Audit Committee report continued
Controls relating to financial reporting and preparation of the Annual Report and Accounts • Information provided to management covering financial performance and key performance indicators, including non‑financial measures (enhanced by new KPIs and targeted management reports) • A detailed budgeting process where business units prepare plans for the coming year (enhanced with new standardised reporting, discretionary cost reviews and consolidation models and systems) • Procedures for the approval of capital expenditure and investments and acquisitions (enhanced by standardised capital approval request forms) • Monthly operational reviews to monitor and reforecast results as required against the annual operating plan, with major variances followed up and management action taken where appropriate Other controls • Defined management structure and delegation of authority to Committees of the Board, subsidiary boards and associated business units (enhanced by more detailed authorities and guidance notes) • Recruitment standards and training to ensure the integrity and competence of staff • Anti-bribery, security and compliance training for all colleagues • Clearly documented internal procedures set out in the Group’s ISO 9001:2015 accredited quality manual • Regular internal audits of key processes and procedures under the Group’s ISO 9001 and ISO 27001 accredited quality assurance process • Monitoring of any whistleblowing or fraud reports The external auditor regularly reports its findings on those areas of internal control which it assesses as part of the external audit and half year review to the Board and the Audit Committee. Our internal control effectiveness is assessed through the performance of regular checks, which in the year ended 31 May 2021 included: • Assessment of the identification and management of risks connected to the Group’s strategy and management of strategic change • Reviewing and testing the Group’s financial reporting processes • Performing compliance monitoring activities • Assessment of the Group’s processes for identifying and mitigating potential conflicts of interest • Monitoring the completion of the Group’s mandatory colleague training
Internal audit The internal audit function is responsible for internal audit, the assurance of other quality systems and processes, and monitoring the embedding of risk management processes throughout our operations. The internal audit plan was approved by the Committee during the financial year and a number of audits were performed, the findings of which have been reviewed by the Committee. During the year, eight internal audit reports were issued. The Group will look to increase the scope of the audit plan during FY22, drawing on third party resource provided under co-source arrangements, and through the use of data analytics. Internal controls and risk management The Board is responsible for establishing, maintaining and monitoring the Group’s system of risk management and internal control and reviewing its effectiveness. The Committee monitors the performance of management in this area. We have an ongoing process for identifying, evaluating and managing the principal risks faced by the Group which has been in place for the year under review and up to the date of approval of the Annual Report and Accounts. The Group’s non-cyber security risks are monitored by the Audit Committee on behalf of the Board which sets aside time for an in-depth discussion of notable or changing risks to the business. A description of the process for managing risk together with a description of the principal risks and strategies to manage those risks is provided on pages 40 to 48. Cyber risks are reviewed by the Cyber Security Committee; the Cyber Security Committee Report can be found pages 98 and 99. Internal control systems are designed to meet the particular needs of the Group and the risks to which it is exposed. By their nature, however, internal control systems are designed to manage rather than eliminate the risk of failure and can provide only reasonable but not absolute assurance against material misstatement or loss. During the year, the Group has implemented new systems which have brought about some changes in controls, as the Group transitions away from historic systems. These controls will require further changes in the forthcoming year as we continue to embed new ways of working across all our systems. Key elements of the risk management and internal control system are described below. Enhancements during the year are highlighted while the other elements have all been in place throughout the year.
92
NCC Group plc — Annual report and accounts for the year ended 31 May 2021
Made with FlippingBook Converter PDF to HTML5