The Board’s responsibility for internal control is governed by the Companies Act, the Annual Accounts Act – which requires that information on the key elements of Calliditas’ internal control and risk management system in connection with financial reporting annually be included in the corporate governance report – as well as the Swedish Corporate Governance Code. The Board shall, among other things, ensure that Calliditas has good internal control and formalized procedures that ensure compliance with established principles for financial reporting and that there are appropriate systems for monitoring and controlling the company’s operations and the risks that the company and its operations are associated with.

The overall purpose of internal control is to reasonably ensure that the company’s operational strategies and objectives are monitored and that the owner’s investment is protected. Internal control shall further ensure that external financial reporting, with reasonable certainty, is reliable and prepared in accordance with generally accepted accounting principles, compliance with applicable laws and regulations, and compliance with listed companies.

In addition to the above mentioned internal control, there is also internal activity-specific control of data on research and development as well as quality control that includes systematic monitoring and evaluation of the company’s development and manufacturing work.

Control environment

The Board has overall responsibility for the internal control of financial reporting. In order to create and maintain a functioning control environment, the Board has adopted a number of policies and control documents that regulate financial reporting. These consist mainly of the Board’s rules of procedure, the Managing Director’s instructions, the Audit Committee’s rules of procedure and instructions for financial reporting. The Board has also adopted a certification scheme and a financial policy. The company also has an accounting manual that contains principles, guidelines and process descriptions for accounting and financial reporting. The Board has furthermore set up an Audit Committee whose main tasks are to monitor the company’s financial position, to monitor the effectiveness of the company’s internal control, internal audit and risk management, to keep informed of the audit of the annual report and consolidated accounts, and to review and monitor the auditor’s impartiality and independence. Responsibility for ongoing work on internal control of financial reporting has been delegated to the company’s CEO. The Managing Director reports regularly to the Board in accordance with the established Managing Director’s instructions and the financial reporting instructions. The Board also receives reports from the company’s auditor. Responsibility for the internal activity-specific control in the day-to-day operations lies with the CEO.

Risk assessment

Risk assessment includes identifying risks that may arise if the basic requirements for the financial reporting of the company are not met. Calliditas’ management team has, in a specific risk register, identified and evaluated the risks that arise in the company’s operations, and has assessed how these risks can be managed. Calliditas’ management shall annually perform a risk assessment of strategic, operational and financial risks and present the assessment to the Audit Committee and the Board of Directors. The CEO is responsible for the presentation and the management’s risk assessment shall be reviewed on an annual basis by the CFO before it is presented to the Audit Committee and the Board of Directors. Within the Board of Directors, the Audit Committee is primarily in charge of evaluating the company’s ongoing risk position, whereby the Board thereafter also performs an annual review of, and assesses, the risk position.

Control activities

Control activities limit identified risks and ensure correct and reliable financial reporting. The Board is responsible for the internal control and follow-up of company management. This is done through internal and external control activities as well as through review and follow-up of the company’s management documents related to risk management. The effectiveness of control activities is evaluated annually, and the results of these evaluations are reported to the Board and Audit Committee. In agreements with key subcontractors, the company is guaranteed the right to check the respective subcontractor’s fulfillment of current services, including quality aspects.

Monitoring

The compliance and the effectiveness of internal controls are monitored continuously. The CEO ensures that the Board receives ongoing reports on the development of the company’s operations, including the development of the company’s earnings and position as well as information on important events, such as research results and important agreements. The CEO also reports these issues at each Board meeting. The company’s compliance with applicable policies and control documents is subject to annual evaluation. The results of these evaluations are compiled by the company’s CFO and reported to the Board and Audit Committee annually.

Information and communication

The company has information and communication channels that aim to promote the accuracy of financial reporting and enable reporting and feedback from operations to Board and management, for example by making governance documents in the form of internal policies, guidelines and instructions on financial reporting available and known to the relevant employees. The Board has also adopted an information policy that regulates the company’s disclosure of information.

Internal audit

The Board has evaluated the need for an internal audit function and concluded that such is not justified by Calliditas in view of the scope of operations and that the Board’s follow-up of internal control is deemed sufficient to ensure that internal control is effective. The Board reassesses the need when changes occur which may lead to reassessment and at least once a year.