Risk Management, Internal Control and Internal Audit
The Board of Directors of Stonesoft Corporation has primary responsibility for accounting and monitoring of financial administration of the company. The Board of Directors is also ultimately responsible for risk management and internal control of Stonesoft Corporation, and the CEO is in charge of arranging the risk management and internal control in practice as well as of monitoring their functioning. Co-ordination of risk management and internal control is the responsibility of the Chief Financial Officer (CFO). The Executive Management of the Group supports the risk management processes by considering the risks and management thereof in its meetings.
Risk management and internal control aim at ensuring that (i) the operation of the company is effective and suited to its purpose, (ii) financial information is reliable and (iii) authority regulations and internal policies are complied with.
The CFO, as the co-ordinator of corporate risk management, creates corporate-level risk management principles, develops risk management tools and establishes global insurance policies. Business units must adhere to the corporate-level policies and proactively contribute to the development of corporate risk management. The risk management function concentrates on:
• (i) evaluation and management of operational risks
• (ii) management of financial risk and
• (iii) management and safeguard of critical business-related information and assets.
Operational risks
The company sets financial targets annually in connection with budgeting, and the realization of the targets is monitored on a monthly basis. The guidance and supervision of the business operations take place by means of a reporting and forecasting system covering the entire group, which the company strives to develop on a continuous basis. Product sales and related services sales are made mainly through global channel partners, using standardized Stonesoft agreements. The sales operations are supported by the company's internal legal unit, which seeks to reduce the risks related to the global business operations through continuous management and development of contracts. The company also uses insurance to cover the property, operational and liability risks.
Financial risks
Stonesoft does not provide financing, other than generally accepted terms of payment, to its customers. The company invoices mainly in Euros, the US dollar being the other invoicing currency. The company's costs occur mostly in Euros. Exchange rate fluctuations can affect the company's financial results. The company uses matching as a main tool for offsetting the exchange rate risks.
The task of Stonesoft's Corporate Treasury is to manage financial risks in accordance with the Treasury Policy approved by Stonesoft's Board of Directors. The main principles of the policy are:
• (i) to ensure the short-term liquidity of the company
• (ii) to guarantee efficient circulation and short-term investments of the operational cash flows and
• (iii) to follow a prudent and transparent investment policy for the cash reserves, aiming at guaranteeing a competitive return at a selected risk level. The company's reserves are all invested in interest-bearing, low-risk instruments.
The company's operations and related costs are continuously controlled.
Management and safeguard of critical business-related information and assets
Stonesoft manages and safeguards its critical business information through stringent internal policies and processes. The company constantly reviews and updates its network infrastructure and actively takes advantage of its own products in order to protect the network infrastructure of the company. The company has back-up systems to ensure business continuity during unexpected events.
Internal audit
Due to the small size of the company and the scope of the business operations, Stonesoft does not have a separate organization for the internal audit function or a separate internal audit committee. The regular audits conducted by the audit firm in relation to the interim reports also aim, for their part, at evaluating the efficiency of, and continuously developing, risk management, internal audit and administrative processes.
The structure of the group and the financial administration have been set up with the aim of preventing malpractice, among other things through clear internal guidelines and definition of authorizations. In addition, all sales are made in the name of the parent company, and local payment transactions of subsidiary companies and sales offices generally concern only local salaries and other minor costs.
