Internal control system and risk management

According to the Finnish Limited Liability Companies Act
and the Finnish Corporate Governance Code, the Board of
Directors is responsible for ensuring that the company’s
internal controls are appropriately organized.
Page last updated: 07.03.2025

As a listed company, the Group has to comply with a variety of regulations. Furthermore, it is important to ensure that key operational and reporting targets are met. Outokumpu has developed a system of internal controls and implements it throughout the company. The main purpose of the internal control system is to provide management and the Board of Directors with reasonable assurance regarding the achievement of objectives relating to the Group’s operations, reporting and compliance.

Outokumpu applies the COSO Internal Control – Integrated Framework (2013) as the main guidance for the internal control system. Outokumpu’s internal control system is based on the Internal Control Policy and related instructions, common ways of working with clearly defined roles and responsibilities, and processes run on a digital platform. The risk management policy approved by the company’s Board of Directors defines the objectives, approaches and areas of responsibility in the Group’s risk management activities. The risk management process consists of the following five core stages: 1) risk identification, 2) risk evaluation, 3) mitigation actions, 4) control activities, and 5) risk reporting. Read more about risks and opportunities in our Annual report.

The process for control activities is further described in the chapter below.

Internal controls over financial reporting

Internal control system 2024

This section provides a description of how the internal controls over financial reporting are organized at Outokumpu. Outokumpu’s objective is to ensure that common financial processes and reporting practices are followed throughout the Group and that effective internal controls relating to financial reporting are established. Outokumpu’s Internal Control Policy defines the main roles, responsibilities, principles, and objectives for the Group’s internal control system. The Board of Directors is ultimately responsible for overseeing the system of internal controls, and the CEO, supported by other members of executive management, is responsible for implementing and maintaining an efficient system of internal controls. The Group’s internal control function supports and develops the internal control management processes and is responsible for control testing and monitoring of the system of internal controls. The components of the system are the control environment, risk assessment, control activities, information and communication, and monitoring activities.

Outokumpu’s consolidated financial statements have been prepared in accordance with IFRS Accounting Standards as adopted by the European Union. The Outokumpu Accounting Principles are Outokumpu’s application guidance on IFRS. Outokumpu also complies with the regulations regarding financial reporting published by the Financial Supervisory Authority (FIN-FSA), Nasdaq Helsinki, and the European Securities and Markets Authority (ESMA). The objective of internal controls over financial reporting at Outokumpu is to provide reasonable assurance that the financial reporting and the preparation of financial statements are in accordance with applicable laws, regulations, and internal requirements.

Control environment

The foundation of Outokumpu’s control environment consists of the policies, standards, processes, and structures that provide the basis for the internal control system across the organization and define the ways in which Outokumpu operates. Performance management as well as the risk and internal control process are key management activities in enabling an efficient control environment. Throughout the Group’s operations, planning activities and the setting of compliance, reporting and operational targets, including financial targets, are executed in accordance with Outokumpu’s overall business targets. Management monitors the related achievements. Risks or threats are handled through regular reporting and status review meetings.

Key policies relevant to internal controls
  • Acceptable Use of IT Policy outlines the constraints and practices that a user must agree to in order to access Outokumpu’s network, the internet, and other resources.
  • Approval Policy defines the relevant authorization levels and thresholds within the Outokumpu Group. It applies to the internal approval of contracts and other commitments made by the business areas and Group Functions of the Outokumpu Group.
  • Code of Conduct sets out the ethical standards and provides guidelines for a common way of working.
  • Identity and Access Management Instructions enable the right individuals to access the right resources at the right times for the right reasons.
  • Internal Audit Charter describes the main principles and rules followed by the Outokumpu Group in relation to internal audit’s assignment and underlying values.
  • Internal Control Policy defines the main roles, responsibilities, principles, and objectives for Outokumpu’s internal control system.
  • Outokumpu Accounting Principles (OAP) set out the accounting principles and disclosure requirements that must be followed by all legal entities and reporting units when reporting their financial information to the Group.
  • Risk Management Policy describes the risk management principles and guidelines in the Outokumpu Group and scope, roles and responsibilities for risk management activities.
  • Treasury Policy defines objectives and main principles for treasury as well as the distribution of related tasks and responsibilities within the Outokumpu Group.

Risk assessment

Risk assessment is a dynamic and iterative process for identifying and evaluating risks to the achievement of predefined objectives, and it provides the foundation for determining how those risks will be managed. The risks related to financial reporting are managed according to Outokumpu’s risk management policy. They are identified and evaluated in risk workshops or similar exercises that address the risks in the most relevant parts of the financial reporting process.

