Internal Control

Framework

Issued January 2014

 Content

Introduction 3
1. Internal Control Framework 4
2. ICF steps 6
3. 2014 Reporting process 9
4. ICF 3.0 11
5. Roles and Responsibilities 12
6. ICF Tooling 13
7. Useful information 15

2
Introduction
Background
Enclosed are the instructions of Friesland Campina’s Internal Control
Framework (ICF). These instructions cover the most important procedures,
responsibilities, timing and other relevant aspects relating to the ICF in 2014.
These instructions are issued by the Internal Control Competence Centre
(ICC Centre), which falls under the responsibility of Enterprise Risk
Management (ERM).

Important Notice
Please make sure that these instructions are distributed to all employees in
your organization involved in the ICF process and that they are fully
understood and followed.

Questions
In case of questions about the content of these instructions, please do not
hesitate to contact the ICC Centre (ICFCorp@FrieslandCampina.com) or
your Business Group Risk & Control Manager.

3
 1. Internal Control Framework
FrieslandCampina’s Internal Control Framework
(ICF) is important to ensure ourselves and key
stakeholders that relevant and effective controls in
business processes are in place.

ICF stands for Internal Control Framework. Internal controls are the measures put in place by
FrieslandCampina, to ensure its objectives are achieved. The objective of the ICF is to ensure
ourselves and key stakeholders that relevant and effective controls in business processes are in
place, so that the following risks remain within the agreed defined materiality or risk appetite:
 Losses in money and goods flows: financial loss resulting from a physical loss,
obsolescence or misuse of assets (including products, materials and money), or
from a change in value of assets or liabilities. Missing opportunities is not regarded
as a financial loss.
 Financial reporting risks: Risk of unintentional errors or omissions leading to
incomplete, inaccurate and/or untimely reporting of legally required financial
information to regulatory agencies.
 Fraud: An intentional act of a person(s) employed or contracted, aimed at obtaining
illegal personal or company gains or aimed at deceiving financial statement users
through the misstatement of information, either by falsifying, omitting, adding or
removing data.
 Breach of external (financial) laws or regulations: Failure to comply with
external (financial) laws or regulations, which may result in a financial or business
sanction or in a loss of reputation.
 Breach of authorization policies: Failure to comply with authorization policies,
which may result in undesirable business transactions which are not being
authorized in line with company policy.

4
The risk appetite as mentioned on the previous page is the level of risk that FrieslandCampina is
prepared to accept. FrieslandCampina’s risk appetite for each organizational level is presented below:

Next to ensuring ourselves and key stakeholders that relevant and effective controls in business
processes are in place, ICF also serves as a basis for the Management Statement. FrieslandCampina
has committed itself to comply with the Dutch Corporate Governance Code (“Code Frijns”). This code
requires - amongst others - that FrieslandCampina’s management needs to assure that the controls
are working effectively. ICF is therefore necessary to support risk management and provide
reasonable assurance for the Management Statement as included in the Annual Report of
FrieslandCampina. The Management Statements as provided by the OpCo’s and BG’s serve as a
basis for the Executive Board Management Statement as included in the Annual Report of
FrieslandCampina.

