Internal control system and risk management

Page last updated: 10 Apr 2026

According to the Finnish Limited Liability Companies Act and the Finnish Corporate Governance Code, the Board of Directors is responsible for ensuring that the company’s internal controls are appropriately organized. As a listed company, the Group has to comply with a variety of regulations. Furthermore, it is important to ensure that key operational and reporting targets are met. Outokumpu has developed a system of internal controls and implements it throughout the company. The main purpose of the internal control system is to provide management and the Board of Directors with reasonable assurance regarding the achievement of objectives relating to the Group’s operations, reporting and compliance.

Outokumpu applies the COSO Internal Control – Integrated Framework (2013) as main guidance for the internal control system. Outokumpu’s internal control system is based on the Internal Control Policy and related instructions, common ways of working with clearly defined roles and responsibilities, and processes run on a digital platform. The risk management policy approved by the company’s Board of Directors defines the objectives, approaches and areas of responsibility in the Group’s risk management activities. The risk management process consists of the following five core stages: 1) risk identification, 2) risk evaluation, 3) mitigation actions, 4) control activities, and 5) risk reporting. Our Annual report includes more information about material risks and opportunities.

The process for control activities over financial reporting is further described below.

Internal controls over financial reporting

Internal control system 2024

This section provides a description of how the internal controls over financial reporting are organized at Outokumpu. Outokumpu’s objective is to ensure that common financial processes and reporting practices are followed throughout the Group and that effective internal controls relating to financial reporting are established. Outokumpu’s Internal Control Policy defines the main roles, responsibilities, principles, and objectives for the Group’s internal control system. The Board of Directors is ultimately responsible for overseeing the system of internal controls, and the CEO, supported by other members of executive management, is responsible for implementing and maintaining an efficient system of internal controls. The Group’s internal control function supports and develops internal control management processes and is responsible for control testing and monitoring of the system of internal controls. Components of the system include the control environment, risk assessment, control activities, information and communication, and monitoring activities.

Outokumpu’s consolidated financial statements have been prepared in accordance with IFRS Accounting Standards as adopted by the European Union. The Outokumpu Accounting Principles are Outokumpu’s application guidance on IFRS. Outokumpu also complies with the regulations regarding financial reporting published by the Financial Supervisory Authority (FIN-FSA), Nasdaq Helsinki, and the European Securities and Markets Authority (ESMA). The objective of internal controls over financial reporting at Outokumpu is to provide reasonable assurance that the financial reporting and the preparation of financial statements are in accordance with applicable laws, regulations, and internal requirements.

Control environment


Risk assessment

Risk assessment is a dynamic and iterative process for identifying and evaluating risks to the achievement of predefined objectives, and it provides the foundation for determining how those risks will be managed. The risks related to financial reporting are managed according to Outokumpu’s risk management policy. They are identified and evaluated in risk workshops or similar sessions that address the risks in the most relevant parts of the financial reporting process.

Control activities

The objective of control activities is to prevent, discover, and correct potential errors and deviations. Control activities also include management of segregation of duty risk (SoD) in the main ERP environments. Control activities are performed at all levels of the organization, at various stages within business processes, and within the key technologies, e.g. ERP systems. Control activities for the financial reporting consist of various measures and include reviews of financial reports by management teams, the reconciliation of accounts, analyses of the logic behind reported figures, forecasts compared to reported figures, and analyses of the Group’s financial reporting processes, among others. A key component is the monitoring of monthly performance against financial and operational targets.

Control activities highlights in 2025
  • During 2025, the coverage of internal controls was expanded, with notable progress in compliance and procurement.
  • A Minimum Control Requirements framework was introduced, and work began to assess existing controls against these requirements to drive consistency and quality.
  • The digital risk and control platform was upgraded to a new version, improving usability and stability.
  • Outokumpu implemented the next rollout of SAP S/4HANA and related systems in the autumn, further standardizing processes and improving control maturity.
  • Segregation of duty risk was reduced further and the efforts were supported by strengthened governance, process modelling, enhanced reporting, and the launch of updated instructions.

