
Session 11

Reporting on Internal Control

FOCUS
This session covers the following content from the ACCA Study Guide.

B. Internal Control and Review


3. Internal control and reporting
a) Describe and assess the need to report on internal controls to
shareholders.
b) Describe the content of a report on internal control and audit.

C. Identifying and Assessing Risk


3. Identification, assessment and measurement of risk
d) Describe the process of, and importance of, externally reporting on internal
control and risk.
e) Explain the sources, and assess the importance of, accurate information
for risk management.

Session 11 Guidance
Note that this session is NOT about reporting internal control weaknesses to management.
Read through all of the Illustrations (extracts from issued financial statements) a couple of times to
get an idea of the practical realities discussed in this session. Then go through the detail. The UK's
Turnbull guidance provides a useful checklist, albeit somewhat extensive.



P1 Governance, Risk and Ethics Becker Professional Education | ACCA Study System



VISUAL OVERVIEW
Objective: To discuss the requirements for reporting to shareholders on internal control.

REPORTING ON INTERNAL CONTROL

UK CORPORATE GOVERNANCE CODE
• Requirement
• Turnbull Guidance
• Financial Services Authority (FSA)

SARBANES-OXLEY ACT (2002)
• Section 404
• Report Content

AUDITOR'S RESPONSIBILITIES
• SOX
• UK Corporate Governance Code
Session 11 Guidance
Understand the difference between the UK principles-based approach and the US rules-based
approach and the different roles of the auditor.

© 2014 DeVry/Becker Educational Development Corp. All rights reserved. 11-1



Session 11 • Reporting on Internal Control P1 Governance, Risk and Ethics

1 UK Corporate Governance Code

1.1 Requirement
< The board is responsible for maintaining a sound system of
internal control to safeguard the shareholders' investment and
the company's assets and should, at least annually:*
= conduct a review of the effectiveness of the group's system
of internal controls;
= cover all material controls, including financial, operational
and compliance controls and risk management systems
within their review; and
= report to shareholders that they have done so.

*The report to shareholders covers the year under review and the
time up to the date of approval of the financial statements.

1.2 The Turnbull Guidance


< Requires directors to exercise judgement in reviewing how the
entity has implemented the provisions of the Code relating to
internal control and reporting to shareholders thereon.
< The guidance identifies two elements in the reviewing and
reporting procedures:
1. Regular receipt and review of internal control reports.
2. An annual assessment for the purposes of the board's
statement in the annual financial statements.

1.2.1 Regular Reports


< Scope and frequency of reports from management decided by
the board.
< Reports should provide:
= a balanced assessment of significant risks and the
effectiveness of the system of internal control in managing
those risks; and
= a basis for sound, appropriately documented support for the
board's annual assessment.*
< The board review of the reports should:
= consider the risks identified by the reports and whether they
are significant;
= assess how they have been identified, evaluated and
managed;
= assess the effectiveness of the system of internal control in
managing the risks, having regard to any significant failings
or weaknesses in internal control reported;
= consider whether necessary actions are being taken promptly
to remedy any significant failings or weaknesses; and
= consider whether the findings indicate a need for more
extensive monitoring of the system of internal control.

*Significant control failings or weaknesses identified must be
reported together with the impact they have had, or may have, and
the actions to be taken to rectify them.


1.2.2 Annual Assessment


< Made by the board in order to prepare a statement on
internal controls.
< Should consider issues raised by the regular reports, plus:
= changes since the last assessment in the nature and extent
of significant risks;
= a company's ability to respond to changes in its business
and external environment;
= the scope and quality of ongoing monitoring of risks and the
system of internal control;
= where applicable, the work of internal audit and other
providers of assurance;
= the extent and frequency of reporting to enable a
cumulative assessment of the state of control and the
effectiveness with which risk is being managed;
= the incidence of significant control failings or weaknesses
that have been identified during the period;
= the extent to which failures resulted in actual, possible or
potential future material effects on the company's financial
performance; and
= effectiveness of the company's public reporting processes.

1.3 Details of the Turnbull Guidance


< The Turnbull guidance suggests a number of questions to be
considered, as a minimum, by the board as part of its review
process covering:
= risk assessment;
= control environment and control activities;
= information and communication; and
= monitoring.

