Internal control system and risk management

According to the Finnish Limited Liability Companies Act and the Finnish Corporate Governance Code, the Board of Directors is responsible for ensuring that the company’s internal controls are appropriately organized

Page last updated: 06.03.2024

As a listed company, the Group has to comply with a variety of regulations. Furthermore, it is important to ensure that key operational and reporting targets are met. Outokumpu has developed a system of internal controls and implements it throughout the company. The main purpose of the internal control system is to provide management and the Board of Directors with reasonable assurance regarding the achievement of objectives relating to the Group’s operations, reporting and compliance.

Outokumpu applies the COSO Internal Control – Integrated Framework (2013) as the main guidance for its internal control system. Outokumpu’s internal control system is based on the Internal Control Policy and related instructions, common ways of working with clearly defined roles and responsibilities, and processes run on a digital platform. The risk management policy approved by the company’s Board of Directors defines the objectives, approaches, and areas of responsibility in the Group’s risk management activities. The risk management process consists of the following five core stages: 1) risk identification, 2) risk evaluation, 3) mitigation actions, 4) control activities, and 5) risk reporting. Read more about risks and opportunities in our Annual report.

Internal controls over financial reporting

This section describes how the internal controls over financial reporting are organized at Outokumpu. Outokumpu’s objective is to ensure that common financial processes and reporting practices are followed throughout the Group and that effective internal controls relating to financial reporting are established. Outokumpu’s Internal Control Policy defines the main roles, responsibilities, principles, and objectives for the Group’s internal control system. The Board of Directors is ultimately responsible for overseeing the system of internal controls, and the CEO, supported by other members of executive management, is responsible for implementing and maintaining an efficient system of internal controls. The Group’s internal control function supports and develops efficient internal control management processes and is responsible for control testing. The components of the system are the control environment, risk assessment, control activities, information and communication, and monitoring activities.

Outokumpu’s consolidated financial statements have been prepared in accordance with IFRS Accounting Standards as adopted by the European Union. The Outokumpu Accounting Principles are Outokumpu’s application guidance on IFRS. Outokumpu also complies with the regulations regarding financial reporting published by the Financial Supervisory Authority (FIN-FSA), Nasdaq Helsinki, and the European Securities and Markets Authority (ESMA). The objective of internal controls over financial reporting at Outokumpu is to provide reasonable assurance that the financial reporting and the preparation of financial statements are in accordance with applicable laws, regulations, and internal requirements.

Control environment

The foundation of Outokumpu’s control environment consists of policies, standards, processes, and structures that provide the basis for the internal control system across the organization and define the ways in which Outokumpu operates. The performance management as well as the risk management and internal control process are key management activities in enabling an efficient control environment. Throughout the Group’s operations, the planning activities and the setting of compliance, operational and financial targets are executed in accordance with Outokumpu’s overall business targets. Management monitors related achievements. Risks or threats are handled through regular reporting and status review meetings.

Key policies relevant to internal controls
  • Approval Policy: Defines the relevant authorization levels and thresholds within the Outokumpu Group. Applies to the internal approval of contracts and other commitments made by the business areas and Group Functions of the Outokumpu Group.
  • Risk Management Policy: Describes the risk management principles and guidelines in the Outokumpu Group and scope, roles and responsibilities for risk management activities.
  • Code of Conduct: Sets out the ethical standards and provides guidelines for a common way of working.
  • Internal Audit Charter: Describes the main principles and rules followed by the Outokumpu Group in relation to internal audit’s assignment and underlying values.
  • Internal Control Policy: Defines main roles, responsibilities, principles, and objectives for Outokumpu’s internal control system.
  • Treasury Policy: Defines objectives and main principles for treasury as well as the distribution of related tasks and responsibilities within the Outokumpu Group.
  • Acceptable Use of IT Policy: Outlines the constraints and practices that a user must agree to in order to be granted access to Outokumpu’s network, the internet, and other resources.
  • Identity and Access Management Policy: Enables the right individuals to access the right resources at the right times for the right reasons.
  • Corporate Responsibility Policy and Ethics Statement: Aims to guarantee that companies work ethically, considering human rights as well as the social, economic and environmental impacts.
  • Outokumpu Accounting Principles (OAP): Sets out the accounting principles and disclosure requirements that must be followed by all legal companies and reporting units in reporting their financial information to the Group.

Risk assessment

Risk assessment is a dynamic and iterative process for identifying and evaluating risks to the achievement of predefined objectives, and it provides the foundation for determining how those risks will be managed. The risks related to financial reporting are managed according to Outokumpu’s risk management policy. They are identified and evaluated in risk workshops or similar sessions, which address the risks in the most relevant parts of the financial reporting process.

