According to the Finnish Limited Liability Companies Act and the Finnish Code of Corporate Governance, the Board of Directors is responsible for a company's internal controls. The purpose of this chapter is to provide shareholders and other parties with a description of how internal control and risk management of financial reporting is organised in Outokumpu.
As a listed company, the Group has to comply with a variety of regulations. To ensure that all the stated requirements are met, Outokumpu has introduced principles for financial reporting and internal control and distributed these throughout the company's organisation.
Control environment
The foundation for Outokumpu's control environment is the business culture established within the Group and its associated methods of operation. The basis for the company's control routines is provided by Group policies and principles which define the way in which Outokumpu's organisation operates. These policies and principles are for example the Group's Corporate Responsibility Policy, Ethical Principles and the Outokumpu Leadership Principles. Introduced in 2007, the Outokumpu Code of Conduct describes the Group's basic values and offers standardised, practical guidelines for managers and employees to follow. The Outokumpu performance management process is a key management activity and an important factor in enabling an efficient control environment. In all sections of the Group's operations, planning activities and the setting of both operational and financial targets are executed in accordance with Outokumpu's overall business targets. Management follow-up of related achievements is carried out through monthly management reporting routines and in performance review meetings.
Outokumpu operates in accordance with the risk management policy approved by the Group's Board of Directors. This policy defines the objectives of risk management activities, the approaches to be taken and areas of responsibility. As well as supporting Outokumpu strategy, risk management activities help in defining a balanced risk profile from the perspective of shareholders and other stakeholders such as customers, suppliers, personnel and lenders. The Outokumpu Board of Directors holds ultimate responsibility for risk management within the Group. The CEO and the Group Executive Committee are responsible for defining and implementing risk management procedures, and for ensuring that risks are both properly addressed and taken into account in strategic and business planning. Business units and Group functions are responsible for managing risks connected with their own operations.
More information on risk management within Outokumpu.
Outokumpu's control process for financial reporting is based on Group policies, principles and instructions relating to financial reporting as well as on the responsibility and authorisation structure within the Group. Policies relating to financial reporting are usually owned and approved by the CEO, the CFO or the Corporate Controller. Financial reporting in Outokumpu is carried out in a harmonised way using a common chart of accounts. Outokumpu Controller's Manual contains financial reporting policies and instructions. Policies and instructions for financial reporting are reviewed on a regular basis and revised when required.
Financial reporting is prepared in accordance with International Financial Reporting Standards (IFRS). Outokumpu Accounting Principles (OAP) are Outokumpu's application guidance on IFRS. The aim of OAP and other financial reporting instructions is to ensure that unified financial processes and reporting practices are used throughout the Group. Financial statements by the parent company and stand-alone Finnish subsidiaries are prepared in accordance with generally accepted accounting principles in Finland, while foreign subsidiaries follow local accounting principles. Outokumpu also complies with regulations regarding financial reporting published by the Financial Supervisory Authority (FIN-FSA) and NASDAQ OMX Helsinki.
Risk identification and assessment
Risk management processes connected with the Group's financial reporting are coordinated by the Treasury and Risk Management function. Related risks are classified as operational risks and can arise as a consequence of inadequate or failed internal processes, employee actions, systems or other events such as misconduct or crime. The aim of the Outokumpu risk management process is to identify, evaluate, control and mitigate such risks. Major risks are reported to and evaluated by the Audit Committee on a regular basis. Outokumpu's risk management process includes arranging workshops on the identification of key risks, including operational risks, for business units and other Group functions. Deliverables include risk maps and risk identification plans.
Internal audit
Outokumpu's Internal Audit function has an independent role and a twofold objective: to provide assurance and to offer consulting services which add value and improve the organisation's operations. Internal Audit's most important task is assisting the Audit Committee and the Executive Committee in fulfilling their control functions. To do this, Internal Audit identifies and monitors significant operational risks within the Group, ascertains the adequacy and effective operation of internal controls and provides the two committees with a direct source of correct and reliable information. Other tasks carried out by Internal Audit include monitoring the Group's principles, controls and policies and follow-up of the audit conclusions by the company's auditors.
The internal auditor reports to the Audit Committee and administratively to the CFO.
Control activities
In addition to the Board of Directors and Audit Committee, operational management teams in Outokumpu are responsible for ensuring that internal controls relating to financial reporting are in place at all Outokumpu units. The aim of control activities is to discover, prevent and correct potential errors and deviations in financial reporting. Control activities aim also to ensure that authorisation structures are designed and implemented in a way that conflicting division of work will not exist (one person performing an activity and also being responsible for controlling that activity). Control activities consist of different kind of measures and include reviews of financial reports by Group management and in business unit management teams, the reconciliation of accounts, analyses of the logic behind reported figures, forecasts compared to actual reported figures and analyses on the Group's financial reporting processes, to mention a few. A key component is the monitoring of monthly performance against financial and operational targets. These control activities take place at different levels in the organisation. The most important accounting items in Outokumpu are the valuation and reporting of inventories and other working capital items. These items are carefully monitored and controlled both in the units and at the Group level.
Information technology and solutions play an important role in guaranteeing that the Group's internal controls have a solid foundation. The harmonisation of IT systems to further improve Outokumpu's internal control environment is on-going.
Information and communication
Group-wide policies and principles are freely available to all Outokumpu employees. Instructions relating to financial reporting are communicated to all the parties involved. The main communication channels employed are Outokumpu's intranet and other easily-accessible databases. Face-to-face controller meetings are also organised.
Outokumpu has established different networks and communities in which financial reporting and internal control issues and related instructions are discussed and reviewed. These networks usually consist of personnel from business units and Group functions. The aim of these networks, communities and common instructions is to ensure that unified financial processes and reporting practices are used throughout the Group. The networks and communities play an important role in establishing the effectiveness of internal controls relating to financial reporting and in developing Outokumpu policies, instructions and processes.
Follow-up
Both management in Outokumpu companies and personnel in accounting and controlling functions are responsible for the follow-up and monitoring of internal controls connected with financial reporting. The Internal Audit and Risk Management functions also engage in follow-up and control activities. The findings of the follow-up procedures are reported to the Audit Committee and the Group Executive Committee on a regular basis.