Norva24’s internal control framework is governed by the Swedish Companies Act and the Code. Utilising control activities such as segregation of duties, reconciliations, approvals, safeguarding of assets and control over information systems, Norva24’s internal control framework is intended to provide a reasonable assurance that Norva24’s objectives are met with respect to effective and efficient operations, reliable and timely internal and external reporting and compliance with applicable laws and regulations.
The board of directors has the overall responsibility for Norva24’s internal control. The control is formally executed through written rules of procedure which define the responsibilities of the board of directors and the division of these responsibilities between the members of the board of directors, the board committees, and the CEO.
The audit committee has a particular responsibility for the quality and the supervision and control of Norva24’s internal control and risk management in relation to matters regarding compliance and financial reporting.
Internal control framework
Norva24’s internal control procedures cover management, business and support processes. Overall, Norva24’s control environment is intended to secure awareness and action of the board of directors and management.
The control environment is a defence model intended to prevent the Company from overlooking risk factors that could ultimately lead to Norva24 not achieving its business objectives. This includes a process for risk assessment. Norva24’s risk management work shall follow a defined process, consisting of the three steps below:
- Risk identification and assessment
- Internal control requirements
- Self-assessments and reporting
These steps are to be carried out at least annually. The first step in the risk identification and assessment, which shall be initiated annually by the CEO and performed by the management team, is to ensure that Norva24 is aware of the most significant risks affecting its business. The purpose is to identify new risks and update Norva24’s view on already identified risks. Based on the risk identification and assessment performed, internal controls shall be designed to cover the risks where applicable. The internal controls shall be phrased as requirements in order to describe the minimum level of efforts expected to establish an effective internal control environment throughout the different business processes. The effectiveness of the controls is to be assessed by defined persons throughout the organization. The results are to be compiled by the Chief Financial Officer and presented to the audit committee and the Board of Directors annually.
Internal control over financial and other reporting
Norva24’s internal control over financial reporting is designed to promote reliability of internal and external financial and non-financial reporting. Ultimately, this is intended to ensure timely and reliable reporting within external financial reporting, external non-financial reporting, internal financial reporting and internal non-financial reporting. Risks relating to financial reporting are evaluated annually.
Underlying risks are documented by process in a risk and control matrix, which is also used for self-assessment for evaluation of the internal control relating to financial reporting in each country where Norva24 operates. Risks relating to financial reporting are further evaluated by IR and communications function as per Norva24’s internal control framework. Further, risks relating to financial reporting are also discussed with the Company’s external auditors on a regular basis.
Information technology
Norva24 needs to maintain a well-functioning IT infrastructure to ensure business continuity and ensure the effectiveness of its operations and interface with its customers, as well as to maintain financial accuracy and efficiency. The general controls utilized by Norva24 to achieve this include policies and procedures that relate to critical applications and support the effective functioning of application controls and are intended to ensure the integrity of the data and processes that the systems support. Four domains make up the IT general controls:
- General entity level IT controls: To ensure that IT is managed in a structured way to secure the stability and integrity of business processes and their supporting applications.
- Access to programs and data: To ensure that only authorized access is granted to systems and data upon authentication of a user’s identity.
- Change management: To ensure the changes to critical programs and related infrastructure components are requested, authorized, performed, tested and implemented.
- Computer operations: To ensure that production systems are processed completely and accurately and that processing problems are identified and resolved completely and accurately to maintain the integrity of financial data.