The general governance principles and Outotec’s self-regulatory framework provide the basis for Outotec’s operations. In order to ensure the proper functioning of the governance model Outotec Oyj’s Board of Directors has defined the principles for Outotec’s internal control.
Internal audit is a fundamental part of Outotec’s corporate governance and management systems. Internal audit assists the Board of Directors in supervising and controlling the company. The role of internal audit activity is to monitor that the company’s operations are efficiently managed and profitable, risk management is at sufficient level and the provided reports for external and internal purposes are accurate. The internal audit system also verifies that the defined principles, policies and instructions are followed and internal audit assist in the investigation of suspected fraudulent activities within the organization.
Internal audit is designed to add value and improve Outotec’s operations by acting as an independent, objective assurance and consulting service. Internal audit helps Outotec to support a good organizational governance, give an independent perspective for management in considering and reviewing company operations, and accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
The company’s Internal Audit function reports administratively to the Chief Financial Officer but in matters related to the internal audit directly to the Board’s Audit and Risk Committee and the CEO. The Audit and Risk Committee approves the annual and long-term internal audit plans. Audit findings, recommendations and management corrective actions are reported regularly to the Audit and Risk Committee.
Risk management is an integral part of Outotec’s management system and internal control framework. It aims at assessing risks in a systematic way in order to facilitate profound planning and decision making process. Risk management covers all parts of the organization and captures risks from strategic to operational risks. Risk management supports the management and the Board of Directors to ensure that the company can execute its strategy effectively.
Outotec operates in accordance with its enterprise risk management policy, which acts as an umbrella for all risk management activities within Outotec.
Outotec’s project risk management process, financial risk management activities, QEHS (Quality, Environment, Health and Safety) systems, and Corporate Responsibility Policy form an integral part of the enterprise risk management. Outotec’s risk management includes Group level and project-specific risk management processes, which all increase the reliability of the financial reporting.
Outotec’s Board of Directors oversees and approves Outotec enterprise risk management policy and the related processes. The policy defines the objectives, principles, operating procedures, organization and responsibilities of risk management as well as the reporting and follow-up procedures. Board’s Audit and Risk Committee is responsible for reviewing the risk assessments and reports to the Board. The Audit and Risk Committee also oversees how the management monitors compliance with the Group’s risk management policies and procedures and reviews the adequacy of the risk management framework in relation to the risks faced by Outotec.
The CEO and the Executive Board are responsible for defining and implementing risk management processes and for ensuring that risks are taken into account in the company strategy planning and operative business. Business areas, regions and global functions are responsible for achieving their strategic targets and for mitigating and managing all their risks with support from risk management, contract management and internal audit function.
Risk management and operational control is managed by the Corporate Finance & Control function headed by the Chief Financial Officer. Functionally risk management has direct access to the Executive Board, the CEO, the Audit and Risk Committee and the Board of Directors.
Risks are assessed regularly and the risks and related risk management measures are reported regularly to the CEO and the Executive Board, the Audit and Risk Committee and the Board of Directors. The main risks related to Outotec are strategic, operational, project and finance risks, which may affect significantly Outotec’s reported financial information. Most significant risks and uncertainties related to Outotec’s business are described in the Board of Director’s report. Financial risks are described in the notes to financial statements. Operational and project risks are assessed according to Outotec Operational Risk Management policy and the related processes.
Financial reporting controls
Internal control in the framework of financial reporting aims at providing assurance that the financial reporting is reliable and in line with the generally accepted accounting principles, applicable laws and regulations as well as internal reporting principles. The financial reporting framework in Outotec is based on Group wide instructions, financial processes and common reporting platform. This framework is supported by Outotec’s values, honesty and high ethical standards as well as frequent training and information exchange through meetings where information about financial processes is shared.