1.3.1 Risk Assessment


= Does the company have clear objectives? Have they
been communicated to provide effective direction to
employees on risk assessment and control issues? For
example, do objectives and plans include measurable
performance targets and indicators?
= Are the significant internal and external operational,
financial, compliance and other risks identified and
assessed on an ongoing basis?*
= Is there a clear understanding by management and
employees of what risks are acceptable to the board?

*The risks would include those identified under IAS 1 Presentation
of Financial Statements and IFRS 7 Financial Instruments:
Disclosures.

1.3.2 Control Environment and Control Activities

= Does the board have clear strategies and policies for
dealing with and managing the significant risks that have
been identified?
= Do the company's culture, code of conduct, human
resource policies and performance reward systems
support the business objectives and risk management
and internal control system?
= Does senior management demonstrate, through its
actions as well as its policies, the necessary commitment
to competence and integrity and foster a climate of trust
in the company?


= Are authority, responsibility and accountability defined
clearly such that decisions are made and actions taken by
the appropriate people?
= Are the decisions and actions of different parts of the firm
appropriately coordinated?
= Does the company communicate to its employees what is
expected of them and the scope of their freedom to act?
For example, in the areas of:
–customer relations;
–service levels for both internal and outsourced
activities;
–health, safety and environmental protection;
–security of tangible and intangible assets;
–business continuity issues;
–expenditure matters; and
–accounting, financial and other reporting.
= Do people in the firm (and in its providers of outsourced
services) have the knowledge, skills and tools to support
the achievement of the firm's objectives and to manage
effectively any risks to their achievement?
= How are processes/controls adjusted to reflect new or
changing risks, or operational deficiencies?
1.3.3 Information and Communication
= Do management and the board receive timely, relevant
and reliable reports on progress against business
objectives (quantitative and qualitative) and the related
risks? For example:
–key performance reports and benchmarking key
performance indicators;
–variance analysis and indicators of change; and
–regulatory reports, customer satisfaction and employee
attitudes.
= Do they use such reports for decision-making and
management review purposes?
= Are information needs (thus related information systems)
reassessed as the objectives and related risks evolve, and
as reporting deficiencies are identified?
= Are periodic reporting procedures, including half-yearly
and annual reporting, effective in communicating a
balanced and understandable account of the company's
position and prospects?
= Are there established channels of communication for
individuals to report suspected breaches of law or
regulations or other improprieties (whistle-blowing)?


1.3.4 Monitoring
= Are there ongoing processes embedded in the overall
business operations which monitor the effective
application of the policies, processes and activities related
to internal control and risk management? For example:
–control self-assessment and confirmation by personnel
of compliance with policies and codes of conduct;
–internal audit reviews and specific management reviews.
= Do these processes monitor the company's ability to re-
evaluate risks and adjust controls effectively in response
to changes in its objectives, its business and its external
environment?
= Are there effective follow-up procedures to ensure that
appropriate change or action occurs in response to
changes in risk and control assessments?
= Is there appropriate and timely communication to the
board (or board committees) on the effectiveness of the
monitoring processes on risk and control matters?
= Are there specific arrangements for management
monitoring and reporting to the board on risk and control
matters of particular importance? For example:
–actual or suspected fraud;
–illegal or irregular acts;
–matters that could adversely affect the company's
reputation; or
–matters negatively impacting financial position.

1.4 Financial Conduct Authority (FCA)


< The UK FCA's Disclosure and Transparency rules (as part of
the listing rules for companies listed on the London Stock
Exchange) require a description of the main features of the
internal control and risk management systems in relation to
the financial reporting process to be included in the corporate
governance statement (which also includes many of the
disclosure requirements of the Code).
< For a listed company in the UK, the board's statements on
internal control over financial reporting and their statement
covering internal control and risk management must refer to:
= an ongoing process, regularly reviewed by the board, for
identifying, evaluating and managing the significant risks
faced by the company;
= an acknowledgement by the board of its responsibility
for the system of internal control and for reviewing its
effectiveness;
= an explanation that control systems are designed to manage
rather than eliminate the risk of failure to achieve business
objectives and can only provide reasonable and not absolute
assurance against material misstatement or loss;
= a summary of the board's processes applied in reviewing
the effectiveness of internal control; and
= the process applied to deal with material internal control
aspects of any significant problems disclosed in the financial
statements.


The BT Group illustrations put into context the various
requirements for external reporting on internal control. The
examiner expects candidates to demonstrate knowledge of the
general contents and requirements in this area. He does not
expect details of a specific report.

