Internal control (over financial reporting and in general) is based on the overall control environment established by the Board and the Executive Team, including the culture and values communicated and practiced by the Board and Executive Team. Key components are the organisational structure, management philosophy and style, and responsibilities and powers that are clearly defined and communicated for all levels in the organisation.
The Board has formulated explicit decision-making procedures, rules of procedure and instructions for its own work and that of the Remuneration Committee, Audit Committee and President & CEO in order to facilitate effective management of operational risks. Every year, the Board updates and adopts the rules of procedure, instructions to the President & CEO, decision-making procedure and authorisation manual, and a finance policy and reviews the Group's other policy documents. Rules of procedure for the local boards and instructions to the local presidents are in place in every Group company and are based on the same principles as those that apply for Sweco AB's Board. Sweco also has a number of policies and guidelines for financial information, corporate communication, IT security, CSR, crisis management, HR, and quality and environment. These policies are the foundation for good internal control.
Sweco has a decision-making procedure and authorisation manual that clearly regulate the allocation of powers at every level, from the individual consultant to the Sweco AB Board. The areas covered include tenders, investments, rental and lease agreements, expenditures and guarantees.
Through the Audit Committee, the Board adopts and monitors policies and procedures on financial reporting and reporting to the Board to ensure that internal control activities focused on these issues are functioning properly. Internal controls are reviewed by Group internal audit, as well as the statutory auditor. The outcomes are reported to the Audit Committee.
The goal of Sweco's risk management is to secure the Group's long-term earnings growth and guarantee that Sweco's operations in the various business units are able to achieve their objectives.
The company's Board and senior management are ultimately responsible for risk management. Sweco's risk management covers all business areas, companies/divisions and processes in the Group. Each manager is responsible for risk management activities in his/her respective area.
Sweco's goals, which are expressed in the company's business plan and strategy, provide a foundation for the company's risk management. Risk management is based on a Group-wide risk analysis. This inventory of risks is aimed at identifying the most significant risks that the Group is exposed to, the probability that these will occur and the potential impact on Sweco's goals. At the same time, the effectiveness of existing controls and risk mitigation measures is assessed. The results of the overall risk analysis have been gathered in a risk map that reflects Sweco's risk exposure.
A report on risk management and internal control within the Group was discussed by the Board, the Audit Committee and the Executive Team. Risk management is a standing item on the agenda for each business area management meeting.
Each business area has a Finance Director responsible for ensuring compliance with policies, guidelines and routines for financial reporting. Finance Directors are also responsible for ensuring the accuracy and completeness of the reported financial information. To further enhance internal control of financial reporting, a self-assessment questionnaire on internal control is produced each year and circulated to all Finance Directors in the Group. The purpose of the questionnaire is to ensure the effectiveness of all significant internal controls related to the company's financial reporting. The submitted answers are analysed and any shortcomings are identified and corrected.
The Group's business system includes a number of functions for financial management, control and monitoring. There are project reporting systems where project managers can continuously monitor their projects and track monthly earnings and key ratios. This can also be monitored at the group, region, division and business area levels. Operationally relevant key ratios can also be followed up weekly on all of these levels. A group-wide consolidation is carried out every month to measure actual results against budgets and internal forecasts.
Communication about financial reporting also takes place in connection with business area management meetings, which are held regularly. A corporate communication guideline defines the responsibilities and rules for communication with external parties.
Sweco has a simple and uniform operational structure throughout the Group. Controllers at the Group and business area levels regularly monitor compliance with Sweco's established operating and internal control systems.
Sweco has a dedicated internal audit function, consisting of a head of internal audit and a team of qualified business auditors. Business auditors are experienced financial professionals that rotate into Group Internal Audit as part of their management development.
Internal audit work is governed by the annual audit plan, which reflects risk assessment relative to the realisation of business objectives (risk-based approach). The audit plan is approved by the Audit Committee, with detailed audit assignments defined on a quarterly basis.
Audits were conducted in multiple business areas in 2017, focusing on:
• (Financial) project management
• Revenue recognition
• Compliance with business ethics programme
A summary of audit findings is reported to the Audit Committee on a quarterly basis.
Read more about Sweco's risks and risk management on pages 98–99 in Sweco's annual report.