According to the Finnish Limited Liability Companies Act and the Finnish Corporate Governance Code, the Board of Directors is responsible for ensuring that the company’s internal controls are properly organized.
The purpose of this section is to provide shareholders and other parties with a description of how internal control and risk management of financial reporting is organized in Outokumpu. As a listed company, the Group has to comply with a variety of regulations. To ensure that all the stated requirements are met, Outokumpu has introduced principles for financial reporting and internal control and deployed them throughout the company’s organization.
The foundation of Outokumpu's control environment is the business culture established within the Group and its associated methods of operation. The basis for the company's compliance and control routines is provided by Group policies and principles, which define the way in which Outokumpu's organization operates. These policies and principles include, for example, the Group's Corporate Responsibility Policy and Ethical Principles. The Outokumpu Code of Conduct describes the Group's basic values and offers standardized, practical guidelines for managers and employees to follow.
The Outokumpu performance management process is a key management activity and an important factor in enabling an efficient control environment. In all sections of the Group's operations, planning activities and the setting of both operational and financial targets are executed in accordance with Outokumpu's overall business targets. Management follow-up of related achievements is carried out through monthly management reporting routines and in performance review meetings.
Outokumpu operates in accordance with the risk management policy approved by the Group's Board of Directors, and the Audit Committee regularly monitors the Group's risk map. The policy defines the objectives of risk management activities, the approaches to be taken and areas of responsibility. In addition to supporting the Outokumpu strategy, risk management activities help in defining a balanced risk profile from the perspective of shareholders and other stakeholders, such as customers, suppliers, personnel and lenders.
Outokumpu's control process for financial reporting is based on Group policies, principles and instructions relating to financial reporting, as well as on the responsibility and authorization structure within the Group. Policies relating to financial reporting are usually owned and approved by the CEO and the CFO. Financial reporting in Outokumpu is carried out in a harmonized way using a common chart of accounts.
Financial reporting is prepared in accordance with International Financial Reporting Standards (IFRS). The Outokumpu Accounting Principles (OAP) are Outokumpu's application guidance as regards IFRS. The aim of the OAP and other financial reporting policies and instructions included in the Outokumpu Controller's Manual is to ensure that uniform financial processes and reporting practices are used throughout the Group. Policies and instructions for financial reporting are reviewed on a regular basis and revised when necessary.
During the 2018 financial year, Outokumpu implemented the new IFRS 15 and IFRS 9 standards, as well as changes to the IFRS 2 standard, and continued to prepare for IFRS 16 implementation at the beginning of 2019. In 2017, Outokumpu carried out evaluation and preparation work for these IFRS changes. Outokumpu will implement the IFRS 16 standard as of the beginning of 2019 and continue to follow other changes in IFRS standards closely. The impacts of the IFRS 16 implementation will be disclosed during the first quarter of 2019.
Financial statements by the parent company and stand-alone Finnish subsidiaries are prepared in accordance with generally accepted accounting principles in Finland, while foreign subsidiaries follow local accounting principles. Outokumpu also complies with the regulations regarding financial reporting published by the Financial Supervisory Authority (FINFSA), Nasdaq Helsinki and ESMA.
Identification and assessment of risks related to financial reporting
Risks related to the Group’s financial reporting are managed according to Outokumpu’s risk management process and classified as operational risks which can arise as consequences of inadequate or failed internal processes, employee actions, systems, or other events such as misconduct or crime. The risks related to financial reporting are identified and typically assessed in risk workshops, which were recently arranged in connection with Outokumpu’s ongoing project to further improve its governance, risk and compliance processes. All major risks are reported to and evaluated by the Audit Committee on a regular basis.
In addition to the Board of Directors and Audit Committee, operational management teams in Outokumpu are responsible for ensuring that internal controls relating to financial reporting are in place at all Outokumpu units. The aim of control activities is to discover, prevent, and correct potential errors and deviations in financial reporting. Control activities also aim to ensure that authorization structures are designed and implemented in such a way that conflicting divisions of work do not exist (i.e. one person performing an activity and also being responsible for controlling that activity). Control activities consist of different kinds of measures and include reviews of financial reports by Group management and in business area management teams, the reconciliation of accounts, analyses of the logic behind reported figures, forecasts compared to actual reported figures, and analyses of the Group’s financial reporting processes, among others. A key component is the monitoring of monthly performance against financial and operational targets.