5
2. ICF steps
The FrieslandCampina Internal Control Framework
implementation consist of four steps, which are
interrelated. These steps are: Risk assessment,
Control Selection, Control Assessment Design and
Self assessment. In this section the different steps
and the 2014 approach related to these steps are
explained.
2.1 Set up, maintain and improve
Internal Control
2.1.1 Risk Assessment
Under ICF 2.0 Risk Assessment is a process by
which high levels of risk are identified and rated
on probability and impact. As a result internal
controls should be put in place to mitigate the
risk.
Responsibilities
Under ICF 2.0 the risk assessment is performed
by the local entity. On request the ICC or the
BG Risk & Control Manager can support the risk
assessment during a risk session. The results of
the risk assessment are reviewed by the BG
Risk & Control Manager.
Approach 2014
The entities which have not yet implemented
ICF (newly acquired entities etc.) and
subsequently have to implement ICF in 2014
have been identified during meetings between
the ICC Centre and the BG Risk & Control
Managers. Implementation timelines for these
entities will be / have been agreed up-on with
the respective BG’s. In general, newly acquired
entities are required to implement ICF within 6
months after an audit has been performed by
CIA. For entities who have already implemented
ICF no separate risk assessments are required
in 2014. The implications regarding ICF 3.0
implementation on the risk assessment are
described in chapter four.
6
2.1.2 Control Selection
Under ICF 2.0 in the control selection step the
relevant controls are selected from the ICF
Roadmap by the local entity to mitigate the
identified risks.
Responsibilities
Under ICF 2.0 the control selection is performed
by the local entity. Usually this is done
simultaneously with the risk assessment.
On request the ICC Centre or the BG Risk &
Control Manager can support the control
selection process. The results are reviewed by
BG Risk & Control Manager.
Approach 2014
No controls have been added to the ICF 2.0
framework for 2014, nor have any controls been
changed. The implications regarding ICF 3.0
implementation are described in chapter four.
2.1.3 Control- and self-assessment
design
The control- and self-assessment design
describes how the ICF control is locally
embedded and how it can be assessed
independently to ensure the control worked
effectively during the assessment year.
Responsibilities
Under ICF 2.0 the control- and self-assessment
design is described by the local entity. All
changes in control- and self-assessment
designs will be reviewed by the BG Risk &
Control Manager.
Approach 2014
Please note that changes to control- and
assessment designs will only be processed by
the ICAT helpdesk if these have been approved
by BG Risk & Control Managers.
Finally, it’s important to stress that – once a
self-assessment has been documented – iCAT
doesn’t allow any changes to be made to the
control- and self-assessment (other than
changes in the control owner and self-assessor)
during the ICF year.
The implications regarding ICF 3.0
implementation are described in chapter four.
2.2 Execution of self-assessments
Self-assessment is a systematic and periodic
review of internal controls as described by the
ICF entity. The self-assessment process allows
the entity to discern clearly its strengths and
improvement areas. Action plans should be
made for these improvement areas.
Responsibilities
Self-assessments are performed by the local
entity. Name and function of the self-assessor
is indicated in the control- and self-assessment
design of each specific control. For the self-
assessments performed, both an internal review
as well as an independent review by CIA will be
performed. Internal self-assessment reviews will
be performed by the Local ICF Coordinators (if
applicable) and the BG Risk & Control
Managers. On request, the ICC Centre can
support these reviews on BG level.
Approach 2014
The 2014 ICF year will run from December 1st,
2013 until November 30, 2014 (12 months).
This will mean that December 2013 will be
included in the 2014 self-assessments and that
December 2014 will be included in the 2015
self-assessments.
In 2014, no changes will be made to the self-
assessment approach compared to 2013.
2.3 Periodic reporting on control
implementation and self-
assessments
ICF reporting (including the progress and
outcomes of the ICF process, follow-up on
action plans and the outcomes of the SA quality
review) takes place on a quarterly basis.
7

Responsibilities
Local ICF entities are required to report on their
ICF process on a quarterly basis to the BG Risk
& Control Managers. The BG Risk & Control
Managers will compile these reports into a
consolidated report on BG level which should
be submitted to the ICC Centre. The ICC Centre
prepares a consolidated report on Friesland
Campina level. Both the local, as well as the
consolidated BG reporting should be done by
means of standard reporting templates, which
have been distributed by the ICC Centre.
Approach 2014
The 2014 reporting process (including reporting
calendar) is included in chapter three.
2.4 Monitor and follow-up of deficiencies
in Internal Control
For each not compliant and not compliant but
risk mitigated control an action plan needs to be
prepared in iCAT. The follow-up on these action
plans is included in the quarterly ICF reporting.
Responsibilities
The self-assessor is responsible for the
preparation of an action plan in iCAT.
In the action plan an action owner should be
assigned. The action owner will be resonsible
for the actual implementation of the action plan.
In the quarterly ICF reporting, the Local ICF
Coordinator will have to report on the progress
of implementing the action plans (refer to
chapter three).
Approach 2014
Due to technical constraints, closing of action
plans in iCAT can only be done by the iCAT
helpdesk. In case an action plan can be closed
in iCAT, the Local ICF Coordinator should send
a request to the iCAT helpdesk to close the
action plan. In the request not only the control
number, but also the year in which the action
plan was prepared should be included. Please
note that only requests send by Local ICF
Coordinators (or BG Risk & Control Managers)
will be executed by the iCAT helpdesk.
8
 3. 2014 Reporting process
In 2014 (like in 2013), ICF entities are required to
report on the ICF progress and outcomes on a
quarterly basis. Next to this, Management
Statements will be required during HY and YE
reporting.

