Find it

Internal control


The Board has overall responsibility for the Group’s system of internal control, which is designed to safeguard the assets of the Group and ensure the reliability of the financial information for both internal use and external publication, and to comply with the Turnbull guidance and the Code.

The Board confirms that it has reviewed the effectiveness of the internal control system, including financial, operational and compliance controls and risk management in accordance with the Code, for the period from 1 February 2014 to the date of approval of this Annual Report and Accounts 2014/15.

If significant losses were to be incurred during the year as a result of a failure of controls, a detailed report would be provided to the Audit Committee and the Board. The Board confirms that no significant weaknesses were identified in relation to the review carried out during the year and, therefore, no remedial action was required.

The Board has approved a set of policies, procedures and frameworks for effective internal control. The Group has procedures for the delegation of authorities for significant matters, to ensure approval is sought at the appropriate level. These procedures are subject to regular review and provide an ongoing process for identifying, evaluating and managing the significant risks faced by the Group. Such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives and can provide only reasonable and not absolute assurance against material misstatement or loss.

The responsibility for designing, operating and monitoring the system and the maintenance of effective control is delegated to the management of each of the Group’s operating companies. The Group’s risk management and reporting process helps Group management to identify, assess, prioritise and mitigate risk. Management at each operating company has responsibility for the identification and evaluation of the significant risks applicable to their business and any mitigating actions to be taken. The Group Executive Committee reviews, identifies and evaluates the risks that are significant at a Group level, as well as the mitigating actions against those risks. These are then considered by the Board. The types of risks identified included both strategic and material operational risks and are detailed on pages 26 to 29 of the Strategic Report.

Management is required to apply judgement in evaluating the risks facing the Group in achieving its objectives, in determining the risks that are considered acceptable to bear, in assessing the likelihood of those risks materialising, in identifying the Group’s ability to reduce the incidence and impact on the business of risks that do materialise, and in ensuring the costs of operating particular controls are proportionate to the benefit provided.


There are clear processes for controlling and monitoring the system of internal control and reporting any significant control failings or weaknesses together with details of corrective action. These include:

  • an annual planning process and regular financial reporting, comparing results with plan and the previous year on a monthly and cumulative basis;
  • written reports from the Chief Executive Officer and Chief Financial Officer submitted at each Board meeting;
  • operating company management report formally to the Audit Committee on a regular basis on the control environment in their business and actions taken to maintain or improve the environment as appropriate; and
  • reports and presentations to the Board on certain areas of specialist risk. These include treasury, insurance, tax and pensions.

A formal bi-annual certification is provided by the CEO and Finance Director of each operating company stating that appropriate internal controls were in operation and confirming compliance with Group policies and procedures. Any weaknesses are highlighted and the results are reviewed by operating company management, the Group Audit and Risk Management Director, the Group Finance and Planning Director, the Audit Committee and the Board. The internal audit function monitors and selectively checks the results of this exercise, ensuring that representations made are consistent with the results of its work during the year.

The internal audit function follows a planned programme of reviews that are aligned to the Group’s risks. The function:

  • works with the operating companies to develop, improve and embed risk management tools and processes into their business operations;
  • reports directly to the Audit Committee and has the authority to review any relevant part of the Group;
  • oversees the operation of the individual operating companies’ audit committees; and
  • provides the Audit Committee and the Board with objective assurance on the control environment across the Group.