The Board has overall responsibility for the [Group]’s internal control systems and for monitoring their effectiveness. Implementation and maintenance of the internal control systems are the responsibility of the executive directors and senior management. The performance of internal control systems is reviewed regularly by the [AC], the [GRCC] and the main operating boards.
The Board regularly reviews actual and forecast performance of its businesses compared with their one year plans, as well as other key performance indicators. Lines of responsibility and delegated authorities are clearly defined. The Group’s control policies and procedures are published on a dedicated intranet site, which is regularly updated and accessible throughout the Group. Senior managers are required to confirm compliance with these policies throughout the year. The results of this confirmation process are considered by the AC on behalf of the Group Board.
The arrangements for establishing policies in respect of the key risks to the Group are set out in the Management of Risk section.
Review of Internal Control
The Code requires directors to review and report to shareholders on the Group’s internal control systems, which include financial, operational and compliance controls, and risk management.
The Board has controls in place to identify, evaluate and manage significant risks faced by the Group on an ongoing basis and for determining the effectiveness of the system of internal control. Where failings or weaknesses are identified, necessary actions are taken to remedy any such failings or weaknesses.
Established procedures, including those already described, are in place to comply with the Code. The Board assesses the effectiveness of internal control systems on the basis of:- regular reports by management to the main operating boards and the AC, on the adequacy and effectiveness of internal control systems and significant control issues
- the GRCC’s review of the continuous process for formally identifying, evaluating and managing the significant risks to the achievement of the Group’s objectives
- compliance reports and presentations from the Compliance Director on at least a quarterly basis
- presentations of the results of internal audits by the Group Chief Internal Auditor to the [AC]; and
- monitoring and reporting on the control environment by business units to the GRCC.
The Board takes regular account of the significance of social, environmental and ethical matters to the businesses of the Group. The [GRCC]’s review of the significant risks to the Group includes these matters. The work of the CSR Committee, which is chaired by the Group Chief Executive, are outlined in the Corporate Social Responsibility section.
The Group’s internal control systems are designed to manage, rather than eliminate, the risk of failure to meet business objectives and can only provide reasonable, and not absolute, assurance against material misstatement or loss. In assessing what constitutes reasonable assurance, the Board has regard to materiality and to the relationship between the cost of, and benefit from, internal control systems.
The results of the ongoing monitoring of financial, operational and compliance controls, and the risk management process, are reported by the AC to the Board. For 2008, the Board was able to conclude, with reasonable assurance, that appropriate internal control systems were maintained throughout the year.
Internal Audit
Internal Audit advises management on the extent to which systems of internal control are adequate and effective to manage business risk, safeguard the Group’s resources and ensure compliance with legal and regulatory requirements. It provides objective assurance on risk and control to senior management and the Board.
Internal Audit’s work is focused on areas of greatest risk to the Group as determined by a structured risk assessment process involving executive directors and senior managers. The output from this process is summarised in a plan which is presented to the AC. The Group Chief Internal Auditor reports regularly to the Group Chief Executive and to the AC.