Control activities

The objective of control activities is to prevent, detect, and correct potential errors and deviations. Control activities also aim to ensure that authorization structures are designed and implemented in such a way that incompatible tasks (e.g. one person performing an activity and also being responsible for controlling that activity) are segregated. Control activities are performed at all levels of the organization, at various stages within business processes, and within the key technologies, e.g. ERP systems. Control activities for financial reporting consist of various measures, including reviews of financial reports by management teams, the reconciliation of accounts, analyses of the logic behind reported figures, comparisons of forecasts with reported figures, and analyses of the Group’s financial reporting processes, among others. A key component is the monitoring of monthly performance against financial and operational targets.

Control activities highlights
  • During 2023, the maturity of the digital platform for risk and control management was improved by developing reporting capabilities that support monitoring and decision-making by management.
  • The coverage of internal controls was improved by adding new areas, such as the financial reporting process controls of business area Americas, to the digital control platform. A separate review of the inventory management process was conducted, and the implementation of additional internal controls in that process has been initiated.
  • The Group’s internal control function started control testing, a measure by which control design and effectiveness are assessed. The results of the testing are presented to the control owners for further consideration.
  • Strengthening of segregation of duties (SoD) management continued in 2023 with the implementation of GRC functionality in the SAP S/4HANA environment. Furthermore, the development of SoD governance and processes continued, with the target of starting SoD reporting and risk mitigation in 2024.
  • Outokumpu implemented a new financial planning, reporting and consolidation tool. Financial reporting related controls were reviewed and fine-tuned to reflect the new reporting process.
  • Preparations for the next rollout of the SAP S/4HANA together with other related IT systems continued.

Information and communication

Group-wide policies and principles are available to all Outokumpu employees. Instructions relating to financial reporting are communicated to all involved parties. The main communication channels are regular controller meetings, Outokumpu’s intranet, and digital platforms and databases. Outokumpu’s Group Functions Board discusses and reviews, among other topics, internal control issues. Furthermore, Finance Leadership Team meetings are organized regularly to discuss and address issues relating to, for example, the financial reporting process.

Monitoring activities

The organization evaluates internal control deficiencies and communicates them in a timely manner to the parties responsible for taking corrective action, including executive and senior management and, as appropriate, the Board of Directors. Management in Outokumpu’s group companies and in the finance function are both responsible for the follow-up and monitoring of internal controls connected with financial reporting. The overall development and monitoring of the internal control process and platform, as well as control testing, are performed by the Group’s internal control function. The internal audit function monitors that an appropriate control environment exists across the Group. Risk management, the compliance function, and Outokumpu’s auditors are also engaged in the review of control activities. The findings of the assurance procedures, as well as the maturity of the system of internal controls, are reported to the Audit Committee and the Group Functions Board on a regular basis.

Internal audit

The mission of internal audit is to provide an independent and objective assurance, control, and consulting function designed to add value, improve operations, and monitor and support the organization in the achievement of its objectives.

Through a systematic, disciplined approach, Internal Audit determines whether governance and compliance processes, the internal control system, and the risk and control management process, as designed and represented by the Board of Directors and the Outokumpu Leadership Team, are effective and efficient.

Group Internal Audit, in its third-line role in risk management, performs audits according to the audit plan approved by the Audit Committee. Internal audit monitors, together with the Group’s ethics and compliance function, adherence to Group principles, policies, and instructions, and leads investigations into fraudulent and non-compliant behaviors and activities.

Key activities in 2023

  • Internal audit performed nine audits, including one special audit. The results of the audits, as well as progress on the related actions, are reported to the relevant management, the Audit Committee, and the external auditor.
  • A total of 48 misconduct reports were recorded (2022: 45), with most of the reports leading to recommendations for management actions.

Planned key activities for 2024

  • During the year, 7 to 9 site and thematic audits are expected.

Ethics and compliance

Outokumpu is strongly committed to the highest ethical standards and complies with the applicable laws and regulations of the countries in which it operates as well as with the agreements and commitments it has made. Outokumpu’s Code of Conduct sets out these ethical standards and provides guidelines for common ways of working with the aim of ensuring that all Outokumpu employees live up to Outokumpu’s ethical standards.

Outokumpu’s legal and compliance function is responsible for managing and continuously developing Outokumpu’s group-wide ethics and compliance program. Outokumpu’s ethics and compliance program is described in more detail in the Sustainability review. The Legal and Compliance function reports to the CEO and to the Outokumpu Leadership Team as well as directly to the Audit Committee on ethics and compliance related matters.

Ethics and compliance related matters are also regularly handled in the Compliance Steering Group, which consists of the Group Functions Board, the Head of Internal Controls and Internal Audit, the General Counsel, and the Head of Compliance. The Compliance Steering Group met four times in 2023. In addition, a global network of compliance contact persons and several data protection governance bodies support the implementation of the ethics and compliance program in the business areas, business lines, and group functions.