The board is responsible for internal control per the Swedish Companies Act and the Swedish Code of Corporate Governance. This board report was prepared per the Code and the guidelines issued by FAR SRS (the Institute for the Accountancy Profession in Sweden) and the Confederation of Swedish Enterprise. Accordingly, this board report is (i) limited to the organisation of internal control over Cybercom's financial reporting, (ii) not part of the formal annual report for 2008, and (iii) not examined by Cybercom's auditors.
Framework for internal control
The guidelines issued by the Confederation of Swedish Enterprise and FAR SRS (the Institute for the Accountancy Profession in Sweden) regarding the board's report on internal control over financial reporting identify the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as:
• The most widely used and internationally accepted framework
• Having a special status in defining good internal control. Consequently, Cybercom chose to use the COSO method as a starting point. The COSO framework describes internal controls by dividing them into five components: control environment, risk assessment, control activities, information and communication, and monitoring.
Work in progress and planned initiatives
Cybercom did a detailed, Group-level analysis of the risk of significant deficiencies in the income statements, balance sheets, and related notes; the analysis accounted for quantitative and qualitative risk parameters. On the basis of the initial risk analysis and to minimise risk of major deficiencies, several significant accounts were identified for further inventory, analysis, documentation, and evaluation of the company's control work. In this context, the company reviews roles and responsibilities related to internal control of financial reporting. During 2008, Cybercom continued to formulate appropriate general IT controls such as access structures, system modification procedures, backup procedures, and IT security. The company also assessed whether existing internal controls are working as intended. These assessments provided a basis for the board's evaluation of the effectiveness of internal control over financial reporting. Responsibility for creating processes with a high degree of internal control ultimately rests on the board, though operationally, this responsibility is delegated to the head of each subsidiary and coordinated by the parent company, which leads the work.
The following description of how internal control over financial reporting is now organised complies with the structure prescribed in the Confederation of Swedish Enterprise/FAR SRS guidelines.
Control environment
Effective board supervision forms the foundation for good internal control. The company's board adopted rules of procedure for this purpose. One key board task is to decide on the internal control framework to be applied in the Group and to formulate and approve several fundamental policies, guidelines, and structures related to financial reporting. Internal governance instruments were prepared in the form of the aforementioned rules of procedure for the board and its committees and instructions for the CEO. Other such documents include an accounting manual with instructions for financial accounting and reporting, a finance policy, instructions on decision-making powers and authorisation of business transactions, and an ethics policy for Group companies. In addition, the board ensured that the organisational structure is logical and transparent with clearly defined roles, responsibilities, and processes that promote effective management of operating risks.
Cybercom's management team has operating responsibility for internal control. The Group CFO has overall operating responsibility for internal control over the Group's financial reporting and reports to the management team and the board. The subsidiaries' financial directors have overall responsibility for internal control over financial reporting in their own units and continuously report on the status of internal control to the Group CFO. The board and management team determined the importance of timely, accurate reporting, and have thus also required efficiency within accounting and internal control functions. The latter also ensures that all tasks are evaluated and their efficiency is optimised. Cybercom's board in its entirety comprises the audit committee. The
board is thus obligated to ensure (i) compliance with established principles for financial reporting and internal controls and (ii) maintenance of appropriate relations with the company's auditor. The parent company has established internal audit procedures.
Risk assessment
Cybercom established several risk management processes that have a considerable influence on the company's ability to ensure accurate financial reporting and that those risks to which the company is exposed are managed within the framework established by the board. Cybercom's management team continuously analyses the company's business and support processes for assessment of efficiency and risks, including identification of risks for misstatements in financial reporting. Assessment of internal control is based on materiality and risk; in other words, the focus is on large income statement and balance sheet items. The parent company manages the largest balance-sheet items. Cybercom's risk assessment as regards financial reporting – identifying and evaluating the most significant risks that affect financial reporting – serves as the basis for how such risks are managed. Management of these risks may entail acceptance, reduction, or elimination of these risks as per requirements set by the board, the CEO, and executive management.
Control activity
Control structures are designed to manage risks that the board judges to be significant for internal control over financial reporting and that were identified in Cybercom's risk analysis. These control structures consist of (i) an organisation with clearly defined roles that facilitate an effective, and from an internal control standpoint, appropriate division of responsibilities and (ii) specific control activities aimed at detecting or preventing risks of significant deficiencies in financial reporting.
Examples of control activities include clear channels and procedures for significant decisions (such as investments, agreements, and approval of accounting transactions), profit analyses and other analytical procedures, reconciliations, inventories, and automatic controls in IT systems.
Due to the nature of Cybercom's business, every external business transaction is documented and monitored closely and the accounting function has in-depth insight into the process. This control work also includes the management team's monthly review of financial information.
Information and communication
Cybercom has established information and communication channels to promote completeness and accuracy in financial reporting to all those concerned by ensuring that internal governance instruments such as policies, guidelines, and manuals, which pertain to financial reporting, are kept updated and are communicated via relevant channels, such as the intranet and internal meetings. Cybercom will implement internal reporting procedures to assess internal control throughout the Group. It has already begun verification that controls are working as intended. Cybercom has a policy for communication with external parties to ensure compliance with all information obligations and that information provided is accurate and complete.
Monitoring
The board continuously evaluates the information submitted by company management and the audit committee. One area of particular importance for monitoring internal control is the work of the audit committee in evaluating efficiency of the management team's activities in this area. This work includes ensuring that action is taken with respect to the deficiencies and recommendations identified in internal and external audits. Monitoring of internal control will include audits of compliance with policies and guidelines and will evaluate effectiveness of significant control activities linked to risks of significant deficiencies in financial reporting. Furthermore, the board and the audit committee have an annual process to ensure that appropriate measures are taken to address report findings from the external audit.
As was mentioned previously, Cybercom chose to establish an internal audit function. Cybercom's internal auditor visits various Group companies to carry out this audit and notifies the subsidiary and the Group's CFO of the audit results.
Stockholm, 14 April 2009
Cybercom's board of directors