Interna Contro Guidance for Directors on the Combined Code
ISBN 1 84152 010 1 Pubished by The Institute of Chartered Accountants in Engand & Waes Chartered Accountants Ha PO Box 433 Moorgate Pace London EC2P 2BJ Internet: www.icaew.co.uk/internacontro Copyright The Institute of Chartered Accountants in Engand & Waes Further copies can be obtained from: Accountancy Books PO Box 21375 London WC1N 1QP Teephone 020 7920 8991 Fax 020 7920 8992 www.accountancybooks.co.uk September 1999
Interna Contro Guidance for Directors on the Combined Code
Foreword from the London Stock Exchange The London Stock Exchange wecomes the pubication of Interna Contro: Guidance for Directors on the Combined Code, pubished by the Interna Contro Working Party of the Institute of Chartered Accountants in Engand & Waes. The work invoved in preparing this guidance for directors of UK incorporated isted companies in respect of Principe D.2 of the Combined Code, and its associated Provisions D.2.1 and D.2.2, is greaty appreciated. The Working Party s guidance is consistent with both the requirements of the Combined Code and of the reated Listing Rue discosure requirements, and carifies to boards of directors of isted companies what is expected of them. We consider that compiance with the guidance wi constitute compiance with Combined Code provisions D.2.1 and D.2.2 and provide appropriate narrative discosure of how Code principe D.2 has been appied. Once the guidance has been adopted in fu by a company the guidance on Interna Contro and Financia Reporting (the Rutteman guidance) wi have been superseded and fu compiance with the Combined Code and Listing Rue requirements is possibe. Pau Geradine Head of Listing London Stock Exchange September 1999 Interna Contro 1
Contents Paragraph number(s) Introduction Interna contro requirements of the Combined Code 1-7 Objectives of the guidance 8-9 The importance of interna contro and risk management 10-13 Groups of companies 14 The Appendix 15 Maintaining a sound system of interna contro Responsibiities 16-19 Eements of a sound system of interna contro 20-24 Reviewing the effectiveness of interna contro Responsibiities 25-26 The process for reviewing effectiveness 27-34 The board s statement on interna contro 35-41 Interna audit 42-47 Appendix Assessing the effectiveness of the company s risk and contro processes Membership of the Interna Contro Working Party Interna Contro 2
Introduction Interna contro requirements of the Combined Code 1. When the Combined Code of the Committee on Corporate Governance (the Code) was pubished, the Institute of Chartered Accountants in Engand & Waes agreed with the London Stock Exchange that it woud provide guidance to assist isted companies to impement the requirements in the Code reating to interna contro. 2. Principe D.2 of the Code states that The board shoud maintain a sound system of interna contro to safeguard sharehoders investment and the company s assets. 3. Provision D.2.1 states that The directors shoud, at east annuay, conduct a review of the effectiveness of the group s system of interna contro and shoud report to sharehoders that they have done so. The review shoud cover a contros, incuding financia, operationa and compiance contros and risk management. 4. Provision D.2.2 states that Companies which do not have an interna audit function shoud from time to time review the need for one. 5. Paragraph 12.43A of the London Stock Exchange Listing Rues states that in the case of a company incorporated in the United Kingdom, the foowing additiona items must be incuded in its annua report and accounts: (a) a narrative statement of how it has appied the principes set out in Section 1 of the Combined Code, providing expanation which enabes its sharehoders to evauate how the principes have been appied; (b) a statement as to whether or not it has compied throughout the accounting period with the Code provisions set out in Section 1 of the Combined Code. A company that has not compied with the Code provisions, or compied with ony some of the Code provisions or (in the case of provisions whose requirements are of a continuing nature) compied for ony part of an accounting period, must specify the Code provisions with which it has not compied, and (where reevant) for what part of the period such noncompiance continued, and give reasons for any non-compiance. 6. The Preambe to the Code, which is appended to the Listing Rues, makes it cear that there is no prescribed form or content for the statement setting out how the various principes in the Code have been appied. The intention is that companies shoud have a free hand to expain their governance poicies in the ight of the principes, incuding any specia circumstances which have ed to them adopting a particuar approach. Interna Contro 3
