INTERNAL CONTROL

General training
Contents
1. Training objectives
2. Introduction to Internal Control
3. Internal Control at SKF
4. SKF Internal Control Standards (SICS)
5. SICS and you!
6. Q&A Session
1. TRAINING OBJECTIVES
Learning objectives

After completing this training, you should be able to:

✓ Understand basic internal control concepts

✓ Be conscious of the SKF Internal Control

Standard (SICS) and its implications

✓ Have knowledge of the various resources and

supports available to enable you in ensuring
SICS is a success!
2. INTRODUCTION TO INTERNAL CONTROL
Introduction
Controls are all around us and are embedded in our day-to-day life. Often, they are so integrated in our routine
we don't even realize they are controls.
Can you think of any controls in your daily life?

Speed limits and traffic signs are put up to ensure people When performing a payment, you might have to show ID
drive safely and in line with regulations. to confirm that the card is yours and/or enter a PIN code
to authorize the transaction.

Traffic cameras or surveillance cameras are installed to Prior to making a purchase, perhaps you compare the
monitor that people comply with laws and don't commit price of the product at several stores or compare brands
any illegal actions (such as drive over the speed limit or before you make your purchase.
steal anything from a store, for example).

All of these are just some examples of controls or control activities in our day to day lives, but there are many more!

Note: In some cases, the controls take place before the transaction and are meant to prevent a risk from materializing (such as speed limits and rules being
established to avoid accidents caused by reckless driving). Alternatively, some controls are put in place to monitor that the "preventive" controls are
followed. In other words, they are meant to detect irregular transactions. An example of a "detective" control could be traffic controls to check for people
driving under the influence or when an invoice is reviewed prior to payment, ensuring that the amount invoiced is correct.
Risks and controls – Putting theory into practice…
Controls are defined and put in place
in response to risks. This means that
before controls are established, an
analysis was performed to identify
and evaluate the risks affecting the
organization.
At SKF, the risk assessment is
performed by Management. An
example of one of the risks identified
during the assessment is
that "unauthorized payments are
made".
Why is it a risk for payments to be unauthorized?
• The amount being paid could be inaccurate or inappropriate, for example, causing
us to overpay or pay the wrong amount.
• Also, it could be a fraudulent transaction (payment for non-existent goods or
services).
How is this risk managed?
As part of the SICS Framework, control activities were designed and implemented in the
organization to address this risk.
Examples of SICS controls mitigating the risk of unauthorized payments include:
• Changes to the item master file (price lists) are logged and approved.
• All purchase orders, delivery plans and order points are approved.
• Controls exist to ensure that purchase order, receiving report and invoice entries
are matched (3-way match).
• All invoices must be approved by an authorized person, different from the
requester, before payment.
• All supplier payments must be approved.
What types of controls are there?
Controls come in various forms...
Entity Level Controls (ELCs)
• Influence the whole organization
(entity) and do not focus on one
specific transaction.
• Examples include:
• Code of Conduct,
• Authorization Matrix,
• Finance Competence,
• Segregation of Duties,
• HR policies…
Transaction Level Controls
• Transaction level controls generally
refer to “control activities” in specific
processes
• Examples include:
• Journal entry review and approval prior to
posting,
• Checks to ensure payment runs have been
reviewed and approved per the
Authorization Matrix,…
Communication of responsibilities
Based on the risk assessment performed, it is decided what controls need to be put in place. For this, the
relevant manager responsible for the process (”Process Responsible”) needs to be informed about the new
control.
The Process Responsible then:

✓ Assigns an appropriate individual to perform

the control (”Control Owner”)
✓ Informs and trains the Control Owner on the
control requirements
✓ Monitors that the control is performed
appropriately

Clear and timely communication is important for effective controls.

Monitoring of controls
In addition to making sure control requirements are properly
communicated, internal control systems also need to be monitored – a
process that assesses the quality of the system’s performance over time.

• Monitoring of controls should be on-going and specific.

• Any weaknesses or improvements noted, should be communicated to

the appropriate stakeholders and corrected. This helps strengthen the
internal control system.

Monitoring is not only responsibility of Internal Control, Internal Audit and External Auditors. Each Process
Responsible should monitor that:

• All applicable controls within their local process have been assigned a Control Owner
• The Control Owner is performing the controls appropriately and timely
3. INTERNAL CONTROL AT SKF
Why is internal control important?
The obvious parts:
• Compliance with laws and regulations
• Ensure correct financial reporting
• Minimizing risks and safeguarding of assets

…and other benefits are:

• Improved operational performance through efficiency
• Process governance and control
• System authorization control
What is the role of SKF’s Internal Control function?

Maintain SICS (SKF Drive activities to improve

Work closely together with the Global Process
Internal Control efficiency in the areas of
Owners and organization to ensure and support
Standard) internal control at SKF
that adequate internal controls are integrated in
the global standardized processes

Support and verify that controls are implemented

locally and that control owners are assigned and
Verify that open issues from previous
duly trained
audits/testing are being addressed.
4. SKF INTERNAL CONTROL STANDARD (SICS)
SKF Internal Control Standard (SICS) (1)
What is SICS?