Illustration 1 BT Group
30 June 2011
Internal Control and Risk Management
The Board is responsible for the group's systems of internal control
and risk management and reviews each year the effectiveness of
those systems. Such systems are designed to manage, rather than
eliminate, the risk of failure to achieve business objectives; any
system can provide only reasonable and not absolute assurance
against material misstatement or loss. The process in place for
reviewing BT's systems of internal control includes procedures
designed to identify and evaluate failings and weaknesses, and, in
the case of any categorised as significant, procedures exist to ensure
that necessary action is taken to remedy the failings.
The Board also takes account of significant social, environmental
and ethical matters that relate to BT's businesses and reviews
annually BT's corporate social responsibility policy. The company's
workplace practices, specific environmental, social and ethical risks
and opportunities and details of underlying governance processes are
dealt with in Business review—Our resources.
We have enterprise wide risk management processes for identifying,
evaluating and managing the significant risks faced by the group.
These processes have been in place for the whole of the 2011 financial
year and have continued up to the date on which this document was
approved. The processes are in accordance with the Revised Guidance
for Directors on the UK Corporate Governance Code published by the
Financial Reporting Council (the Turnbull Guidance).
Risk assessment and evaluation takes place as an integral part
of BT's annual strategic planning cycle. We have a detailed risk
management process, culminating in a Board review, which
identifies the key risks facing the group and each business unit.
This information is reviewed by senior management as part of the
strategic review. Our current key risks are summarised in Business
review—Our risks.
The key features of the enterprise wide risk management process
comprise the following procedures:
= senior executives collectively review the group's key risks and
have created a group risk register describing the risks, owners
and mitigation strategies. This is reviewed by the Operating
Committee before being reviewed and approved by the Board;
= the lines of business and internal service units carry out risk
assessments of their operations, create risk registers relating to
those operations, and ensure that the key risks are addressed;
= senior executives with responsibilities for major group operations
report quarterly with their opinion on the effectiveness of the
operation of internal controls in their area of responsibility;
= the group's internal auditors carry out continuing assessments
of the quality of risk management and control, report to
management and the Audit & Risk Committee on the status of
specific areas identified for improvement and promote effective
risk management in the lines of business and internal service units
operations; and
= the Audit & Risk Committee, on behalf of the Board, considers the
effectiveness of the operation of internal control procedures in
the group during the financial year. It reviews reports from the
internal and external auditors and reports its conclusions to the
Board. The Audit & Risk Committee has carried out these actions
for the 2011 financial year.


2 Sarbanes-Oxley Act (2002)

2.1 Section 404


< Section 404 of Sarbanes-Oxley requires management to
document and evaluate the design and operation, and report on
the effectiveness, of its internal control over financial reporting.

2.2 Internal Control Report Content


< The internal control report must be incorporated into the
annual report and include the following components:
= Management's recognition of its responsibility for
establishing and maintaining adequate internal controls and
procedures for financial reporting.
= The framework used by management in its evaluation.
= Management's assessment of the effectiveness of the
company's internal control over financial reporting and a
statement of the effectiveness of the internal control.
= A statement that the issuer's external auditors have issued
an attestation report on management's assessment of
effectiveness of internal control over financial reporting and
that it is included in the annual report.
< In addition, the report will include:
= The nature and extent of involvement by the chairman and
chief executive, but may also specify the other members
of the board involved in the internal controls over financial
reporting. The purpose is for shareholders to be clear about
who is accountable for the controls.
= The disclosure of any "material weaknesses" in the
company's internal control over financial reporting identified
by management.
= For frameworks developed internally, a description of the key
metrics, measurement methods (e.g. rates of compliance,
fair value measures, etc) and tolerances allowed.
= Rates of compliance, failures, costs, resources committed
and outputs (if measurable) achieved as necessary and any
qualification to the auditor's attestation.


