Internal Control and Internal Audit
The objectives of the internal control and risk management are to ensure that:
- the Board and management receive sufficient and reliable information about the company’s financial position, risks impacting on the future performance and the implementation of strategy
- the company’s external reports are essentially correct, comprehensive and timely
- laws and regulations are followed.
According to the Finnish Companies Act and Recommendation of the Finnish Corporate Governance Code, the Board is responsible for the proper arrangement of the internal control. The actual internal control is embedded into the responsibilities of each member of the organization. The operational principles of the internal control are:
- control is a duty of all employees
- all significant transactions and meetings including the decisions made are documented
- IT and other support systems are used efficiently and appropriately
- security is arranged properly.
Instructions related to the internal control are gathered into two company confidential documents, the former intended for all and the latter for finance staff. The first document, Policies, defines the company’s operating policies:
- representation and approval rights
- HR policies and approval of employee benefits
- pricing, payment term and credit policies
- approval procedures for expenses
- instructions for preparation and handling of agreements
- instructions for IT usage and IT security
- principles of risk management and insurance coverage.
The second document, Finance Manual, includes:
- accounting instructions
- principles and instructions for management reporting and external reporting
- definition of internal controls in bookkeeping and reporting processes including responsibilities.
Due to its size, the company does not have a separate internal auditing organization or employees assigned full-time to this task. Internal auditing is partially outsourced to an audit firm. The main auditing themes are decided in connection with the annual auditing plan.
Risk management is included in the Group’s business strategy and operational goal setting. The Board reviews both annual and longer-term plans. Identifying risks and hedging against them are part of the Group’s management system. The target is to eliminate or minimize all significant risks cost efficiently and without limiting the flexibility of the organization. In case elimination or minimization is not practically possible, other means are used to prepare for the realization of the risk.
Risks are categorized into strategic, operative and financial risks. The company reports the most significant, mainly financial risks on its Internet pages as well as in the interim and annual reports prepared by the Board.