Internal control
The directors are responsible for, and reviewing the effectiveness of, the Company’s system of internal control, including internal financial control, which is designed to provide reasonable, but not absolute, assurance regarding: (a) the safeguarding of assets against unauthorised use or disposition, and (b) the maintenance of proper accounting records and the reliability of financial information used within the business or for publication. These controls are designed to manage rather than eliminate the risk of failure to achieve business objectives due to circumstances which may reasonably be foreseen and can only provide reasonable and not absolute assurance against material misstatement or loss. The Company has a Statement of Business Principles applicable to all employees. The Company also has a Code of Business Conduct and Ethics which applies to all employees. These are two of a number of Standing Instructions to employees of the Group designed to enhance internal control. Along with the Finance Standing Instructions, these are regularly updated and made available to staff through the Company’s intranet.
A clear organisational structure exists, detailing lines of authority and control responsibilities. The professionalism and competence of staff is maintained both through rigorous recruitment policies and a performance appraisal system which establishes targets, reinforces accountability and awareness of controls, and identifies appropriate training requirements. Action plans are prepared and implemented to ensure that staff develop and maintain the required skills to fulfil their responsibilities, and that the Company can meet its future management requirements.
Information systems are developed to support the Company’s long-term objectives and are managed by a professionally staffed Information Management department. Appropriate policies and procedures are in place covering all significant areas of the business. During 2007/08, the Company has worked to enhance controls in relation to IT risks.
The business agenda is determined by the business plan which represents the operational and financial evaluation of the corporate strategy, setting out the agreed targets for financial return and service standards, identifying and prioritising improvement opportunities to deliver those targets, and the agreed capital and manpower requirements. The business planning process confirms that the targeted results can be achieved, satisfies departments that their plans are robust and establishes performance indicators against which departments can be evaluated. The business plan is approved by the Board on an annual basis.
A comprehensive management accounting system is in place providing management with financial and operational performance measurement indicators. Detailed management accounts are prepared monthly to cover each major area of the business. Variances from plan are analysed, explained and acted on in a timely manner. As well as regular Board discussions, monthly meetings are held by the Leadership team to discuss performance with specific projects being discussed as and when required. Throughout 2007/08, the Capital Investment Committee was instrumental in maintaining tight control of capital and external expenditure and headcount. All major corporate projects are audited regularly.
Corporate governance remains key to the business. The Company continues to review its internal control framework to ensure it maintains a strong and effective internal control environment. The effectiveness of the framework has been under regular review by the Leadership team. The Group will continue to comply with the Combined Code on corporate governance and the UK Listing Authority rules.
Business controls are reviewed on an ongoing basis by the internal audit function which operates internationally and to a programme based on risk assessment. The department is managed by professionally qualified personnel with experience gained from both inside and outside the industry. A risk-based annual audit plan for the calendar year 2007, which provides assurance over key business processes and commercial and financial risks facing the Company, was approved by the Audit Committee in November 2006. A further risk-based audit plan for the first six months of 2008 was approved by the Audit Committee in January 2008 to cover the transition phase to a 12-month audit plan from July 2008 to June 2009.
The Audit Committee considers significant control matters raised by management and both the internal and external auditors and reports its findings to the Board. Where weaknesses are identified, the Audit Committee ensures that appropriate action is taken by management. No significant failings or weaknesses were identified during 2007/08.
Risk management approach
The Company has put in place a structure and process to help identify, assess and manage risks. This process has been in place throughout the year to which these statements apply and up to the date of their approval.
The Risk Group consists of the Leadership team and the Heads of Internal Control and Risk Management. Meeting quarterly, it reviews the Company’s key risks contained in the corporate risk register and ensures that all new and emerging risks are appropriately evaluated and any further actions identified. The Risk Group also provides policy and guidance to those responsible for managing the individual risks, and to the departmental risk leaders. The management of each major area of corporate risk is subject to review by an appropriate ‘assurance body’. This includes a review of the controls in place to mitigate the risks and the further actions being taken by management. The Risk Group reports bi-annually to the Audit Committee to assist the Board in the management of risk in accordance with the revised guidance for directors on the Combined Code (June 2006).
The Board carried out a risk review in December 2007 in preparation for its review of the annual business plan at its meeting in January 2008.
During 2007/08, the Company has continued to monitor any staff concerns about possible improprieties relating to financial reporting or other matters. This can be in confidence through a third-party helpline if the staff member so chooses.