Auditing, Internal Control & Risk Management


To safeguard the interests of shareholders and the general public, an independent auditor is appointed at the Annual General Meeting following a recommendation from the Supervisory Board based on a proposal from the Audit Committee. Before making its recommendation, the Supervisory Board undertakes a critical evaluation of the auditor’s independence, competence etc. 

The auditor reports any significant findings regarding accounting matters and any significant internal control deficiencies to the Supervisory Board via the Audit Committee and through its written long-form audit reports, which are issued at least twice a year. The auditor takes part in all Audit Committee meetings and, as a minimum, the Supervisory Board meeting at which the Annual Report is discussed and approved. 

Internal Control and Risk Management Related to the Financial Reporting Process

Overall Control Environment

The Supervisory Board and the Executive Board have overall responsibility for the Group’s control environment. The Audit Committee appointed by the Supervisory Board is responsible for monitoring the internal control and risk management systems related to the financial reporting process on an ongoing basis. 

The Company has a number of policies and procedures in key areas of financial reporting, including the Finance Manual, the Controller Manual, the Chart of Authority, the Risk Management Policy, the Treasury Policy, the Information Security Policy, the Global Expense Policy and the Business Ethics Policy. The policies and procedures apply to all subsidiaries, and similar requirements are set out in collaboration with the partners in joint ventures.

The internal control and risk management systems are designed to mitigate rather than eliminate the risks identified in the financial reporting process. Internal controls related to the financial reporting process are established to detect, mitigate and correct material misstatements in the consolidated financial statements.  

The monitoring of risk and internal controls in relation to the financial reporting process are anchored by the reporting of the maturity level of the control environment using the Company’s financial control framework.

Risk Assessment

The risk assessment process related to the risk in relation to the financial reporting process is assessed annually and approved by the Audit Committee.

The risk related to each accounting process and line item in the consolidated financial statements is assessed based on quantitative and qualitative factors. The associated financial reporting risks are identified based on the evaluation of the likelihood of them materialising and their potential impact. 

The identified areas are divided into areas with high, medium or low risk. High-risk areas are line items that include significant accounting estimates, including goodwill and special items, and the sales and purchase process. The Company’s financial control framework reporting covers relevant Group companies and functions to the level where high-risk areas are at least 80% covered and medium-risk areas at least 60%. Low-risk areas are not covered.

Control Activities

The Group has implemented a formalised financial reporting process for the strategy process, budget process, quarterly estimates and monthly reporting on actual performance. The accounting information reported by all Group companies is reviewed both by controllers with regional or functional in-depth knowledge of the individual companies/functions and by technical accounting specialists. In addition, significant Group companies have controllers with extensive commercial and/or supply chain knowledge and insight.

Based on the risk assessment, the Group has established minimum requirements for the conduct and documentation of IT and manual control activities to mitigate identified significant financial reporting risks. The Company’s financial control framework covers 132 controls relating to 23 accounting processes and areas. 

The relevant Group companies and functions must ensure that the Company’s financial control framework is implemented in their business and that individual controls are designed to cover the predefined specific risk. The local management is responsible for ensuring that the internal control activities are performed and documented, and is required to report compliance quarterly to the Group’s finance organisation.

The entities in the Group are dependent on IT systems. Any weaknesses in the system controls or IT environment are compensated for by manual controls in order to mitigate any significant risk relating to the financial reporting.

Information & Communication

The Group has established information and communication systems to ensure that accounting and internal control compliance is established, including a Finance Manual, a Controller Manual and internal control requirements.

In addition, the Group has implemented a formalised reporting process for reporting monthly, quarterly, budget and estimate figures from all countries and functions. 


The Audit Committee’s monitoring covers both the internal control environment and business risk. Monitoring of the internal control environment is covered by the Company’s financial control framework. The business risk is assessed and reviewed at multiple levels in the Group, including periodic review of control documentation, controller visits and audits performed by Group Internal Audit.

Additionally, business risks are discussed and monitored at business review meetings between ExCom, regional management and local management at which potential financial impacts are identified. 

The Audit Committee’s Terms of Reference outline its roles and responsibilities concerning supervision and monitoring of the internal control and risk management systems related to financial reporting. Monitoring is performed on the basis of periodic reporting from the finance organisation, internal and external audit.

