Control environment
Internal control, over financial reporting and in general, is based on the overall control environment established by the Board and the Executive Team, which includes the culture and values that the Board and management communicate and operate from. Key components are the organisational structure, management philosophy and style, and responsibilities and powers that are clearly defined and communicated to all levels in the organisation.
Every year, the Board updates and adopts the rules of procedure, instructions to the President & CEO, decision-making procedure and authorisation policy, and finance policy, and reviews the Group’s other policy documents. Rules of procedure for the local boards and instructions to the local presidents are in place in every Group company and are based on the same principles as those applicable to Sweco AB’s Board. Sweco also has policies for finance, CSR information, corporate communication, information security, crisis management, data privacy, HR and quality and environment. These policies are the foundation for good internal control.
Sweco’s decision-making procedure and authorisation policy clearly regulates the allocation of powers at every level, from the individual consultant to Sweco AB’s Board of Directors. The areas covered include tenders, investments, rental and lease agreements, expenditures and guarantees.
The Audit Committee monitors policies and procedures on financial reporting, sustainability reporting and reporting to the Board to ensure that internal control activities focused on these matters are functioning properly. Internal controls are reviewed yearly. Outcomes are reported to the Audit Committee.
Risk management
The goal of Sweco’s risk management is to secure the Group’s long-term earnings growth and guarantee that Sweco’s operations in its various business units are able to achieve their objectives.
The company’s Board and senior management are ultimately responsible for risk management. Sweco’s risk management covers all business areas, companies/divisions and processes in the Group. Each manager is responsible for risk management activities in his/her respective area.
Sweco’s goals, which are expressed in the company’s business plan and strategy, are the foundation for the company’s risk management. Risk management is based on a group-wide risk analysis. This inventory of risks is aimed at identifying the most significant risks the Group is exposed to, the probability that these will occur and the potential impact on Sweco’s goals. The effectiveness of existing controls and risk mitigation measures is assessed in the same manner. Results of the overall risk analysis have been gathered in a risk map that reflects Sweco’s estimate of its risk exposure.
A report on risk management and internal control within the Group was discussed by the Board, the Audit Committee and the Executive Team. Risk management is a standing item on the agenda for each business area management meeting.
Monitoring
Each business area has a BA Finance Director responsible for ensuring compliance with financial reporting policies and procedures. BA Finance Directors are also responsible for ensuring the accuracy and completeness of the financial information reported. An Internal Control Framework is in place and is validated to track the effectiveness of significant internal controls related to the company’s financial reporting and other key areas.
The Group’s business system includes a number of functions for financial management, control and monitoring. Project reporting systems are in place to enable project managers to continuously monitor their projects and track monthly earnings and key ratios. This can also be monitored on a group, region, division and business area level. Operationally relevant key ratios can be followed up weekly on all of these levels. A group-wide consolidation is carried out every month to measure actual results against budgets and internal forecasts.
Communication about financial reporting also takes place in connection with business area management meetings, which are held regularly. An information policy defines responsibilities and rules for communication with external parties.
Code of Conduct and regulations
Sweco’s Code of Conduct specifies Sweco’s and its employees’ fundamental view on responsible business conduct for Sweco and Sweco’s business partners. The Code of Conduct constitutes our quality, environment, health & safety, and human rights policy and defines our corporate responsibility in society. The Code covers business ethics, employee development, human rights, equality and diversity, and occupational health and safety. Sweco also has a Business Partner Programme aimed at ensuring that existing and prospective partners meet Sweco’s corporate responsibility requirements. Additionally, Sweco has group-wide policies providing more detailed descriptions for Sweco employees regarding business ethics, data protection, information security and communication. To combat corruption Sweco also has group-wide policies on gifts, business entertainment and sponsorship. Local regulations specify areas of responsibilities in more detail.
Sweco complies with the laws, regulations and other requirements applicable to operations in countries where the Group is active. In some cases, Sweco’s standards and requirements exceed legal requirements. We support and respect human rights, as defined by the UN in the Universal Declaration of Human Rights. Sweco also follows the Code of Ethics formulated by the International Federation of Consulting Engineers (FIDIC). Sweco is a signatory of the UN’s Global Compact and works proactively to uphold its principles.
Sweco reports on its sustainability work in accordance with the regulations specified in the Swedish Annual Accounts Act that are based on the EU Non-Financial Reporting Directive. Sweco is preparing to report on its sustainability work pursuant to the EU Corporate Sustainability Reporting Directive (CSRD), which, after implementation into national law, is expected to come into effect during 2024. Sweco has undertaken compliance with the FIDIC’s Climate Change Charter, an international framework for sustainable practices in the engineering and technology consulting industry.
Compliance
Compliance is a matter for the Group’s executive management, for managers at all levels in the Group and for each individual employee. All managers are responsible for ensuring that their employees have everything they need to comply with Sweco’s policies and guidelines. All employees are obligated to familiarise themselves with the content of policies and guidelines, to accept and follow them, and to take steps to ensure that business partners comply with applicable policies.
Employees who suspect business ethics improprieties or a violation of human rights are obligated to report this either to their manager, their manager’s manager, HR department, Legal Counsel or other appointed contact person, and, in cases where anonymity is called for, via Sweco’s external whistleblower channel, Sweco Ethics Line. The President & CEO holds the ultimate responsibility for ensuring that the policies are monitored, e.g., through internal and external audits, surveys, internal statistics and line manager reviews.
Each business area is responsible for implementing and monitoring the Code of Conduct and other policies. Compliance is monitored monthly with the business areas and annually through performance reviews with employees, employee surveys, internal and external audits, and other processes. The policy framework is reviewed annually to manage sustainability in accordance with regulatory requirements and developments in the organisation and external environment.
Internal audit
Sweco has a dedicated internal audit function, the roles and responsibilities of which are defined in the audit charter. As per year end, Group Internal Audit consists of a Head of Internal Audit, two Group internal auditors and a team of qualified business auditors. Business auditors are experienced financial professionals who otherwise work in a business area but who participate on individual audits as part of their management development.
Internal audit work is governed by the annual risk-based audit plan approved by the Audit Committee, with detailed audit assignments defined on a quarterly basis.
Audits were conducted in multiple business areas in 2023 and focused mainly on:
- (Financial) project management
- Revenue recognition
- Project governance
- Compliance with business ethics and GDPR guidelines
A summary of audit findings is reported to the Audit Committee on a quarterly basis. Read more about Sweco’s risks and risk management in Sweco’s Annual and Sustainability Report.