Internal control (over financial reporting and in general) is based on the overall control environment established by the Board and the Executive Team, including, among other things, the culture and values communicated and practised by the Board and Executive Team. Key components are the organisational structure, management philosophy and style, and responsibilities and powers that are clearly defined and communicated to all levels in the organisation.
The Board has formulated explicit decision-making procedures, rules of procedure and instructions for its own work and that of the Remuneration Committee, Audit Committee and President & CEO in order to facilitate effective management of operational risks. Every year, the Board updates and adopts the rules of procedure, the instructions to the President & CEO, the decision-making procedure and authorisation policy, and a finance policy, and reviews the Group’s other policy documents. Rules of procedure for the local boards and instructions to the local presidents are in place in every Group company and are based on the same principles as those that apply to Sweco AB’s Board. Sweco also has a number of policies for finance, CSR information, corporate communication, information security, crisis management, data privacy, HR and quality and environment. These policies are the foundation for good internal control.
Sweco’s decision-making procedure and authorisation policy clearly regulates the allocation of powers at every level, from the individual consultant to the Sweco AB Board. The areas covered include tenders, investments, rental and lease agreements, expenditures and guarantees.
Through the Audit Committee, the Board adopts and monitors policies and procedures on financial reporting and reporting to the Board to ensure that internal control activities focused on these matters are functioning properly. Internal controls are reviewed by Group internal audit, as well as the statutory auditor. The outcomes are reported to the Audit Committee.
The goal of Sweco’s risk management is to secure the Group’s long-term earnings growth and guarantee that Sweco’s operations in the various business units are able to achieve their objectives.
The company’s Board and senior management are ultimately responsible for risk management. Sweco’s risk management covers all business areas, companies/divisions and processes in the Group. Each manager is responsible for risk management activities in his/her respective area.
Sweco’s goals, which are expressed in the company’s business plan and strategy, provide a foundation for the company’s risk management. Risk management is based on a group-wide risk analysis. This inventory of risks is aimed at identifying the most significant risks that the Group is exposed to, the probability that these will occur and the potential impact on Sweco’s goals. At the same time, the effectiveness of existing controls and risk mitigation measures is assessed. The results of the overall risk analysis have been gathered in a risk map that reflects Sweco’s estimate of its risk exposure.
A report on risk management and internal control within the Group was discussed by the Board, the Audit Committee and the Executive Team. Risk management is a standing item on the agenda for each business area management meeting.
Each business area has a BA Finance Director responsible for ensuring compliance with policies and routines for financial reporting. The BA Finance Directors are also responsible for ensuring the accuracy and completeness of the reported financial information. To further enhance internal control of financial reporting, a self-assessment questionnaire on internal control is produced each year and circulated to all BA Finance Directors in the Group. The purpose of the questionnaire is to track the effectiveness of significant internal controls related to the company’s financial reporting as well as other key areas. The submitted answers are analysed and any shortcomings are identified and corrected.
The Group’s business system includes a number of functions for financial management, control and monitoring. There are project reporting systems where project managers can continuously monitor their projects and track monthly earnings and key ratios. This can also be monitored on a group, region, division and business area level. Operationally relevant key ratios can be followed up weekly on all of these levels. A group-wide consolidation is carried out every month to measure actual results against budgets and internal forecasts.
Communication about financial reporting also takes place in connection with business area management meetings, which are held regularly. An information policy defines the responsibilities and rules for communication with external parties.
Sweco has a dedicated internal audit function, whose roles and responsibilities are defined in the audit charter. Group internal audit consists of the head of internal audit, one group internal auditor and a team of qualified (business) auditors. Business auditors are experienced financial professionals who rotate into Group internal audit as part of their management development.
Internal audit work is governed by the annual audit plan, which reflects risk assessment relative to the realisation of business objectives (risk-based approach). The audit plan is approved by the Audit Committee, with detailed audit assignments defined on a quarterly basis.
Audits were conducted in multiple business areas in 2019, mainly focusing on:
- (Financial) project management
- Revenue recognition
- Compliance with business ethics programme
- Compliance with GDPR guidelines
A summary of audit findings is reported to the Audit Committee on a quarterly basis.
Read more about Sweco’s risks and risk management on pages 100–101 of Sweco’s annual report for the financial year 2019.