The company’s values and UPM Code of Conduct as well as the group policies and guidelines form the basis and set the tone for internal control at UPM. Internal control is part of the corporate culture, covering all levels and processes of the group. The company’s management system enables effective monitoring in different parts of the group. Internal control in its primary and most extensive form takes place at the operational level, where internal control is continuous and part of daily routines.
An essential part of the internal control environment is the control over UPM’s IT applications and IT infrastructure. A special set of internal controls aims to ensure the reliability of UPM’s IT systems and the segregation of duties in the IT environment.
Internal control activities pertaining to financial reporting process are led centrally by the Finance and Control Function with an annual schedule and defined roles and responsibilities in the control process. The head of each unit or function organises the internal control of his or her unit or organisation. The Finance and Control Function is responsible for monitoring business, function and unit level control processes. The aim of establishing control measures and setting up uniform testing and monitoring processes is to ensure that potential errors or deviations are prevented or detected and corrected accordingly.
Effectiveness of internal control is ensured also in the context of using outsourced service providers. The maturity level of internal controls at UPM is assessed every other year and the results of the assessment are reported to the Audit Committee.
A more comprehensive description of internal control pertaining to financial reporting is included in the Corporate Governance Statements.