Internal Control Training Materials


INTERNAL CONTROL

General training for Finance Operational Centers (FOCs)


Contents
1. Training objectives
2. Introduction to Internal Control
3. Internal Control at SKF
4. SKF Internal Control Standards (SICS)
5. SICS and you!
6. Q&A Session
1. TRAINING OBJECTIVES
Learning objectives

After completing this training, you should be able to:

✓ Understand basic internal control concepts

✓ Be conscious of the SKF Internal Control Standard (SICS) and its implications

✓ Have knowledge of the various resources and supports available to enable you in ensuring SICS is a success!
2. INTRODUCTION TO INTERNAL CONTROL
Introduction
Controls are all around us and are embedded in our day-to-day life. Often, they are so integrated in our routine
we don't even realize they are controls.
Can you think of any controls in your daily life?

Speed limits and traffic signs are put up to ensure people drive safely and in line with regulations.

When performing a payment, you might have to show ID to confirm that the card is yours and/or enter a PIN code to authorize the transaction.

Traffic cameras or surveillance cameras are installed to monitor that people comply with laws and don't commit any illegal actions (such as drive over the speed limit or steal anything from a store, for example).

Prior to making a purchase, perhaps you compare the price of the product at several stores or compare brands before you make your purchase.

All of these are just some examples of controls or control activities in our day to day lives, but there are many more!

Note: In some cases, the controls take place before the transaction and are meant to prevent a risk from materializing (such as speed limits and rules being
established to avoid accidents caused by reckless driving). Alternatively, some controls are put in place to monitor that the "preventive" controls are
followed. In other words, they are meant to detect irregular transactions. An example of a "detective" control could be traffic controls to check for people
driving under the influence or when an invoice is reviewed prior to payment, ensuring that the amount invoiced is correct.
Risks and controls – Putting theory into practice…
Controls are defined and put in place in response to risks. This means that before controls are established, an analysis was performed to identify and evaluate the risks affecting the organization.

At SKF, the risk assessment is performed by Management. An example of one of the risks identified during the assessment is that "unauthorized payments are made".

Why is it a risk for payments to be unauthorized?
• The amount being paid could be inaccurate or inappropriate, for example, causing us to overpay or pay the wrong amount.
• Also, it could be a fraudulent transaction (payment for non-existent goods or services).

How is this risk managed?
As part of the SICS Framework, control activities were designed and implemented in the organization to address this risk.

Examples of SICS controls mitigating the risk of unauthorized payments include:
• Changes to the item master file (price lists) are logged and approved.
• All purchase orders, delivery plans and order points are approved.
• Controls exist to ensure that purchase order, receiving report and invoice entries are matched (3-way match).
• All invoices must be approved by an authorized person, different from the requester, before payment.
• All supplier payments must be approved.
What types of controls are there?
Controls come in various forms...

Entity Level Controls (ELCs)
• Influence the whole organization (entity) and do not focus on one specific transaction.
• Examples include:
  • Code of Conduct,
  • Authorization Matrix,
  • Finance Competence,
  • Segregation of Duties,
  • HR policies…

Transaction Level Controls
• Transaction level controls generally refer to “control activities” in specific processes
• Examples include:
  • Journal entry review and approval prior to posting,
  • Checks to ensure payment runs have been reviewed and approved per the Authorization Matrix,…
Communication of responsibilities
Based on the risk assessment performed, it is decided what controls need to be put in place. For this, the relevant manager responsible for the process (“Process Responsible”) needs to be informed about the new control.

The Process Responsible then:

✓ Assigns an appropriate individual to perform the control (“Control Owner”)
✓ Informs and trains the Control Owner on the control requirements
✓ Monitors that the control is performed appropriately

Clear and timely communication is important for effective controls.


Monitoring of controls
In addition to making sure control requirements are properly
communicated, internal control systems also need to be monitored – a
process that assesses the quality of the system’s performance over time.

• Monitoring of controls should be on-going and specific.

• Any weaknesses or improvements noted should be communicated to the appropriate stakeholders and corrected. This helps strengthen the internal control system.

Monitoring is not only the responsibility of Internal Control, Internal Audit and External Auditors. Each Process Responsible should monitor that:

• All applicable controls within their local process have been assigned a Control Owner
• The Control Owner is performing the controls appropriately and in a timely manner
3. INTERNAL CONTROL AT SKF
Why is internal control important?
The obvious parts:
• Compliance with laws and regulations
• Ensure correct financial reporting
• Minimizing risks and safeguarding of assets

…and other benefits are:


• Improved operational performance through efficiency
• Process governance and control
• System authorization control
What is the role of SKF’s Internal Control function?

• Maintain SICS (SKF Internal Control Standard)
• Drive activities to improve efficiency in the areas of internal control at SKF
• Work closely together with the Global Process Owner and organization to ensure and support that adequate internal controls are integrated in the global standardized processes
• Support and verify that controls are implemented locally and that control owners are assigned and duly trained
• Verify that open issues from previous audits/testing are being addressed.
4. SKF INTERNAL CONTROL STANDARD (SICS)
SKF Internal Control Standard (SICS) (1)
What is SICS?

