Internal control and risk management

The ultimate responsibility for accounting and financial administration lies with Basware Corporation’s Board of Directors. The Board is responsible for internal control, and the CEO is responsible for the practical arrangements and monitoring of the control system. The steering and monitoring of business operations is based on the reporting and business planning system covering the entire Group. The CEO and CFO give both Board and Executive Team meetings presentations of the Group's situation and development based on monthly reports.

Risk management and internal audit system

The Group's risk management is guided by legal requirements, business requirements set by the shareholders as well as the expectations of the customers, personnel and other important stakeholders. The goal of risk management is to systematically and extensively identify and acknowledge the risks involved in the company's operations as well as to make sure that the risks are appropriately managed when making business decisions.

The company’s risk management supports the attainment of strategic goals and ensures the continuity of business operations. Basware takes risks that are a natural part of its strategy and objectives. The company is not ready to take risks that might endanger the continuity of operations or that are uncontrollable or that can significantly harm the company’s operations.

In accordance with the company's risk management policy, risks are divided into six categories: risks related to business operations, products, personnel as well as legal, financial and data security risks. Responsibilities of risk management follow the distribution of liability throughout the organization and operations. Each group has a designated person in charge. In the process of risk management, the goal is to identify and evaluate the risks, after which a risk-specific plan is drawn up and concrete action is taken. Such actions may include avoiding the risk, diminishing the risk by different means or transferring the risk by insurance or agreements. The company has created a crisis communication plan as a part of its risk management process.

In accordance with Basware's risk management process, the Board of Directors receives an annual report of the most significant risks discovered during the assessment of risks. The Board analyses the risks from the point of view of shareholder value. According to the reporting conforming to the risk management process, the most significant risks in 2011 that have come to the Board's knowledge are associated with ensuring product leadership and maintaining the company's competitiveness in the changing competitive situation, improving new customer acquisition and increasing the transaction volume of the e-invoicing business, increasingly extensive utilization of the cost benefits offered by offshoring sites in business and support processes to improve profitability, successful preparation and implementation of merger and acquisition projects, strengthening the position of intellectual property rights as well as the measurement of significant balance sheet items and impairment testing.

Internal control is a process performed by the organization's Board of Directors, acting management and other employees to obtain a reasonable certainty of the attainment of goals. The framework of internal control at Basware is based on the international COSO model published by the Committee of Sponsoring Organizations of the Treadway Commission.

Control environment

The goal of Basware's internal control is to support the implementation of the Group strategy and ensure compliance with regulations. The system is based on Group-level policies, guidelines and processes and controls of business operations and support processes. Basware's strong ethics, values and operating culture form the basis of the internal control system. The operating culture is being built by the steering and control of the company's operations by the Board of Directors, the management methods of the company's management, the company's organizational structure and management system, effective utilization of global information system as well as the employees' competence and development. The company uses a global HR system.

The Group's centralized financial administration center and group accounting as well as controlling function, operating under the CFO, are responsible for the overall control system of financial reporting. Harmonized methods of financial reporting are applied in all Group companies, utilizing a uniform ERP system and harmonized account scheme, and also software for electronic procurement management, purchase invoices and travel expense reports and financial management. The entire Group applies the International Financial Reporting Standards (IFRS).

Risk assessment

The aim of financial reporting is to ensure that assets and liabilities belong to the company; all rights and liabilities of the company are presented in the financial statements; items in the financial statements have been classified, disclosed and described correctly; assets, liabilities, income and expenditure are entered in the financial statements at the correct amounts; all the transactions during the reporting period are included in the accounts; transactions entered in the accounts are factual transactions; and that the assets have been secured.

The risk management process includes an annual identification and analysis of risks related to financial reporting. In addition, the aim is to analyze and report all new risks immediately after they have been identified. Taking into account the quality and extent of the Group's business operations, the most significant risks associated with the reliability of financial reporting are associated with revenue recognition, processing of bad debt reservation, capitalization of product development expenses, impairment testing of assets (including goodwill, capitalized product development expenses and unfinished projects) and deferred tax assets.

Control functions

The correctness and reliability of financial reporting are ensured through compliance with the Group policies and guidelines. Controls that ensure the correctness of financial reporting include controls related to accounting transactions, controls related to the selection of and compliance with the accounting principles, information system controls and fraud controls.

The Group's net sales are recognized under the supervision of the centralized controlling function. The Group has written internal revenue recognition guidelines. Revenue recognition is based on the existence of obligatory sale and delivery documents. The amount of the Group's bad debt reservation is calculated monthly by the centralized financial administration service center. The calculation is based on the maturity distribution of trade receivables by sales company.

The capitalized amount of the Group's product development expenditure is calculated monthly by the centralized financial administration service center. The calculation is based on project-specific monitoring documentation of R&D activities. The Group has written guidelines on R&D expenditure. Goodwill is tested for impairment during the last quarter of the year. Key variables used in the calculations are the estimated change rates of net sales and costs. In addition, indications of impairment are continuously monitored. In specifying the company-specific deferred assets, the effective tax rate of each country is applied. The subsidiaries have accumulated unutilized tax losses for which deferred tax assets have not been recognized in line with the prudence concept. According to the transfer pricing principle applied since 2008, subsidiaries accumulate taxable income against which confirmed losses can be utilized in the future. We consider it probable that taxable income will be generated in the subsidiaries in the future against which the unutilized tax losses can be utilized. Deferred tax assets were recognized in the financial statements for 2012 for unutilized tax losses accumulated in previous years.

The Group's centralized financial administration service center and controlling function continuously develop global reliable, harmonized, scalable and efficient operating methods. The globally harmonized account scheme, high automation rate of the Group's shared information systems and the systems' integrated control points facilitate a cost-efficient internal control process with an audit trail for financial reporting. Information systems support compliance with the Group's acceptance authorizations for procurement proposals and purchase invoices among others. Basware's financial administration, including cash management and payment, are centralized at the Group's level, which strengthens the functionality of the controls further.

Personnel expenses account for a majority of Basware's expenditure. Actual and forecasted personnel expenses are monitored and the forecasts are updated at a very detailed level regularly. The controlling function is responsible for the calculation of commissions and bonuses globally in accordance with the bonus scheme in effect at any time, approved by the Board annually.

The result of business operations and attainment of annual goals is assessed monthly by Executive Team and Board meetings. Monthly management and Board reporting includes both actual and forecast data compared to the goals and actual results of previous periods. Financial reports generated for use by the business management monitor certain key indicators associated with the development of sales and trade receivables on a weekly and monthly basis.

Basware aims to complement its organic growth with acquisitions in accordance with its strategy. In making acquisitions, the company aims to follow due diligence and utilize its internal and external competence in the planning phase (e.g. due diligence), takeover phase (e.g. immediate adoption of Basware's information systems) as well as when integrating acquired functions with the company's operations (e.g., adoption of Basware's HR policies).