Control activities

The objective of control activities is to prevent, detect, and correct potential errors and deviations. Control activities also include the management of segregation of duties (SoD) risk in the main ERP environments. Control activities are performed at all levels of the organization, at various stages within business processes, and within the key technologies, e.g. ERP systems. Control activities for financial reporting consist of various measures, including reviews of financial reports by management teams, the reconciliation of accounts, analyses of the logic behind reported figures, comparison of forecasts with reported figures, and analyses of the Group’s financial reporting processes, among others. A key component is the monitoring of monthly performance against financial and operational targets.

Information and communication

Group-wide policies and principles are available to all Outokumpu employees. Instructions relating to financial reporting are communicated to all involved parties. The main communication channels are regular controller meetings, Outokumpu’s intranet, and digital platforms and databases. Outokumpu’s executive management regularly receives information on internal controls. Furthermore, Finance Leadership Team meetings are organized regularly to discuss and address finance-related topics, for example those relating to financial reporting.

Monitoring activities

The organization evaluates and communicates internal control deficiencies in a timely manner to the parties responsible for taking corrective action, including executive and senior management and the Board of Directors, as appropriate. Management in both Outokumpu’s group companies and the finance function is responsible for the follow-up and monitoring of internal controls connected with financial reporting. Overall, the development and monitoring of the internal control process and platform, as well as control testing, are performed by the Group’s internal control function. The internal audit function monitors that an appropriate control environment exists across the Group. Risk management, the compliance function, and Outokumpu’s external auditors are also engaged in the review of control activities. The findings of the assurance procedures as well as the maturity of the system of internal controls are reported to the Audit Committee and executive management on a regular basis.

Control activities highlights
  • During 2024, the coverage of internal controls improved further, especially in the areas of cyber, IT general controls and transactional finance. In addition, development of the inventory management process continued, and implementation of the related controls on the digital platform has been ongoing.
  • The Group’s internal control function continued to strengthen its control testing procedures in order to reach reasonable coverage of control testing. Coverage is currently at about forty percent of all key controls. The results of the testing are brought to the attention of the control owners for further consideration.
  • Improvements in segregation of duties (SoD) management also continued in 2024, with enhanced SoD reporting and risk mitigation leading to risk reduction, especially in the SAP S/4HANA environment.
  • In addition, preparations for the next rollout of SAP S/4HANA together with other related IT systems continued.

Internal audit

The mission of internal audit is to provide an independent and objective assurance, control, and consulting function designed to add value, improve operations, and monitor and support the organization in the achievement of its objectives.

Through a systematic, disciplined approach, internal audit determines whether governance and compliance processes, the internal control system, and the risk and control management process, as designed and represented by the Board of Directors and the Outokumpu Leadership Team, are effective and efficient.

Internal audit, in its third-line-of-defense role in risk management, performs audits according to the audit plan approved by the Audit Committee. Together with the Group’s ethics and compliance function, internal audit monitors adherence to Group principles, policies, and instructions, and leads investigations into fraudulent and non-compliant behavior and activities.

Key activities in 2024

  • Internal audit performed seven audits under the 2024 audit plan. The results of the audits, as well as progress on the resulting actions, are reported to the relevant management, the Audit Committee, and the external auditor.
  • A total of 35 misconduct reports were recorded (2023: 48), many of which led to recommendations for management actions.

Planned key activities for 2025

  • During the year, seven to nine site and thematic audits are expected.

Ethics and compliance

Outokumpu is strongly committed to the highest ethical standards and complies with the applicable laws and regulations of the countries in which it operates as well as with the agreements and commitments it has made. Outokumpu’s Code of Conduct sets out these ethical standards and provides guidelines for common ways of working with the aim of ensuring that all Outokumpu employees live up to Outokumpu’s ethical standards. Outokumpu also expects that its business partners follow similar ethical standards as Outokumpu.

Outokumpu’s legal and compliance function is responsible for managing and continuously developing Outokumpu’s group-wide ethics and compliance program. Outokumpu’s ethics and compliance program is described in more detail in the Sustainability Statement in the Review by the Board of Directors. The Legal and Compliance function reports to the CEO as well as directly to the Audit Committee on ethics and compliance related matters.

Ethics and compliance related matters are also regularly handled in an internal Ethics and Compliance Steering Group which consists of the Head of Controls and Internal Audit, Head of Ethics and Compliance and selected members of the Outokumpu Leadership Team. The Ethics and Compliance Steering Group had four meetings in 2024. In addition, a global network of ethics and compliance contact persons and several data protection governance bodies support the implementation of the ethics and compliance program in the business areas, business lines and group functions.