Internal control is a process that is influenced by the Board of Directors, the Executive Management Team and the company’s employees and has been designed to provide reasonable assurance that the company’s goals are achieved in the following categories:
- that the company has an appropriate and efficient organisation for its business operations
- that the company produces reliable financial statements
- that the company complies with applicable laws and regulations
The company applies the established COSO (Internal Control – Integrated Framework) framework in its work.
Fabege has a geographically well-contained organisation and homogeneous operational activities, but its legal structure is complex. The business is capital-intensive and characterised by large monetary flows, including rental income, expenditure for project investments, acquisitions/sales of properties and financial expenses.
Ultimate responsibility for ensuring effective internal control and efficient risk management rests with the Board of Directors. To be able to perform its work in an appropriate and efficient manner, the Board has adopted rules of procedure. The Board’s rules of procedure are aimed at ensuring a clear division of responsibility between the Board of Directors (including committees) and the CEO (and the Executive Management Team) with a view to achieving efficient risk management in the company’s operations and in financial reporting. The rules of procedure are updated annually. In 2018, the Board performed its annual review and adopted rules of procedure for the Board, rules of procedure for the Audit Committee and the company’s Code of Conduct. The Executive Management Team is responsible for designing and documenting, and for maintaining and testing, the systems/processes and internal controls that are required to manage significant risks in the accounts and the company’s day-to-day activities. The company’s CEO and Executive Management Team, along with those individuals who by virtue of their roles in the company are in charge of each defined critical process, function or area, share operational responsibility for internal control.
The company’s financial reporting is governed by a set of policies and guidelines. For example, the company has policies regarding finance, the environment, gender equality, communication, insider dealing and tax management. There are also accounting policies and instructions for the closing of accounts and authorisation of payments. A new policy for procurement of auditing services was adopted in 2017. Furthermore, a review and update of Fabege’s policies was implemented. All policies were discussed and decided on by the Executive Management Team. Information concerning adopted policies was also disseminated throughout the organisation. In addition, more detailed guidelines and instructions are reviewed and updated regularly. In April, Fabege issued its annual Communication on Progress Report to the UN Global Compact. Work on developing the company’s sustainability reporting is conducted continuously. Integrated reporting has been applied since 2015, which means sustainability reporting is an integral part of financial reporting.
Risks and critical processes, functions and areas are defined on the basis of the control environment, significant results and balance sheet items, as well as significant business processes. The following risk areas have been defined as critical for Fabege:
- Risk area Property Management: The processes for new letting, renegotiation and rent payments. Customer relations and customer satisfaction and the risk of rent losses.
- Risk area Technical Operation: Technical work environment and physical buildings.
- Risk area Property Development and Projects: Planning process and projects, implementation and procurement/purchasing.
- Risk area Valuation and Transactions
- Risk area Financial Control and Finance: Liquidity risk, interest rate risk, financial information and taxes.
- Risk area Communication: Information management, brand, business ethics and IT.
- Risk area Employees: Lack of resources and dependence on key personnel.
- Risk area Environment
Fabege’s Executive Management Team conducts an annual review and evaluation of risk areas, for the purpose of identifying and managing risks. This is done in consultation with the Board and the Audit Committee, for examination by the auditors. The company’s internal processes and procedures provide support for the continuous management of risks.
Critical processes, functions and areas are described and documented in respect of division of responsibility, risks and controls. The necessary instructions, procedures and manuals are produced, updated and communicated to the relevant staff to ensure that they have up-to-date knowledge and adequate tools. The measures are aimed at incorporating risk management into the company’s day-to-day procedures. Compliance with policies, guidelines and instructions is monitored on an ongoing basis. Employees are given regular training, or as needed, to ensure that they have the required expertise. All critical processes are reviewed regularly and in 2018, a selection of the company’s critical processes was subject to special review. To supplement the external audit, the company also performed an internal assessment of compliance and controls in a selection of significant processes during 2018. A central controller function supports work on the follow-up of the operating units – Property Management and Property Development.
The controller department is in charge of operational reporting. Operational reports are prepared monthly and quarterly based on a standardised reporting package and submitted for comments/approval to executives with operational responsibility. Reviews and updates by executives with operational responsibility are made continuously throughout the year. Outcomes are monitored against budgets and forecasts, which are updated twice a year. For several years now the company has been producing rolling 12-month forecasts. A central function prepares consolidated financial statements and other financial reports in close collaboration with the controller function, the operating units and the finance function. This work includes integrated control activities in the form of reconciliation with standalone systems/specifications of outcomes for income and expense items and balance sheet items. The company’s operational reporting is developed and improved continuously in terms of both content and system support, as well as availability to executives with operational responsibility.
Information and communication
Management is responsible for informing the staff concerned about their responsibility to maintain good internal control. The company intranet and briefing sessions are used to ensure that employees are kept abreast of Fabege’s governing policies and guidelines.
Responsibility for external information rests with the Communications Department. Investor Relations activities are based on principles for regular and accurate information in accordance with Nasdaq Stockholm’s Rule Book for Issuers.
The aim is to improve knowledge of and build confidence in the company among investors, analysts and other stakeholders. In 2018, work continued on improving information and access to information on the external website. A new and revised web platform was launched at the start of 2019. Efforts to improve and further clarify the dissemination of information to the market are ongoing. In the autumn, an in-depth customer dialogue was conducted in order to better understand and satisfy customer requirements. In November, an employee survey was also carried out. The company received high ratings in both surveys.
The internal control system needs to change over time. The aim is to ensure that this is continually monitored and addressed via management activities at various levels of the company, both through monitoring of the individuals responsible for each defined critical process, function and area and via regular evaluation of the internal control system. In addition to financial reporting to the Board, more detailed reports are prepared, at more frequent intervals, in support of the company’s internal governance and control activities. Information is made continually available to those with operational responsibility via the company’s BI system.
Management reports regularly to the Board based on the adopted instructions for financial reporting, which are designed to ensure that the information provided is relevant, adequate, up-to-date and appropriate.
The Audit Committee, which acts as the extended arm of the Board in monitoring the formulation and reliability of financial reports, also reports to the Board. In addition to familiarising itself with the content of and methods used in preparing financial reports, the Audit Committee has studied the way in which the more detailed and frequent internal reporting is used in evaluating and managing various areas of activity. The Committee also performs regular reviews and evaluations of internal controls in respect of the company’s critical processes and regularly studies the results of the external auditors’ examinations of the company’s accounts and internal controls. The auditors examine the company’s financial reporting in respect of the full-year financial statements and carry out a limited review of one quarterly report.
The Board regularly evaluates the information submitted by the Executive Management Team and the Audit Committee. Of particular significance is the Audit Committee’s task of monitoring management’s work on developing internal controls and of ensuring that measures are taken to address proposals and any shortcomings that have been identified in the course of examinations by the Board, the Audit Committee or the external auditors.
The Board of Directors has informed itself through its members and through the Audit Committee of risk areas, risk management, financial reporting and internal control and has discussed risks of errors in financial reporting with the external auditors.
In the course of its work on examining and evaluating internal control in respect of critical processes in 2018, the Audit Committee found no reason to alert the Board to any significant issues in respect of internal control or financial reporting.
To supplement the external auditing activities, Fabege is working to facilitate internal evaluations of critical processes. As a result of this work, and in view of the homogeneous and geographically limited nature of the company’s activities and its simple organisational structure, the Board has not found reason to set up a separate internal audit unit. The Board believes the monitoring and examination described above, coupled with the external audits, are sufficient to ensure that effective internal control of financial reporting is maintained.