Internal control over financial reporting
This section has been prepared in accordance with the Code and the Annual Accounts Act, and describes the Company’s internal control and risk management in relation to financial reporting. The aim is to provide shareholders and other stakeholders with an understanding of how internal control over financial reporting is organised in the Company.
The Board of Directors is responsible for ensuring that ICA Gruppen has good internal control and routines which guarantee compliance with the adopted principles for financial reporting and internal control. The Board is also responsible for ensuring that financial reporting conforms to the Companies Act, applicable accounting standards and other requirements of listed companies.
ICA Gruppen has a separate Internal Control function which is to support and contribute to reliable internal control and effective processes for financial reporting, and is also to evaluate and contribute to compliance with internal policies and guidelines.
ICA Gruppen’s internal control work is based on the internal control principles produced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). These principles have five basic elements: 1. control environment, 2. risk assessment, 3. control activities, 4. information & communication, and 5. monitoring.
Taking into consideration the guidelines and policies established by the Board, the management and Internal Control have divided the responsibility for ensuring good control over financial reporting between themselves as follows:
Responsibility over internal control of financial reporting

| |Management (all levels)|Internal Control|
|---|---|---|
|Policies/processes|Establishes, communicates and implements policies and routines. Maintains up-to-date process descriptions. Defines, implements and maintains key controls for all processes.|Supports the implementation of processes for follow-up of compliance with policies and routines within financial reporting. Assists with updating process descriptions and defining key controls.|
|Identification of deficiencies|Identifies potential deficiencies in processes or compliance with policies.|Facilitates and challenges the identification of potential deficiencies in processes or compliance with policies within financial reporting. Surveys processes, helps to identify control deficiencies and opportunities to improve/streamline processes.|
|Analysis|Analyses the likelihood and potential impact of identified deficiencies.|Facilitates and challenges the analysis. Assists with expertise on how the identified deficiencies could impact the Company.|
|Assessment|Establishes and assesses the potential deficiencies to be addressed/remedied.|Facilitates and challenges the assessment. Determines whether identified deficiencies are to be followed up in the self-assessment process.|
|Management|Implements key controls to address potential deficiencies. Monitors control components in daily operations, including regular monitoring activities, analyses and follow-up.|Defines minimum requirements for internal control and key controls for centralised follow-up/monitoring. Initiates and/or supports process improvement activities/projects.|
|Reporting|Responsible for self-assessment of compliance with the key controls defined. Reports the self-assessment result to Internal Control. Establishes action plans for all reported deficiencies.|Assists with tools for monitoring internal control and compliance. Consolidates results of reported self-assessments and presents these to Executive Management based on the assessed impact of the deficiencies.|
|Monitoring|Responsible for implementation/follow-up of defined remedial measures and assessment of their effectiveness.|Responsible for follow-up of previously defined and reported action plans.|
1. Control environment
A good control environment forms the foundation of an effective internal control system within a company. It is built on an organisation with clear decision paths, where authority and responsibilities have been distributed based on guidelines and where there is a corporate culture with shared values. The control environment is also affected by the individual employee’s awareness of his or her role in the maintenance of good internal control.
The Board’s rules of procedure and the instructions for the CEO ensure a clear division of roles and responsibilities designed for effective control and management of operational risks. The Board has also adopted a number of basic guidelines and policies of significance for maintaining effective control, such as the delegation arrangements, Financial Policy, Guarantee Policy, Sustainability Policy and Communication Policy.
2. Risk assessment
The Audit Committee is responsible for ensuring that significant risks of error in financial reporting are identified and managed. Within ICA Gruppen there is continuous dialogue with each operating company to ensure good internal control and awareness of operational risks. Self-assessments and analysis of processes are used to identify deficiencies and potential sources of error in financial reporting, supported by Internal Control. In addition, all risks judged to have a potential negative impact on achievement of ICA Gruppen’s goals are analysed and managed within the framework of the Group’s Enterprise Risk Management (ERM) process. Significant risks are reported to the management at least twice a year and annually to the Board of Directors.
3. Control activities
The Board is of the opinion that there is good understanding among employees of the need for good control over financial reporting. ICA Gruppen’s internal control structure is based on regular reporting to the Board, established policies and guidelines. ICA Gruppen places particular emphasis on controls designed to prevent, identify and correct deficiencies in the income statement and balance sheet items that might be associated with increased risk.
The Company mainly uses three types of controls:
- Group-wide controls relating to the overall control environment. The control requirements concern Group policies and authorisation/access to business-critical systems and applications (delegation arrangements, certification instructions, etc.).
- Key controls are created for each operating company based on that company’s operations, organisation and risks. The key controls aim to check specific risks associated with an account, a transaction and/or a process.
- IT controls cover IT processes and applications that are critical from a financial or commercial perspective. The control requirements concern security, maintenance and development of applications and IT infrastructure.
Efficient and correct communication of information, both internally and externally, is important for ensuring complete and correct financial reporting at the right time. Policies, routines, handbooks and other documents of significance for financial reporting are updated and communicated to the employees involved on an ongoing basis. The Group’s Accounting function has direct operational responsibility for ongoing financial accounting and works to achieve consistent application of the Group’s guidelines, principles and instructions for financial reporting. Subsidiaries and operating units provide regular financial reports and reports on current operations to Executive Management, which in turn reports to the Board of Directors.
The Communication Policy and associated guidelines ensure that external communication is correct and meets the requirements made of companies listed on NASDAQ OMX Stockholm. Financial information is provided regularly through annual reports, interim reports, press releases and notices on the Company's website.
The Board continually assesses the information submitted by the Management Team and the Audit Committee. The Audit Committee’s work on monitoring the efficiency of internal control is of particular importance. This includes ensuring that action is taken to deal with any deficiencies and that proposed measures arising from internal and external audits are heeded. In addition, Executive Management, Internal Audit and Internal Control review and follow up as described above.