Board of directors’ report on internal control
The Board is responsible for MEKO’s internal control, the overall purpose of which is to protect the owners’ investment and the company’s assets. The Audit Committee has special responsibility to monitor the effectiveness of risk management and internal control regarding financial reporting.
During 2019, a second-line function was established with responsibility for developing and following up the Group’s internal control work, with reporting responsibility to the Board and the Audit Committee. Internal control for financial reporting is included as a part of the overall internal governance and control and constitutes a central part of the Group’s corporate governance. According to generally accepted frameworks established for this purpose, including COSO, internal control is usually described from five different aspects described below.
The control environment constitutes the basis for internal governance and control. An important part of the control environment is that decision paths, authorities and responsibilities, as well as competence requirements must be clearly defined and communicated between various levels in the organization and that the control documents are available in the form of internal policies, handbooks, guidelines and manuals, are adapted to operational changes and are updated regularly. To help strengthen the internal control, the Group has prepared a financial handbook that provides an overall view of existing policies, rules and regulations and procedures within the financial area. The handbook is updated annually. In addition, for implementation 2021, there is an overall corporate governance document that will provide new employed Managers, but also existing, with a comprehensive overview of the requirements placed on a manager. This document clarifies organization and decision pathways, goals, values and overall strategies, formal governance tools and all Group policies other than those stated in the financial handbook.
Risk assessment and risk management mean that the management is aware of and has itself assessed risks and threats in the business. The Group conducts frequent mapping of the Group’s risks. Among identified risks are a number of items in the financial statements and administrative flows and processes where there is an elevated risk of error. The company works continuously to reduce these risks by strengthening controls.
Control activities are the measures and procedures that the management has structured to keep errors from arising and to discover and resolve errors. Risks of errors in the financial reporting are reduced through a high level of internal control over the financial reporting, with specific focus on significant areas defined by management and the Board. Within the Group, there are specific control activities that are intended to ensure the timely discovery or prevention of the risks of errors in the reporting. During the year, the work of strengthening the Group’s internal control framework continued, where the framework for stock management at central warehouses was further formalized and implemented. In addition, the inventory management framework at local warehouses has been developed to be fully implemented in 2021 Furthermore, the work on a framework for general IT controls (ITGC) began during the year, where implementation will start during 2021.
Internal Audit is an independent function that provides security for the Board and management. Internal Audit examines different processes and procedures, gives the Board and management a balanced picture of the current situation and proposes improvement measures. This is done by evaluating and proposing improvement in such areas as risk management, compliance with policies and efficiency in the internal control over the financial reporting. The function works throughout the Group. The results of audits carried out are reported to the Audit Committee, the CEO and the CFO and information is provided to management in each business area and other units where relevant. For a number of years, MEKO has hired the auditing firm Deloitte to conduct the internal audit in the Group. In 2020 the firm also carried out an audit of the implementation of the AX business system, which has been implemented in units within Mekonomen Sweden. In 2020, the Board decided to choose EY as a new partner for the internal audit. During the autumn, EY carried out an audit of the work initiated during the year to establish a new control framework and governance model for cybersecurity. The Group´s Head of Risk and Internal Audit is responsible for Internal Audit, who reports to the Chairman of the Audit Committee in this function.
Information and communication
In order for individual task to be able to be done in a satisfactory manner, the staff in an organization must have access to relevant and current information. Policies and guidelines are particularly important for accurate accounting, reporting and dissemination of information. Guidelines on the financial process are updated as necessary at MEKO. Such updates mainly take place in each Group function for the various operations by making the guidelines available on the intranet, but also at regular CFO meetings in which representatives from the Group finance function also participate. A review of policies is carried out annually or in the event of significant changes. External investor communication is regulated by the Group’s communications policy
The final component in the framework pertains to follow-up of the structure and effectiveness of internal governance and control. The Board evaluates the information submitted by the Group Management Team and auditors. In conjunction with this, the Audit Committee is responsible for the preparation of the Board’s work to quality assure the Group’s financial reporting. The President, CEO and CFO hold monthly reviews of financial position with each Head of Operations. Group finance function also cooperates closely with the Group company finance managers and controllers of Group companies on matters pertaining to accounting and reporting. The follow-up and feedback concerning possible deviations arising in the internal controls are a key part of the internal control work, since this is an efficient manner for the company to ensure that errors are corrected and that the control is further strengthened. During the year, each business area reported a self-rating of the internal control framework for central inventory management. In cases where shortcomings have been identified, the business areas have presented an action plan. The CFO, Head of Accounting and the Head of Internal Audit for the Group and the CFO for the respective business area, were included in the work. Furthermore, work has been carried out to more thoroughly document and validate financial assessments in order to meet the external auditors’ requirements based on the new audit standard ISA 540R. A more formalized process is under development for reporting completed self-assessments of internal controls and evaluating the effectiveness of these controls.