7. The guidance in this document shoud be foowed by boards of isted companies in: assessing how the company has appied Code principe D.2; impementing the requirements of Code provisions D.2.1 and D.2.2; and reporting on these matters to sharehoders in the annua report and accounts. Objectives of the guidance 8. This guidance is intended to: refect sound business practice whereby interna contro is embedded in the business processes by which a company pursues its objectives; remain reevant over time in the continuay evoving business environment; and enabe each company to appy it in a manner which takes account of its particuar circumstances. The guidance requires directors to exercise judgement in reviewing how the company has impemented the requirements of the Code reating to interna contro and reporting to sharehoders thereon. 9. The guidance is based on the adoption by a company s board of a risk-based approach to estabishing a sound system of interna contro and reviewing its effectiveness. This shoud be incorporated by the company within its norma management and governance processes. It shoud not be treated as a separate exercise undertaken to meet reguatory requirements. The importance of interna contro and risk management 10. A company s system of interna contro has a key roe in the management of risks that are significant to the fufiment of its business objectives. A sound system of interna contro contributes to safeguarding the sharehoders investment and the company s assets. 11. Interna contro (as referred to in paragraph 20) faciitates the effectiveness and efficiency of operations, heps ensure the reiabiity of interna and externa reporting and assists compiance with aws and reguations. 12. Effective financia contros, incuding the maintenance of proper accounting records, are an important eement of interna contro. They hep ensure that the company is not unnecessariy exposed to avoidabe financia risks and that financia information used within the business and for pubication is reiabe. They aso contribute to the safeguarding of assets, incuding the prevention and detection of fraud. Interna Contro 4
13. A company s objectives, its interna organisation and the environment in which it operates are continuay evoving and, as a resut, the risks it faces are continuay changing. A sound system of interna contro therefore depends on a thorough and reguar evauation of the nature and extent of the risks to which the company is exposed. Since profits are, in part, the reward for successfu risktaking in business, the purpose of interna contro is to hep manage and contro risk appropriatey rather than to eiminate it. Groups of companies 14. Throughout this guidance, where reference is made to company it shoud be taken, where appicabe, as referring to the group of which the reporting company is the parent company. For groups of companies, the review of effectiveness of interna contro and the report to the sharehoders shoud be from the perspective of the group as a whoe. The Appendix 15. The Appendix to this document contains questions which boards may wish to consider in appying this guidance. Interna Contro 5
Maintaining a sound system of interna contro Responsibiities 16. The board of directors is responsibe for the company s system of interna contro. It shoud set appropriate poicies on interna contro and seek reguar assurance that wi enabe it to satisfy itsef that the system is functioning effectivey. The board must further ensure that the system of interna contro is effective in managing risks in the manner which it has approved. 17. In determining its poicies with regard to interna contro, and thereby assessing what constitutes a sound system of interna contro in the particuar circumstances of the company, the board s deiberations shoud incude consideration of the foowing factors: the nature and extent of the risks facing the company; the extent and categories of risk which it regards as acceptabe for the company to bear; the ikeihood of the risks concerned materiaising; the company s abiity to reduce the incidence and impact on the business of risks that do materiaise; and the costs of operating particuar contros reative to the benefit thereby obtained in managing the reated risks. 18. It is the roe of management to impement board poicies on risk and contro. In fufiing its responsibiities, management shoud identify and evauate the risks faced by the company for consideration by the board and design, operate and monitor a suitabe system of interna contro which impements the poicies adopted by the board. 19. A empoyees have some responsibiity for interna contro as part of their accountabiity for achieving objectives. They, coectivey, shoud have the necessary knowedge, skis, information and authority to estabish, operate and monitor the system of interna contro. This wi require an understanding of the company, its objectives, the industries and markets in which it operates, and the risks it faces. Interna Contro 6
Eements of a sound system of interna contro 20. An interna contro system encompasses the poicies, processes, tasks, behaviours and other aspects of a company that, taken together: faciitate its effective and efficient operation by enabing it to respond appropriatey to significant business, operationa, financia, compiance and other risks to achieving the company s objectives. This incudes the safeguarding of assets from inappropriate use or from oss and fraud, and ensuring that iabiities are identified and managed; hep ensure the quaity of interna and externa reporting. This requires the maintenance of proper records and processes that generate a fow of timey, reevant and reiabe information from within and outside the organisation; hep ensure compiance with appicabe aws and reguations, and aso with interna poicies with respect to the conduct of business. 21. A company s system of interna contro wi refect its contro environment which encompasses its organisationa structure. The system wi incude: contro activities; information and communications processes; and processes for monitoring the continuing effectiveness of the system of interna contro. 