According to the Finnish Limited Liability Companies Act and the Finnish Corporate Governance Code, the Board of Directors is responsible for ensuring that the company’s internal controls are properly organized.
The purpose of this section is to provide shareholders and other parties with a description of how internal control and risk management of financial reporting is organized in Outokumpu. As a listed company, the Group has to comply with a variety of regulations. To ensure that all the stated requirements are met, Outokumpu has introduced principles for financial reporting and internal control and deployed them throughout the company’s organization.
The foundation of Outokumpu's control environment is the business culture established within the Group and its associated methods of operation. The basis for the company's compliance and control routines is provided by Group policies and principles, which define the way in which Outokumpu's organization operates. These policies and principles include, for example, the Group's Corporate Responsibility Policy and Ethical Principles. The Outokumpu Code of Conduct describes the Group's basic values and offers standardized, practical guidelines for managers and employees to follow.
The Outokumpu performance management process is a key management activity and an important factor in enabling an efficient control environment. In all sections of the Group's operations, planning activities and the setting of both operational and financial targets are executed in accordance with Outokumpu's overall business targets. Management follow-up of related achievements is carried out through monthly management reporting routines and in performance review meetings.
Outokumpu operates in accordance with the risk management policy approved by the Group's Board of Directors, and the Audit Committee regularly monitors the Group's risk map. The policy defines the objectives of risk management activities, the approaches to be taken and areas of responsibility. In addition to supporting the Outokumpu strategy, risk management activities help in defining a balanced risk profile from the perspective of shareholders and other stakeholders, such as customers, suppliers, personnel and lenders.
Outokumpu's control process for financial reporting is based on Group policies, principles and instructions relating to financial reporting, as well as on the responsibility and authorization structure within the Group. Policies relating to financial reporting are usually owned and approved by the CEO and the CFO. Financial reporting in Outokumpu is carried out in a harmonized way using a common chart of accounts.
Financial reporting is prepared in accordance with International Financial Reporting Standards (IFRS). The Outokumpu Accounting Principles (OAP) are Outokumpu's application guidance as regards IFRS. The aim of the OAP and other financial reporting policies and instructions included in the Outokumpu Controller's Manual is to ensure that uniform financial processes and reporting practices are used throughout the Group. Policies and instructions for financial reporting are reviewed on a regular basis and revised when necessary.
During the 2017 financial year, Outokumpu has evaluated the implications of the new and revised IFRS standards to enter into force in the near future, and specifically prepared for the implementation of the new IFRS 15 and IFRS 9 standards as of the beginning of 2018. In 2016, Outokumpu implemented the changes required in the ESMA (European Securities and Markets Authority) guidelines on Alternative Performance Measures. In 2018, Outokumpu will prepare for the implementation of the new IFRS 16 standard as of the beginning of 2019 and continue to follow other changes in IFRS standards closely. No major impact on the financial reporting due to the implementation of new standards is expected in 2018.
Financial statements by the parent company and stand-alone Finnish subsidiaries are prepared in accordance with generally accepted accounting principles in Finland, while foreign subsidiaries follow local accounting principles. Outokumpu also complies with the regulations regarding the financial reporting published by the Financial Supervisory Authority (FIN-FSA), Nasdaq Helsinki and ESMA.
Identification and assessment of risks related to financial reporting
Risks related to the Group’s financial reporting are classified as operational risks and can arise as a consequence of inadequate or failed internal processes, employee actions, systems, or other events such as misconduct or crime. The aim of the Outokumpu risk management process is to identify, evaluate, control, and mitigate such risks.
Major risks are reported to and evaluated by the Audit Committee on a regular basis. Outokumpu’s risk management process includes arranging workshops on the identification of key risks, including operational risks, for business areas and Group functions. Deliverables include risk maps, risk identification plans, and a financial assessment of the Group’s ability to bear risk.
In addition to the Board of Directors and Audit Committee, operational management teams in Outokumpu are responsible for ensuring that internal controls relating to financial reporting are in place at all Outokumpu units. The aim of control activities is to discover, prevent, and correct potential errors and deviations in financial reporting. Control activities also aim to ensure that authorization structures are designed and implemented in such a way that conflicting divisions of work do not exist (i.e. one person performing an activity and also being responsible for controlling that activity). Control activities consist of different kinds of measures and include reviews of financial reports by Group management and in business area management teams, the reconciliation of accounts, analyses of the logic behind reported figures, forecasts compared to actual reported figures, and analyses of the Group’s financial reporting processes, among others. A key component is the monitoring of monthly performance against financial and operational targets.
