Internal control

General

Storskogen has established a framework for internal control that aims to achieve an efficient organisation that achieves the goals set by the board of directors. This framework includes measures to ensure that Storskogen’s operations are conducted correctly and efficiently, that laws and regulations are complied with and that the financial reporting is correct, reliable and in accordance with applicable laws and regulations. Within the group, the structure for internal control shall be based on the so-called COSO framework (Committee of Sponsoring Organizations of the Treadway Commission). Based on COSO, Storskogen applies the following building blocks to achieve good internal control.

Control environment

The internal control is based on divisions of responsibilities and work tasks through, for example, the board of director’s rules of procedure, instructions for the board of director’s committees, the CEO and the financial reporting as well as the code of conduct and policies of the group. Compliance with these is monitored and evaluated continuously by the person responsible. The overall control environment also includes that a group-wide risk assessment shall be performed where risks are identified, evaluated and managed.

Risk assessment

Storskogen’s risk assessment aims to identify and evaluate risks of material errors in the group’s financial reporting and other group-wide risks. The risk assessment is, inter alia, carried out as a basis for the work of ensuring that the financial reporting is reliable and how the risks in the reporting are to be managed through various control structures.

Control activities

Each identified risk at group level and regarding the group’s financial reporting shall be linked to controls until the risk is considered to be eliminated or reduced to an acceptable level. Measures taken, documented process maps and risk/control matrices are examples of how control activities are managed within the group.

Storskogen has also introduced routines for mapping and implementing important internal controls in connection with acquisitions.

Information and insider policy

Relevant information must be communicated properly, to the right recipient and at the right time. Communicating important information, both upwards and downwards in an organisation and to external parties, is an important part of good internal control. Management meetings shall be used as a forum for communication and information dissemination linked to risk management in the group. It is also the group’s management’s responsibility to ensure that the process managers linked to the financial reporting possess sufficient knowledge of the significant risks and related control activities in the specific process.

Governance and follow-up

The management shall evaluate that the group-wide risk assessment and management as well as the specific control activities performed in each significant process linked to the financial reporting are still relevant for managing the significant risks Storskogen faces. Control activities must be documented so that there is traceability of the performance.

Follow-up to ensure the effectiveness of internal control is performed by the board of directors, the audit committee, the CEO, the management, the accounting department and by the company’s subsidiaries.

The system for group-wide risk management and financial reporting shall be followed up continuously and aims to ensure that the system is maintained, that changes take place when necessary and that evaluation of changes in working methods takes place. The audit committee shall also review internal control and report to the board of directors at least once a year.