• SICS is a part of SKF's system for corporate governance and must be seen together with other Group policies and
instructions.
• Its objective is to assure that a basic and consistent system of internal control is maintained throughout the SKF
Group.
• It is applicable to all Regions, Sub-regions, Legal Units, Operating Units, Finance Operations Centres including
outsourced functions, as well as all other functions within the SKF Group.

What is its purpose?


SICS is designed to provide reasonable minimum assurance regarding:
• Safeguarding of assets
• Reliability of financial information
• Compliance with laws and regulations
SKF Internal Control Standard (SICS) (2)
What does SICS cover?

The controls described in SICS are primarily focused on financial internal control, covering
processes such as Accounting & Reporting (including R2R), Purchasing (including P2P), Sales
(including O2C), and HR-Payroll, among others.

Control over areas such as production quality, environment, health & safety, research &
development and other areas are not covered. Refer to other Group policies and instructions for guidance.

Process Responsibles and Control Owners in each of the areas are responsible for the
documentation and performance of those controls that are or should be performed (regardless of
whether or not they are included in SICS).

IT controls are covered by SICS; however, they are the responsibility of the SKF IT Function.
(Examples of IT controls: system changes, computer operations, access management).
How is the SICS structured?

SKF Internal Control Standard (SICS)
• Entity Level Controls (ELCs)
• Transaction Level Controls
• IT Controls*

*IT Control Framework is the responsibility of SKF IT. For guidance, refer to the IT Audit Communication Site.
SKF ELC in a nutshell – “7 good habits”
Make sure that:

✓ The Code of Conduct is communicated as a “living” document (Spider 365)

✓ The Authorization Policy is updated and communicated to everyone concerned

✓ Duties and responsibilities are communicated clearly and understood

✓ Personnel is provided with regular & relevant training

✓ There is an effective Segregation of Duties (SoD) - not only on paper

✓ Management sets the good examples!

✓ There is a culture of open discussions, transparency and trust

Reminder: ELCs are controls that influence the entire entity and not just a specific transaction, such as the Code of Conduct, Authorization Matrix or Policies.
SKF Transaction Level Controls
As part of SICS, Transaction Level Controls are mapped to the corresponding business process to which they belong.

| Process Name | You might also hear it be referred to as… | Abbreviations |
|---|---|---|
| Accounting & Reporting | Central Accounting & Reporting / Local Accounting & Reporting; Record to Report | CAR / LAR; R2R (or RTR) |
| Revenue | Order to Cash | LRE; O2C (or OTC) |
| Procurement | Purchase to Pay | LAP; P2P (or PTP) |
| Internal Trade | Central Internal Trade / Local Internal Trade; Intercompany Transactions | CIN / LIN |
| Treasury | Central Treasury / Local Treasury | CTR / LTR |
| Manufacturing & Fixed Assets | Manufacturing | LMF |
| Payroll | - | LPA |
How is SICS evaluated and monitored?
In addition to the on-going monitoring by Operations (Process Responsibles, managers,…), SICS is also assessed through:

• Control Testing, either performed by IC Team or through Self-Assessment Questionnaires, with the main purpose of supporting the Operations to improve their internal control system.
• Follow-up of issues, both new issues as a result of current period monitoring activities as well as open issues from prior periods
• Regular reporting to stakeholders over results of control testing, issue remediation status as well as overall SICS adherence

The Audit Committee of the SKF Board of Directors and Group Compliance & Assurance, including the Internal Control function, will monitor the adherence to the standards throughout the SKF organisation.
5. SICS AND YOU!
What is your role in SICS?

• Process flows are rarely isolated to a single team/location.
• Transactions flow between various locations and all areas must play their part to maintain proper controls.
• Internal controls must span the entire process, start to end and will only be as strong as the weakest link in the chain.
How does SICS affect you?

Control Ownership @ the Legal Unit
• Legal Units will continue to be responsible for certain control activities that do not transfer to the FOC.
• Despite the transfer of activities, it is expected that the controls are in place and functioning.
• Control documentation supporting activities performed must be duly archived and be available for testing.

Control Ownership @ the FOC
• As part of the transfer of activities to the FOC, certain control activities also shift from the local team to the FOC.
• After stabilization phase of the transfer, it is expected that the control is in place and functioning.
• Control documentation supporting activities performed must be duly archived and be available for testing.

Key role in upholding SICS
• Even if a control activity doesn’t fall under your ownership, we all must do our part to ensure that controls are properly in place.
• For example: verifying at the FOC that a transaction was approved by authorized personnel and rejecting the transaction, if needed.
• For example: ensuring transactions are approved per the corresponding Authorization Policy prior to submitting the transaction to the FOC/SSC for processing, even if the FOC/SSC checks its appropriateness.

