Audit Committee report continued
The Group’s approach to materiality

In considering the materiality of any individual issue or issues in aggregate, the Group looks at a range of qualitative and quantitative measures to assess whether omitting, misstating or obscuring information could reasonably be expected to influence decisions that the primary users of general-purpose Financial Statements make on the basis of those Financial Statements. The range of measures includes (but is not limited to) the primary Financial Statements themselves, the individual line item in question, and whether the issue moves the result from one side of an inflection point to another (for example, turning a profit into a loss or a net asset into a net liability). Qualitative and quantitative measures are both considered, as is any potential impact on remuneration or banking arrangements such as debt covenants.

Internal audit

The risk and assurance function is responsible for internal audit, and the provision of assurance in relation to financial, operational and quality systems and processes. The team is responsible for supporting the implementation of risk management across the business and monitors the implementation of related action plans. During the year, 19 internal audit reports were issued to the Audit Committee covering a range of risk areas including but not limited to key financial controls, backup controls, HR and payroll processes, including IR35, expenses and business cases.

The Audit Committee maintains an ongoing review of the risk and assurance function, which reports directly into the Chair of the Committee. The Committee is responsible for approving the content and coverage of the Internal Audit Plan, which documents the links to the Group’s strategic risks, key controls and associated assurance coverage. In addition, the risk and assurance team has a co-source arrangement as required for IT specialist audits and also utilises the cyber experts from within the business.
The members of the risk and assurance team are all qualified in ACA, ACCA, CIMA, or hold the CIIA qualification. The Internal Audit Plan also includes time for the continual professional development of the team.

The work of the risk and assurance function is a regular standing agenda item at all Committee meetings where a full update is provided including updates on audit and assurance activities, progress against the Internal Audit Plan, and commentary and tracking of the implementation of agreed management actions to address deficiencies in an expedited manner. All internal audit reports are provided to the PwC external audit team and discussed during regular catch-up meetings. The Internal Audit Plan is reviewed to ensure continued relevance, or is adjusted to the current environment taking a risk-based approach.

In FY25, the risk and assurance team has carried out a gap analysis against the 2024 CIIA Standards and commissioned an external quality assessment which is required once every five years. The output will be shared with the Audit Committee in early FY26.

Internal controls and risk management

The Board is responsible for establishing, maintaining and monitoring the Group’s system of risk management and internal control and reviewing its effectiveness. The Committee monitors the performance of management in this area. We have an ongoing process for identifying, evaluating and managing the principal risks faced by the Group, which has been in place for the year under review and is deemed effective up to the date of approval of the Annual Report and Accounts.

The Group’s non-Cyber Security risks are monitored by the Audit Committee on behalf of the Board, which sets aside time for an in-depth discussion of notable or changing risks to the business. A description of the process for managing risk, together with a description of the principal risks and strategies to manage those risks, is provided on pages 29 to 37. Cyber risks are reviewed by the Cyber
Security Committee; the Cyber Security Committee Report can be found on pages 79 and 80.

Internal control systems are designed to meet the needs of the Group and the risks to which it is exposed. By their nature, however, internal control systems are designed to manage rather than eliminate the risk of failure and can provide only reasonable but not absolute assurance against material misstatement or loss. Key elements of the risk management and internal control system are described below.

Controls relating to financial reporting and preparation of the Annual Report and Accounts

• Information provided to management covering financial performance and key performance indicators, including non-financial measures
• A robust internal review process to ensure the integrity of the preparation of the Annual Report and Accounts
• A detailed budgeting process where business units prepare plans for the coming year
• Procedures for the approval of capital expenditure and investments and acquisitions
• Monthly operational reviews to monitor and reforecast results as required against the annual operating plan, with major variances followed up and management action taken where appropriate
• The Group finance manual

Other controls

• Defined management structure and delegation of authority to Committees of the Board, subsidiary boards and associated business units
• Regional governance committees have been established to provide management with ongoing oversight
• Recruitment standards and compliance training to ensure the integrity and competence of staff
• Annual economic crime, ethics, data protection, information security, health and safety, export controls, sexual harassment and climate change mandatory training for all colleagues
• Clearly documented internal procedures set out in the Group’s ISO 9001-2015-accredited quality manual
• Regular internal audits of key processes and procedures under the Group’s ISO 9001 and ISO 27001-accredited quality assurance process
• Monitoring of any whistleblowing or fraud reports

The external auditor regularly reports its findings on those areas of internal control which it assesses as part of the external audit to the Board and the Audit Committee.

Our internal control effectiveness is assessed through the performance of regular checks, which in the year ended 30 September 2025 included:

• Assessment of the identification and management of risks connected to the Group’s strategy and management of strategic change
• Reviewing and testing the Group’s financial reporting processes
• Performing compliance monitoring activities for travel, expenses and health and safety
• Assessment of the Group’s processes for identifying and mitigating potential conflicts of interest
• Monitoring the completion of the Group’s mandatory compliance training

Following these regular checks, it was deemed that the controls were effective and the internal control systems are designed to meet the needs of the Group and its risks.

Compliance with the revised Corporate Governance Code is being reviewed with a dry run planned for FY26. This will be discussed with the Audit Committee and progress updates communicated throughout FY26.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 74