Report on internal control in conjunction with financial reporting

The Board’s responsibility for internal control is governed by the Swedish Companies Act and by the Code, which includes requirements for annual external information disclosure concerning how internal control in respect of financial reporting is organised. Svenska Spel’s process for internal control is based on the framework drawn up by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and comprises the following components: risk assessment, control environment, control structure, information and communication, plus follow-up.

Organisation of internal control and risk management

Svenska Spel’s internal control in conjunction with financial reporting is designed to provide confidence in financial reporting and ensure that it is prepared in accordance with appropriate laws, regulations and accounting standards.

Internal control is defined as the process conducted by the Board, executive management and other appointed personnel to gain reasonable assurance of the correctness of financial reporting.

Svenska Spel has a keen focus on risk management and internal control. This includes an established process for risk management, an effective internal auditing process and processes for financial reporting with defined internal checkpoints.

Process improvements are achieved consistently in a target-oriented manner in an effort to attain the maximum quality level for financial reporting. Internal control activities are assessed and adjusted continuously, and employees are kept informed and trained in order to minimise risks.

Internal audit

Svenska Spel has an internal auditing function that focuses on tasks such as security in the internal control system and conformity to regulations. The internal auditing function assists the Board and CEO with independent, objective auditing assignments and consulting services, which result in actions and improvement programmes. The function assists the Group’s other units in attaining their targets by systematically evaluating the effectiveness of processes for governance, risk identification and control. During the year, the internal audit conducted some ten reviews in the following areas: marketing and sponsoring, IT control, test purchases and test gaming, as well as cash handling at Casino Cosmopol.

Control environment

The basis for the internal control consists of the control environment with its organisation, decision-making channels and responsibility, which are documented and communicated in governing documents, and the values that the Board and the Group executive management communicate and from which they act. Governing documents at Svenska Spel include:

  • Rules of procedure for the Board.
  • Rules of procedure for the Audit Committee and Benefits Committee.
  • The Board’s instructions for the CEO.
  • Attestation rules aimed at guiding everybody involved in handling financial transactions and at ensuring favourable control of financial transactions to prevent intentional and unintentional errors.
  • Policies for ethics, contact-promoting measures and representation.
  • Financial policy. The Group’s Finance/Accounts function works on the basis of the financial frameworks adopted by the Board in respect of financial risk management. Financial policy must be reviewed annually and be set by the Board. The objective is to limit the financial risks that arise in connection with investments and currency exposure.
  • Risk management policy. Risks at the operational and Group level are identified, analysed and valued annually or whenever required in line with the set risk management process.
  • Work procedures and instructions for internal control activities, ongoing accounting and closing accounts are well documented at the detailed level.

Combined with legislation and other external regulations, these governing documents constitute the framework that forms the basis for the Group process for internal control and risk management. The Board establishes the governing documents annually.

Ongoing internal control and risk management are conducted within the framework of Svenska Spel’s defined managerial responsibility. Responsibility is delegated from the Board to the CEO and further down to the operations managers.

Risk assessment and control structure

Svenska Spel works in a continuous risk management process for identifying, evaluating and managing risks in the Group with the overall purpose of ensuring that the Company and its subsidiaries efficiently and systematically manage risk, using the right priorities. Risk management must have a clearly preventive orientation in order to identify threats as early as possible and constitute an information base in the operations’ decision-making processes, thus ensuring that the operations can attain the set objectives. The support of Group-wide resources, processes and tools is used to handle the ongoing risk management work of both an operational and financial nature in the Group’s business and among operational areas and staff units.

Each manager is responsible for driving and developing his/her particular area of responsibility, which includes identifying possibilities and threats and following up operations. Identified risks – operational and financial – are matched with various control activities and a person is tasked with responsibility for this. Each quarter a list is drawn up of the Group’s risks and reporting is made to executive management.

The rules surrounding the Group’s processes for risk assessment and risk management and the outcome are dealt with annually by the Board. The Board assesses and monitors risks and the quality of financial reporting through the Audit Committee.

The Audit Committee has continuous and regular contact with the Group’s internal and external auditors for the assessment of risks in financial reporting.

The most significant risk for the Group’s financial reporting is the process involved in the reporting of gaming transactions. The process is highly transaction intensive. The control systems built up around this process are deemed to provide favourable security and good reliability in financial reporting. Risk assessment is conducted annually to provide a base for the analysis of any adjustment requirements. Among other developments in 2010, enhancement measures were completed in the processes for new structures for games, settlement of lotteries and the management of the products’ winnings funds.

Svenska Spel’s process description for financial reporting includes a risk assessment and the control structures that are in place to handle the risks.

A clear division of responsibility within the Finance/Accounts department and detailed work procedures are documented for financial reporting. The accounting processes are regularly evaluated and modified in line with generally accepted accounting practices, applicable laws and stipulations, and other requirements that apply to the Group’s financial reporting.

Compliance with policies and instructions that affect financial reporting is checked on a regular basis and deviations are reported to the relevant manager.

Continuous monitoring and control of the Company’s business and financial position in relation to established goals is carried out at the Group level and for each business area.

The objective for internal reporting is that there should be an appropriate, prompt and correct follow-up and reporting of how operations are progressing vis-à-vis the set operational plan and budget.

Certification

Svenska Spel is certified in accordance with the security standard of the World Lottery Association (WLA). The security standard also includes fulfilling the requirements pertaining to the management system for information security in ISO/IEC 27001:2006. The standard includes requirements in terms of ensuring confidentiality, availability, accuracy and traceability for all business-critical information. Svenska Spel worked intensively during the year with the objective of gaining certification according to the Payment Card Industry (PCI) regulations of VISA and MasterCard. PCI certification is a security and quality certification aimed at increasing data security among all parties who store, process or transfer card data. Svenska Spel expects to be PCI-certified during the first quarter of 2011.

Information and communications

Key policies, guidelines and instructions that are of significance for financial reporting are presented on Svenska Spel’s intranet and updating is done continuously as required. All employees have access to the intranet and directly affected personnel are informed separately in the event of any changes. In conjunction with the annual employee dialogue, employees must verify that they are updated on the Group’s current policies and guidelines.

Follow-up

The Board of Directors regularly reviews the information provided by executive management and the Audit Committee at each Board meeting.

The Audit Committee’s work includes ensuring that action is taken concerning the shortcomings that emerge and proposing measures in connection with internal control activities and internal and external audits.

An annual review is made of the application of the Group’s policies. The unit responsible for a policy is also responsible for checking compliance with it. Follow-up takes place at the executive management meeting in January when the unit responsible provides a written compliance report for the past year.

This review shall state whether there were any material nonconformities.

At the statutory Board meeting of Svenska Spel in connection with the AGM, the CEO provides a written report on the scrutiny of the Group’s policies for the preceding year.

Work is in progress aimed at changing the structure, decision-making procedures and so forth for the Group’s policies. The approach is that after their preparation in the Audit Committee in February, all policies are to be set by the Board at the statutory meeting in April.

The internal control process for financial reporting is to be reviewed and updated annually. Detailed instructions are updated regularly as soon as changes occur.