Issue Remediation
• The Issue Coordinators (defaulted to the Process Responsible) are responsible for remediating issues assigned to them, this includes defining a remediation plan and ensuring it is carried out.
• Issue remediation includes both open issues from prior periods as well as any future issues noted.
• Remediation may require collaboration between Legal Units, FOC and/or SSC.
What is a “Process Responsible”, “Control Owner” and “Issue Coordinator”?
Process Responsible
• Local responsible for ensuring the process is carried out per global process flowcharts and narratives (for example: Process Delivery Manager)
• Ensures and monitors that all necessary internal controls are in place, functioning effectively and have been assigned to an appropriate Control Owner.
• Communicates expectations to Control Owners and ensures they receive necessary training to perform the control satisfactorily.
• Performs sign-off of adherence with process and controls – when requested.

Control Owner
• Performs the control execution
• Stores control evidence in a structured way (SharePoint etc. or in system), ensuring it is available when needed

Issue Coordinator
• The role is defaulted to Process Responsible (see above) but can be delegated by the Process Responsible to a different person.
• Responsible for leading and monitoring issue remediation efforts, ensuring:
o An appropriate action plan has been defined and implemented
o A reasonable completion date has been set for the action plan to be resolved
o The plan is monitored and adjusted until the issue is remediated
What type of documentation shall be retained?

The control documentation retained shall allow an independent reviewer (i.e., a manager
or Internal Control) to verify the control.

• What information/reports were used to perform the control?
• Was the completeness and accuracy of the information verified? How?
• What did the preparer review and how did they identify what needed follow-up?
• Is there evidence of any follow-up/additional inquiries performed?
• Did the reviewer (for example, a manager) verify that the control was performed correctly and on time? What did they review?
• What was concluded as part of the review?
• Did the preparer and reviewer sign-off on the control?
Where can I see who is responsible for each activity?
Spider > Group Finance Site

RACI Matrix shows the overall roles and responsibilities of different departments, including the FOC, Shared Service Center (Cap Gemini) and other SKF functions for different processes.

R = Responsible / A = Accountable / C = Contribute / I = Informed

Process narrative and flowchart documents reflect the detailed procedures required for different processes. Controls are validated and pointed out in Process Narrative and Flowchart.

Tip: From the Group Finance Site, you are also able to access SKF Group Finance Policies and Instructions as well as training resources archived within the Finance Academy. For non-finance policies and guidance, refer to SKF Group Policies and Instructions.

Links: The most recent version of the RACI Matrix and Global Process Documentation can be found in Spider, within the Homepage of the Group Finance Site. From there, you are redirected to the Code Master for the most up to date RACI Matrix as well as the Global Finance Operations & Development site for the most recent Process Documentation.
Where can I find SICS guidance or a list of all SICS controls?

Information and supports regarding SICS can be found in the Internal Control section of the Group Compliance & Assurance Communication Site on Spider.

Spider > Group Compliance & Assurance Communication Site > Internal Control

It should be noted however, that Process and Control Owner should refer to the GRC Tool for the most up to date control information (ownership, descriptions, issue management,…).

Note: The GRC Tool is used by SKF to manage the SICS and
for the reporting and follow up of the Internal and
External Audits. GRC 5.0 is in final development stages and
due to be deployed in 2021. User enablement trainings will
be provided for this updated version.
How will I know if there are any changes to SICS?

Changes to SICS are communicated through various channels:

• Internal Control Communication Site (Group C&A Communication Site)
• Townhall meetings **
• Finance Newsletters & Communications*
• Email notifications sent via GRC tool (Coming soon!)

*To receive these newsletters and GCA notifications, make sure you are listed as part of the Finance community in your GADD Profile!

** The recorded Townhall sessions and their corresponding decks can be found within the Group Finance Communication Site on Spider.
When should I turn to the Internal Control team for support?
Here are some scenarios illustrating when you should reach out to your local Internal Control contact…

• As part of my day-to-day, I notice that a control activity in SICS is not performed as described. What should I do to address this?
• The process has changed and the control in SICS no longer makes sense. What should I do?
• I have questions about the control activity I am responsible for…
• I think there’s a way to optimize/improve the control activity and related documentation…

Maintaining an effective internal control environment requires the participation of the entire organization.

SICS is a dynamic framework that must evolve with the company. As a Process Responsible or Control Owner, your feedback is invaluable.

If you see something that isn’t functioning correctly or as defined, discuss your concerns with your manager and/or local Internal Control contact.

Only TOGETHER can we ensure the strength of SKF SICS.
6. Q&A SESSION
Time for questions…
In case of any further questions, feel free to reach out to your local Internal Control contact:

EMEA:
• Internal Control Manager North Europe – Sally Sharpe
• Internal Control Manager East Europe & MEA – Pawel Podgorski
• Internal Control Managers Central Europe – Pawel Podgorski/Patricia Mehls
• Internal Control Manager South Europe – Marisa Castro

Americas:
• Regional Internal Control Manager North America – Ariel Morón
• Internal Control Manager Americas – Jennifer Foulke
• Internal Control Manager Latin America – Gabriela Pacifico

Asia:
• Internal Control Manager NEA – Anna Zheng
• Internal Control Manager ISEA – Anagha Godse
