According to the Finnish Limited Liability Companies Act and the Finnish Corporate Governance Code, the Board of Directors is responsible for ensuring that the company's internal controls are properly organized. The purpose of this section is to provide shareholders and other parties with a description of how internal control and risk management of financial reporting is organized in Outokumpu. As a listed company, the Group has to comply with a variety of regulations. To ensure that all the stated requirements are met, Outokumpu has introduced principles for financial reporting and internal control and distributed them throughout the company's organization
The foundation of Outokumpu's control environment is the business culture established within the Group and its associated methods of operation. The basis for the company's compliance and control routines is provided by Group policies and principles, which define the way in which Outokumpu's organization operates. These policies and principles include, for example, the Group's Corporate Responsibility Policy and Ethical Principles. The Outokumpu Code of Conduct describes the Group's basic values and offers standardized, practical guidelines for managers and employees to follow. Outokumpu's compliance program is described at our website.
The Outokumpu performance management process is a key management activity and an important factor in enabling an efficient control environment. In all sections of the Group's operations, planning activities and the setting of both operational and financial targets are executed in accordance with Outokumpu's overall business targets. Management follow-up of related achievements is carried out through monthly management reporting routines and in performance review meetings.
Outokumpu operates in accordance with the risk management policy approved by the Group's Board of Directors, and the Audit Committee regularly monitors the Group's risk map. The policy defines the objectives of risk management activities, the approaches to be taken and areas of responsibility. As well as supporting the Outokumpu strategy, risk management activities help in defining a balanced risk profile from the perspective of shareholders and other stakeholders, such as customers, suppliers, personnel and lenders. More information on risk management.
Outokumpu's control process for financial reporting is based on Group policies, principles and instructions relating to financial reporting, as well as on the responsibility and authorization structure within the Group. Policies relating to financial reporting are usually owned and approved by the CEO and the CFO. Financial reporting in Outokumpu is carried out in a harmonized way using a common chart of accounts.
Financial reporting is prepared in accordance with International Financial Reporting Standards (IFRS). The Outokumpu Accounting Principles (OAP) are Outokumpu's application guidance as regards IFRS. The aim of the OAP and other financial reporting policies and instructions included in the Outokumpu Controller's Manual is to ensure that uniform financial processes and reporting practices are used throughout the Group. Policies and instructions for financial reporting are reviewed on a regular basis and revised when necessary. During the 2016 financial year, Outokumpu has evaluated the implications of the new and revised IFRS standards to enter into force in the near future and implemented the changes required in the ESMA guidelines on Alternative Performance Measures. In 2015, the key changes included the review of the useful lives of its property, plant and equipment. In 2017, Outokumpu will prepare for the implementation of the new IFRS 15 and IFRS 9 standards as of the beginning of 2018 and IFRS 16 standard as of the beginning of 2019 and continue to follow other changes in IFRS standards closely. No major impact on the financial reporting due to the implementation of new standards is expected in 2017.
Financial statements by the parent company and stand-alone Finnish subsidiaries are prepared in accordance with generally accepted accounting principles in Finland, while foreign subsidiaries follow local accounting principles. Outokumpu also complies with regulations regarding financial reporting published by the Financial Supervisory Authority (FINFSA) Nasdaq Helsinki and the European Securities and Markets Authority (ESMA).
Identification and assessment of risks related to financial reporting
Risk management processes connected with the Group's financial reporting are coordinated by Outokumpu's Treasury and Risk Management function. Related risks are classified as operational risks and can arise as a consequence of inadequate or failed internal processes, employee actions, systems or other events such as misconduct or crime. The aim of the Outokumpu risk management process is to identify, evaluate, control and mitigate such risks.
Major risks are reported to and evaluated by the Audit Committee on a regular basis. Outokumpu's risk management process includes arranging workshops on the identification of key risks, including operational risks, for business areas and Group functions. Deliverables include risk maps, risk identification plans and a financial assessment of the Group's ability to bear risk.
