Internal control

Internal control is embedded in UPM's management system and it supports systematic execution of the group strategy. Internal control is aimed at ensuring that the company’s operations are efficient and reliable, and in compliance with statutory requirements, and that the company's financial reporting is accurate and reliable, and reflects operational results. The Board of Directors is responsible for ensuring that the company has defined the operating principles of internal control and for monitoring and assessing the effectiveness of such control. The Audit Committee assists the Board in monitoring internal control systems’ effectiveness.


The company’s values and UPM Code of Conduct as well as the group policies and guidelines form the basis and set the tone for internal control at UPM. Internal control is part of the corporate culture, covering all levels and processes of the group. The company’s management system enables effective monitoring in different parts of the group. Internal control in its primary and most extensive form takes place at the operational level, where internal control is continuous and part of daily routines.

An essential part of the internal control environment is the control over UPM’s IT applications and IT infrastructure. A special set of internal controls aims to ensure the reliability of UPM’s IT systems and the segregation of duties in the IT environment.

Main features of UPM’s internal control system


​Internal control pertaining to financial reporting

Internal control activities pertaining to financial reporting process are led centrally by the Finance and Control Function with an annual schedule and defined roles and responsibilities in the control process. The head of each unit or function organises the internal control of his or her unit or organisation. The Finance and Control Function is responsible for monitoring business, function and unit level control processes. The aim of establishing control measures and setting up uniform testing and monitoring processes is to ensure that potential errors or deviations are prevented or detected and corrected accordingly.

Effectiveness of internal control is ensured also in the context of using outsourced service providers. The maturity level of internal controls at UPM is assessed every other year and the results of the assessment are reported to the Audit Committee.

A more comprehensive description of internal control pertaining to financial reporting is included in the Corporate Governance Statements.