The Board of Directors bears the overall responsibility for the internal control over financial reporting. Financial performance is reviewed by the Board. The Board has appointed an Audit and Risk Committee, which in addition to other tasks monitors on regular basis also the financial reporting principles and accuracy of financial reporting. The CEO and the Executive Board as well as the management teams in Business Areas and Regions conduct a monthly review of the historical financial performance and business outlook. Central part of the review is the financial performance of delivery projects. Controlling functions in subsidiaries are responsible for ensuring that the business transactions are reported according to Group accounting principles. The Internal Audit function performs regular checks on the financial reporting and report directly to the Audit and Risk Committee and the CEO. The corporate wide financial management and control is coordinated by the Corporate Finance & Control function headed by the Chief Financial Officer. The operational responsibility for internal controls lies in subsidiaries, Business Areas, Regions and Global Functions.
The Corporate Finance & Control function maintains common instructions for financial reporting, acts as process owner for financial processes and controls centrally the reporting platforms. The application and interpretation of accounting standards for the Group wide purposes is done by the Corporate Finance & Control and those principles are documented in the Outotec Accounting Policy and reporting manual. Reporting principles are implemented by the network of controllers in business areas, regions and global functions. Outotec’s financial transactions are currently recorded in several different financial transaction systems. As part of global process and IT systems harmonization process started in 2011 several legacy systems have already been replaced with Outotec’s standard enterprise resource planning (ERP) system, namely SAP. Outotec targets to replace most of the remaining legacy systems by the end of year 2015. The financial information is collected from the ERP systems to a common consolidation system to ensure standardized external and internal financial information. Internal management reporting is always matched with the external reporting in order to ensure that the internal and external reporting is based on the same information. Changes in accounting system master data are managed centrally to ensure data integrity. Automatic interfaces between financial transaction platforms and the consolidation systems are applied when reasonable. User rights for the financial IT systems and segregation of duties as well as consistent and well documented processes are an important part of the internal control.
Outotec’s monthly financial review process forms a key control mechanism when measuring the effectiveness of operations and the development of the company versus the set financial targets. Monthly reporting includes detailed analysis of deviations between actual results, budget, previous year and latest forecast. In addition to the financial information the reporting covers also other key performance indicators for measuring the operational performance of Outotec Group, business areas and regions as well as cost development of global functions. As project deliveries represent majority of Outotec’s sales, project risk management and project control are the key processes for providing information for financial control and reporting.
Financial performance and outlook are reviewed on monthly basis on all organizational levels. Special emphasis is put on the review of project related contractual risks, project provisions and financial performance. Project related financial performance and risks are reviewed also by the Audit and Risk Committee on quarterly basis. Controllers participate in evaluating the performance as well as in planning activities. Controllers’ responsibility is also to ensure that the reporting follows corporate guidelines and time schedules.
The company has one auditor which shall be an auditing firm authorized by the Finland Chamber of Commerce. The auditor is elected by the Annual General Meeting to audit the accounts for the ongoing financial year and its duties cease at the closure of the subsequent Annual General Meeting. The audit firm performs an annual audit of the accounting records for each financial year, the annual accounts and the corporate governance of the company. The audit of the company also includes an examination of the consolidated annual accounts for the company, as well as the relationships between Outotec companies. This calls for cooperation between the auditor of Outotec Oyj and the auditors of the other Outotec companies world-wide. In the scope of the audit, it is taken into account that the company has its own separate internal audit function. On closing of the annual accounts, the external auditor submits the statutory auditor’s report to the company’s shareholders, and it also regularly reports the findings to the Board of Directors’ Audit and Risk Committee. An auditor, in addition to fulfilling general competency requirements, must also comply with legal independence requirements guaranteeing the execution of an independent and reliable audit.
In 2015, the company paid a fee of EUR 860,500 (2014: EUR 896,100) for the auditing services. Additionally, the company paid to the auditor EUR 519,900 (2014: EUR 456,400) for non-auditing related consultation.
In the Annual General Meeting on April 11, 2016, Public Accountants PricewaterhouseCoopers Oy was elected as the company’s auditor.