Internal control

Introduction
The Board’s responsibility for internal control is regulated by the Swedish Companies Act and the Swedish Corporate Governance Code. Capio’s internal control structure is inspired by the COSO framework. The purpose of this report is to provide shareholders and other interested parties with a description of how internal control is organized at Capio with regard to financial reporting.

Control environment
A fundamental part of Capio’s framework for internal control over financial reporting is the overall control environment. The basis of Capio’s control environment is the company culture which is reflected in everything we do. The company culture is based on the Capio model, our way of working in order to create value for the benefit of patients and society, and the ethics and values stated in Capio’s Code of Conduct. Extensive management programs on this theme are conducted within the Group.

An important part of Capio’s control environment is the Group policies and guidelines. The Board of Directors has delegated the ongoing work regarding the internal control over financial reporting within the Group to the CEO and the CFO. The CEO and the CFO have determined detailed policies and guidelines regarding how the financial reporting within the Group should be organized and controlled.

Important Group policies that apply to internal control over financial reporting, including authorization rules is Capio Financial Policies and Guidelines (FPG) and Capio Accounting and Reporting Manual (CARMA).

Risk assessment
Risks relating to the financial reporting are evaluated and monitored by the Board through the Finance and Audit Committee. The Group performs regular risk assessments to identify key risks. Identified risk areas are summarized in Capio’s Financial Policies and Guidelines together with relevant routines on how the risk is to be controlled. Risks are managed and followed-up in line with the control environment that the Group has established. Local risks related to the financial reporting are identified in the course of the normal business and in connection with the external audit.

During 2016 the Group finalized and implemented a routine whereby formal risk assessment meetings were held with the business areas. The result of the risk assessments were used as input when designing and performing the yearly self-assessment process for 2016.

Control activities
Control activities performed at Capio include decision and authorization rules, an appropriate assignment of responsibilities, manual and automated controls and verifications and reconciliations. In addition to process level controls, a number of Group-wide control activities are performed. The monthly financial and operational reporting, including follow-up of the Group, represents an important point of control, which also aims at securing that the financial reporting gives a true and fair view of the Group’s financial position and development. The structured budget and forecasting processes are also examples of Group-wide control activities. Furthermore, the monthly reporting process with analysis and comparison to budget is an integrated part of the Capio model including QPIs, KPIs and financial results.

Information and communication
Group policies and guidelines related to the financial reporting are updated regularly, and communicated to relevant employees via appropriate channels within the Group. Furthermore, financial managers and controllers for each business area have regular meetings with relevant positions within the Group functions. In connection to these meetings, the fundamental control environment is reviewed and discussed as well as any other issues related to the internal control. Furthermore, Capio has a communication policy governing both internal and external communication.

Monitoring
Monitoring of internal control over financial reporting is carried out at different levels of the organization. Key functions include the Board of Directors, the Finance and Audit Committee, Group Management, Group finance functions as well as business area and local management together with local finance functions. The Board of Directors, through the Finance and Audit Committee, is involved in the planning of Group-wide monitoring activities on a yearly basis as part of the internal control plan of the year. Process level controls consist of both formal and informal routines and monitoring is performed locally by managers and process owners.

The overall control environment and implemented control activities for financial reporting are evaluated on a regular basis in terms of a self-assessment process. The self-assessment process is coordinated by the Group support function Group Reporting and Control and carried out by management and finance teams at business area and main unit level. Areas evaluated are compliance with Group policies and guidelines with special emphasis on the Financial Policies and Guidelines and are selected in cooperation with the Finance and Audit Committee based on the risk assessment. The results of the self-assessment are compiled and presented to the Board of Directors, the Finance and Audit Committee as well as the Group Management. Reported results are verified by the Group’s external auditor through interviews and
sample testing on a selected number of entities. Group Reporting and Control also verify reported results as an important part of the self-assessment process.

Other Group-wide monitoring activities include a thorough review and follow-up of the monthly financial and operational reporting. Reviews are performed at different levels of the organization, from main unit level to Group level. The Board of Directors receive monthly financial reports from the CFO and the CEO regarding the Group’s earnings and financial position and are involved in the review of all quarterly financial statements, quarterly reports and the Group’s annual report before publication.

The Board involvement in the planning of the Group-wide monitoring activities and the established reporting procedures mentioned above, enables for the Board of Directors to verify that Capio has formalized routines to ensure that approved principles for financial reporting and internal control are applied, and that Capio’s financial reports are produced in accordance with legislation, applicable accounting standards and other requirements for listed companies.
The Board of Directors of Capio has chosen not to establish a separate internal audit function. Based on Capio’s current structure and decentralized organization, it is deemed most efficient that Group level internal control activities are coordinated by CFO and Group Reporting and Control in close collaboration with the Finance and Audit Committee. The need for an internal audit function is regularly assessed by the Finance and Audit Committee.