Annual report 2015: Internal control

Karolinska Institutet (KI) conducts systematic internal control at all levels of operations to ensure that the university is performing its duties, achieving established objectives and making sure that its work is being pursued in accordance with operational requirements from the Government.

KI is subject to the Internal Audit Ordinance (2006:1228) and is thereby obligated to maintain a quality-assured process for internal control. The Internal Control Ordinance (2007:603) means that KI must prepare a risk assessment, implement control activities, perform systematic follow-up and also document this work. The university’s process for internal control has been designed in accordance with rules and guidelines established by the Board in 2009, with more detailed instructions being adopted on a continuous basis by the Vice-Chancellor.

In April 2014, the Board adopted KI’s Strategy 2018, which contains measures within four main areas. During the year, the intentions behind the strategy have been integrated into the processes of operational planning, follow-up and of internal control, which covers the years 2016–2018.

Risk analysis

The basis for the risk assessment is KI’s commission in accordance with the Higher Education Act and Ordinance, the appropriation directions and KI’s Strategy 2018. In addition, significant observations in conjunction with internal and external audit were taken into account.

A more thorough analysis is to be performed at departments and internal boards every three years. This fell in 2015. On 12 October 2015, the Board established twelve risks concerning the organisation as a whole, based on aggregated documentation. These areas are mainly associated with the university’s core activities in combination with external uncertainties. The three highest rated risk areas have points of contact with Stockholm County Council. Here, KI must find effective forms of collaboration to create opportunities for clinical research and education and to bring about one coherent informatics structure.

Control activities

Based on the Board’s assessment of the risk priorities that must be managed, there are annual decisions on the control activities necessary for fulfilling duties and objectives.

In light of the simplified risk analysis performed for 2015, the Board decided on control activities and responsible risk owners for the different areas. Significant results in developed action plans have then been reported to the Board on two occasions during the year. An overall assessment of the effects of these control activities is that the risk level has decreased within some areas, but several risks concerning the organisation as a whole are recurrent and require long-term solutions. In addition, a central part of the control structure is established through the university’s process for operational planning at all organisational levels, but also within the framework of continuous manual or automatic controls within various areas.


The Board is ultimately responsible for the follow-up and evaluation of the internal control process in order to ensure the adequacy of risk analysis and associated control activities. This follow-up also forms the basis of the conclusions that can be drawn prior to the assessment of internal control in the annual report.

One part of the follow-up of KI’s process for internal control is continuous internal audit. The risks identified constitute an important basis for assessment. Evaluation and review of the university’s operations is also performed by external parties, such as the Swedish Higher Education Authority (UKÄ) and the Swedish National Audit Office. Taken together, this provides the university with continuous proposals and recommendations for further improvements.

The quality of operations is an important measure regarding goal achievement and an indirect measure of internal control. In May 2015, the Vice-Chancellor set up a project with the mission of creating an integrated quality management system for the university. A vital objective is to establish conditions for continuous quality evaluation, quality assurance and quality improvement of operations based on Strategy 2018 and external requirements.


The Board makes an annual decision regarding which documentation is to constitute the basis for the assessment of internal control in connection with signing in the annual report. This documentation has its starting point in implemented work with the mandatory elements for internal control. The Board’s assessment is also based on the Vice-Chancellor’s annual compilation of decision proposals and on reports from the Swedish National Audit Office and KI’s internal audit.

Summary assessment and report of measures

In connection with the Board’s overall assessment of internal control at KI, it may be stated that deficiencies might exist. This statement is occasioned by an ongoing matter at KI concerning the researcher Paolo Macchiarini. The Board has appointed an external investigation with regard to this case. 

Annual report