The general governance principles and Outotec’s self-regulatory framework provide the basis for Outotec’s operations. In order to ensure the proper functioning of the governance model Outotec Oyj’s Board of Directors has defined the principles for Outotec’s internal control and risk management.
Internal audit is a fundamental part of Outotec’s corporate governance and management systems. Internal audit assists the Board of Directors in supervising the company. The role of internal audit activity is to monitor that the company’s operations are efficiently managed and risk management and internal controls are at sufficient level. Internal audit also verifies that the defined principles, policies and instructions are followed and internal audit assist in the investigation of suspected fraudulent activities within the organization.
Internal audit is designed to add value and improve Outotec’s operations by acting as an independent, objective assurance and audit function. Internal audit helps Outotec to support a good organizational governance, give an independent perspective for management in considering and reviewing company operations, share best practices and accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
The company’s Corporate Risk Management and Internal Audit function reports administratively to the Chief Financial Officer but in matters related to the internal audit directly to the Board’s Audit and Risk Committee and the CEO. The Audit and Risk Committee approves the annual internal audit plans. Audit findings, recommendations and management corrective actions are reported regularly to the Executive Board and the Audit and Risk Committee.
Risk management is an integral part of Outotec’s management system and internal control framework. It aims at assessing risks in a systematic way in order to facilitate planning and decision-making process. Risk management covers all parts of the organization and captures risks from strategic to operational risks. Risk management supports the management and the Board of Directors to ensure that the company can execute its strategy effectively.
Outotec operates in accordance with its Enterprise Risk Management Policy, which acts as an umbrella for all risk management activities within Outotec. Outotec’s project risk management process, financial risk management activities, QEHS systems and internal audit form an integral part of the enterprise risk management. Outotec’s risk management includes Group level and project-specific risk management processes.
Outotec’s Board of Directors revised Outotec´s Enterprise Risk Management Policy on January 22, 2015 and oversees this policy and the related processes. The policy defines the objectives, principles, operating procedures, organization and responsibilities of risk management as well as the reporting and follow-up procedures. Board’s Audit and Risk Committee is responsible for reviewing the risk assessments and reports to the Board. The Audit and Risk Committee also oversees how the management monitors compliance with the Group’s risk management policies and procedures and reviews the adequacy of the risk management framework in relation to the risks faced by Outotec.
The CEO and the Executive Board are responsible for defining and implementing risk management processes and for ensuring that risks are taken into account in the company strategy planning and operative business. Business Units and Corporate Functions are responsible for achieving their strategic targets and for mitigating and managing all risks related to their operations with support from risk management, contract management and internal audit function. Risk management and operational control is managed by the Corporate Finance & Control function headed by the Chief Financial Officer. Functionally risk management has direct access to the Executive Board, the CEO, the Audit and Risk Committee and the Board of Directors.
Strategic, operational and financial risks are assessed regularly, and key risks and related risk management measures are reported regularly to the CEO, the Executive Board and the Audit and Risk Committee. Project related risks are identified and assessed in an end-to-end process from early sales phase until the end of project delivery with the objective to manage risks and opportunities in an integrated and transparent manner. The project risk tool covers also environmental and social sustainability risks, as well as risks relating to regulatory changes in these areas. Sales proposals/projects undergo a comprehensive risk assessment covering identified risk areas and, on the basis of the analysis, appropriate follow-up actions are specified. The goal is to identify proposals that can be expected to strengthen Outotec’s sales, operating profits, cash flow, basis for lifecycle service business and competitiveness, as well as the availability of resources and technology.
The main risks related to Outotec are strategic, technological and operational, as well as project and finance risks, which may affect significantly Outotec’s reported financial information. The most significant risks and uncertainties related to Outotec’s business, as well as non-financial risks in accordance with the Finnish Accounting Act, are described in the Board of Director’s report. Financial risks are described in the notes to the Financial Statements. Operational and project risks are described in Outotec’s financial disclosures as well as on Outotec’s website www.outotec.com/company/investors/outotec-as-an-investment/risks-related-to-operations/.
Internal Control Framework
Internal control framework aims to provide management reasonable assurance that the company complies with laws and regulations as well as internal policies and guidelines, that the company operates efficiently and that the financial reporting is reliable and in line with the generally accepted accounting principles, applicable laws and regulations as well as internal reporting principles.
