Internal control
Control environment
Control is embedded in Suominen's organisation and it is carried out through check-ups on the various business processes and comprehensive reporting, which help to monitor and manage the business.
There is no separate control or internal audit organisation. Suominen's control environment is based on given instructions, the corporate culture and mode of operating adhered to by managers and employees alike. Suominen has established its values, or Guiding Principles, which enforce an active and ethical way of working with various stakeholders and within the Group. By cascading the working principles within the organisation, honesty, transparency and teamwork are emphasised as playing an integral role in establishing a high standard of moral conduct throughout the company.
The foundation of the internal control process relating to financial reporting is built up around the Group's policies approved by the Board of Directors and other directives and instructions. The Group's responsibility structure is based on the authority inherent in the positions and work descriptions, the segregation of duties and the four-eyes and one-over principles. Effective internal control requires that duties are properly segregated to different employees and that potential conflicts of interests are identified and eliminated. A satisfactory control environment is ensured through internal analyses and evaluations of key processes and reviews conducted by external auditors.
Group Finance supports the business units in analysing their performance and in decision-making concerning various business choices. Business Controllers at unit level have the task of ensuring that the control procedures are in place in the various units. IT's role is to ensure that the security procedures are maintained throughout the Group companies.
Risk assessment
Risk management is considered an integral part of running the business, and identification and assessment of risk is an essential element of internal control. The aim is to give attention to the material risks that are significant from the business perspective. Risk is divided into business risks caused by changes in the business environment and operational risks, which may be a result of shortcomings in the way that the organisation manages its processes.
Business risks are evaluated and, to the extent possible, quantified in conjunction with the acceptance of plans and budgets for the forthcoming year. In 2010, risk assessment focused on customer risks, changes in sales prices, fluctuations in raw material prices, the availability of financing and the implementation of the operational enhancement programme. Business risks are also discussed annually in the Report by the Board of Directors in Suominen's Annual Report.
Operational risks are considered to have a potential material value in transactions with external parties. However, Group instructions, process check-ups, segregation of tasks and standards set up by total quality operating systems help to establish a prudent environment, in which exposure to material risks can be mitigated.
Risks relating to financial reporting are evaluated and monitored by the Board to make sure that the financial reporting of the corporation is reliable, supports decision making and serves the needs of external stakeholders. Valuation of assets and liabilities according to various evaluation assumptions and criteria may constitute a risk.
There are estimates and assumptions that involve a significant risk of causing material changes in the carrying amounts of assets and liabilities, and these estimates and assumptions are continually evaluated and benchmarked against other similar entities. On the basis of the risk assessment process described above, a decision was made to write down the goodwill of the Nonwovens cash-generating unit in the 2010 financial statements. Complex and/or changing business circumstances may present a challenge when assessing the carrying amounts of assets. To avoid errors in stating the fair values of assets or liabilities, regular check-ups are made, e.g. by comparing material flows, values, and quantity and quality data with the information given in the accounts. The risk of errors caused by irregularities and discontinuities in information is reduced by using established and automated system-based audit trails.
Control activities
The control activities include both general and detailed controls, which aim at preventing, disclosing and correcting errors and deviations. In addition to following Group level instructions, control activities are also conducted at unit and plant levels.
Several control activities are applied in the ongoing business processes to ensure that potential errors or deviations in the financial reporting are prevented, discovered and corrected. Suominen divides control activities into the following three categories. Documented instructions help the organisation to standardise the monitoring of tasks. Continuous and regular reporting conveying feedback on the performance of Group functions and entities ensures that instructions and defined processes are observed. In processes considered critical, specific authorisations are needed in the work-flow, either for security or for verification purposes.
In the context of Suominen's share issue in spring 2010, a fairly extensive legal due diligence assessment and a business audit covering the various units were conducted by lawyers with a view to verifying the facts and information included in the prospectus.
Control activities range from a review of realised outcome results in management group meetings to specific reconciliation of accounts and analyses of the ongoing processes for financial reporting. Whether separate evaluations are needed, as well as their scope and frequency, will depend primarily on an assessment of risks and on the effectiveness of ongoing monitoring procedures. It is the role of Business Controllers to ensure that control activities in the financial processes are appropriate and in accordance with the Group's policies and instructions. Information technology security and related control activities are a vital part of IT system features.
Information and communication
The Group Accounting Manual, policies approved by the Board and other directives and instructions relating to financial reporting are updated and communicated by management to all affected employees on a regular basis, and they are also available on the intranets of Group companies.
In addition, a standard reporting package is used by the units. The Group management and the business unit management conduct monthly reviews including analysis of performance metrics and indicators, which assist the management to better understand the underlying business performance.
Follow-up
Ongoing responsibility for follow-up rests with the business unit's management groups and controller functions. In addition, separate internal control reviews on key financial processes are conducted by external auditors on a rolling basis.
In 2010, the control reviews carried out by auditors included definitions and reviews relating to the content of IFRS, reporting on material flows, and reviews of the prospectus, the values of stocks and other assets, the payroll system and financial risks.
Regular inspections by quality auditors or client audit personnel also cover the internal controls of delivery chain processes.
The Group's Finance function carries out a self-assessment of the implementation of control in the Group's units, which provides the basis for a yearly report on the general level of control submitted to the Board of Directors. The Finance function also carries out case-by-case controls of unit functions or processes. Within this framework, definitions and reviews of the units' stock and working capital management processes were started in autumn 2010. In addition, a validation of business control processes was conducted in one unit by an external expert. The Finance function also monitors the correctness of external and internal financial reporting.