Operational Risk Management

At the Carlsberg Group, we consider effective risk management an integral part of our business operations as it reduces uncertainty, helps the Group achieve its strategic objectives and facilitates value creation for all stakeholders.

The Group’s comprehensive approach to risk management involves the identification, assessment, prioritisation and economic management of risks that might prevent the Group from achieving its strategic objectives. The Risk Management Policy sets out the requirements for the risk management process in the Group.

Risk Management Framework

The Group’s risk management framework is a systematic process of risk identification, analysis and evaluation, providing a comprehensive overview of strategic risks and enabling us to mitigate and monitor the most significant risks.

Our risk management approach is top-down and covers all major entities across regions, markets and functions. The framework is based at the strategic level to ensure that the risks related to carrying out the Group’s strategy – both short-term and long-term – are identified and that relevant preventive actions are taken.

Risk Management Governance Structure

Ultimately, the Supervisory Board is responsible for risk management. The Supervisory Board has appointed the Audit Committee to act on behalf of the Supervisory Board, and the Committee monitors the overall strategic risk exposure and individual risk factors associated with the Group’s activities. Monitoring is mainly performed in connection with the quarterly reporting process. The Audit Committee adopts guidelines for key areas of risk, monitors developments and ensures that plans are in place for the management of individual risk factors, including commercial and financial risks.

The Executive Committee (ExCom) is responsible for reviewing the overall risk exposure associated with the Group’s activities. Risks are assessed according to a two-dimensional heat map rating system that estimates the impact of the risk on net revenue or brand/image and the likelihood of the risk materialising. Based on this assessment, ExCom updates the existing heat map to reflect changes in perceived risks to the business, and a number of high-risk issues for the coming year are identified. In addition, any risks in relation to the Group strategy for the subsequent three-year period are identified and appropriate actions are agreed upon. In accordance with the Risk Management Policy, ExCom identifies owners of short-term and long-term risks, who are then responsible for mitigating the risks through a programme of risk-reducing activities.

Local entities and Group functions are responsible for the identification, evaluation, qualification, recording and reporting of the management of strategic risks at local level. Local-level risk assessment follows the same principles as Group-level risk assessment and is based upon the heat map described above. The local risk review is carried out regularly, following which local risk owners are appointed and given responsibility for mitigating the risks through a programme of risk-reducing activities. A formal procedure is in place for ongoing identification, assessment and reporting during the year of any new or emerging risks that are determined to have a material impact upon the business.

Group Internal Audit is responsible for facilitating and following up on risk-reducing activities/action plans for the most significant risks in the Carlsberg Group.

The financial risks, including foreign exchange, interest rate, and credit and liquidity risks, are described in sections 4.5-4.7 of the consolidated financial statements.

Risk Assessment 2015

Local risk management workshops and heat mapping were carried out during the third quarter of 2014. In the fourth quarter of 2014, ExCom carried out the annual risk management workshop to evaluate the adequacy of the existing heat map. The review resulted in a revision of the identified risks, and a revised set of high risks for 2015 was identified.

The correlation between the high risks identified at Group and local level was significant, which indicates that the strategy and associated risks at local and regional level are aligned with the overall Group strategy.

The high risks identified for 2015, placed in the upper-right quartile of the risk heat map, were the Russian economy, duties and regulation, value realisation of BSP1, and the ability to increase prices and trade term pressure. 

Other risks identified for 2015, though not classified as high risks, were value realisation of the recent acquisitions in China, delivery of cost savings and satisfactory customer service levels by the Carlsberg Supply Company (CSC), the ability of employees and the organisation as a whole to successfully incorporate changes in structure and ways of working, particularly in Western Europe, and possible relative underinvestment in key brands.

The Group closely monitors and undertakes risk-reducing activities to minimise the likelihood and potential impact of the identified risks.

Risk Assessment 2016-2019

During the annual risk management workshop, ExCom also evaluated the strategic risks facing the Carlsberg Group for 2016-2019. 

The identified strategic high risks included recruitment into the beer category and the image of beer in Europe, taxes and regulation, lack of top-line growth, new ways of working and change management in connection with key change projects such as BSP1, and economic downturn. Our strategy levers and the associated priorities address the strategic risks.

Want to Learn More?

Click below to explore further