Internal risk and audit

We conduct internal auditing as part of our risk management, control and governance process.

Utilizing a Chief Internal Risk and Audit Executive (CAE) who reports functionally to the Board of Directors and administratively to the Chief Executive Officer (CEO), the CAE must alert the Board of Directors of fraud, corruption or other potentially damaging issues. Internal Auditors must not have any direct responsibility for any of the activities they review. They must also not create or implement procedures, systems or other activities that could be audited. Yara's internal audit charter is included below, along with more detailed information about Yara's internal and external audits.

Yara's Internal Risk and Audit Department is accountable to the Board and provides an annual assessment of the adequacy of Yara's processes for controlling its activities and managing its risks. The department shares information on the status and results of the annual audit plan and the sufficiency of department resources when appropriate.

Internal Risk and Audit has unrestricted access to all functions, records, property and personnel and has complete access to the board.

External auditor

Yara's external auditor also follows an annual plan. The external auditor participates in the meetings of the Audit Committee and the board meeting, approving the annual accounts and meeting with the board at least once annually without Yara executive management being present. Yara's external auditor's remuneration is shown in the Annual Report's consolidated financial statements.

Auditor information:

Deloitte AS
Dronning Eufemias gate 14
0191 Oslo
Norway

Phone +47 23 27 90 00
www.deloitte.com

Internal Risk and Audit Charter

Definition of Internal Risk and Audit

The Internal Risk and Audit function in Yara (YIRA) performs an independent, objective assurance and consulting activity designed to add value and improve Yara’s operations. It helps Yara accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Independence and Accountability

The Chief Internal Risk and Audit Executive (CAE) reports functionally to the Board of Directors and administratively to the Chief Financial Officer (CFO). The CAE has, independent of the reporting lines described above, the right and duty to inform the Board of Directors of fraud/corruption or other issues that in his/her opinion may inflict significant damage to Yara.

Internal Auditors shall have no direct operational responsibility or authority over any of the activities they review. Accordingly, they shall not develop nor install systems or procedures, prepare records, or engage in any other activity, that may be audited.

The CAE is accountable to:

  • Provide assessment on the effectiveness and efficiency of the internal control, risk management and governance processes regarding the engagements in the audit plan
  • Report significant issues related to the processes for controlling the activities of Yara and its affiliates, including potential improvements to those processes, and provide information concerning such issues
  • Provide information periodically on the status and results of the audit plan and the sufficiency of department resources

Authority

YIRA is authorized to:

  • Have unrestricted access to all functions, records, physical properties and personnel relevant to the performance of engagements
  • Have full and free access to the Board of Directors and the Audit Committee of the Board of Directors
  • Allocate resources, set frequencies for the audits, determine scope of work and apply the techniques required to accomplish the set audit objectives
  • Obtain the necessary assistance of personnel in units of Yara where YIRA performs audits as well as other specialized services from Yara as well as from external service providers
  • Documents and information given to YIRA during an audit engagement will be handled in the same prudent and confidential manner as by those employees normally accountable for them

Responsibility

The CAE is responsible for:

  • Conducting independent risk assessments as a basis for the audit plan
  • Developing and maintaining a risk-based audit plan and submitting the plan and any adjustments to the Yara Management and the Board of Directors for approval
  • Coordinating the audit plan with the external auditors
  • Carrying out the audit plan, as approved, including, as appropriate, any special assignments or projects requested by members of the Yara Management and/or the Board of Directors
  • Maintaining a professional internal audit activity with sufficient competence, knowledge, skills and experience to meet the requirements of this Charter
  • Managing the co-sourcing agreement and the selected external service providers regarding internal audit
  • Issuing written reports following the completion of each audit engagement and to distribute as appropriate
  • Issuing periodic summary reports to the Yara Management, the Audit Committee and the Board of Directors covering the executed internal audit engagements
  • Monitoring the audit findings and recommendations communicated to management

Audit Scope

  • The scope of Internal Risk and Audit encompasses the examination and evaluation of the adequacy and effectiveness of Yara’s governance, risk management process, system of internal control structure, and the quality of performance in carrying out assigned responsibilities to achieve Yara’s stated goals and objectives.
  • It could include:
  • Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information
  • Reviewing and assessing the economy, efficiency and effectiveness with which resources are employed
  • Reviewing the means of safeguarding assets and, as appropriate, verifying the existence of such assets
  • Reviewing the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations, which could have a significant impact on operations and reports and whether the organization is in compliance
  • Monitoring and evaluating the effectiveness of Yara's risk management system
  • Reviewing operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned
  • Reviewing specific operations at the request of members of the Yara Management and/or the Board of Directors, as appropriate
  • YIRA adheres to the standards of best professional practice, such as those published by the Institute of Internal Auditors.

Audit Planning

The Chief Internal Risk and Audit Executive submits annually an audit plan, together with a budget, to the Yara Management, the Audit Committee and the Board of Directors for approval. The audit plan is to be developed based on a prioritization of the audit universe using a risk-based methodology.

Significant deviations from the audit plan shall be communicated to Yara Management and/or the Audit Committee through periodic activity reports.

Periodic Assessment

The Chief Internal Risk and Audit Executive should annually assess whether the purpose, authority, and responsibility, as defined in this charter, continue to be adequate to enable the internal auditing activity to accomplish its objectives. The result of this annual assessment should be communicated to Yara Management, the Audit Committee and the Board of Directors.

Ownership and review cycle

This Corporate Governance document is maintained by the Chief Internal Risk and Audit Executive.

Based on the annual assessment of the Chief Internal Risk and Audit Executive, Yara Management, the Audit Committee and any subsequent changes adopted by the Board of Directors, new versions will be released by the Board Secretary.

Definitions

Yara International ASA and consolidated entities, their employees and others (e.g. contractors and consultants) that act under Yara's instructions.