Illustration 2 BT Group
30 June 2011
Report of Management on Internal Control Over
Financial Reporting
US Sarbanes-Oxley Act of 2002
BT has securities registered with the US Securities and Exchange
Commission (SEC). As a result, we must comply with those
provisions of the Sarbanes-Oxley Act applicable to foreign issuers.
We comply with the legal and regulatory requirements introduced
pursuant to this legislation, insofar as they are applicable.
The Audit & Risk Committee includes members Phil Hodkinson and
Nick Rose who, in the opinion of the Board, are "audit committee
financial experts" and who are independent (as defined for this
purpose). The Board considers that the Committee's members have
broad commercial knowledge and extensive business leadership
experience, having held between them various prior roles in major
business, Government, financial management, treasury and financial
function supervision and that this constitutes a broad and suitable
mix of business and financial experience on the Committee.
The code of ethics adopted for the purposes of the Sarbanes-Oxley
Act is posted on the company's website at www.bt.com/ethics. The
code applies to the Chief Executive, Group Finance Director and
senior finance managers.
Disclosure controls and procedures
The Chief Executive and Group Finance Director, after evaluating
the effectiveness of BT's disclosure controls and procedures as of
the end of the period covered by this Annual Report & Form 20-
F, have concluded that, as of such date, BT's disclosure controls
and procedures were effective to ensure that material information
relating to BT was made known to them by others within the group.
The Chief Executive and Group Finance Director concluded that
BT's disclosure controls and procedures are also effective to ensure
that the information required to be disclosed by the company in
reports that it files under the Exchange Act is recorded, processed,
summarised and reported within the time periods specified in the
rules and forms of the SEC. The Chief Executive and Group Finance
Director have also provided the certifications required by the
Sarbanes-Oxley Act.
Internal control over financial reporting
BT's management is responsible for establishing and maintaining
adequate internal control over financial reporting for the group
including the consolidation process. Internal control over financial
reporting is designed to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial
statements for external reporting purposes in accordance with
IFRS. Management conducted an assessment of the effectiveness of
internal control over financial reporting based on the framework for
internal control evaluation contained in the Turnbull Guidance.
Based on this assessment, management has concluded that as at
31 March 2011, BT's internal control over financial reporting was
effective. There were no changes in BT's internal control over
financial reporting that occurred during 2011 that have materially
affected, or are reasonably likely to have materially affected, the
group's internal control over financial reporting. Any significant
deficiency, as defined by the US Public Company Accounting
Oversight Board (PCAOB), in internal control over financial reporting,
is reported to the Audit & Risk Committee. PricewaterhouseCoopers
LLP, which has audited the consolidated financial statements for
2011, has also audited the effectiveness of the group's internal
control over financial reporting under Auditing Standard No. 5 of the
PCAOB. Their report is on page 90.


3 Auditor's Responsibilities

3.1 SOX*
< Under SOX, auditors have strict and extensive responsibilities
to audit and report on an organisation's internal control over
financial reporting.

*SOX effectively requires a full audit of the internal control
systems and how this has been combined into the form of a
standard ISA 700 audit report.

Illustration 3 Extracts From Audit Opinion

United States Opinion


Report of Independent Registered Public Accounting Firm to the Board of Directors and
Shareholders of BT Group plc (the "company")
In our opinion, the accompanying Group income statements, Group statements of comprehensive
income, Group statements of changes in equity, Group cash flow statements and Group balance
sheets present fairly, in all material respects, the financial position of BT Group plc. and its
subsidiaries at 31 March 2011 and 2010 and the results of their operations and cash flows for
each of the three years in the period ended 31 March 2011, in conformity with International
Financial Reporting Standards (IFRSs) as issued by the International Accounting Standards Board.
Also, in our opinion the company maintained, in all material respects, effective internal control over
financial reporting as of 31 March 2011, based on criteria established in the Turnbull Guidance.
The company's management is responsible for these financial statements, for maintaining
effective internal control over financial reporting and for its assessment of the effectiveness of
internal control over financial reporting, included in management's evaluation of the effectiveness
of internal control over financial reporting as set out in the first three paragraphs of Internal
control over financial reporting in the Report of the directors, Business Policies of the BT Group
plc. Annual Report & Form 20-F. (See Illustration 2)
Our responsibility is to express opinions on these financial statements and on the company's
internal control over financial reporting based on our integrated audits. We conducted our audits
in accordance with the standards of the Public Company Accounting Oversight Board (United
States). Those standards require … (audit scope) ... and whether effective internal control over
financial reporting was maintained in all material respects.
Our audits of the financial statements included … (audit scope) … Our audit of internal control
over financial reporting included obtaining an understanding of internal control over financial
reporting, assessing the risk that a material weakness exists, and testing and evaluating the
design and operating effectiveness of internal control based on the assessed risk. Our audits also
included performing such other procedures as we considered necessary in the circumstances. We
believe that our audits provide a reasonable basis for our opinions.
A company's internal control over financial reporting is a process designed to provide reasonable
assurance regarding the reliability of financial reporting and the preparation of financial
statements for external purposes in accordance with generally accepted accounting principles.
A company's internal control over financial reporting includes those policies and procedures that
(i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect
the transactions and dispositions of the assets of the company; (ii) provide reasonable assurance
that transactions are recorded as necessary to permit preparation of financial statements in
accordance with generally accepted accounting principles, and that receipts and expenditures of
the company are being made only in accordance with authorisations of management and directors
of the company; and (iii) provide reasonable assurance regarding prevention or timely detection
of unauthorised acquisition, use, or disposition of the company's assets that could have a material
effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or
detect misstatements. Also, projections of any evaluation of effectiveness to future periods are
subject to the risk that controls may become inadequate because of changes in conditions, or that
the degree of compliance with the policies or procedures may deteriorate.


