Corporate governanceInternal control

According to the Companies Act, the Board must ensure that the company's organization is designed so that accounting, asset management and the company's financial situation in other respects are controlled in a satisfactory manner. The Board is responsible for the company's internal control, the overall purpose of which is to protect the shareholders' investment and the company's assets. Internal control comprises methods and processes to safeguard assets, control the accuracy and reliability of internal and external financial reporting and ensure compliance with established guidelines. Internal control also improves operating efficiency and limits the risk level in operations.

Control environment

The basis of internal control consists of the control environment with the organization, decision-making channels, delegation of decision-making authority and responsibilities documented and communicated in governing documents as well as the culture that the Board and Management communicate and base their actions on. These governing documents, together with laws and other external regulations, serve as a framework that forms the basis of the Group's process for internal control and risk management. Governing documents are revised annually.

Cision's Board has established the following policies that provide guidelines for the Group's operations and its employees:

• Code of Conduct. The code is an expression of the values and guidelines that apply within the Group with regard to business ethics, freedoms and rights. Cision follows the laws and regulations in the markets where it is active. Cision conducts its operations with high demands on integrity and ethics.
• Financial policy. The Group's finance function follows the framework for financial risk management adopted by the Board. The financial policy and financial framework are updated annually. The goal is to limit the financial risks that arise in connection with borrowing, investments and foreign exchange transactions.
• Insurance policy. The policy describes risk management, delegation of responsibilities and the scope of global and local insurance protection.
• Information policy. The information policy describes the Group's principles for releasing information to the stock market and other external and internal stakeholders. The goal is to provide all market players will simultaneous, accurate, appropriate and reliable information on Cision.
• Compensation policy. The policy describes the principles of compensation (salaries, benefits and bonuses) for senior executives.
• Certifications and authorization. The instruction to the President includes rules on certifications and authorization.

Managers at various levels of the company are responsible for ongoing work with the internal control and risk management within each area of responsibility.

Since 2001 the "Cision Financial Manual" is applied in the entire Group. This manual provides guidelines, policies, principles and routines for accounting, reporting and control.

HR has Group-wide policies on compensation and recruitment. The manual and all guidelines are revised annually.

The Group has uniform rules on certifications and authorization for subsidiaries. This governing document covers the delegation of responsibility between the subsidiary presidents and the CEO, the local president's authority and the Group-wide policies and guidelines that are binding for all subsidiaries of the Group.

Risk assessments and control activities

The Board evaluates strategic risks and opportunities at the highest level and formulates the Group's strategy. Responsibility for managing operating risks lies with Group Management and regional managements. They have responsibility to identify, evaluate and manage risks as well as implement and maintain control systems in accordance with the Board's policies. Control activities consist of clear delegation of responsibility, decision-making processes and rules, detailed analyses of results and follow-ups of business plans and forecasts. Follow-ups and feedback are provided at Board meetings and through monthly and quarterly reporting on financial developments and exposures.

In 2006 an internal control project was initiated to establish a formalized process to continuously evaluate the internal control of financial reporting. The process comprises risk identification, documentation of processes, a review of governing documents, identification of controls and an evaluation of how well processes and existing controls manage identified risks. Important areas covered by risk evaluations, i.e., areas where with a relatively higher risk of material errors in financial reporting due to its complexity and significance, include revenue recognition, compliance with Group-wide accounting principles, valuation of intangible assets, the accounting and consolidation process, treasury, IT and the risk of fraud. Identified and prioritized risks also serve as a basis for the planning process where the need for improvement activities is taken into account in operational planning.

The Group's central finance function conducts periodic internal control reviews of subsidiaries in which controls for prioritized risk areas are evaluated. The aim is to ensure compliance with policies and guidelines, that risk management is adequate and to identify and recommend process improvements. The Board has decided that the establishment of a separate internal audit function is not motivated.

The Group has a system to confirm the annual accounts where local presidents and CFOs at year-end sign a Letter of Representation that gives management's opinion of the internal control of financial reporting and verifies that the reporting provides a true and fair view of the financial position of the company. In connection with the preparation of the closing accounts, each subsidiary performs a self-evaluation of its accounting process. This self-evaluation includes a control to ensure that reporting complies with the Group's principles and guidelines and that reconciliations and controls are conducted. Self-evaluations are enclosed with Letters of Representation.

During the year the Group established a project control office and a shared project control model for control, planning and follow-ups of major development projects. The aim is to reduce risks and ensure anticipated results from projects.

Information and communication

Policies, guidelines and instructions are available on the company's intranet. To ensure the quality of financial reporting, information is shared and a dialogue is maintained between the Group's central finance function and the subsidiaries' CFOs and controllers. This is done through monthly reviews of financial results, quarterly reviews of business plans and forecasts, quarterly web conferences and annual financial conferences.

Control model

In 2006 the Board revised the company's strategy, established new long-term financial targets and decided on a new control model based on a scorecard with three-year targets as well as annual business plans based on Group strategies. Based on the Group's overall financial targets, measurable targets have been set for each region in the form organic growth, operating margin (EBIT) and operating capital. In addition, other key performance indicators have been defined and established.

Follow-ups

The Board ensures the quality of the financial reporting by continually reviewing information on financial developments, financial risk management and reports from the company's auditors. The Board receives monthly financial reports and a detailed quarterly report that include a review of plans and forecasts for the next twelve months in a format it determines.

Follow-ups are made against business plans, financial targets and other key financial indicators. Moreover, goodwill is tested for impairment test, which is annually verified by the company's auditors. In connection with this test, the Board evaluates the assumptions that the test is based on and is informed of its outcome.

All legal entities report their financial results on a monthly basis in the Group's accounting system according to the Group's accounting principles (IFRS). Reporting is consolidated and serves as the basis for quarterly reports and monthly operational follow-ups of sales, results, cash flow and other key financial indicators and trends for the Group. Local accounting managers are responsible for ensuring that reported financial information is accurate, thorough and timely, for compliance with established policies and guidelines, and for introducing routines for internal control of financial reporting.

Cision has a central business control function responsible for operational follow-ups and financial control of regions and subsidiaries as well as for ensuring that internal financial information is transparent and relevant.

Follow-ups serve as a basis for analysis and measures by management and controllers at various levels. Each region has a regional controller responsible for analysis of revenue, expenses and profitability from a commercial perspective as well as investments and project follow-ups. The Group's business controllers also participate in the steering groups for major development projects.

In connection with the quarterly accounts, reviews are conducted with each region in which the CEO, CFO and each regional management take part. The reviews cover developments in respect of markets, clients, revenue and profit, with comparisons against objectives in the business plans. Forecasts for the next 12 months are reviewed as well.