22. The system of interna contro shoud: be embedded in the operations of the company and form part of its cuture; be capabe of responding quicky to evoving risks to the business arising from factors within the company and to changes in the business environment; and incude procedures for reporting immediatey to appropriate eves of management any significant contro faiings or weaknesses that are identified together with detais of corrective action being undertaken. 23. A sound system of interna contro reduces, but cannot eiminate, the possibiity of poor judgement in decision-making; human error; contro processes being deiberatey circumvented by empoyees and others; management overriding contros; and the occurrence of unforeseeabe circumstances. 24. A sound system of interna contro therefore provides reasonabe, but not absoute, assurance that a company wi not be hindered in achieving its business objectives, or in the ordery and egitimate conduct of its business, by circumstances which may reasonaby be foreseen. A system of interna contro cannot, however, provide protection with certainty against a company faiing to meet its business objectives or a materia errors, osses, fraud, or breaches of aws or reguations. Interna Contro 7
Reviewing the effectiveness of interna contro Responsibiities 25. Reviewing the effectiveness of interna contro is an essentia part of the board s responsibiities. The board wi need to form its own view on effectiveness after due and carefu enquiry based on the information and assurances provided to it. Management is accountabe to the board for monitoring the system of interna contro and for providing assurance to the board that it has done so. 26. The roe of board committees in the review process, incuding that of the audit committee, is for the board to decide and wi depend upon factors such as the size and composition of the board; the scae, diversity and compexity of the company s operations; and the nature of the significant risks that the company faces. To the extent that designated board committees carry out, on behaf of the board, tasks that are attributed in this guidance document to the board, the resuts of the reevant committees work shoud be reported to, and considered by, the board. The board takes responsibiity for the discosures on interna contro in the annua report and accounts. The process for reviewing effectiveness 27. Effective monitoring on a continuous basis is an essentia component of a sound system of interna contro. The board cannot, however, rey soey on the embedded monitoring processes within the company to discharge its responsibiities. It shoud reguary receive and review reports on interna contro. In addition, the board shoud undertake an annua assessment for the purposes of making its pubic statement on interna contro to ensure that it has considered a significant aspects of interna contro for the company for the year under review and up to the date of approva of the annua report and accounts. 28. The reference to a contros in Code Provision D.2.1 shoud not be taken to mean that the effectiveness of every interna contro (incuding contros designed to manage immateria risks) shoud be subject to review by the board. Rather it means that, for the purposes of this guidance, interna contros considered by the board shoud incude a types of contros incuding those of an operationa and compiance nature, as we as interna financia contros. 29. The board shoud define the process to be adopted for its review of the effectiveness of interna contro. This shoud encompass both the scope and frequency of the reports it receives and reviews during the year, and aso the process for its annua assessment, such that it wi be provided with sound, appropriatey documented, support for its statement on interna contro in the company s annua report and accounts. Interna Contro 8
30. The reports from management to the board shoud, in reation to the areas covered by them, provide a baanced assessment of the significant risks and the effectiveness of the system of interna contro in managing those risks. Any significant contro faiings or weaknesses identified shoud be discussed in the reports, incuding the impact that they have had, coud have had, or may have, on the company and the actions being taken to rectify them. It is essentia that there be openness of communication by management with the board on matters reating to risk and contro. 31. When reviewing reports during the year, the board shoud: consider what are the significant risks and assess how they have been identified, evauated and managed; assess the effectiveness of the reated system of interna contro in managing the significant risks, having regard, in particuar, to any significant faiings or weaknesses in interna contro that have been reported; consider whether necessary actions are being taken prompty to remedy any significant faiings or weaknesses; and consider whether the findings indicate a need for more extensive monitoring of the system of interna contro. 32. Additionay, the board shoud undertake an annua assessment for the purpose of making its pubic statement on interna contro. The assessment shoud consider issues deat with in reports reviewed by it during the year together with any additiona information necessary to ensure that the board has taken account of a significant aspects of interna contro for the company for the year under review and up to the date of approva of the annua report and accounts. 33. The board s annua assessment shoud, in particuar, consider: the changes since the ast annua assessment in the nature and extent of significant risks, and the company s abiity to respond to changes in its business and the externa environment; the scope and quaity of management s ongoing monitoring of risks and of the system of interna contro, and, where appicabe, the work of its interna audit function and other providers of assurance; the extent and frequency of the communication of the resuts of the monitoring to the board (or board committee(s)) which enabes it to buid up a cumuative assessment of the state of contro in the company and the effectiveness with which risk is being managed; Interna Contro 9
