The Board’s description of internal audit
In accordance with the Swedish Companies Act and the Swedish Code of Corporate Governance, the Board is responsible for the Company’s internal audit. The description does not constitute part of the formal Annual Report documents. In the description, the Board does not issue any statement on the effectiveness of the internal audit. The company’s auditor has reviewed the description.
Nolato’s internal audit in relation to financial reporting includes five main activities: creating a control environment, risk assessment, control activities, information and communication, and monitoring.
Control environment
Effective Board work forms the foundation for good internal auditing. The Board has established clear processes and rules of procedure for its work. One key element of the Board’s work is deciding on and approving a number of fundamental policies, guidelines and frameworks for financial reporting. These include the Group’s Code of Conduct, the information policy and the financial policy.The Board evaluates operational performance and results on an ongoing basis, via a reporting package which includes operating income, rolling forecasts, the analysis of key figures and other significant operating and financial information.
Nolato has a simple legal and operational structure, with established management and internal audit systems. This enables the business to react swiftly in the event of changed conditions in the Group’s market or in other areas. Operational decisions are taken at company or business area level, while decisions on overall strategy, focus, acquisitions, major investments and overall financial issues are taken by Nolato’s Board and Group management.
Internal auditing in relation to Nolato’s financial reporting is tailored to work within this organisation. Within the Group, there is a clear regulatory framework for delegating responsibility and authorisation, and this follows the Group structure. The basis for internal auditing in relation to financial reporting is a control environment consisting of the organisation, decision-making paths, authorisation and responsibilities communicated, as well as the culture which the Board and the Company management communicates and works within. This culture is formulated in the documents Nolato’s Basic Principles, Nolato’s Code of Conduct, Nolato’s Environmental Policy, Nolato’s Quality Policy and Nolato’s Information Policy, and is described on pages 24–29 of this Annual Report. These cultural declarations are an important element when it comes to creating an effective control environment within Nolato. They are communicated to all employees, including in the form of a publication entitled “The Nolato Spirit”, and are based on a set of values which Nolato has upheld for many years.
In addition to this, rules of procedure for the Board and President and CEO instructions have also been drawn up. These describe matters such as the distribution of work within the Board and the duties of the Chairman of the Board and the President and CEO. Rules of procedure have also been drawn up for the managing director of each subsidiary. Managers at various levels within the Company are responsible for dealing with internal auditing on an ongoing basis within their own particular areas of responsibility.
Risk assessment
The Company carries out an annual process, involving a risk analysis of its financial reporting, which will be evaluated and ratified by the board. In connection with this risk analysis, income statement and balance sheet items are identified where there is a heightened inherent risk of serious errors.Within the company’s operations, these risks are mainly present in fixed assets, financial instruments, inventories, customer receivables, accrued expenses, taxes and revenue recognition.
These risk assessments are based on effects on financial reporting, the outcome of the income statement, business processes, external factors and the risk of fraud.
Control activities
Those risks which have been identified in relation to financial reporting are dealt with via the Company’s control activities, e.g. authentication checks for IT systems and authorisation controls.These operational-specific controls are supplemented by detailed financial analyses of earnings, followed-up with business plans and forecasts, which provide an overall assessment of the quality of the reporting.
Information and communication
The Company’s steering documents for financial reporting consist mainly of policies and guidelines, which are kept up-to-date and communicated via the relevant channels. Information is obtained from the subsidiaries through financial and operational reports to the boards of the subsidiaries, the business area management and the Group management.There is a clear information policy for communication with external parties, which provides guidelines for the forms which this communication should take. The aim of the policy is to ensure that all information obligations are complied with in a correct and complete manner.
Monitoring
The President and CEO is responsible for internal auditing being organised and monitored in accordance with the guidelines established by the Board. Financial control is carried out by the Group financial function. Financial reporting is analysed in detail each month.The Board has monitored the financial reporting at its meetings, and the Company’s auditors have reported back their observations to the Board and the Audit Committee. The Audit Committee has received reports from the auditor on an ongoing basis, and monitors measures taken to improve or amend controls. The Board has received financial reports on a monthly basis, and the Company’s financial situation has been addressed at each Board meeting. The Board and the Audit Committee have reviewed all interim reports and the Annual Report prior to publication.
