The Company's internal controls are designed to ensure that its reporting is prepared in accordance with applicable laws and regulations and complies with the requirements applicable to companies whose shares are admitted for trading on a regulated market in Sweden. The internal controls consist primarily of the following elements: control environment, risk assessment, control activities, information and communication, and follow-up.
MedCap’s Board of Directors is responsible for the Company’s internal controls. The purpose of the internal controls is to ensure:
- Reliable financial reporting and information about the business.
- Compliance with applicable laws, regulations, guidelines etc.
- Fit-for-purpose and cost-effective operations.
In order to create and maintain an effective control environment, the Board of Directors has adopted a number of fundamental documents of importance in terms of financial reporting, including in particular the Rules of Procedure for the Board of Directors and the Instructions to the CEO and the Committees. The CEO has overall responsibility in his day-to-day work for maintaining the control environment adopted by the Board of Directors. The CEO regularly reports to the Board of Directors in accordance with established procedures.
The CEOs and the Financial Officers of the subsidiaries are responsible for structuring, implementation and correct application at local level. In addition, reports are presented by the Company's auditors. The internal control environment also includes governing documents established to bring about an effective control environment, including the rules of procedure for the Board of Directors and the Audit Committee of MedCap AB, instructions to the Remuneration Committee of MedCap AB, instructions to the CEO of MedCap AB, including rules of attestation and delegation, instructions to the CEOs of the Group's subsidiaries, including rules of attestation and delegation, financial policy and information policy.
The above-mentioned governing documents are reviewed annually and revised as necessary. In addition to the above documents, the Company's Finance Manual is applied, comprising accounting guidelines, policies, principles and procedures for the finance functions of MedCap and its subsidiaries.
Risks are to be identified and assessed on an ongoing basis. All entities in the Group are exposed to various external and internal risks, which need to be assessed. A requirement for assessment of risks is that clear objectives are set, and the risk assessment will consist of identifying and analysing relevant risks in order to achieve these objectives.
The risk assessment also includes identifying and evaluating operational risks. All MedCap subsidiaries and MedCap AB perform an annual risk assessment. Specially prepared documents are used as a basis for the annual risk assessment. Risks identified are counteracted, for example, by a clear division of responsibilities and tasks, as well as by internal guidelines for accounting and reporting.
To ensure that the objectives of financial reporting are met, control requirements are built into the Company's processes and procedures. These are intended to ensure that management directives are observed and that the necessary measures are taken to highlight the risks that could prevent the Company from achieving its objectives.
Control activities are in place at all levels of the organisation and in all functions. They cover a wide range of activities such as approvals, authorisations, controls, reconciliations, reviews of the performance of the business, safeguarding of assets and delegation of responsibilities. Local management is responsible for ensuring that all control activities are in place and maintained within the units concerned.
The Group's Chief Financial Officer (CFO) is responsible for ensuring that all control activities are implemented and maintained at central level. Most control activities form a natural part of the key processes of the Group and its subsidiaries: order processing, invoicing, purchasing and inventory management.
Control activities consist of a mix of preventive and detective controls, such as approval of authorised persons at different levels of the organisation through dual approval of payments, clear attestation and decision-making procedures, clear decision-making processes, continuous random sampling from ERP systems to identify material deviations from the organisation's objectives or policies, monthly performance analysis and regular contacts with the organisation's staff outside the regular decision-making line.
Information and communication
Information, both external and internal, is governed by the Group's Communication and IR Policy. A specific section deals with responsibilities, procedures and rules. The policy is continuously evaluated to ensure that the information provided to the stock market is of high quality and in compliance with stock exchange rules. Financial information, such as quarterly reports, annual reports and reports of significant events, is published through press releases and the MedCap website. Meetings with financial analysts are organised on a regular basis in connection with the publication of quarterly reports.
Policies and regulations are communicated to and fed back from the subsidiaries through the boards of directors of the subsidiaries concerned. As far as possible, management reporting is directly linked to financial reporting. MedCap has a predefined reporting package, which also includes financial reporting, for each of the different management levels. The package is distributed monthly to the Board of Directors and Executive Management. The main financial reporting policy documents are regularly updated and communicated to the relevant persons via regular meetings.
The internal controls are evaluated on an ongoing basis to determine whether they remain effective or not. Within MedCap, the most important monitoring control consists of the continuous reviews that are performed by central and local management and that are part of all business transactions and processes. Local management is responsible for ensuring compliance with applicable laws and regulations within their respective areas of responsibility. Senior management assesses and ensures the fitness-for-purpose and effectiveness of MedCap's internal controls and risk management. The Boards of the subsidiaries perform monitoring as part of their regular supervisory activities.
Deficiencies in internal control that are detected are escalated. Corrective measures are taken to ensure continuous improvement of internal controls. Serious deficiencies regarding Group companies are reported to the MedCap Board and are monitored until the risk is dealt with in a satisfactory manner. A whistle-blower function is in place so that employees and other stakeholders can highlight any deficiencies in MedCap’s financial reporting, or other areas of concern at the company.