The purpose of internal control and risk management is to ensure that the company’s operations are effective, that financial and other information is reliable, and that the company complies with the relevant regulations and operating principles. The Board of Directors, assisted by the Audit Committee, is responsible for monitoring and assessing the effectiveness of the company’s internal control and risk management systems. Internal audit assists the Board of Directors with its monitoring responsibility by ensuring that the group’s control measures have been planned and set up effectively.
Internal control system
The company has developed and implemented a comprehensive internal control system that covers business and financial reporting processes. UPM’s internal control framework is based on the internal control framework issued by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). The framework was originally published in 1992 and it is internationally recognised guidance for designing, implementing and conducting internal control, and assessing its effectiveness. During 2014, UPM transitioned to the updated COSO 2013 framework.
The five components of UPM’s internal control system are:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
UPM’s system of internal control can be described with the lines of defense model, which is reflected in UPM’s risk management and control processes.