These control activities take place at different levels of the organization. The most important accounting items in Outokumpu are the valuation and reporting of inventories and other items of working capital. Moreover, in difficult market situations, asset impairment calculations and related sensitivity analyses are equally important. These items are carefully monitored and controlled, both within business areas and at the Group level, on a regular basis.
Information technology and solutions play an important role in guaranteeing that the Group’s internal controls have a solid foundation. The Group’s consolidation system was renewed in 2015 to ensure timely and uniform financial and management reporting from the Group entities and an effective closing process within the whole Group. Outokumpu is also running a business transformation program to develop and improve business capabilities and to renew major parts of its fragmented system environment. This will be achieved mainly by harmonizing and improving the Group’s core business processes and implementing supporting IT systems (e.g. ERP) that will be common to the whole Group. Outokumpu is also in the transition phase to centralize accounting and financial reporting to its global business service centers. As part of this development, internal controls based on systems and processes are being further developed and improvements to the control environment are in the process of being implemented. First rollouts of the ERP will take place during 2018.
Information and communication
Group-wide policies and principles are available to all Outokumpu employees. Instructions relating to financial reporting are communicated to all the parties involved. The main communication channels employed are Outokumpu’s intranet and other easily accessible databases. Face-to-face controller meetings are also organized. Senior controller meetings are organized on a quarterly basis or more frequently when this is considered necessary to share information and discuss issues of topical interest to the Group.
Outokumpu has established different networks and communities in which financial reporting and internal control issues and related instructions are discussed and reviewed. These networks usually consist of personnel from the business areas and Group functions. The aim of these networks, communities and common instructions is to ensure that unified financial processes and reporting practices are used throughout the Group. The networks and communities play an important role in establishing the effectiveness of internal controls relating to financial reporting and in developing Outokumpu policies, instructions, and processes.
Both management in all Outokumpu companies and personnel in the accounting and controlling functions are responsible for the follow-up and monitoring of internal controls connected with financial reporting. Through its activities, the Internal Audit function monitors as well as ensures a proper control environment across the Group. Risk management and external auditors are also engaged in follow-up of control activities. The findings of the follow-up procedures are reported to the Audit Committee and the Outokumpu Leadership Team on a regular basis.
Internal Audit is an independent and objective assurance, control, and consulting function designated to add value, to improve operations, and to monitor and support the organization in the achievement of its objectives. Through a systematic, disciplined approach, Internal Audit determines whether governance processes, the internal control system, and the risk management system, as designed and represented by the Board of Directors and the Leadership Team, are effective and efficient.
With a strong commitment to integrity and accountability, Internal Audit provides value to governing bodies and senior management as an objective and direct source of correct, reliable information, and independent advice. Internal Audit also monitors adherence to Group principles, policies, and procedures, and investigates fraudulent and noncompliant behaviors and activities. Internal Audit performs its function on behalf of and directly reports to the Audit Committee and to the Leadership Team, but is functionally assigned to the CEO. The annual internal audit plan is approved by the Audit Committee.
In 2017, Internal Audit performed 18 scheduled operational audits including audits of various entities in Sweden, focused reviews of coil service centers in Eastern Europe and Italy, and audits of the Outokumpu subsidiaries in India and the Far East.
The results of all the audits carried out including their risk appraisals are reported and distributed in writing. In view of the Outokumpu Code of Conduct and the Corporate Responsibility Policy, the previously identified potential risk in the context of sales intermediary agreements is deemed to be resolved and controlled adequately. The key risk areas to be focused on in 2018 are the newly established Ferrochrome business area, the procedural control environment at interfaces with global business services in Europe and in the Americas, and the procurement of raw materials and IT soft-/hardware.
The confidential whistleblowing hotline (“Helpline”) available on the company intranet and via the Internet is set up to anonymously inform Internal Audit and the Audit Committee of suspicions of financial misconduct or unethical behavior. Two cases were reported via the Helpline in 2017.
Seven unscheduled investigations of potential misconduct were recognized through other channels. Internal Audit observed cases of unfair behavior, forged company documents and incurred or alleged theft, among them stealing material out of a closed-down melt shop; however, none of these cases were financially material. Various noted attempts of misconduct via faked emails resulted in no harm to the company.