Internal Control, Risk Management and Internal Audit
The objectives of the internal control and risk management are to ensure that:
- the board and management receive sufficient and reliable information about company's financial position, risks impacting on the future performance and the implementation of strategy.
- the Company's external reports are reasonable correct, comprehensive and timely
- laws and regulations are followed.
According to Finnish Companies Act and the recommendation 48 of the Finnish Corporate Governance Code the Board is responsible for a proper arrangement of the internal control. The actual internal control is embedded into the responsibilities of each member of the organization. The operational principles of the internal control are:
Instructions related to the internal control are gathered into two company confidential documents, the former intended for all and the latter for finance staff. The first document, Policies, defines the Company's operating policies:
- control is a duty of all employees
- all significant transactions and meetings including decisions made are documented
- IT and other support systems are used efficiently and appropriately
- security is arranged properly.
The second document, Finance Manual, includes:
- representation and approval rights
- HR policies and approval of employee benefits
- pricing, payment term and credit policies
- approval procedures for expenses
- instructions for preparation and handling of agreements
- instructions for IT usage and IT security
- principles of risk management and insurance coverage.
- accounting instructions
- principles and instructions for management reporting and external reporting
- definition of internal controls in bookkeeping and reporting processes including responsibilities.
Risk management has been included in the Group's business strategy and operational goal setting. The Board reviews both annual and longer-term plans. Identifying risks and hedging against them are part of the Group's management system. The target is to eliminate or minimize all significant risks cost efficiently and without limiting the flexibility of the organization. In case elimination or minimization is not practically possible, other means are used to prepare for the realization of the risk.
Risks are categorized into strategic, operative and financial risks. The Company reports the most significant, mainly financial risks in its internet pages as well in interim and annual reports prepared by the Board.
The Company does not have a separate internal auditing organization. Internal auditing is partially outsourced to an audit firm. The main auditing themes are decided in connection with the annual auditing plan.