Internal control

Castellum’s internal control environment

Internal control is governed by:

  • The Board of Directors’ rules of procedure.
  • Audit and Finance Committee’s rules of procedure.
  • Resolution procedure.
  • Instructions for signatories, proxy forms and authorisations.
  • Accounting structure.
  • Reporting structure.
  • Financial policy, communication policy, insider policy, sustainability policy, Code of Conduct, Code of Conduct for suppliers and crisis management policy.
  • Guidelines for information and IT security, insurance and electricity trading.
  • Accounting manual, HR manual, Manager manual.
  • Financial instructions.
  • Processing routine for personal data.
  • Continuity plan.

Under the Swedish Companies Act and the Code, the Board is responsible for internal control. This report has been drawn up in accordance with the Swedish Annual Accounts Act and the Code and therefore refers to internal control relating to financial reporting and other processes relevant to the operations.

The work on introducing self-assessment of internal controls continued in 2020.

Internal control at Castellum follows the Internal Control – Integrated Framework (COSO), which consists of the following five components: control environment, risk assessment, control activities, information and communication, and monitoring.

Control environment

The basis for internal control relating to financial reporting is a control environment consisting of various parts that together form the culture and values by which Castellum is governed. Essential to Castellum’s internal control are its decentralised, small-scale organisation with more than 600 properties and the cost centres administered by four regional companies. The decision-making paths, authorisations and responsibilities documented and communicated in such documents as the Board of Directors’ rules of procedure, resolution procedure, instructions for authorised signatories, proxy forms and authorisations, accounting and reporting instructions, internal policies, guidelines and manuals are also of importance for internal control. Current documents are updated regularly in the event of changes (e.g. to legislation, accounting standards or listing requirements).

Risk assessment

At Castellum, risk management is built into the processes concerned, and various methods are used to evaluate and limit risks as well as to ensure that the risks Castellum is exposed to are managed in accordance with established policies and guidelines. Under the rules of procedure, the Board of Directors and the Audit and Finance Committee annually review customary internal control and operational risk as well as how they are handled; for the latter, see the “Risks and Opportunities” section on The share. The risks deemed to exist are identified, and each individual risk is then ranked by impact and likelihood.

The material risks Castellum has identified as specifically linked to financial reporting are errors in accounting and valuation of properties, lack of financing, interest-bearing liabilities, tax and VAT, workplace injuries and the risks of fraud and loss or embezzlement of assets.

Group policies issued by the Board

Financial policy

Establishes overall objectives and guidelines for financial risk and how financial operations are to be conducted. The financial policy also indicates how responsibility for financial operations is allocated, and how risks are to be managed and reported. It also includes instructions for how operational activities are to be pursued.

Code of Conduct

Provides guidelines for conducting operations responsibly, with the aim of all business being characterised by a high level of business ethics and accountability. Governs the Group in relation to employees, contractors, customers, suppliers and other stakeholders.

Code of Conduct for suppliers

Provides suppliers with guidelines similar to those for Group employees on conducting operations responsibly, with the objective of all business being characterised by a high level of business morals and accountability.

Sustainability policy

Provides guidelines for how sustainability activities in the Group are to be pursued. The work must promote sustainable development and be broken down into specific measurable goals as well as being an integral and natural part of operations and based on participation and commitment.

Communication policy

Ensures that all Group communication is correct and is provided in a professional manner at the right time. The policy covers both internal and external communication.

Insider policy

Ensures proper ethical management in relation to the capital market by describing trading and reporting requirements.

Crisis management policy

Provides guidelines for how the Group is to act and communicate in a potential crisis.

Tax policy

Ensures a clear framework for tax governance in the Castellum Group as a stage in the company’s sustainability initiatives. The tax policy establishes the principles for compliance with taxes in the countries where Castellum operates.

Control measures

The risks identified as regards financial reporting are managed through the Company’s control structure, resulting in a number of control measures. The control measures are intended to prevent, detect and correct errors and deviations and cover, for example, analytical reviews at several levels in the organisation and comparisons of income statement items, reconciliation of accounts, monitoring and reconciliation of Board decisions and policies set by the Board, authorisation and recognition of business transactions, structures for proxies and authorisation, authorised signatories, compliance officer functions, and consolidated accounts prior to publication. The auditors issue a review report on the January–June half-year report.

