Risk management and internal control processes at F-Secure seek to ensure that risks related to the business operations of F-Secure are properly identified, evaluated, monitored and reported in compliance with applicable legislation. F-Secure promotes continuous risk evaluation by its personnel. Relevant operational risks identified through the risk management process are regularly reviewed by F-Secure’s CEO and Leadership Team and F-Secure’s statutory auditor. Risk management is an integral part of F-Secure’s governance and management, and the risk management process is aligned with the ISO-31000 standard.
The purpose of Internal Control is to ensure that operations are effective and aligned with the strategy, and that financial reporting and management reporting is reliable and in compliance with applicable regulations and operating principles.
Internal control consists of all the guidelines, policies, processes, practices and relevant information about organizational structure that help ensure that the business conduct is in compliance with all applicable legislation and regulations. The purpose of internal control is also to ensure that accounting and financial information provides a true and accurate reflection of the operations and financial conditions of the company.
The company constantly monitors its key financial processes linked to sales, revenue, costs and profitability as well as incoming and outgoing payment transactions. If any inconsistencies appear, the issues are handled without delay. The Company’s finance department is responsible for the consistency and reliability of these internal control methods. The CFO and finance team work in close cooperation with F-Secure’s various businesses, providing relevant data for business planning purposes and sales estimates. The finance team regularly assesses and monitors the reliability of estimates and revenue recognition. Ethical business practices are also reflected in contracts, and F-Secure is in continuous dialogue with stakeholders on these issues.
The Audit Committee considers the need for and appropriateness of a separate Internal Audit function on a regular basis. To date, the Audit Committee has concluded that, due to the size, organizational structure and largely centrally controlled financial management of the company, a separate Internal Audit function is not necessary.
In the absence of an Internal Audit function, attention is paid to regular review of the written guidelines and policies concerning accounting, reporting, documentation, authorization, risk management, internal control and other relevant matters in all of F-Secure™’s departments. Related control systems are also tested from time to time. The guidelines and policies are coordinated by the company’s finance department with active involvement by the legal department.
The absence of a separate Internal Audit function is considered when defining the scope of the company’s external audit. Where necessary, the Internal Audit services will be purchased from an external service provider.
The company has taken into use a whistleblowing line for any employees to notify the Board and Leadership Team of any suspected infringements.