In addition to the Board of Directors and Audit Committee, operational management teams in Outokumpu are responsible for ensuring that internal controls relating to financial reporting are in place at all Outokumpu units. The aim of control activities is to discover, prevent and correct potential errors and deviations in financial reporting. Control activities also aim to ensure that authorization structures are designed and implemented in such a way that conflicting divisions of work do not exist (i.e. one person performing an activity and also being responsible for controlling that activity). Control activities consist of different kinds of measures and include reviews of financial reports by Group management and in business area management teams, the reconciliation of accounts, analyses of the logic behind reported figures, forecasts compared to actual reported figures, and analyses of the Group's financial reporting processes, among others. A key component is the monitoring of monthly performance against financial and operational targets. These control activities take place at different levels of the organization. The most important accounting items in Outokumpu are the valuation and reporting of inventories and other items of working capital. Also, in difficult market situations, asset impairment calculations and related sensitivity analyses are increasingly important. These items are carefully monitored and controlled, both within business areas and at Group level, on a regular basis.
Information technology and solutions play an important role in guaranteeing that the Group's internal controls have a solid foundation. The Group's consolidation system has been renewed in 2015 to ensure timely and uniform financial and management reporting from the Group entities and an effective closing process within the whole Group. Outokumpu is also running a business transformation program to develop and improve business capabilities. This will be achieved mainly by harmonizing and improving the Group's core business processes and implementing supporting IT systems (e.g. ERP) that will be common to the whole Group.
As part of this program, internal controls based on systems and processes will also be enhanced and evaluated.
Information and communication
Group-wide policies and principles are available to all Outokumpu employees. Instructions relating to financial reporting are communicated to all the parties involved. The main communication channels employed are Outokumpu's intranet and other easily accessible databases. Face-toface controller meetings are also organized. Senior controller meetings are organized on a quarterly basis or more frequently when this is considered necessary to share information and discuss issues of topical interest to the Group.
Outokumpu has established different networks and communities in which financial reporting and internal control issues and related instructions are discussed and reviewed. These networks usually consist of personnel from the business areas and Group functions. The aim of these networks, communities and common instructions is to ensure that unified financial processes and reporting practices are used throughout the Group. The networks and communities play an important role in establishing the effectiveness of internal controls relating to financial reporting and in developing Outokumpu policies, instructions and processes.
Both management in all Outokumpu companies and personnel in the accounting and controlling functions are responsible for the follow-up and monitoring of internal controls connected with financial reporting. Through its activities, the Internal Audit function monitors as well as ensures a proper control environment across the group. The Risk Management function and external auditors are also engaged in follow-up and control activities. The findings of the follow-up procedures are reported to the Audit Committee and the Outokumpu Leadership Team on a regular basis.
Internal Audit is an independent and objective assurance, control, and consulting function designated to add value, to improve operations, and to monitor and support the organization in the achievement of its objectives. Through a systematic, disciplined approach, Internal Audit determines whether governance processes, the internal control system, and the risk management system, as designed and represented by the Board of Directors and the Leadership Team, are effective and efficient.
With a strong commitment to integrity and accountability, Internal Audit provides value to governing bodies and senior management as an objective and direct source of correct, reliable information and independent advice. Internal Audit also monitors adherence to Group principles, policies and procedures, and investigates fraudulent and noncompliant behaviors and activities. Internal Audit performs its function on behalf of and directly reports to the Audit Committee and to the Leadership Team, but is functionally assigned to the CEO. The annual internal audit plan is approved by the Audit Committee.
In 2016, Internal Audit performed 20 scheduled operational audits, including an extended compliance audit in the Nordic region, an evaluation and consulting on delivery performance in the Americas, and audits of various sales offices around the world. The results of all the audits carried out, including their risk appraisals are reported and distributed in writing. In view of the Outokumpu Code of Conduct and the Corporate Responsibility Policy, a previously identified potential risk in the context of sales intermediary agreements has been resolved successfully. The key risk areas to be focused on 2017 are master data management, process controls, and data protection.
The confidential whistleblowing hotline ("Helpline") available on the company intranet and via the internet is set up to anonymously inform Internal Audit and the Audit Committee of suspicions of financial misconduct or unethical behavior. No cases were reported via the Helpline in 2016.
Of 6 unscheduled investigations of potential misconduct recognized through other channels, no incidents of discrimination or human rights violations were noted. Internal Audit observed cases of unfair behavior and incurred or alleged theft, among them stealing material out of a closed-down melt shop; however, none of these cases was financially material. Various noted attempts of misconduct via faked emails resulted in no harm to the company.