9. Internal control
The Turnbull Guidance sets out best practice on internal control for UK listed companies to assist them in assessing the application of the Combined Code’s principles and compliance with the Combined Code’s provisions with regard to internal control.
The group’s systems of internal control are designed and operated to support the identification, evaluation and management of risks affecting the group and the business environment in which it operates. As such, they are subject to continuous review as circumstances change and new risks emerge. The company has made significant progress towards achieving substantive compliance with s404 of the Sarbanes Oxley Act through an Internal Financial Control (IFC) programme. This is a voluntary initiative, and has led to a further strengthening of internal control systems and processes within the group.
Key features of the systems of internal control are:
- the risk management system described in the preceding section;
- written policies and procedures within our businesses, which are detailed in policy manuals;
- clearly defined lines of accountability and delegation of authority;
- identification and regular testing of key financial controls through the IFC programme;
- key policies employed in managing operating risk involve segregation of duties, transaction authorisation, monitoring, financial and managerial and comprehensive reporting and analysis against approved standards and budgets;
- group treasury operations which manage exposure to interest rate, counterparty, liquidity and currency transaction risks and co-ordinate the activities of group companies in this area. Treasury policies, risk limits and monitoring procedures are reviewed regularly by the audit committee on behalf of the board;
- a group tax risk and tax operating framework which forms the basis of tax governance across the group and is managed by a group tax function, which monitors tax risk and implements strategies and procedures to control it;
- minimisation of operating risk by using appropriate infrastructure, controls, systems and people throughout the businesses; and
- business continuity planning, including preventative and contingency measures, back-up capabilities and the purchase of insurance.
Assurance on compliance with systems of internal control and on their effectiveness is obtained through regular management reviews, review of key financial controls, internal audit reviews and quality assurance described in section 10 opposite, testing of certain aspects of the internal financial control systems by the external auditors during the course of their statutory examinations and regular reports to the audit committee by the external auditors. The group’s divisional Finance, Control and Assurance committees consider the results of these reviews, to confirm that controls are functioning and to ensure that any material breakdowns and remedial actions have been reported to the appropriate boards of directors. This does not apply in respect of the group’s associated undertakings or joint ventures.
At the half year and at the year end the divisional managing directors and finance directors of all the group’s operations, and each of the group’s functional directors, are required to submit formal letters of representation on controls, compliance and notification of continuing or potential material financial and legal exposures.
These letters form the subject of reports to the audit committee. They cover all subsidiary companies but do not cover associates (except for Tsogo Sun, which does submit letters of representation) or joint ventures. Where material, group executives sit on the boards of associated companies. Directors and members of the executive committee also make annual written declarations of interests and are obliged to report without delay any potential or actual conflicts of interest which may arise.
The directors are responsible for the group’s systems of internal control and for reviewing their effectiveness annually. The board has conducted a review of the effectiveness of the group’s internal controls covering material financial, operational and compliance controls and risk management systems for the year under review. Necessary actions have been, or are being, taken to remedy any significant weaknesses identified from the board’s review of the internal control system. The systems of internal control are designed to manage, rather than eliminate, the risk of failure to achieve business objectives and can provide reasonable, but not absolute, assurance against material misstatement or loss. In reviewing these, the board has taken into account the results of all the work carried out by internal and external auditors.
The board, with advice from the audit committee, has completed its annual review of the effectiveness of the system of internal control for the period since 1 April 2007 in accordance with the Turnbull Guidance, and is satisfied that this system is in accordance with that Guidance and that it has been in place throughout the year under review and up to the date of this report.