the incidence of significant contro faiings or weaknesses that have been identified at any time during the period and the extent to which they have resuted in unforeseen outcomes or contingencies that have had, coud have had, or may in the future have, a materia impact on the company s financia performance or condition; and the effectiveness of the company s pubic reporting processes. 34. Shoud the board become aware at any time of a significant faiing or weakness in interna contro, it shoud determine how the faiing or weakness arose and re-assess the effectiveness of management s ongoing processes for designing, operating and monitoring the system of interna contro. Interna Contro 10
The board s statement on interna contro 35. In its narrative statement of how the company has appied Code principe D.2, the board shoud, as a minimum, discose that there is an ongoing process for identifying, evauating and managing the significant risks faced by the company, that it has been in pace for the year under review and up to the date of approva of the annua report and accounts, that it is reguary reviewed by the board and accords with the guidance in this document. 36. The board may wish to provide additiona information in the annua report and accounts to assist understanding of the company s risk management processes and system of interna contro. 37. The discosures reating to the appication of principe D.2 shoud incude an acknowedgement by the board that it is responsibe for the company s system of interna contro and for reviewing its effectiveness. It shoud aso expain that such a system is designed to manage rather than eiminate the risk of faiure to achieve business objectives, and can ony provide reasonabe and not absoute assurance against materia misstatement or oss. 38. In reation to Code provision D.2.1, the board shoud summarise the process it (where appicabe, through its committees) has appied in reviewing the effectiveness of the system of interna contro. It shoud aso discose the process it has appied to dea with materia interna contro aspects of any significant probems discosed in the annua report and accounts. 39. Where a board cannot make one or more of the discosures in paragraphs 35 and 38, it shoud state this fact and provide an expanation. The Listing Rues require the board to discose if it has faied to conduct a review of the effectiveness of the company s system of interna contro. 40. The board shoud ensure that its discosures provide meaningfu, high-eve information and do not give a miseading impression. 41. Where materia joint ventures and associates have not been deat with as part of the group for the purposes of appying this guidance, this shoud be discosed. Interna Contro 11
Interna audit 42. Provision D.2.2 of the Code states that companies which do not have an interna audit function shoud from time to time review the need for one. 43. The need for an interna audit function wi vary depending on company-specific factors incuding the scae, diversity and compexity of the company s activities and the number of empoyees, as we as cost/benefit considerations. Senior management and the board may desire objective assurance and advice on risk and contro. An adequatey resourced interna audit function (or its equivaent where, for exampe, a third party is contracted to perform some or a of the work concerned) may provide such assurance and advice. There may be other functions within the company that aso provide assurance and advice covering speciaist areas such as heath and safety, reguatory and ega compiance and environmenta issues. 44. In the absence of an interna audit function, management needs to appy other monitoring processes in order to assure itsef and the board that the system of interna contro is functioning as intended. In these circumstances, the board wi need to assess whether such processes provide sufficient and objective assurance. 45. When undertaking its assessment of the need for an interna audit function, the board shoud aso consider whether there are any trends or current factors reevant to the company s activities, markets or other aspects of its externa environment, that have increased, or are expected to increase, the risks faced by the company. Such an increase in risk may aso arise from interna factors such as organisationa restructuring or from changes in reporting processes or underying information systems. Other matters to be taken into account may incude adverse trends evident from the monitoring of interna contro systems or an increased incidence of unexpected occurrences. 46. The board of a company that does not have an interna audit function shoud assess the need for such a function annuay having regard to the factors referred to in paragraphs 43 and 45 above. Where there is an interna audit function, the board shoud annuay review its scope of work, authority and resources, again having regard to those factors. 47. If the company does not have an interna audit function and the board has not reviewed the need for one, the Listing Rues require the board to discose these facts. Interna Contro 12