3.1 ICF Reporting Management Statements will have to be signed

ICF reporting will take place on a quarterly
basis. Local ICF entities are required to report
on the progress and outcomes of the ICF
process (including follow-up on action plans) as
well as the outcomes of the SA quality review to
their BG Risk & Control Managers, who will
compile these reports into a consolidated report
on BG level which should be submitted to the
ICC Centre. The ICC Centre prepares a
consolidated report including analysis, which is
presented to the Executive Board, CIA, the
External Auditor and the Audit Committee of
FrieslandCampina. Both the local, as well as the
consolidated BG reporting should be done by
means of standard reporting templates, which
have been distributed by the ICC Centre.
3.2 Management Statements
Management Statements (as well as exceptions
analyses) will be required only for HY- and YE
reporting. Therefore no Management
Statements are required for the Q1 and Q3
reporting.
Document to deliver to ICC
on OpCo and BG level. For the Management
Statement a protected Word version will be
distributed by the ICC Centre via the BG Risk &
Control Managers. The exceptions analysis
template (in which the potential impact of all not
compliant and not compliant but risk mitigated
MSC will be assessed) will be included in the
HY- and YE reporting template.
3.3 Reporting timetable
The reporting tables for 2014 are presented on
the next page. iCAT will be opened from
January 20th 2014 until December 24th, 2014
(as of which date iCAT will be closed). The
reporting dates will be evaluated after each
reporting period, and might therefore be subject
to (minor) changes during the year.
An overview of the reporting requirements per
quarter is presented below. The ICF reporting
calendars for Q1-Q3 2014 are presented on the
next page. Currently, the 2014 Q4 reporting
deadlines are not yet final. These will be
distributed in due time.
For every Entity For every BG

SA review template including

sample selection and quality X X
conclusion
Status Report
X X
Every Quarter
Action plan (included in status
report template)
X X

Exception Analysis (included in

status report template)
X X

Extra for Q2 and Q4

Signed Management Statement
X X
9

 
:

10
4. ICF 3.0
In the course of 2013, the ICF 3.0 project was
initiated. One of the main reasons for initiating
this project was to align and embed the ICF with
the standard Summit processes.

4.1 Introduction 4.3 Implications for 2014 – OpCo’s

In the course of 2013, the ICF 3.0 project was
initiated. The main reason for initiating this
project was to align the ICF with the standard
Summit processes. The most significant
changes of ICF 3.0 compared to the current ICF
are:
 ICF will be fully aligned with
Summit processes;
 ICF 3.0 will make use of
standardized control- and
assessment designs. This will
imply that all entities will
implement similar control- and
assessment designs;
During 2014, the following entities are
scheduled to implement ICF 3.0:
 Entities scheduled to implement
Summit in 2014;
 Entities which have implemented
Summit prior to 2014 (retrofits).
Currently the ICF 3.0 set is being finalized. The
ICC Centre is in close contact with all the above
entities regarding the timelines and procedures
regarding the implementation of ICF 3.0. In
2014, none of the other entities are required to
implement ICF 3.0. For these entities, the
current set of controls will remain applicable.

 Selection method of controls which

need to be implemented will be
process-based. This implies that
all controls for processes in place
will have to be implemented
mandatory.
 ICF 3.0 will make more use of
automated controls.

4.2 Implications for 2014 – Corporate

Departments
Corporate Departments will implement the ICF
3.0 controls relevant for their departments in
Q1, 2014. With each Corporate Department,
specific meetings have been / will be set-up in
which the implementation of the ICF 3.0
controls will be discussed.