• SICS is a part of SKF's system for corporate governance and must be seen together with other Group policies and
instructions.
• Its objective is to assure that a basic and consistent system of internal control is maintained throughout the SKF
Group.
• It is applicable to all Regions, Sub-regions, Legal Units, Operating Units, Finance Operations Centres including
outsourced functions, as well as all other functions within the SKF Group.

What is its purpose?

SICS is designed to provide reasonable minimum assurance regarding:
• Safeguarding of assets
• Reliability of financial information
• Compliance with laws and regulations
SKF Internal Control Standard (SICS) (2)
What does SICS cover?

The controls described in SICS are primarily focused on financial internal control, covering
processes such as Accounting & Reporting (including R2R), Purchasing (including P2P), Sales
(including O2C), and HR-Payroll, among others.

Control over areas such as production quality, environment, health & safety, research &
development and other areas are not covered. Refer to other Group policies and instructions for guidance.

Process Responsibles and Control Owners in each of the areas are responsible for the
documentation and performance of those controls that are or should be performed (regardless of
whether or not they are included in SICS).

IT controls are covered by SICS; however, they are responsibility of the SKF IT Function.
(Examples of IT controls: system changes, computer operations, access management).
How is the SICS structured?

SKF Internal
Control Standard
(SICS)

Entity Level Transaction Level

IT Controls
Controls (ELCs) Controls

*IT Control Framework is

responsibility of SKF IT. For
guidance, refer to the IT Audit
Communication Site.
SKF ELC in a nutshell – “7 good habits”
Make sure that:

✓ The Code of Conduct is communicated as a “living” document (Spider 365)

✓ The Authorization Policy is updated and communicated to everyone concerned

✓ Duties and responsibilities are communicated clearly and understood

✓ Personnel is provided with regular & relevant training

✓ There is an effective Segregation of Duties (SoD) - not only on paper

✓ Management sets the good examples!

✓ There is a culture of open discussions, transparency and trust Reminder: ELCs are controls that influence the
entire entity and not just a specific transaction,
such as the Code of Conduct, Authorization
Matrix or Policies.
SKF Transaction Level Controls
As part of SICS, Transaction Process Name You might also hear it be referred to as… Abbreviations
Level Controls are mapped Accounting & • Central Accounting & Reporting / Local • CAR / LAR
to the corresponding Reporting Accounting & Reporting • R2R (or RTR)
• Record to Report
business process to which
Revenue • Order to Cash • LRE
they belong.
• O2C (or OTC)
Procurement • Purchase to Pay • LAP
• P2P (or PTP)
Internal Trade • Central Internal Trade / Local Internal • CIN / LIN
Trade
• Intercompany Transactions
Treasury • Central Treasury / Local Treasury • CTR / LTR
Manufacturing & • Manufacturing • LMF
Fixed Assets
Payroll - • LPA
How is SICS evaluated and monitored?
In addition to the on-going monitoring by Operations (Process Responsibles, managers,…), SICS is
also assessed through:
Control Testing, either performed by IC Team or through Self-
Assessment Questionnaires, with the main purpose of
supporting the Operations to improve their internal control
system.
The Audit Committee of the
SKF Board of Directors and
Group Compliance &
Follow-up of issues, both new issues as a result of current
Assurance, including the
period monitoring activities as well as open issues from
prior periods Internal Control function, will
monitor the adherence to the
standards throughout the SKF
organisation.
Regular reporting to stakeholders over results of control
testing, issue remediation status as well as overall SICS
adherence
5. SICS AND YOU!
What is your role in SICS?

• Process flows are rarely

isolated to a single
team/location.
• Transactions flow between
various locations and all areas
must play their part to
maintain proper controls.
• Internal controls must span
the entire process, start to
end and will only be as strong
as the weakest link in the
chain.
How does SICS affect you?
Control Ownership @ the
Legal Unit
• Legal Units will continue to be
responsible for certain control
activities that do not transfer to
the FOC.
• Despite the transfer of activities,
it is expected that the controls
are in place and functioning.
• Control documentation
supporting activities performed
must be duly archived and be
available for testing.
Control Ownership @ the
FOC
• As part of the transfer of
activities to the FOC, certain
control activities also shift from
the local team to the FOC.
• After stabilization phase of the
transfer, it is expected that the
control is in place and
functioning.
• Control documentation
supporting activities performed
must be duly archived and be
available for testing.
Key role in upholding SICS
• Even if a control activity doesn’t
fall under your ownership, we all
must do our part to ensure that
controls are properly in place.
• For example: verifying at the
FOC that a transaction was
approved by authorized
personnel and rejecting the
transaction, if needed.
• For example: ensuring
transactions are approved per
the corresponding Authorization
Policy prior to submitting the
transaction to the FOC/SSC for
processing, even if the FOC/SSC
checks its appropriateness.
Issue Remediation
• The Issue Coordinators
(defaulted to the Process
Responsible) are responsible for
remediating issues assigned to
them, this includes defining a
remediation plan and ensuring it
is carried out.
• Issue remediation includes both
open issues from prior periods
as well as any future issues
noted.
• Remediation may require
collaboration between Legal
Units, FOC and/or SSC.
What is a “Process Responsible”, “Control Owner” and “Issue
Coordinator”?
Process Responsible
• Local responsible for ensuring the process is carried out per global process flowcharts and narratives (for example: Team Lead or Manager)
• Ensures and monitors that all necessary internal controls are in place, functioning effectively and have been assigned to an appropriate Control
Owner.
• Communicates expectations to Control Owners and ensures they receive necessary training to perform the control satisfactorily.
• Perform sign-off of adherence with process and controls – when requested.

