Risk Management and Internal Control
Internal control over financial reporting and risk management
The Committee acknowledges its duty to assist the Board to fulfill its responsibilities for the Group’s risk management and internal control systems, including the adequacy and effectiveness of the control environment, internal control over financial reporting and the Group’s compliance with the 2018 Code.
During the year, all business areas prepared annual operating plans and budgets. These are regularly reviewed and updated as necessary. Performance against budget is monitored centrally at the operational level, and is discussed at Committee and Board meetings. The cash position of the Group is monitored daily by the treasury function.
Clear guidelines are in place for capital expenditure and investment decisions. These include budget preparation, appraisal and review procedures, and delegated authority levels.
Effective controls ensure the Group’s exposure to avoidable risk is minimized, and the Committee is cognizant of the material controls within the Group, including, amongst other things, that proper accounting records are maintained, financial information used within all business areas is reliable and up-to-date, and the financial reporting processes comply with relevant regulatory reporting requirements.
Internal control systems are in place in relation to the Group’s financial reporting processes for preparation of consolidated accounts. These systems include policies and procedures that relate to the maintenance of records which accurately and fairly reflect transactions, provide reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements, require representatives of the Group to certify that their reported information gives a true and fair view of the state of affairs of the business and its results for the period, and review and reconcile reported data.
Control processes are designed to manage, rather than eliminate, the risk of assets being unprotected, and to guard against their unauthorized use, either of which could culminate in the failure to achieve business objectives. Internal controls can provide only reasonable, not total, assurance against material misstatement or loss.
The Group’s Enterprise Risk Management (ERM) process is designed to identify, assess, manage, report and monitor risks and opportunities that may impact the achievement of the Group’s strategy and objectives. This includes adjusting the risk profile in line with the Group’s risk tolerances to respond to new threats and opportunities.
To fulfill its duties, the Committee reviewed:
- presentations from the Chief Information Officer outlining the Group’s approach to IT and cybersecurity;
- reports from Internal Audit at each scheduled Committee meeting covering key audit areas and any deficiencies in the control environment, spanning internal financial control, operational, IT and risk management; and
- the External Auditor’s reports to the Committee.
Accordingly, the Committee confirms its oversight of the process for identifying, evaluating and managing risks faced by the Group and the operational effectiveness of the appropriate controls, all of which have been in place throughout the year and up to the date of approval of the 2020 Annual Report and Accounts.