Appendix Assessing the effectiveness of the company s risk and contro processes Some questions which the board may wish to consider and discuss with management when reguary reviewing reports on interna contro and carrying out its annua assessment are set out beow. The questions are not intended to be exhaustive and wi need to be taiored to the particuar circumstances of the company. This Appendix shoud be read in conjunction with the guidance set out in this document. 1. Risk assessment Does the company have cear objectives and have they been communicated so as to provide effective direction to empoyees on risk assessment and contro issues? For exampe, do objectives and reated pans incude measurabe performance targets and indicators? Are the significant interna and externa operationa, financia, compiance and other risks identified and assessed on an ongoing basis? (Significant risks may, for exampe, incude those reated to market, credit, iquidity, technoogica, ega, heath, safety and environmenta, reputation, and business probity issues.) Is there a cear understanding by management and others within the company of what risks are acceptabe to the board? 2. Contro environment and contro activities Does the board have cear strategies for deaing with the significant risks that have been identified? Is there a poicy on how to manage these risks? Do the company s cuture, code of conduct, human resource poicies and performance reward systems support the business objectives and risk management and interna contro system? Does senior management demonstrate, through its actions as we as its poicies, the necessary commitment to competence, integrity and fostering a cimate of trust within the company? Are authority, responsibiity and accountabiity defined ceary such that decisions are made and actions taken by the appropriate peope? Are the decisions and actions of different parts of the company appropriatey co-ordinated? Does the company communicate to its empoyees what is expected of them and the scope of their freedom to act? This may appy to areas such as customer reations; service eves for both interna and outsourced activities; heath, safety and environmenta protection; security of tangibe and intangibe assets; business continuity issues; expenditure matters; accounting; and financia and other reporting. Interna Contro 13
Do peope in the company (and in its providers of outsourced services) have the knowedge, skis and toos to support the achievement of the company s objectives and to manage effectivey risks to their achievement? How are processes/contros adjusted to refect new or changing risks, or operationa deficiencies? 3. Information and communication Do management and the board receive timey, reevant and reiabe reports on progress against business objectives and the reated risks that provide them with the information, from inside and outside the company, needed for decision-making and management review purposes? This coud incude performance reports and indicators of change, together with quaitative information such as on customer satisfaction, empoyee attitudes etc. Are information needs and reated information systems reassessed as objectives and reated risks change or as reporting deficiencies are identified? Are periodic reporting procedures, incuding haf-yeary and annua reporting, effective in communicating a baanced and understandabe account of the company s position and prospects? Are there estabished channes of communication for individuas to report suspected breaches of aws or reguations or other improprieties? 4. Monitoring Are there ongoing processes embedded within the company s overa business operations, and addressed by senior management, which monitor the effective appication of the poicies, processes and activities reated to interna contro and risk management? (Such processes may incude contro sef-assessment, confirmation by personne of compiance with poicies and codes of conduct, interna audit reviews or other management reviews). Do these processes monitor the company s abiity to re-evauate risks and adjust contros effectivey in response to changes in its objectives, its business, and its externa environment? Are there effective foow-up procedures to ensure that appropriate change or action occurs in response to changes in risk and contro assessments? Is there appropriate communication to the board (or board committees) on the effectiveness of the ongoing monitoring processes on risk and contro matters? This shoud incude reporting any significant faiings or weaknesses on a timey basis. Are there specific arrangements for management monitoring and reporting to the board on risk and contro matters of particuar importance? These coud incude, for exampe, actua or suspected fraud and other iega or irreguar acts, or matters that coud adversey affect the company s reputation or financia position? Interna Contro 14
Membership of the Interna Contro Working Party Nige Turnbu (Chairman) Roger Davis (Deputy Chairman) Dougas Fint Huw Jones David Lindse Tim Rowbury Executive Director Rank Group Pc Head of Professiona Affairs PricewaterhouseCoopers Group Finance Director HSBC Hodings pc Director of Corporate Finance Prudentia Portfoio Managers Partner Ernst & Young Interna Audit Consutant Jonathan Southern David Wison Director of Accounting and Reporting Diageo pc Company Secretary and Genera Counse Debenhams pc Staff Anthony Carey Jonathan Hunt Project Director, ICAEW Project Manager, ICAEW Interna Contro 15