- that the company has an appropriate and efficient organisation for its business operations
- that the company produces reliable financial statements
- that the company complies with applicable laws and regulations
The company applies the established COSO (Internal Control – Integrated Framework) framework in its work.
Control environment
Fabege has a geographically well contained organisation and homogenous operational activities but its legal structure is complex. The business is capital-intensive and is characterised by large monetary flows, including rental income, expenses for project activities, acquisitions/sales of properties and financial expenses.
Overall responsibility for ensuring good internal control and efficient risk management rests with the Board of Directors. To be able to perform its work in an appropriate and efficient manner, the Board has adopted a set of rules of procedure. The Board’s rules of procedure are aimed at ensuring a clear division of responsibility between the Board of Directors (and its committees) and the Chief Executive Officer (and his management team) with a view to achieving efficient risk management in the company’s operations and in financial reporting. The rules of procedure are updated annually.
In 2011, the Board performed its annual review and adopted rules of procedure for the Board, rules of procedure for the Audit Committee and the company’s Code of Conduct. The management team is responsible for designing and documenting and for maintaining and testing the systems/processes and internal controls that are required to manage significant risks in the accounts and the company’s day-to-day activities. Operational responsibility for internal control rests with the company’s management and with those individuals who by virtue of their roles in the company are in charge of each defined critical process, function or area.
The company’s financial reporting is governed by a set of policies and guidelines. The company has defined policies for matters such as funding, environmental issues, equal opportunities and disclosure, accounting policies and instructions for the closing of the accounts and authorisation of payments. In 2010, Fabege implemented a comprehensive evaluation and update of its policies, which are subsequently regularly reviewed and updated. All policies were discussed and decided on by Group management. Information concerning resolved policies was also disseminated throughout the organisation. In addition, more detailed guidelines and instructions are reviewed and updated regularly. In early 2011, Fabege joined the UN Global Compact and thus pledged to comply with the ten principles in the areas of human rights, labour rights, the environment and anticorruption. As part of its work on the UN Global Compact, the company established an ethics council and adopted a new Code of Conduct.
The first status report will be submitted in March 2012 and comprises part of the company’s Annual Report. During the year, work on reporting according to GRI was also initiated.
Risk assessment
Risks and critical processes, functions and areas are defined on the basis of the control environment, significant results and balance sheet items as well as significant business processes. The following processes, functions and areas have been defined as critical for Fabege:
- Acquisitions and sales
- New lettings and renegotiations
- Projects
- Closing of the accounts and reporting
- Funding
- Valuation of properties
- Rent payments
- Purchasing
- Tax
Fabege conducts annual reviews and evaluations of risk areas for the purpose of identifying and managing risks in consultation the Board and the Audit Committee for review by the auditors.
Control activities
Critical processes, functions and areas are described and documented in respect of division of responsibility, risks and controls. The necessary instructions, procedures and manuals are produced, updated and communicated to the relevant staff to ensure that they have up-to-date knowledge and adequate tools.
The measures are aimed at integrating risk management in the company’s day-to-day procedures. Compliance with policies, guidelines and instructions is monitored on an ongoing basis. Employees are given frequent training to ensure that they have required expertise. In 2011, all of the company’s critical processes were subject to an internal review. In addition to the external audit performed in 2011, the company also performed an internal assessment of compliance and controls in critical processes.
A central controller function supports work on the follow up the operating units – Property Management and Projects. The control department is in charge of operational reporting. The operating units, Property Management and Projects, have a separate controller function which supplements the central controller function at Group level. Operational reports are prepared monthly and quarterly based on a standardised reporting package and submitted for comments/approval to executives with operational responsibility.
Reviews and updates with executives with operational responsibility are made throughout the year. Performance is assessed against budgets and forecasts, which are updated twice a year. Since 2009, the company has been producing rolling 12-month forecasts.
A central function prepares consolidated financial statements and other financial reports in close collaboration with the controller function/operating units and the finance function. Th is work includes integrated control activities in the form of reconciliation with standalone systems/specifications of outcomes for income and expense items and balance sheet items.
Information and communication
Management is responsible for informing the staff concerned about their responsibility to maintain good internal control. The company Intranet and briefing sessions are used to ensure that employees are kept up-to-date on the company’s governing policies and guidelines.
Responsibility for external information rests with the Communications department. The company’s Investor Relations activities are based on principles for regular and accurate information in accordance with Nasdaq OMX Stockholm’s Rule Book for Issuers. The aim is to improve knowledge of and build confidence in the company among investors, analysts and other stakeholders. In 2011, the effort to improve information and access to information on the external website continued. The communications department was strengthened by the recruitment of an additional employee with the aim of further improving and clarifying the dissemination of information to the market.
Follow-up
The internal control system also needs to change over time. Th e aim is to ensure that this is monitored and addressed on an ongoing basis through management activities at various levels of the company, both through monitoring of the individuals responsible for each defined critical process, function and area and through ongoing evaluations of the internal control system.
In addition to financial reporting to the Board, more detailed reports are prepared, at more frequent intervals, in support of the company’s internal governance and control activities. Monthly reports are presented and discussed at meetings of Group management.
The company’s management reports regularly to the Board based on the adopted instructions for financial reporting, which are designed to ensure that the information provided is relevant, adequate, up-to-date and appropriate. The Audit Committee also reports to the Board. It acts as the extended arm of the Board in monitoring the formulation and reliability of financial reports. In addition to examining the content of and methods used in preparing financial reports, the Audit Committee has studied the way in which the more detailed and frequent internal reporting is used in evaluating and managing different areas of activity, which provides an indication of the quality of the control environment.
The Committee also performs regular reviews and evaluations of internal controls in respect of critical processes and regularly studies the results of the external auditors’ examinations of the company’s accounts and internal controls. The auditors examine the company’s financial reporting in respect of the full year financial statements and review all quarterly interim reports.
The Board regularly evaluates the information submitted by management and the Audit Committee. Of particular significance, when required, is the Audit Committee’s task of monitoring management’s work on developing the internal controls and of ensuring that measures are taken to address any problems and proposals that have been identified in the course of examinations by the Board, Audit Committee or auditors.
The Board of Directors has informed itself through its members and through the Audit Committee on risk areas, risk management, financial reporting and internal control and has discussed risks for errors in financial reporting with the external auditors.
In the course of its work on examining and evaluating internal control in respect of critical processes in 2011, the Audit Committee found no reason to alert the Board’s to any significant issues in respect of internal control or financial reporting.
Internal auditing
To supplement the external auditing activities, Fabege is working to facilitate internal evaluations of critical processes. As a result of this work, and in view of the homogenous and geographically limited nature of the company’s activities and its simple organisational structure, the Board has not found reason to set up a separate internal audit unit. The Board believes the monitoring and examination described above, coupled with the external audits, are sufficient to ensure that effective internal control in respect of financial reporting is maintained.