Outotec financial reporting controls
Internal control in the framework of financial reporting aims at providing assurance that the financial reporting is reliable and in line with the generally accepted accounting principles, applicable laws and regulations as well as internal reporting principles. The financial reporting framework at Outotec is based on Group-wide instructions, financial processes and common reporting platform. This framework is supported by Outotec’s values and high ethical standards as well as frequent training and information exchange through meetings where information about financial processes is shared.
The Board of Directors bears the overall responsibility for the internal control over financial reporting. Financial performance is reviewed by the Board. The Board´s Audit and Risk Committee in addition to other tasks monitors on regular basis also the financial reporting principles and accuracy of financial reporting. The CEO and the Executive Board as well as the management teams in Business Units conduct a monthly review of the historical financial performance and business outlook as well as financial performance of key delivery projects. Controlling function in subsidiaries is responsible for ensuring that the business transactions are reported according to the Group accounting principles. Outotec’s financial shared service center handles centrally most of Outotec’s financial transactions. The shared service center enables improved end-to-end control of the financial processes. The Internal Audit function performs regular checks on the financial reporting and reports directly to the Audit and Risk Committee and the CEO. The corporate wide financial management and control is coordinated by the Corporate Finance & Control function headed by the Chief Financial Officer. The operational responsibility for internal controls lies in Market Areas, Business Units, and Corporate Functions.
The Corporate Finance & Control function maintains general instructions for financial reporting, acts as process owner for financial processes and controls centrally the reporting platforms. The application and interpretation of accounting standards for the Group wide purposes is done by the Corporate Finance & Control and those principles are documented in the Outotec Accounting Policy and reporting manual. Reporting principles are implemented by the network of controllers in Market Areas, Business Units, and Corporate Functions. Outotec’s main enterprise resource planning system (ERP) is SAP, where majority of the financial transactions are recorded. In subsidiaries where SAP has not been implemented a local ERP is in use. The financial information is collected from the ERP systems to a common consolidation system to ensure standardized external and internal financial information. Automatic interfaces between financial transaction platforms and the consolidation systems are applied when reasonable. Internal management reporting is always matched with the external reporting in order to ensure that the internal and external reporting are based on the same information. Changes in the accounting system master data are managed centrally to ensure data integrity. User rights for the financial IT systems and segregation of duties as well as consistent and well documented processes are an important part of the internal control.
Outotec’s monthly financial review process forms a key control mechanism when measuring the effectiveness of operations and the development of the company versus the set financial targets. Monthly reporting includes detailed analysis of deviations between actual results, budget, previous year and latest forecast. In addition to the financial information the reporting covers also other key performance indicators for measuring the operational performance of Outotec, Business Units, Market Areas as well as cost development of Corporae Functions. As project deliveries represent majority of Outotec’s sales, project risk management and project controlling are the key processes for providing information for financial control and reporting.
Financial performance and outlook are reviewed on monthly basis on all organizational levels. Special emphasis is put on the review of project related contractual risks, project provisions and financial performance. Project related financial performance and risks are reviewed also by the Audit and Risk Committee on a quarterly basis. Controllers participate in evaluating the performance as well as in planning activities. Controllers’ responsibility is also to ensure that the reporting follows corporate guidelines and time schedules.
The company has one auditor which shall be an auditing firm authorized by the Finland Chamber of Commerce. The auditor is elected by the AGM to audit the accounts for the ongoing financial year and its duties cease at the closure of the subsequent AGM. The audit firm performs an annual audit of the accounting records for each financial year, the annual accounts and the corporate governance of the company. The audit of the company also includes an examination of the consolidated annual accounts for the company, as well as the relationships between Outotec companies. This calls for cooperation between the auditor of Outotec Oyj and the auditors of the other Outotec companies world-wide. In the scope of the audit, it is taken into account that the company has its own separate internal audit function. On closing of the annual accounts, the external auditor submits the statutory auditor’s report to the company’s shareholders, and it also regularly reports the findings to the Board of Directors’ Audit and Risk Committee. An auditor, in addition to fulfilling general competency requirements, must also comply with legal independence requirements guaranteeing the execution of an independent and reliable audit.
In 2019, the company paid a fee of EUR 0.9 million (2018: EUR 0.8 million) for the auditing services. Additionally, the company paid to the auditor EUR 1.5 million (2018: EUR 0.5 million) for non-auditing related consultation.
In the Annual General Meeting on March 14, 2019, PricewaterhouseCoopers Oy, a firm of authorized Public Accountants was elected as the company’s auditor. The auditor with principal responsibility is APA Pasi Karppinen.