Internal control

Internal control over financial reporting

Introduction
The Board’s responsibility for internal control is regulated by the Swedish Companies Act and the Swedish Corporate Governance Code. Capio’s internal control structure is inspired by the COSO framework. The purpose of this report is to provide shareholders and other interested parties with a description of how internal control is organized at Capio with regard to financial reporting.

Control environment 
A fundamental part of Capio’s framework for internal control over financial reporting is the overall control environment. The basis for Capio’s control environment is the company culture, which is reflected in everything we do. The company culture is based on the Capio model, our way of working in order to create value for the benefit of patients and society, and the ethics and values stated in Capio’s Code of Conduct. Extensive management programs on this theme are conducted within the Group. 

An important part of Capio’s control environment is the Group policies and guidelines. The Board of Directors has delegated the ongoing work regarding the internal control over financial reporting within the Group to the CEO and the CFO. The CEO and the CFO have determined detailed policies and guidelines regarding how the financial reporting within the Group should be organized and controlled. 

Important Group policies that apply to internal control over financial reporting, including authorization rules, are the Capio Financial Policies and Guidelines (FPG) and Capio Accounting and Reporting Manual (CARMA).

Risk assessment 
Risks relating to the financial reporting are evaluated and monitored by the Board through the Finance and Audit Committee. The Group performs regular risk assessments to identify key risks. Identified risk areas are summarized in Capio’s Financial Policies and Guidelines together with relevant routines for how the risk is to be controlled. Risks are managed and followed up in line with the control environment that the Group has established. Local risks related to the financial reporting are identified in the course of the normal business and in connection with the external audit.

In order to identify risks in a broader sense, Capio has a routine whereby annual risk assessment meetings are held with each business area. The risk assessments are based on the Capio model. Each business area is responsible for conducting risk assessment meetings with their respective main units in order to verify identified risks. The results of the risk assessments are used as input when designing and performing the yearly self-assessment process.

Control activities 
Control activities performed at Capio include decision and authorization rules, an appropriate assignment of responsibilities, manual and automated controls, and verifications and reconciliations. In addition to process level controls, a number of Group-wide control activities are performed. The monthly financial and operational reporting, including follow-up of the Group, represents an important point of control, which also aims to ensure that the financial reporting gives a true and fair view of the Group’s financial position and development. The structured budget and forecasting processes are also examples of Group-wide control activities. Furthermore, the monthly reporting process with analysis and comparison to budget is an integrated part of the Capio model, including QPIs, KPIs and financial results.

Information and communication
Group policies and guidelines related to the financial reporting are updated regularly, and communicated to relevant employees via appropriate channels within the Group. Furthermore, financial managers and controllers for each business area have regular meetings with relevant positions within the Group functions. In connection with these meetings, the fundamental control environment is reviewed and discussed, as well as any other issues related to internal control.

Furthermore, Capio has a communication policy governing both internal and external communication.

Monitoring
Monitoring of internal control over financial reporting is carried out at different levels of the organization. Key functions include the Board of Directors, the Finance and Audit Committee, Group Management, Group finance functions as well as business area and local management together with local finance functions. The Board of Directors, through the Finance and Audit Committee, is involved in the planning of Group-wide monitoring activities on a yearly basis as part of the internal control plan of the year. Process level controls consist of both formal and informal routines and monitoring is performed locally by managers and process owners.

The overall control environment and implemented control activities for financial reporting are evaluated on a yearly basis in terms of a self-assessment process. The self-assessment process is coordinated by the Group support functions Group Reporting and Control and Compliance and is carried out by management and finance teams at business area and main unit level. Areas evaluated are compliance with Group policies and guidelines, with special emphasis on the Financial Policies and Guidelines and are selected in cooperation with the Finance and Audit Committee based on the risk assessment. The results of the self-assessment are compiled and presented to the Board of Directors, the Finance and Audit Committee as well as the Group Management. Reported results are verified by the Group’s external auditor through interviews and sample testing on a selected number of entities. Group Reporting and Control and Compliance also verify reported results as an important part of the self-assessment process.

Other Group-wide monitoring activities include a thorough review and follow-up of the monthly financial and operational reporting. Reviews are performed at different levels of the organization, from main unit level to Group level. The Board of Directors receive monthly financial reports from the CFO and the CEO regarding the Group’s earnings and financial position and are involved in the review of all quarterly financial statements, quarterly reports and the Group’s Annual Report before publication. 

The Board’s involvement in the planning of the Group-wide monitoring activities and the established reporting procedures mentioned above enable the Board of Directors to verify that Capio has formalized routines to ensure that approved principles for financial reporting and internal control are applied, and that Capio’s financial reports are produced in accordance with legislation, applicable accounting standards and other requirements for listed companies.

Internal audit
The Board of Directors of Capio has decided not to establish a separate internal audit function. Capio is a decentralized organization where internal control activities are performed locally. Annually every main unit participates in a self-assessment review where compliance with Group policies is evaluated. The results of the self-assessment reviews are verified by the Group’s external auditor as part of their internal control audit. The Board of Directors considers that it is most efficient that the Group-wide internal control reviews are coordinated by the CFO and relevant Group support functions in close collaboration with the Finance and Audit Committee and considers that this structure fulfills the required control and follow-up. The need for an internal audit function is regularly assessed by the Finance and Audit Committee.