The board of directors of MedCap is responsible for the company’s internal corporate governance controls. Internal controls should ensure:
- Reliable financial reporting and information about the business.
- Compliance with applicable legislation, regulations, guidelines, etc.
- Effective and cost-efficient operations.
The company’s internal controls are designed to ensure that reporting is prepared in accordance with applicable laws and regulations and that it complies with the requirements placed on companies that are admitted to trading on a regulated market in Sweden. Internal controls comprise the following main components: control environment, risk assessment, control activities, information technology (IT), information and communication, and reporting.
Control environment
In order to create and maintain an effective control environment, the board has adopted a number of fundamental documents relevant to financial reporting, including in particular the board’s rules of procedure and instructions to the chief executive officer and the committees. It is primarily the day-to-day responsibility of the chief executive officer to maintain the control environment directed by the board. This officer reports regularly to the board according to established procedures. The chief executive officers and chief financial officers of subsidiaries are responsible for the design, implementation and proper application at local level. Reporting from the company’s auditors is additional to this.
The internal control environment also includes policy documents adopted to achieve an effective control environment, such as rules of procedure for the board and the audit committee of MedCap AB, instructions for MedCap AB’s remuneration committee, instructions for the chief executive officer of MedCap AB, including authorisation and delegation procedures, instructions for chief executive officers of group subsidiaries, including authorisation and delegation procedures, financial policy and information policy.
The above policy documents are reviewed annually and revised as necessary. In addition to these documents, the company applies its finance manual, which includes guidelines, policies, principles and procedures for accounting, reporting and control of the finance functions of MedCap and its subsidiaries.
Risk assessment
Risk identification and assessment should be carried out regularly. All units within the group are exposed to various external and internal risks that need to be assessed. A prerequisite for risk assessment is that there are clear objectives and that the risk assessment consists of identifying and analysing relevant risks in order to achieve those objectives. External strategic risks, financial risks and operational risks have been identified as risk areas. All MedCap subsidiaries and MedCap AB annually conduct a thorough risk assessment with continuous monitoring during the year. There are specially prepared documents used as the basis for the annual risk assessment.
Control activities
Control activities are the policies and procedures that help ensure that management directives are complied with and that necessary measures are taken to highlight risks that may prevent the company from achieving its objectives. Control activities are found at all levels of the organisation and in all functions. These include a diverse range of activities such as approvals, permits, verifications, reconciliations, reviews of operating results, securing assets, and allocation of responsibilities. The local management is responsible for ensuring that all control activities are implemented and maintained in their respective units. The group’s chief financial officer is responsible for ensuring that all control activities are implemented and maintained at central level. Most control activities are a natural part of the key processes of the group and its subsidiaries: order processing, invoicing, purchasing and inventory management. The control activities consist of a mix of preventive and detective controls, such as approval of competent people at different levels of the organisation through arm’s length principles, duality of payment authorisations, clear authorisation and decision-making procedures, clear decision-making policies, continuous sampling from business systems to identify significant deviations from the organisation’s targets or policies, monthly performance analysis, regular contact with the organisation’s staff outside the normal decision-making line, and the annual management audit by the company’s auditors.
Information technology (IT)
All IT systems include measures for internal control or support for the internal control framework. When choosing new IT systems, there is always an evaluation of whether there are sufficient functions to minimise the risk of fraud or other errors, and the potential to build in such functions is also evaluated when necessary. When the evaluation shows that there is insufficient functionality, manual procedures are created.
Financial reporting
As far as possible, management reporting is directly linked to financial reporting. MedCap has a pre-defined report package for the different levels of management, which includes financial reporting. The integrated report package is distributed monthly to the board and senior management. The main policy documents for financial reporting are regularly updated and communicated to relevant persons through regular meetings. The policy documents are stored in digital form and are readily available to authorised personnel.
Monitoring
Regular evaluation is carried out on an ongoing basis to assess whether the internal controls are still effective. The main monitoring control within MedCap is the continuous monitoring conducted by central and local management, which is included in all business transactions and processes. Local management is responsible for ensuring compliance with applicable laws and regulations in their respective areas of responsibility. Senior management assesses and assures the adequacy and effectiveness of MedCap’s internal controls and risk management. The audit committee and subsidiary boards perform monitoring as part of their regular supervision.
Reporting
Deficiencies identified in internal controls are reported upwards. Corrective measures are taken to ensure continuous improvement of internal controls. Each month, identified but uncorrected deficiencies in internal or external reporting are reported and discussed with the people concerned and with management.