3.2 UK Corporate Governance Code


< Requirements placed on external auditors under the UK
Corporate Governance Code and FCA's listing rules are
significantly less onerous. The auditors are only required
to review (i.e. discuss, assess and appraise documents and
reports) if the directors have carried out specific actions as
required by a limited number of Code sections and FCA listing
rules. They are not required to carry out any tests nor form
any opinion.
< They are expected to:
= draw upon their knowledge of the client, its environment
and internal control;
= consider the results of their testing of the effectiveness of
internal controls for audit purposes;
= review the information disclosed by the provisions of the UK
Corporate Governance Code and FCA rules for consistency
with the financial statements as required by ISA 720 Other
Information in Documents Containing Audited Financial
Statements;
= report any non-compliance with the specific requirements of
the UK Corporate Governance Code/FCA rules (e.g. where
no explanation is given when required) in their audit report,
but not as a qualification (e.g. as an "Other Matter" following
any Emphasis of Matter) nor give any of the missing required
information (i.e. not as a disagreement qualification).

Illustration 4 BT Group
30 June 2011
Matters on which we are required to report by exception:
We have nothing to report in respect of the following:
Under the Companies Act 2006 we are required to report to you if, in
our opinion:
= certain disclosures of directors' remuneration specified by law are
not made; or
= we have not received all the information and explanations we
require for our audit.
Under the Listing Rules we are required to review:
= the directors' statement, set out on page 54, in relation to going
concern; and
= the part of the Corporate Governance Statement relating to the
company's compliance with the nine provisions of the Combined
Code (June 2008) specified for our review.



Session 11

Summary
UK Approach (Principles-Based)
< Directors required to exercise judgement in reviewing how the entity has implemented
the requirements of the UK Corporate Governance Code relating to internal control and
reporting to shareholders on the controls in place.
< Two elements in the reviewing and reporting procedures:
• regular receipt and review of internal control reports; and
• an annual assessment for the purposes of the board's statement in the annual financial
statements.
< A description of the main features of the internal control and risk management systems in
relation to the financial reporting process must be included within the corporate governance
statement of the annual report.
< A summary of the board's processes applied in reviewing the effectiveness of internal
control and the process applied to deal with material internal control aspects of any
significant problems disclosed in the financial statements must also be made.
< Auditors are expected to review information disclosed under provisions of the Listing Rules
and Corporate Governance Code and report any non-compliance. They are not required to
disclose any missing information or qualify their audit opinion.
US Approach (Rules-Based)
< Section 404 of SOX requires management to document, evaluate and report on the
effectiveness of internal controls (similar to the provisions of the UK Code). SOX, however,
has the more onerous requirements to determine rates of compliance, failures, costs, inputs
and outputs.
< Auditors are required to perform an extensive audit of an organisation's internal control
systems over financial reporting alongside the financial statement audit and produce an
audit report covering both the internal controls and the financial statements.

Session 11 Quiz
Estimated time: 10 minutes

1. List SIX considerations in assessing the control environment and control activities. (1.2.2)
2. List SIX components of an internal control report under SOX. (2)
3. State the main UK Corporate Governance Code requirements for reporting on internal control
by external auditors. (3.2)

Study Question Bank

Estimated time: 40 minutes

Priority                                    Estimated Time   Completed
Q16 Reporting on Internal Control Systems   40 minutes
