ICC Centre. The ICC Centre In the quarterly ICF reporting, the Local ICF
prepares a consolidated report on Friesland Coordinator will have to report on the progress
Campina level. Both the local, as well as the of implementing the action plans (refer to
consolidated BG reporting should be done by chapter three).
means of standard reporting templates, which
have been distributed by the ICC Centre. Approach 2014
Due to technical constraints, closing of action
plans in iCAT can only be done by the iCAT
Approach 2014 helpdesk. In case an action plan can be closed
The 2014 reporting process (including reporting in iCAT, the Local ICF Coordinator should send
calendar) is included in chapter three. a request to the iCAT helpdesk to close the
action plan. In the request not only the control
number, but also the year in which the action
plan was prepared should be included. Please
2.4 Monitor and follow-up of deficiencies note that only requests send by Local ICF
in Internal Control Coordinators (or BG Risk & Control Managers)
will be executed by the iCAT helpdesk.
For each not compliant and not compliant but
risk mitigated control an action plan needs to be
prepared in iCAT. The follow-up on these action
plans is included in the quarterly ICF reporting.
8
3. 2014 Reporting process
In 2014 (like in 2013), ICF entities are required to
report on the ICF progress and outcomes on a
quarterly basis. Next to this, Management
Statements will be required during HY and YE
reporting.
:
10
4. ICF 3.0
In the course of 2013, the ICF 3.0 project was
initiated. One of the main reasons for initiating
this project was to align and embed the ICF with
the standard Summit processes.
11
5. Roles and Responsibilities
Everyone in Friesland Campina has responsibility for internal
control to some extent. In the overview below the ICF
organizational structure is presented, which includes the roles
and responsibilities regarding the ICF within
FrieslandCampina.
12
6. ICF Tooling
The ICF is supported by iCAT (Internal Control Assessment
Tool). iCAT is a software tool especially designed for
FrieslandCampina to facilitate management in managing their
internal controls, based on the FrieslandCampina Internal
Control Framework, and supports documenting the results of
self-assessments.
6.1 iCAT
The Internal Control Framework is supported by iCAT.
In iCAT the local control- and assessment designs are approved and
made available for all users. The self-assessment results and supporting
evidence need to be uploaded in iCAT by the self-assessor. After
completion all documentation is available for review and sharing.
13
• Control and Self Assessment design status:
gives an overview of the complete control- and self-assessment
design details for the selected controls. This report is most useful
when exporting to Excel for further editing;
• User rights:
shows the users who have access to the database as well as their
roles;
• Overview control and self-assessment designs:
gives the totals for all databases, the number of controls in approved,
edit and evaluate status;
• Examples control and self-assessment designs:
report which allows users to view examples of control and self-
assessment designs for all databases the user is assigned to.
The iCAT helpdesk will assist users in for instance the following
circumstances:
• Granting, changing or removing access rights;
• Releasing approved controls;
• Un completing self-assessments;
• Closing action plans;
• All sorts of technical issues regarding iCAT.
The iCAT helpdesk will try to reply on all e-mails within 5 working days
(during reporting periods the iCAT helpdesk will try to reply within 2
working days).
14
7. Useful information
A lot of information (manuals, templates etc.) is available for
executing the different steps in ICF. In this chapter an overview
of the available information is presented.
Available information
The following ICF related information can be found on the Intranet site of the ERM department
(http://our.frieslandcampina.biz / disciplines / Enterprise Risk Management):
• Corporate Manual
• ICF Manual 2014
• ICF 2.0 Roadmaps
• ICF reporting template and ICF consolidation template
• iCAT Manuals (control owner, control assessor, reviewer and reporting)
• Self-assessment training
• Self-assessment template (to be used for documenting assessments)
• Self-assessment review guidelines and template (to be used for quality review of assessments)
• Frequently asked questions
Contact
Should you have any further questions, please contact:
15