Internal control
General
Cinclus Pharma's (also referred to as the Group or the Company) board is responsible according to the Companies Act for the Company's organization and the management of the Company's affairs. Furthermore, the board must continuously assess the Company's and the Group's financial situation and ensure that the Company's organization is designed so that the accounting, fund management and the Company's financial conditions in general are controlled in a reassuring manner.
Cinclus Pharma has established an internal control framework that aims to achieve efficient, structured and controlled processes for the organization to achieve the objectives set by the board. This framework includes work to ensure that Cinclus Pharma's operations are conducted correctly and efficiently, and that laws and regulations are complied with. Furthermore, the work includes ensuring that the financial reporting is correct, reliable and in accordance with applicable laws and regulations.
The board's responsibility regarding internal control is regulated in the Swedish Companies Act, the Annual Accounts Act and the Swedish Code of Corporate Governance. Within the group, the structure for internal control must be based on the so-called The COSO framework (Committee of Sponsoring Organizations of the Treadway Commission). Based on COSO, Cinclus Pharma applies the following building blocks to achieve good internal control.
Control environment
The internal control is based on division of responsibilities and division and distribution of work through, among other things, the board's rules of procedure, instructions for the board's committees, the executive director and instructions for and the established financial reporting as well as Cinclus Pharma's code of conduct and other policies.
A financial policy has been adopted by the board that sets out the framework for how financial risks are to be managed and the division of responsibilities between the board, CEO and CFO. Cinclus Pharma also has a financial handbook, the purpose of which is to set guidelines and rules for how the financial control and reporting must be carried out and complied with within Cinclus Pharma.
Compliance with these governing documents and policies is followed up at least annually by management and reported to the audit committee and board.
Risk assessment
Cinclus Pharma's risk assessment aims to identify and evaluate risks for material errors in group-wide risks and the group's financial reporting. The risk assessment is, among other things, the basis for the work to ensure that the financial reporting is reliable and how the risks in the reporting are to be handled through various control structures. Group management makes a risk assessment at least annually, which is reported to the audit committee and board. The CFO is responsible for the risk assessment of the financial reporting and the work to ensure its reliability.
Control activities
Controls must be linked to each identified risk on a group-wide level and regarding the group's financial reporting until the risk is considered eliminated or reduced to an acceptable level. Prepared measures and documented process maps and risk/control matrices are part of how control activities are handled within the group.
Information and communication
Relevant information must be communicated in the right way, to the right recipient and at the right time. Communicating important information, both upwards and downwards in an organization and to external parties, is an important part of good internal control. Group management meetings must be used as a forum for communication and information dissemination linked to risk management for the group. It is also the responsibility of the group's management team to ensure that the process responsible connected to the financial reporting have sufficient knowledge of the essential risks and related control activities in the specific process.
The guidelines for internal and external communication are described in Cinclus Pharma's Information Policy. Ultimately, this is about ensuring that information obligations according to laws and regulations are complied with and that investors receive the right information in time. The board and its audit committee regularly receive financial reports regarding the group's position and earnings development. The routines for the provision of external information aim to provide the market with relevant, reliable and accurate information about the Company's development and financial position. The Company's guidelines include how such communication should take place, who is authorized to provide certain types of information and when a logbook must be kept.
Governance and follow-up
Group management must evaluate that, the group-wide risk assessment and management as well as the specific control activities carried out in each material process linked to the financial reporting, are still relevant to manage the material risks Cinclus Pharma faces. Control activities must be documented so that execution is traceable. Follow-up to ensure the effectiveness of the internal control is also done by the audit committee and the board.
The system for group-wide risk management and financial reporting must be followed up continuously and aim to require that the system is maintained that changes take place when necessary and to evaluate changes in working methods. The audit committee must also review that internal control follows established routines and policies, and report to the board at least once a year. The company's CFO is responsible for maintaining internal control in accordance with what the board has decided.
Auditor
As a public company, the company is obliged to have at least one auditor to review the company's and the Group's annual report and accounting, as well as the administration of the board and the managing director. The review must be as thorough and comprehensive as good auditing practice requires. The company's auditors are elected in accordance with the Swedish Companies Act by the annual general meeting. An auditor in a Swedish limited company thus has his assignment from and reports to the annual general meeting and must not allow him- or herself to be guided in his or her work by the board or any senior executive. According to the Company's articles of association, the annual general meeting must appoint a minimum of one (1) and a maximum of two (2) auditors with a maximum of two (2) deputy auditors. The company's current authorized auditor is Leonard Daun from Öhrlings PricewaterhouseCoopers AB (PWC).
Internal audit
The group has chosen not to introduce an internal audit function as the organization and operations are not yet so extensive that this has been deemed necessary.