Control Owner
• Performs the control activity
• Stores control evidence in a structured way (SharePoint etc. or in system), ensuring it is available when needed

Issue Coordinator
• The role is defaulted to Process Responsible (see above) but can be delegated by the Process Responsible to a different person.
• Responsible for leading and monitoring issue remediation efforts, ensuring:
o An appropriate action plan has been defined and implemented
o A reasonable completion date has been set for the action plan to be resolved
o The plan is monitored and adjusted until the issue is remediated
What type of documentation shall be retained?

The control documentation retained shall allow an independent reviewer (i.e., a manager
or Internal Control) to verify the control.

• What information/reports were used to perform the control?

• Was the completeness and accuracy of the information verified? How?
• What did the preparer review and how did they identify what needed follow-up?
• Is there evidence of any follow-up/additional inquiries performed?
• Did the reviewer (for example, a manager) verify that the control was performed
correctly and on time? What did they review?
• What was concluded as part of the review?
• Did the preparer and reviewer sign-off on the control?
Where can I see who is responsible for each activity?
Spider > Group
Finance Site

RACI Matrix shows the overall roles and

responsibilities of different departments, Tip: From the Group Finance Site,
you are also able to access SKF
including the FOC, Shared Service Center Group Finance Policies and
Instructions as well as training
(Cap Gemini) and other SKF functions for resources archived within the
different processes. Finance Academy.

For non-finance policies and

R = Responsible / A = Accountable / C = Contribute / I = Informed guidance, refer to SKF Group Policies
and Instructions and other SKF
organizations’ sites on Spider (Group
Legal, Group Quality…).

Process narrative and flowchart documents

reflect the detailed procedures required for
different processes. Controls are validated
and pointed out in Process Narrative and
Flowchart.
Links: The most recent version of the RACI Matrix and Global Process
Documentation can be found in Spider, within the Homepage of the
Group Finance Site.
From there, you are redirected to the Code Master for the most up to
date RACI Matrix as well as the Global Finance Operations &
Development site for the most recent Process Documentation.
Where can I find SICS guidance or a list of all SICS controls?

Information and supports regarding SICS Spider > Group Compliance &
can be found in the Internal Control Assurance Communication Site
section of the Group Compliance & > Internal Control
Assurance Communication Site on Spider.

It should be noted however, that Process

and Control Owner should refer to the
GRC Tool for the most up to date control
information (ownership, descriptions,
issue management,…).

Note: The GRC Tool is used by SKF to manage the SICS and
for the reporting and follow up of the Internal and
External Audits. GRC 5.0 is in final development stages and
due to be deployed in 2022. User enablement trainings are
published on the Internal Control Communication Site and
People Portal.
How will I know if there are any changes to SICS?

Changes to SICS are communicated through various channels:

Internal Control Communication Site

Townhall meetings **
(Group C&A Communication Site)

Finance Newsletters & Email notifications sent via GRC tool

Communications* (Coming soon!)

*To receive these newsletters and GCA notifications, make sure you are
listed as part of the Finance community in your GADD Profile!

** The recorded Townhall sessions and their corresponding decks can be

found within the Group Finance Communication Site on Spider.
When should I turn to the Internal Control team for support?
Here are some scenarios illustrating when you should reach out to your local Internal Control contact…

As part of my day-to-day, I notice that a

control activity in SICS is not performed as Maintaining an effective internal control environment
described. What should I do to address
this?
requires the participation of the entire organization.

SICS is a dynamic framework that must evolve with the

The process has changed and the control company. As a Process Responsible or Control Owner, your
in SICS no longer makes sense. What feedback is invaluable.
should I do?

If you see something that isn’t functioning correctly or as

I have questions about the control activity defined, discuss your concerns with your manager and/or
I am responsible for… local Internal Control contact.

I think there’s a way to optimize/improve Only TOGETHER can we ensure the strength of SKF SICS.
the control activity and related
documentation…
6. Q&A SESSION
Time for questions…
In case of any further EMEA:
questions, feel free to • Internal Control Manager North Europe – Sally Sharpe
reach out to your local • Internal Control Manager East Europe & MEA – Pawel Podgorski
Internal Control contact:
• Internal Control Managers Central Europe – Pawel Podgorski/Patricia Mehls
• Internal Control Manager South Europe – Marisa Castro

Americas:
• Regional Internal Control Manager Americas – Ariel Morón
• Internal Control Manager North America – Jennifer Foulke
• Internal Control Manager Latin America – Gabriela Pacifico

Asia:
• Internal Control Manager NEA – Anna Zheng
• Internal Control Manager ISEA – Anagha Godse