Internal control and risk management system


Sanoma’s internal control and risk management system consists of the following components, which are described in more detail below.

The Sanoma Code of Conduct forms the basis of all internal control procedures and activities.

Audit & Assurance

The Audit and Assurance function reports to Sanoma’s CFO and COO, and to the Audit Committee of the Board. It co-operates with the management of the Group and the SBUs as well as with the Group’s statutory auditors.

The scope of Audit and Assurance covers internal audits and risk assessments, as well as monitoring of internal control process work at all organisational levels and in all businesses. The Audit and Assurance function supports the development of the organisation and provides additional assurance using a risk-based approach.

The operations of the Audit and Assurance are steered by Sanoma’s Corporate Governance Framework and Group Policies on Internal Audit, Internal Control and Enterprise Risk Management.

Internal controls

Sanoma’s Internal Control Policy defines the internal control process applicable to all subsidiaries. The process includes internal control objective setting, control design and implementation, operating effectiveness testing, monitoring and continuous improvement and reporting.

The Company’s values and Code of Conduct lay the foundations and set the tone for the internal control framework. The Internal Controls framework has been defined by using a top-down and risk-based approach. Internal Controls consist of entity-level controls, process-level controls and ICT general controls.

Entity-level controls are applied on all levels of Sanoma (i.e. Group, SBU, business and entity-level) and can relate to more than one process. The existence and active implementation of codes of conduct and different Group policies and guidelines are examples of entity-level control activities.

Process-level control activities are designed to mitigate risks relating to certain key processes. Examples of such processes are sales, purchase-to-pay and payroll processes. Automated or manual reconciliations and approvals of transactions are typical process-level controls.

ICT general controls are embedded within ICT processes that provide a reliable operating environment and support the effective operation of application controls. Controls that prevent inappropriate and unauthorised use of the system and controls over the effectiveness of acquisition are examples of ICT general controls.

Control environment

Management of the Group and its businesses is based on a clear organisational structure, well-defined areas of authority and responsibility, common planning and reporting systems, and Group policies and guidelines.

The Board approves all Group-level policies such as Sanoma’s Corporate Governance Framework, Code of Conduct, Enterprise Risk Management Policy, Internal Control Policy and Treasury Policy. Sanoma’s strategy and business objectives as well as Sanoma’s Corporate Governance Framework set the foundation for the Internal Control processes.

The Audit Committee assists the Board in its responsibilities by dealing with matters related to financial reporting procedures, the Group’s risk management, the reliability and effectiveness of internal control systems and compliance with Sanoma’s Corporate Governance Framework, as well as matters related to statutory audit and internal audit work.

The Parent Company, Sanoma Corporation, is responsible for carrying out a publicly listed company’s statutory duties under, for example, the Finnish Securities Market Act, for managing communications with key stakeholders including investor relations, for centralised treasury activities, and for Group compliance with applicable laws and regulations. In addition, the Parent Company supports the President and CEO in driving the performance of the SBUs and in the management of the Group’s daily operations. The Parent Company drives cross-business and cross-border co-operation projects and improvement initiatives and provides support and guidance to the SBUs in areas such as finance and control, human resources, procurement, communications, legal affairs, taxation, M&A, treasury, ICT systems and real estate.

Sanoma’s SBUs operate within the approved scope of strategic goals and financial targets, Sanoma’s Corporate Governance Framework as well as within Group policies and guidelines. In addition, Sanoma’s shared values govern the daily operations of the personnel.

Risk management

The Audit and Assurance function coordinates the Group risk management process and produces periodical risk reports for the President and CEO and the Executive Management Team. Updated Group risk assessment results with related ongoing or planned mitigation actions are communicated to the Audit Committee and further to the Board twice a year.

The main objective of Sanoma’s Risk Management Policy is to identify and manage essential risks related to the execution of the Group’s strategy and operations. The Risk Management Policy defines Group-wide risk management principles, objectives and responsibilities within the Group.

The Board is responsible for setting and approving Sanoma’s Risk Management Policy and for overseeing the effectiveness of risk management.

The Audit Committee regularly reviews and monitors the implementation of the Risk Management Policy and risk management process.

The President and CEO is responsible for defining risk management strategies and procedures and setting risk management priorities.

Sanoma has a Group-wide process for assessment of significant risks. Risk assessment is closely linked to the Group’s strategy process and strategic objectives. A risk framework is used for identifying and assessing risks, as well as for defining risk management activities. Risks and their probability of occurrence are assessed in different stages of decision-making.

Managing business risks and opportunities is a core element of the daily operational responsibilities of Sanoma’s management. Risk-taking is an essential part of a competitive business. In executing the Group strategy, Sanoma and its SBUs are exposed to numerous risks and opportunities.

More information on risk management at Sanoma is available in the Financial Statements 2017 and on p. 4 in the Statement of Non-Financial Information for 2017.


Sanoma is committed to complying with international and local laws and ethical policies in accordance with the Sanoma Code of Conduct, approved in 2014 and updated in 2017. The Company has a Compliance function, which supports business operations and Group administration by developing practices for identifying and complying with applicable laws and regulations, as well as internal policies and guidelines. The key tasks of Sanoma’s Compliance function are to minimise the risk of infringement of applicable regulatory requirements in all operations, to maintain Sanoma’s compliance programme and to ensure the continuous development of an ethical business culture.

Each Group function in the Parent Company prepares policies for Board approval and standards to be approved by the President and CEO regarding its area of responsibility. Group policies and standards are available on the Sanoma intranet. In addition, SBUs and Business Units may have their own supplementary instructions. These instructions are available on the unit’s intranet.

Breaches of the Code of Conduct or related policies or laws may be reported through internal channels or through an externally hosted confidential hotline, which may be used anonymously. Sanoma does not tolerate retaliation against any employee who makes a report in good faith.

Claims against Sanoma are monitored by Group Legal Affairs through a process covering all material claims, irrespective of whether they have been brought by a governmental body, partner, contractual counterparty, personnel or any other party.

Monitoring of financial reporting process

The Group Finance and Control function is a part of the Parent Company and prepares control point guidelines for transactions and periodic controls for the SBUs. The guidelines are approved by the President and CEO. Periodic controls are linked to monthly and annual reporting processes and include reconciliations and analyses to ensure the accuracy of financial reporting. These control activities seek to ensure that potential deviations and errors are prevented, discovered and corrected both at the Parent Company and the SBU level. Internal control systems cover the whole financial reporting process.

The Group’s financial performance is monitored on a monthly basis using a Group-wide financial planning and reporting system, which includes actual income statements, balance sheets, cash flow statements and key performance indicators, as well as estimates for the current financial year.

Furthermore, business reviews between Group and SBU management are held at least quarterly. In addition to the SBUs’ financial performance, issues including changes in the operating environment, future expectations, structure and status of business development are also discussed. The business reviews also have a role in the process of ensuring the functioning of the continuous risk assessment and internal control systems.