Information and communication

Castellum has information and communication paths that are intended to ensure efficient and correct provision of information as regards financial reporting. This requires all parts of the operations to communicate and exchange relevant, material information. Policies and guidelines regarding financial reporting as well as updates and changes are made available and made known to the personnel concerned. Executive Management and the Board of Directors regularly receive financial information from the regions with comments on financial results and risks.

The Board also receives additional information regarding risk management, internal control and financial reporting from the auditors through the Audit and Finance Committee. In order to ensure that the external provision of information is correct and complete, there are a communication policy and guidelines for information security.

Corporate culture

Conducting Castellum’s operations responsibly is crucial for the company’s long-term success. Castellum’s Code of Conduct governs its daily work, and the Company has signed and supports the principles of the UN Global Compact on human rights, labour issues, the environment and corruption. The objective is to make sound and proper business decisions in all respects, where the Company’s actions are characterised by good business conduct with a high level of competence and business morals, good business practices, accountability and impartiality. The Code of Conduct is based on providing good quality and service, complying with laws and regulations, not discriminating against anyone, creating a good work environment and security. Castellum also has a Code of Conduct for suppliers, since Castellum expects suppliers to also promote sustainable development. Castellum’s work on diversity and equality is also an important component in building a corporate culture in which employees are given the right conditions to work. That is why Castellum has produced an equality policy as well as a diversity and equality plan in order to take a proactive approach to these issues every day. In addition, there are ambitious long-term goals regarding diversity and equality.

A cornerstone of Castellum’s corporate culture has been its decentralised organisation, which creates committed employees who take on responsibilities and feel part of operations.

Long-term value creation

Long-term value creation requires that operations are conducted with a focus on sustainability. Sustainability efforts involve environmental considerations such as efficient and responsible use of resources and developing a future-proof and sustainable asset portfolio as well as social responsibility by promoting the development of the cities where Castellum operates.

The work also involves ensuring a healthy work environment for employees. Sustainability activities are carried out in collaboration with customers and other stakeholders – a requirement for success. Guidelines for conducting value-creating sustainability efforts can be found in the sustainability policy, the Code of Conduct and the Code of Conduct for suppliers. Castellum reports on this work in accordance with the GRI Standards. Reports on sustainability activities are regularly presented to Castellum’s Board of Directors.


Routine monitoring takes place at many levels in the Group, at the property and regional levels as well as at Group level. Through the Audit and Finance Committee, the Board of Directors evaluates the information submitted by Executive Management and the auditors. Furthermore, the Company’s auditors report their observations from the review, and their assessment of internal controls, directly to the Audit and Finance Committee at least twice a year.

In addition, the Audit and Finance Committee conducts an annual review of the risk assessment and the measures agreed on. Monitoring by the Audit and Finance Committee and the Board of Directors is of particular importance for the development of internal control and for ensuring that action is taken regarding any shortcomings and proposals that emerge.

Internal audit

Castellum has a decentralised and transparent organisation. The economic and Treasury functions are managed from the head office, meaning that routines and processes are uniform but also provide the conditions for various parts of the functions to review one another’s processes – a form of self-assessment. All this is to increase and improve internal control. The business units and the Company monitor the income statements and balance sheets on a quarterly basis.

Clear documentation through policies and instructions, along with frequent monitoring and regular discussions with the auditors, ensures continual work to improve these processes. Management and reporting are reviewed twice a year by the Company’s auditors and reported to both the Audit and Finance Committee and the Board. In addition, there is a whistleblower function on the Group’s website and intranet. Taken together, this means that a specific division for internal audits is not considered justifiable.


Castellum’s whistleblower service, “Help us to do right,” can be accessed on the Group’s website and the Group’s intranet. The whistleblower service is an early warning system that gives both employees and external stakeholders the opportunity to anonymously report any deviations from Castellum’s values and business ethics. The service is administered by an external partner to ensure anonymity and professionalism.