Internal control, internal audit and risk management
Internal control is under the Board of Director's responsibility. Internal control's function is, famong other things, to ensure the efﬁciency and proﬁtability of operations, the reliability of information, and adhering to rules and regulations. Internal control is a part of day-to-day management and company administration.
An essential part of internal control is the Internal Audit, which operates as a separate unit under the CEO and reports its observations to the Board of Directors. The Internal Audit supports the Group's management in directing operations by inspecting and evaluating the efﬁciency of business operations, risk management and internal control, and by producing information and recommendations to enhance efﬁciency. The Internal Audit also inspects the processes of business operations and ﬁnancial reporting. Internal Audit's directive has been approved by Stockmann's Board of Directors. The operations of the Internal Audit are guided by being risk-focused and emphasising the development of business operations.
The goal of risk management is to secure the Group's earnings development and to ensure that the company operates without any disturbances by controlling risks in a cost efficient and systematic manner in all divisions.The Board of Directors has approved the company's risk management principles, which concern all of the Stockmann Group's divisions and areas of business.
Stockmann's Board of Directors and the Group Management Team regularly evaluate risk factors to which business operations are exposed and the sufficiency of risk management actions as a part of the strategy process. Risk management is supported by internal control systems and guidelines. Risk management guidelines have been drawn up separately for the following areas, among others: IT and information security, finance operations, environmental issues, malpractice, security and insurance.
Stockmann's business is exposed to various risks that may have an adverse effect on the company's operations. The divisions' management committees are responsible for making financial and strategic plans in their own units; analysing business risks and evaluating actions is a part of strategy planning. Business risks are also analysed outside the strategic process, especially in connection with significant projects and investments, and are reported to the Board of Directors as needed.
The Group has a risk management steering group, whose task it is to support business operations in recognising and managing such risks that may endanger or prevent Stockmann from achieving its strategic goals. The steering group, which comprises the company's Head of Internal Audit, Director of Legal Affairs and Group Consolidation Manager, reports its ﬁndings and recommendations to the Group's Management Team.
Main features of the internal control and risk management systems pertaining to the ﬁnancial reporting process
The company's Board of Directors and its Audit Committee are responsible for the implementation of internal control in regard to ﬁnancial reporting. The Group's Chief Financial Officer and the Finance and Control Department are responsible for the Group's financial reporting. Group-level directions are complied with in Stockmann's ﬁnancial reporting. The reporting is based on information from commercial and administrative processes and data produced by the ﬁnancial management systems. The Group's Finance and Control Department determines the control measures applied to the ﬁnancial reporting process. These control measures include various guidelines, process descriptions, reconciliations, and analyses used for ensuring the validity of the information used in the reporting and the validity of the reporting itself.
The ﬁnancial reporting results are monitored and any anomalies in relation to forecasts or in comparison with the previous year's ﬁgures are analysed on a regular basis. Such analyses are used to detect any reporting errors and to produce materially accurate information on the company's ﬁnances.
The divisions and the Group's Finance and Control Department are responsible for the effectiveness of internal control within their own sphere of responsibility. The Group's Finance and Control Department is responsible for assessments of the reporting processes. The risk management process includes assessment of the risks pertaining to financial reporting and the related management measures are determined as a part of the risk management process.