Information and communication

Group-wide policies and principles are available to all Outokumpu employees. Instructions relating to financial reporting are communicated to all involved parties. The main communication channels employed are regular controller meetings, Outokumpu’s intranet, and digital platforms and databases. Outokumpu’s executive management regularly receives information on internal controls. Furthermore, Finance Leadership Team meetings are organized regularly to discuss and address finance-related topics, such as those relating to financial reporting.

Monitoring activities

The organization evaluates and communicates internal control deficiencies in a timely manner to the parties responsible for taking corrective action, including executive and senior management, and the Board of Directors, as appropriate. Both management in Outokumpu’s group companies and in the finance function are responsible for the follow-up and monitoring of internal controls connected with financial reporting. Overall, development and monitoring of the internal control process and platform, as well as control testing, are performed by the Group's internal control function. The internal audit function monitors that an appropriate control environment exists across the Group. Risk management, the compliance function, and Outokumpu’s external auditors are also engaged in the review of control activities. The findings of the assurance procedures as well as the maturity of the system of internal controls are reported to the Audit Committee and the executive management on a regular basis.

Internal audit

The mission of internal audit is to provide independent and objective assurance, control, and advisory services designed to add value, improve operations, and monitor and support the organization in the achievement of its objectives. Through a systematic and disciplined approach, internal audit evaluates and improves the effectiveness and efficiency of governance, compliance, risk management, and control processes.

Internal audit, with the third line of defense role in risk management, performs audits according to the audit plan approved by the Audit Committee. Internal audit monitors, together with the Group’s ethics and compliance function, adherence to Group principles, policies, and instructions, and supports investigations into fraudulent and non-compliant behaviors and activities.

Key activities in 2025

  • Internal audit performed eight audits relating to the 2025 audit plan, including site and process audits, as well as one special audit.
  • The audits have been selected with a risk-based approach, and continued to cover key entities and locations across the business areas and functions.
  • The results of the audits as well as progress in derived management actions are reported to management, the Audit Committee, and the external auditor.
  • Management actions have been subject to active follow-up and monitoring throughout the year.

Planned key activities for 2026

  • During the year, from seven to nine site and thematic/process audits are expected.

Ethics and compliance

Outokumpu is strongly committed to the highest ethical standards and complies with the applicable laws and regulations of the countries in which it operates as well as with the agreements and commitments it has made. Outokumpu’s legal and compliance function is responsible for managing and continuously developing Outokumpu’s group-wide ethics and compliance program. Outokumpu’s Code of Conduct is the core element of the program and it sets out key ethical standards and provides guidelines for common ways of working with the aim of ensuring that all Outokumpu employees live up to Outokumpu’s ethical standards. Outokumpu also expects that its business partners follow similar ethical standards as Outokumpu.

Outokumpu aims to foster a transparent and open culture and encourages everyone to speak up. This means that Outokumpu encourages all employees, business partners and other stakeholders to raise concerns if they suspect a violation of the Outokumpu Code of Conduct or other misconduct. There are various ways to raise concerns at Outokumpu, including Outokumpu’s SpeakUp channel. A total of 30 alleged misconduct cases were recorded in the SpeakUp channel of Outokumpu Corporation in 2025. Outokumpu’s ethics and compliance program is described in more detail in the Sustainability Statement in the Review by the Board of Directors.

The Legal and Compliance function reports to the CEO as well as directly to the Audit Committee on ethics and compliance-related matters. Ethics and compliance-related matters are also regularly handled in an internal Ethics and Compliance Steering Group, which consists of the Head of Controls and Internal Audit, the Head of Ethics and Compliance, and selected members of the Outokumpu Leadership Team. The Ethics and Compliance Steering Group had four meetings in 2025. In addition, a global network of ethics and compliance contact persons and several data protection governance bodies support the implementation of the ethics and compliance program in the business areas, business lines and group functions.