Which of the following is most likely to provide an auditor with the most assurance about the effectiveness of the operation of internal control?

Neste establishes internal control procedures across the business operations in order to provide a reasonable assurance and mitigation of risks that may adversely affect the reliability of financial information, prevention of fraud, compliance with external laws and internal policies, and effectiveness and efficiency of operations.

Internal control procedures established in business operations contain, inter alia, policies and instructions, risk identification and related process control to mitigate risk, segregation of duties including authorization management, day-to-day supervisory controls and monitoring to ascertain these procedures are present and functioning.

Operational management serves as the first line of defense to ensure there are adequate controls to manage the risk of adverse effect from any major setback. Operational management owns the risks and controls and is responsible for ensuring that controls and deficiency-related corrective actions are implemented.

Ultimately, every employee acts as a first line of defense by acting ethically, following the policies, and performing the controls respective to the business activity the employee handles.

Functions that oversee risks and control implementation constitute the second line of defense, thus providing additional assurance to the stakeholders.

Internal Audit, external auditors and supervisory authorities provide independent assurance and constitute the third line of defense. 

Internal Audit recommends improvements in the control environment and supporting procedures. Internal controls are also assessed by the external auditor, in order to ensure that the financial statements give a true and fair view of the organization's financial position.

Neste has set up an Internal Control function to provide additional assurance and lead the group-wide internal control development and monitoring of the performance of internal controls in its business operations.

The Internal Control team acts on the recommendations of the auditors for improving the quality of the controls, and follows up and verifies the implementation of audit-related remediation actions by business operational management.

Internal Control team works closely with the business and process owners in designing and implementing effective controls, by providing insight and keeping in view all relevant financial and operational risks, as well as mitigation parameters such as completeness, accuracy, segregation of duties, etc.

Internal Controls function provides the necessary guidance and training for defining and documenting the internal controls in a consistent manner, such as control catalogues, control design process, control templates, etc.

The Internal Controls team monitors the adequacy and effectiveness of internal controls, accuracy and completeness of reporting, compliance with internal policies, and timely remediation of deficiencies. On a regular basis, the Internal Controls team carries out internal control assessments and reports the assessment results to the Executive Committee and business unit leadership.

Building effective internal controls in the business processes is an ongoing process. As the business changes, and the competitive landscape and other threats evolve, it is necessary to review the adequacy of the controls in business processes and develop the necessary new controls that mitigate the risks. The internal control development process follows the strategy and risk review rhythm, annually or semiannually, as the revised strategy and business environment could necessitate new mitigation controls.

In cooperation with Risk Management team and business process owners, Internal Controls team reviews the key risks and evaluates the adequacy of the controls to mitigate those risks. 

Internal Controls function partners with Compliance function to ensure that the right actions are taken on topics related to compliance with applicable laws and regulations and internal policies. Similarly, Internal Controls team cooperates with other second line of defense functions, such as HR, Legal, Sustainability, Finance, etc., with common objectives.

Internal Control function operates based on two pillars:

  1. Independence. Internal Controls function is established in the CFO's organization in order to ensure independence from business in its role to support and monitor the business first line of defense.
  2. Accountability. Internal Control Function reports to ExCo at a minimum twice a year and, on an as-needed basis, to the Audit Committee.

Internal Control function activities follow COSO* principles and the five elements of its internal control framework, which need to be in place and jointly contribute to the reduction of risk.

  1. Control Environment. A healthy control environment, demonstrated by top management's and everyone's commitment to act and behave in an ethical way and with integrity, constitutes the foundation for all other components of internal control.
  2. Risk Assessment. Risk analysis helps identify the relevant risks and forms a basis for how the risks should be managed. Risk is identified on company and unit level, as well as on business process level.
  3. Control Activities. Control activities comprise the policies and procedures that help ensure management directives stipulated in control objectives are carried out.
  4. Monitoring. Continuous control monitoring and separate assessments are run in order to ensure the quality of controls, and to ensure that deficiencies are evaluated and communicated and that remediation actions are taken.
  5. Information and Communication. Management establishes systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. Communication is done internally and externally.

*COSO is The Committee of Sponsoring Organizations of the Treadway Commission and is referred to by many companies worldwide for thought leadership in the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. COSO is established by The Institute of Internal Auditors, The Association of Accountants and Financial Professionals in Business, American Accounting Association, American Institute of Certified Public Accountants, and Financial Executives International.