Risk Management and Internal Control
Internal financial control and risk management
The Committee acknowledges its responsibilities to assist the Board to fulfill its responsibilities for the Group’s risk management and internal control systems, including the adequacy and effectiveness of the control environment, controls over financial reporting and the Group’s compliance with the Code.
All business areas of the Group prepare annual operating plans and budgets. These are regularly reviewed and updated as necessary throughout the year. Performance against budget is monitored centrally at operational level, and is discussed at Committee and Board meetings. The cash position of the Group is monitored daily by the Treasury function.
Clear guidelines are in place for capital expenditure and investment decisions. These include budget preparation, appraisal and review procedures, and delegated authority levels.
Effective controls ensure that the Group’s exposure to avoidable risk is minimized, and the Committee is cognizant of the material controls within the Group, including, amongst other things, that proper accounting records are maintained, financial information used within all business areas is reliable and up-to-date, and the financial reporting processes comply with relevant regulatory reporting requirements.
The Group has in place internal controls and risk management systems in relation to the Group’s financial reporting processes for preparation of consolidated accounts. These systems include policies and procedures that relate to the maintenance of records which accurately and fairly reflect transactions, provide reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements, require representatives of the Group to certify that their reported information gives a true and fair view of the state of affairs of the business and its results for the period, and review and reconcile reported data. Additionally, the Committee has reviewed plans on key operational issues, risk management, and Internal and External Auditors’ reports.
Control processes are designed to manage, rather than eliminate, the risk of assets being unprotected and guard against their unauthorized use, culminating in the failure to achieve business objectives. Internal controls will only provide reasonable and not total assurance against material misstatement or loss.
To fulfill its duties, the Committee reviewed:
- the External Auditor’s reports to the Committee;
- reports from Internal Audit on key audit areas and any deficiencies in the control environment covering internal financial control, operational and risk management;
- the Group’s approach to IT and cyber security; and
- the Group’s whistleblowing policy and the ongoing compliance with the policy including reviewing reports provided by the external service provider and any actions arising therefrom.
Accordingly, the Committee confirms there is a process for identifying, evaluating and managing risks faced by the Group and the operational effectiveness of the appropriate controls, all of which have been in place throughout the year and up to the date of approval of the 2018 Annual Report and Accounts.
Reviewing the effectiveness of internal control
As referred to above, throughout the year the Board, through the Committee and assisted by the Internal Audit function, reviews the effectiveness of internal control and the management of risk. The Internal Audit function reports into the Committee and has authority to review any relevant part of the Group or its business and has a planned schedule of reviews that coincide with the Group’s risks. In addition to financial and business reports, the Committee has reviewed medium- and longer-term strategic plans, reports on key operational issues, tax, treasury, risk management, legal matters and Committee reports, including Internal and External Auditors’ reports.