The Board is responsible for the overall system of internal control for the Company and its subsidiaries and for reviewing the effectiveness of the system. It carries out such a review annually, covering all material controls including financial, operational and compliance controls and risk management systems, and reports to shareholders that it has done so.
The Company maintains a sound system of internal control with a view to safeguarding shareholders’ investment and the Company’s assets. It is designed to identify, evaluate and manage risks that may impede the achievement of the Company’s business objectives rather than to eliminate these risks and can therefore provide only reasonable, not absolute, assurance against material misstatement or loss. A description of the key risk factors that may affect the Group’s business is provided in the Operating and Financial Review.
The main features of the risk management processes and system of internal control operated within the Group are identified below. They do not cover the Group’s associate undertakings. Save to the extent indicated (in relation to developments which occurred during the year), they have been in place throughout the year under review and up to date.
Audit committee framework
The Group uses audit committees at central, regional, area and individual market levels to support the Audit Committee in monitoring risks and control. This framework provides a continuing process for identifying, evaluating and managing the significant risks faced by the Company and its subsidiaries. It is designed to capture and evaluate failings and weaknesses and to ensure that appropriate remedial action is taken where necessary.
The audit committee framework is regularly reviewed by the Board and was revised during the course of 2007 to ensure that it remains aligned with the Group’s business structure. The revised framework reflects the continuing migration of many of the processes and supporting control systems above the Group’s individual markets and is directed towards ensuring that these processes and control systems remain subject to adequate review from an internal control and business risk perspective. In relation to each level of audit committee, the Group’s requirements on constitution, membership and procedures have been developed to reflect both existing practice within the Group and best practice generally in the field of corporate governance.
The Group’s regional audit committees (which are all chaired by an Executive Director) focus on risks and the control environment within each region and are in turn supported by end market or area audit committees. The corporate audit committee comprises members of the Management Board and it focuses on the risks and the control environment within the Group’s operations which do not fall under the responsibility of the regional, area and local audit committees, for example central functions, global programmes and above-region projects. The reviews conducted by the regional audit committees and the corporate audit committee include consideration of the effectiveness of the process for identifying, evaluating and managing the risks of the business and the assessments of internal control and business risks completed by operating companies. The relevant external and internal auditors regularly attend meetings of all audit committees and have private audiences with members of the audit committees at least once each year. In addition, central, regional and individual market management, along with internal audit, supports the Board in its role of ensuring a sound control environment.
Risk management and internal control processes
Each Group company is responsible for managing its risks (both financial and non-financial) and must maintain a business risk register to identify, assess and monitor the key risks which it faces. Each company is required to review and update the register regularly. The Group’s internal audit function provides advice and guidance to the Group’s businesses on best practice in risk management and control systems.
Group companies and other business units are required at least annually to complete a checklist of the key controls which they are expected to have in place. Its purpose is to enable them to self-assess their internal control environment, assist them in identifying any controls which may require strengthening and support them in implementing and monitoring action plans to address control weaknesses.
The Group’s internal audit function is responsible for carrying out audit checks on Group companies and other business units, and does so against an audit plan presented annually to the Audit Committee, which focuses in particular on higher risk areas of the Group’s business.
Annually, at the year end, each operating company within the Group and each department within the Group’s UK headquarters is required to:
- review its system of internal control, confirm whether it remains effective and report on any material weaknesses and the action being taken to address them; and
- review and confirm compliance with the Standards of Business Conduct and identify any material instances of non-compliance or conflicts of interest.
The results of these reviews are reported to the relevant regional audit committee or to the corporate audit committee and, where appropriate, to the Board’s Audit Committee to ensure that appropriate remedial action has been, or will be, taken where necessary.
The Turnbull Guidance sets out best practice on internal control for UK-listed companies to assist them in assessing the application of the Code’s principles and compliance with the Code’s provisions with regard to internal control. The current version of the Turnbull Guidance (the Guidance) applies to listed companies for financial years beginning on or after 1 January 2006.
The processes described above, and the reports that they give rise to, enable the Board and the Audit Committee to monitor the internal control framework on a continuing basis throughout the year and to review its effectiveness at the year end. The Board, with advice from its Audit Committee, has completed its annual review of the effectiveness of the system of internal control for the period since 1 January 2007. No significant failings or weaknesses were identified and the Board is satisfied that, where specific areas for improvement have been identified, processes are in place to ensure that the necessary remedial action is taken and that progress is monitored. The Board is satisfied that the system of internal control is in accordance with the Guidance.