Internal control is a process that is influenced by the Board of Directors, the Executive Management Team and the company’s employees, and has been designed to provide reasonable assurance that the company’s goals are being achieved in the following categories.

• That the company has an appropriate and efficient organisation for its business operations.
• That the company produces reliable financial statements.
• That the company complies with the relevant laws and regulations.

The company applies the established COSO (Internal Control – Integrated Framework) framework in its work.

Control environment

Fabege has a geographically well contained organisation and homogeneous operational activities, but its legal structure is complex. The business is capital-intensive and characterised by large monetary flows, including rental income, expenditure for project investments, acquisitions/sales of properties and financial expenses.

Ultimate responsibility for ensuring effective internal control and efficient risk management rests with the Board of Directors. To be able to perform its work in an appropriate and efficient manner, the Board has adopted rules of procedure. The Board’s rules of procedure are aimed at ensuring a clear division of responsibility between the Board of Directors (including committees) and the CEO (and the Executive Management Team) with a view to achieving efficient risk management in the company’s operations and in financial reporting. The rules of procedure are updated annually. In 2023, the Board performed its annual review and adopted rules of procedure for the Board, rules of procedure for the Audit Committee and Remuneration Committee and the company’s Code of Conduct. The Executive Management Team is responsible for designing and documenting, and for maintaining and testing, the systems/processes and internal controls required to manage significant risks in the accounts and the company’s day-to-day activities. The CEO and Executive Management Team, along with those individuals who by virtue of their roles in the company are in charge of each defined critical process, function or area, share operational responsibility for internal control.

The company’s financial reporting is governed by a set of policies and guidelines. For example, the company has policies regarding finance, the environment, gender equality, communication, insider dealing and tax management. There are also accounting policies and instructions for the closing of accounts, as well as for authorisation of payments and procurement of auditing services. The company’s policies are continually reviewed and updated as required. All policies have been discussed and adopted by the Executive Management Team. Information concerning adopted policies has also been disseminated throughout the organisation. In addition, more detailed guidelines and instructions are reviewed and updated regularly. In March, Fabege issued its annual Communication on Progress Report to the UN Global Compact. Work on developing the company’s sustainability reporting is conducted continuously. The Sustainability Report is presented in a separate section of  Annual Report; see pages 21–42.

Risk assessment

Risks and critical processes, functions and areas are defined on the basis of the control environment, significant results and balance sheet items, as well as significant business processes. The following risk areas have been defined as critical for us:

• Risk area Property Management: Processes for new lettings, renegotiations and rent payments. Customer relations and customer satisfaction, changes in customer needs, risk of rent losses.
• Risk area Technical Operation: Technical work environment and physical buildings.
• Risk area Property Development and Projects: Planning process and projects, implementation, procurement/purchasing.
• Risk area Valuation and Transactions. Report on internal control in respect of financial reporting.
• Risk area Financial Control and Finance: Liquidity risk, interest rate risk, financial information, taxes.
• Risk area Communication: Information management, brand, business ethics.
• Risk area Employees: Lack of resources, dependence on key personnel.
• Risk area Climate and Sustainability: climate change, emissions.
• Risk area Cyber Security and IT: digitalisation, data nfringement, GDPR.

The Executive Management Team conducts an annual review and evaluation of risk areas, for the purpose of identifying and managing risks. This is done in consultation with the Board and the Audit Committee, for examination by the auditors. Fabege’s internal processes and procedures provide support for the continuous management of risks.

Control activities

Critical processes, functions and areas are described and documented in respect of division of responsibility, risks and controls. Instructions, procedures and manuals are produced, updated and communicated to the relevant staff to ensure that they have up-to-date knowledge and adequate tools, with a standardised reporting package. Executives with operational responsibility comment on/approve the reports. Reviews and updates by executives with operational responsibility are made continuously throughout the year. Monitoring of outcomes is assessed against budgets and forecasts, which are updated twice a year. A central function prepares consolidated financial statements and other financial reports in close collaboration with the controller function, the operating units and the finance function. This work includes integrated control activities in the form of reconciliation with standalone systems/specifications of outcomes for income and expense items and balance sheet items. The company’s operational reporting is developed and improved continuously in terms of both content and system support, as well as availability to executives with operational responsibility

Information and communication

Management is responsible for informing the staff concerned about their responsibility for maintaining effective internal control. Employees are kept informed about governing policies and guidelines and how the business is performing via an intranet, information briefings and regular newsletters.

The CEO and Vice President/CFO, along with the Head of Investor Relations, are responsible for external financial communication. Investor Relations activities are based on principles for regular and accurate disclosure of information in accordance with Nasdaq Stockholm’s Rule Book for Issuers. The aim is to improve knowledge of and build confidence in the business among investors, analysts and other stakeholders. Efforts to improve and further clarify the disclosure of information to the market are continually ongoing.

The Communication and Marketing Department is responsible for other external and internal information. In October, an employee survey was carried out according to the Great Place To Work (GPTW) method. Fabege has GPTW certification, with a Trust Index score of 88.

Review

The internal control system needs to adjust and adapt to changing conditions over time. The aim is to ensure that this is continually monitored and addressed via management activities at various levels of the company, both through monitoring of the individuals responsible for each defined critical process, function and area and via regular evaluation of the internal control system. In addition to financial reporting to the Board, more detailed reports are prepared, at more frequent intervals, in support of the company’s internal governance and control activities.

Management reports regularly to the Board based on the adopted instructions for financial reporting, which are designed to ensure that the information provided is relevant, adequate, up-to-date and appropriate. The Audit Committee, which acts as the extended arm of the Board in monitoring the design and reliability of financial reports, also reports to the Board. In addition to familiarising itself with the content of, and methods used in preparing financial reports, the Audit Committee has also studied the way in which the more detailed and frequent internal reporting is used in evaluating and managing various areas of activity. The Committee also performs regular reviews and evaluations of internal control in respect of the company’s critical processes.

It regularly studies the results of the external auditors’ examinations of the company’s accounts and internal controls. The auditors examine the company’s financial reporting in respect of the full-year financial statements and carry out a limited assurance review of one quarterly report.

The Board regularly evaluates the information submitted by the Executive Management Team and the Audit Committee. Of particular significance is the Audit Committee’s task of monitoring management’s work on developing internal controls and of ensuring that measures are taken to address proposals and any shortcomings that have been identified in the course of examinations by the Board, the Audit Committee or the external auditors.

The Board of Directors has informed itself through its members and through the Audit Committee of risk areas, risk management, financial reporting and internal control and has discussed risks of errors in financial reporting with the external auditors. In the course of its work on examining and evaluating internal control in respect of critical processes in 2023, the Audit Committee found no reason to alert the Board to any significant issues in respect of internal control or financial reporting.

Internal auditing

To supplement the external auditing activities, Fabege is working to facilitate internal evaluations of critical processes. As a result of this work, and in view of the homogeneous and geographically limited nature of the company’s activities and its organisational structure, the Board has not found reason to set up a separate internal audit unit. The Board believes the monitoring and examination described above, coupled with the external audits, are sufficient to ensure that effective internal control of financial reporting is maintained.