Framwork for internal control
The guidelines issued by FAR SRS (the Institute for the Accountancy Profession in Sweden) and Svenskt Näringsliv (the Confederation of Swedish Enterprise) regarding the Board’s report on internal control over financial reporting identify COSO (Committee of Sponsoring Organizations of the Treadway Commission) as the most widely used and internationally accepted framework, and as having a special status in defining good internal control. In 2005 the company therefore made a decision to implement the COSO framework for internal control over financial reporting, after which the framework has been adapted to the company’s operations and conditions.
Ongoing activities and planned initiatives
In the autumn of 2005 the company analysed the conditions for practical implementation of the COSO framework in the company. A standard for how internal control is to be structured, documented and evaluated in a uniform manner has been define in the Group.
The company applies a risk-based approach based on the annual report’s consolidated profit and loss accounts, balance sheets and related notes. In 2006 the company performed a detailed risk analysis at the Group level of the risk for significant deficiencies in the consolidated profit and loss accounts, balance sheets and related notes, with respect to both quantitative and qualitative risk parameters.
On the basis of the initial risk analysis, a number of significant accounts were identified where analysis, documentation and evaluation of the company’s controls to minimise the risk of significant deficiencies commenced in 2006. At this time, the focus of these activities has been on documentation and analysis of company-wide controls in the Group as defined in the COSO framework, with a special emphasis on the Control Environment. In addition, documentation and analysis of controls at the process level and of general IT controls for the systems that support the significant processes for preparation of financial information and financial reporting have been started for the Group’s Swedish and Finnish operations.
In 2007, efforts to document, analyse and evaluate the internal control system will continue and include both the Swedish and Finnish operations.
After mapping out internal controls at the Group-wide level, the process level and relevant general IT controls, an analysis and evaluation of internal control systems will be carried out. The company also intends to assure that the existing internal controls and those that may be implemented as a result of the ongoing activities function as intended. This monitoring is planned to be carried out at the end of 2007 through a combination of self-assessments and independent testing and verification.
These self-assessments will provide a basis for the Board’s assessment of the effectiveness of internal control over financial reporting.
The Board of Directors has defined guidelines for the above work which include roles, responsibilities and processes that are vital in maintaining good internal control. The following description of how internal control over financial reporting is currently organised complies with the structure prescribed in the Svenskt Näringsliv/FAR SRS guidelines:
DESCRIPTION
Control environment
Effective oversight by the Board of Directors is the basis for good internal control. The company’s Board of Directors has established well defined processes and procedures for its work. One key task of the Board is to decide on the internal control framework to be applied in the Group and to formulate and approve a number of fundamental policies, guidelines and structures related to financial reporting. These include an accounting manual with instructions for financial accounting and reporting, a finance policy, instructions on decision-making powers and authorisation of business transactions and an ethical policy.
In addition, the Board has ensured that the organisational structure is logical and transparent with clearly defined roles, responsibilities and processes that promote effective management of operating risks.
The audit committee assists the Board in continuous monitoring of internal control. The tasks of the audit committee include evaluation and discussion of significant accounting and reporting issues.
In 2006 the audit committee has received reports from the company’s management on the progress of the internal control project. The audit committee has examined and evaluated the routines for financial accounting and reporting and has monitored and evaluated the external auditors’ performance, qualifications and independence. During 2006 the audit committee held three reviews with, and received reports from, the company’s independent auditors.
The company’s management has operating responsibility for internal control. The Group CFO has overall operating responsibility for internal control over the Group’s financial reporting, and reports to the management and the Board. The financial directors of the subsidiaries will have overall responsibility for internal control over financial reporting in their own units, and will continuously report on the status of internal control to the Group CFO.
Risk assesment
As mention earlier, a risk analysis was performed in 2006 to assess the risk for irregularities in financial reporting.
The risk analysis identified a number of items in the profit and loss account and balance sheet associated with a heightened risk for significant deficiencies. In the company’s operations there risks are found mainly in revenue recognition, valuation of goodwill and other intangible assets, valuation of inventories and valuation of trade receivables, as well as accrued expenses, provisions and income taxes.
Furthermore, the company has established a number of risk management processes that have a considerable influence on the company’s ability to ensure complete and accurate financial reporting. These procedures cover the following main areas:
• Risk assessments in which one aim is to quickly identify events in the market or in operations with a potential effect on financial reporting
• Processes to identify changes in accounting rules and recommendations and to ensure that these changes are accurately reflected in the company’s financial reporting.
Control activities
Control structures are designed to manage the risks which the Board judges to be significant for internal control over financial reporting and which have been identified in the company’s risk analysis. These control structures consist partly of an organisation with clearly defined roles that facilitate an effective, and from an internal control standpoint, appropriate division of responsibilities, and partly of specific control activities aimed at detecting or preventing risks for significant deficiencies in financial reporting. As a result of the ongoing activities, critical control activities will be clearly documented and linked to the inherent risks they are intended to minimise for every significant account in the financial statements and related notes in the company’s annual report.
Examples of control activities include channels and procedures for significant decisions (such as investments, agreements, approval of accounting transactions, etc.), profit analyses and other analytical procedures, reconciliations, inventories and automatic controls in IT systems.
Information and communication
The company’s normative documents in the form of policies, guidelines, manuals, etc., with relevance for financial reporting are updated and communicated via appropriate channels, such as the intranet and external meetings.
Internal reporting on the effectiveness of internal control will be implemented throughout the Group and will be carried out continuously with starting in 2007. Verification that the controls are functioning as intended will be accomplished through self-assessments by the process owner in combination with objective testing, and will be reported within the organisation.
For communication with external parties, there is an explicit policy that contains guidelines for this communication. The purpose of the policy is to ensure that all information requirements are met in a complete and accurate manner.
Monitoring
The Board continuously monitors and evaluates the information provided by the executive management and audit committee. One area of particular importance for monitoring internal control is the work of the audit committee in evaluating the efficiency of the management’s activities in this area. This includes ensuring that action is taken with respect to the deficiencies and recommendations identified in in-ternal and external audits. Monitoring of internal control will include audits of compliance with certain policies and guidelines, and will evaluate the effectiveness of significant control activities linked to risks for significant deficiencies in financial reporting.
Furthermore, the Board of Directors and audit committee have a yearly process to ensure that appropriate measures are taken to address the shortcomings identified and measures recommended by the independent auditors.
EVALUATION OF THE NEED FOR A SEPARATE INTERNAL AUDIT FUNCTION
At present, the Group has no separate internal audit function.
In view of the initiated process for performance of self-assessments and objective testing by an independent party, the Board of Directors has concluded that there is currently no need for a separate internal audit function in order to perform effective monitoring of internal control.
The Board of Directors
This report has been prepared in accordance with the Swedish Code of Corporate Governance, sections 3.7.2 and 3.7.3, and is therefore limited to internal control over financial reporting.
In September 2006, the Swedish Corporate Governance Board issued supplementary instructions for application of the rule on reporting of internal control over financial reporting (instruction no. 1-2006 ). According to the Swedish Corporate Governance Board’s statement, the company reports on how the internal control is organised but the Board is not required to issue a statement on the effectiveness of internal control and the report need not be examined by the company’s auditors. In accordance with the statement of the Swedish Corporate Governance Board, a description of how the company’ s internal control is organised is provided on pages 99-101 without a statement from the Board on the effectiveness of internal control during the financial year. The report has not been audited by the company’s auditors.