These control activities take place at different levels of the organization. The most important accounting items in Outokumpu are the valuation and reporting of inventories and other items of working capital. Moreover, in difficult market situations, asset impairment calculations and related sensitivity analyses are equally important. These items are carefully monitored and controlled, both within business areas and at the Group level, on a regular basis.
Information technology and solutions play an important role in ensuring appropriate structures for the Group’s internal controls. The Group’s consolidation system provides timely and uniform financial and management reporting from the Group entities and an effective closing process within the whole Group. Outokumpu is also running a business transformation program to develop and improve business capabilities and to renew parts of its fragmented system environment. This will be achieved mainly by harmonizing and improving the Group’s core business processes and implementing supporting IT systems (e.g. ERP). Outokumpu has also recently centralized the majority of its accounting and financial reporting in its global business service centers. As part of this development, internal controls based on systems and processes are being further developed and improvements to the control environment are in the process of being implemented. The quality and consistency of the controls around the financial closing process are addressed separately in a project started in 2018. First rollouts of the new ERP will take place during 2019.
Information and communication
Group-wide policies and principles are available to all Outokumpu employees. Instructions relating to financial reporting are communicated to all the parties involved. The main communication channels employed are Outokumpu’s intranet and other easily accessible databases. Face-to-face controller meetings are also organized. Senior controller meetings are organized on a quarterly basis or more frequently when this is considered necessary to share information and discuss issues of topical interest to the Group.
Outokumpu has established different networks and communities in which financial reporting and internal control issues and related instructions are discussed and reviewed. These networks usually consist of personnel from the business areas and Group functions. The aim of these networks, communities and common instructions is to ensure that unified financial processes and reporting practices are used throughout the Group. The networks and communities play an important role in establishing the effectiveness of internal controls relating to financial reporting.
Both management in all Outokumpu companies and personnel in the accounting and controlling functions are responsible for the follow-up and monitoring of internal controls connected with financial reporting. Through its activities, the Internal Audit function monitors as well as ensures a proper control environment across the Group. Risk management and external auditors are also engaged in follow-up of control activities. The findings of the follow-up procedures are reported to the Audit Committee and the Outokumpu Leadership Team on a regular basis.
Internal Audit is an independent and objective assurance, control, and consulting function designated to add value, to improve operations, and to monitor and support the organization in the achievement of its objectives. Through a systematic, disciplined approach, Internal Audit determines whether governance processes, the internal control system, and the risk management system, as designed and represented by the Board of Directors and the Leadership Team, are effective and efficient.
With a strong commitment to integrity and accountability, Internal Audit provides value to governing bodies and senior management as an objective and direct source of correct, reliable information, and independent advice. Internal Audit also monitors adherence to Group principles, policies, and procedures, and investigates fraudulent and noncompliant behaviors and activities. Internal Audit performs its function on behalf of and directly reports to the Audit Committee and to the Leadership Team, but is functionally assigned to the CEO. The annual internal audit plan is approved by the Audit Committee.
In 2018, Internal Audit performed 12 scheduled operational audits including the Outokumpu Global Business Services Europe in Lithuania, the worldwide IT hardware refresh program, the Ferrochrome business area in Finland, and audits of the Outokumpu subsidiaries in China and South America.
The results of all the audits carried out, including their risk appraisals, are reported and distributed in writing. In view of the Outokumpu Code of Conduct and the Corporate Responsibility Policy, a previously identified potential risk in the context of sales is deemed to be resolved and controlled adequately. The 2019 internal audit plan covers, for instance, the following topics: the Outokumpu Global Business Services Americas in Mexico, the procurement of raw materials, the Outokumpu subsidiaries in Singapore and Australia, the controls in procurement and payroll processing in Sweden, the Long Products operations in the United Kingdom and Sweden, and the Coil Service Centers in Germany and France.
The confidential whistleblowing hotline (“Helpline”), available on the company intranet and via the Internet, is set up to anonymously inform Internal Audit and the Audit Committee of suspicions of financial misconduct or unethical behavior. Fourteen unscheduled investigations of potential misconduct were performed in 2018, of which one case was reported via the Helpline and thirteen were recognized through other channels. Internal Audit observed a small number of cases involving inappropriate behavior, but none of these cases was financially material. Various fraud attempts made through faked e-mails received from external sources resulted in no harm to the company.