COSO framework
Karnov has chosen to structure internal control work in accordance with the so-called COSO framework, which includes the following elements: control environment, risk assessment, control activities, information and communication as well as monitoring and follow-up.
Control environment
Karnov’s control environment is based on the distribution of work among the board of directors, the committees, the CEO and the CFO and the corporate values on which the board of directors and the Group management communicate and base their work. In order to maintain and develop a well-functioning control environment, to comply with applicable laws and regulations, and to ensure compliance within the entire group with Karnov’s desired business practices, the board of directors, as the ultimately responsible body, has established a number of basic documents relevant to risk management and internal control, which consist of operational control documents, policies, procedures and instructions. Among these documents are the rules of procedure for the board of directors, the instructions for the committees of the board of directors, the instructions for the CEO, the instructions for financial reporting, the code of conduct, the communication policy and the insider policy.
Risk assessment
Karnov has established a risk assessment procedure, meaning Karnov conducts annual risk analysis and risk assessment. Based on this procedure, risks are identified and categorised according to the following four areas:
- Strategic risks
- Operational risks
- Compliance risks
- Financial risks
Karnov’s objective with the risk analysis is to identify the most significant risks that may prevent Karnov from achieving its targets or realising its strategy. The objective is further to evaluate these risks based on the probability that they will arise in the future and to what extent the risks may affect Karnov’s targets if they were to occur.
Individual risks are assigned a so-called risk owner. The risk owner has a mandate and responsibility to ensure actions and controls are established and implemented. The risk owner is also responsible for monitoring, follow-up and reporting of changes in Karnov’s risk exposure to identified risks.
Identified risks are reported annually by the CFO to the audit committee and the board of directors. The board of directors evaluates Karnov’s risk management system, including risk assessments, and shall annually submit a description in which the most important elements of Karnov’s internal control and risk management are examined in detail. The purpose of this procedure is to ensure that significant risks are managed and that controls that counteract identified risks are implemented.
Control activities
Karnov has established a risk management process that includes a number of key controls of matters that must be in place and function in the risk management processes. The control requirement is an important tool that enables the board of directors to lead and to evaluate information from Group management and to take responsibility for identified risks. Karnov focuses on documenting and evaluating the major risks related to financial reporting to ensure that Karnov’s reporting is accurate and reliable.
Information and communication
The board of directors of Karnov has adopted an insider policy and a communication policy governing Karnov’s management and communication of inside information and other information. The insider policy is intended to reduce the risks of insider dealing and other unlawful behaviour and to facilitate Karnov’s compliance with applicable rules regarding the handling of inside information. In addition, Karnov has established procedures for the handling of information and restriction of the dissemination of information. The communication policy describes Karnov’s overall focus on communication matters. Karnov’s communication shall be characterised by a long-term perspective and trust, reliability as well as proactivity, speed and transparency. The communication shall be accurate, relevant and comprehensive in accordance with Nasdaq Stockholm’s rule book for issuers.
Policies, routine descriptions and instructions are distributed to all relevant employees through Karnov’s intranet. Karnov’s employees are obliged to comply with the code of conduct, the communication policy and insider policy, and employees regularly perform relevant tests to ensure they are aware of the content of relevant policies, routine descriptions and instructions.
Monitoring and follow-up
A self-assessment of internal control requirement effectiveness shall annually be performed and facilitated by the employee appointed for the task by the CFO. The CFO must quarterly present the self-assessment report to the Group Information Security Board, before presenting it to the audit committee. The CFO is responsible for presenting the result to the audit committee and the board of directors. Karnov has a group-wide monitoring process by which the entities and functions shall follow up the effectiveness of controls and report back to the employee appointed by the CFO.
Karnov does not have a review function in the form of internal audit. The board has deemed that the monitoring of internal control carried out by the Board and Group management makes up a sufficient control function when considering the company’s operations and size.