11
5. Roles and Responsibilities
Everyone in Friesland Campina has responsibility for internal
control to some extent. In the overview below the ICF
organizational structure is presented, which includes the roles
and responsibilities regarding the ICF within
FrieslandCampina.

12
6. ICF Tooling
The ICF is supported by iCAT (Internal Control Assessment
Tool). iCAT is a software tool especially designed for
FrieslandCampina to facilitate management in managing their
internal controls, based on the FrieslandCampina Internal
Control Framework, and supports documenting the results of
self-assessments.

6.1 iCAT
The Internal Control Framework is supported by iCAT.
In iCAT the local control- and assessment designs are approved and
made available for all users. The self-assessment results and supporting
evidence need to be uploaded in iCAT by the self-assessor. After
completion all documentation is available for review and sharing.

6.2 Roles in iCAT

In iCAT several roles are designed to support the Internal Control
Process, namely Control Owner, Control Assessor, Reviewer, Reader,
Internal (CIA) and External (external auditors).
For the Self assessment design in iCAT following roles are relevant:
(1) The Control owner is responsible for performing the control activity;
(2) The Control Assessor is responsible for checking the existence and
proper working of the internal controls by performing self-
assessments and documenting these in iCAT.
For every control in iCAT, a Control Owner and a Control Assessor need
to be assigned.

6.3 Reports in iCAT

In iCAT several reports are available to support the monitoring of the
Internal Control Framework, namely:
• Action Plans:
an overview of all action plans prepared per iCAT database;
• My Outstanding Tasks:
an overview of all uncompleted activities assigned to the user in
iCAT;
• Design Form Status:
a list stating per database which controls are in the approved,
evaluate or edit status as well as which employees are assigned as
Control Owner and Self assessor to these controls;
• Assessment Status:
provides a summarized overview of the conclusion of the performed
self-assessments;
• Design Form Detail:
gives the total number of controls in approved, edit and evaluate
status;

13
• Control and Self Assessment design status:
gives an overview of the complete control- and self-assessment
design details for the selected controls. This report is most useful
when exporting to Excel for further editing;
• User rights:
shows the users who have access to the database as well as their
roles;
• Overview control and self-assessment designs:
gives the totals for all databases, the number of controls in approved,
edit and evaluate status;
• Examples control and self-assessment designs:
report which allows users to view examples of control and self-
assessment designs for all databases the user is assigned to.

6.4 iCAT helpdesk

The ICC Centre provides support to iCAT users. In case of iCAT related
questions or technical problems, users can contact the iCAT helpdesk
by sending an e-mail to: ICAT@frieslandcampina.com. In order to be
able to answer all questions as efficient and effective as possible, users
are requested to address all questions to the iCAT helpdesk, and not to
individual ICC Centre team members.

The iCAT helpdesk will assist users in for instance the following
circumstances:
• Granting, changing or removing access rights;
• Releasing approved controls;
• Un completing self-assessments;
• Closing action plans;
• All sorts of technical issues regarding iCAT.

The iCAT helpdesk will try to reply on all e-mails within 5 working days
(during reporting periods the iCAT helpdesk will try to reply within 2
working days).

14
7. Useful information
A lot of information (manuals, templates etc.) is available for
executing the different steps in ICF. In this chapter an overview
of the available information is presented.

Available information
The following ICF related information can be found on the Intranet site of the ERM department
(http://our.frieslandcampina.biz / disciplines / Enterprise Risk Management):
• Corporate Manual
• ICF Manual 2014
• ICF 2.0 Roadmaps
• ICF reporting template and ICF consolidation template
• iCAT Manuals (control owner, control assessor, reviewer and reporting)
• Self-assessment training
• Self-assessment template (to be used for documenting assessments)
• Self-assessment review guidelines and template (to be used for quality review of assessments)
• Frequently asked questions

Contact
Should you have any further questions, please contact:

ICC Centre: ICFCorp@Frieslandcampina.com

iCAT helpdesk: iCAT@frieslandcampina.com

or contact your BG Risk & Control Manager or Local ICF Coordinator

15