P1-11 Reporting On Internal Control
FOCUS
This session covers the following content from the ACCA Study Guide.
Session 11 Guidance
Note that this session is NOT about reporting internal control weaknesses to management.
Read through all of the Illustrations (extracts from issued financial statements) a couple of times to
get an idea of the practical realities discussed in this session. Then go through the detail. The UK's
Turnbull guidance provides a useful checklist, albeit somewhat extensive.
REPORTING ON INTERNAL CONTROL
AUDITOR'S RESPONSIBILITIES
• SOX
• UK Corporate Governance Code
Session 11 Guidance
Understand the difference between the UK principles-based approach and the US rules-based
approach and the different roles of the auditor.
1.1 Requirement
< The board is responsible for maintaining a sound system of
internal control to safeguard the shareholders' investment and
the company's assets and should, at least annually:*
= conduct a review of the effectiveness of the group's system
of internal controls;
= cover all material controls, including financial, operational
and compliance controls and risk management systems
within their review; and
= report to shareholders that they have done so.
*The report to shareholders covers the year under review and the time up to the
date of approval of the financial statements.
1.3.4 Monitoring
= Are there ongoing processes embedded in the overall
business operations which monitor the effective
application of the policies, processes and activities related
to internal control and risk management? For example:
–control self-assessment and confirmation by personnel
of compliance with policies and codes of conduct;
–internal audit reviews and specific management reviews.
= Do these processes monitor the company's ability to re-
evaluate risks and adjust controls effectively in response
to changes in its objectives, its business and its external
environment?
= Are there effective follow-up procedures to ensure that
appropriate change or action occurs in response to
changes in risk and control assessments?
= Is there appropriate and timely communication to the
board (or board committees) on the effectiveness of the
monitoring processes on risk and control matters?
= Are there specific arrangements for management
monitoring and reporting to the board on risk and control
matters of particular importance? For example:
–actual or suspected fraud;
–illegal or irregular acts;
–matters that could adversely affect the company's
reputation; or
–matters negatively impacting financial position.
Illustration 1 BT Group
30 June 2011
Internal Control and Risk Management
The BT Group illustrations put into context the various requirements for
external reporting on internal control. The examiner expects candidates
to demonstrate knowledge of the general contents and requirements in this
area. He does not expect details of a specific report.
The Board is responsible for the group's systems of internal control
and risk management and reviews each year the effectiveness of
those systems. Such systems are designed to manage, rather than
eliminate, the risk of failure to achieve business objectives; any
system can provide only reasonable and not absolute assurance
against material misstatement or loss. The process in place for
reviewing BT's systems of internal control includes procedures
designed to identify and evaluate failings and weaknesses, and, in
the case of any categorised as significant, procedures exist to ensure
that necessary action is taken to remedy the failings.
The Board also takes account of significant social, environmental
and ethical matters that relate to BT's businesses and reviews
annually BT's corporate social responsibility policy. The company's
workplace practices, specific environmental, social and ethical risks
and opportunities and details of underlying governance processes are
dealt with in Business review—Our resources.
We have enterprise wide risk management processes for identifying,
evaluating and managing the significant risks faced by the group.
These processes have been in place for the whole of the 2011 financial
year and have continued up to the date on which this document was
approved. The processes are in accordance with the Revised Guidance
for Directors on the UK Corporate Governance Code published by the
Financial Reporting Council (the Turnbull Guidance).
Risk assessment and evaluation takes place as an integral part
of BT's annual strategic planning cycle. We have a detailed risk
management process, culminating in a Board review, which
identifies the key risks facing the group and each business unit.
This information is reviewed by senior management as part of the
strategic review. Our current key risks are summarised in Business
review—Our risks.
The key features of the enterprise wide risk management process
comprise the following procedures:
= senior executives collectively review the group's key risks and
have created a group risk register describing the risks, owners
and mitigation strategies. This is reviewed by the Operating
Committee before being reviewed and approved by the Board;
= the lines of business and internal service units carry out risk
assessments of their operations, create risk registers relating to
those operations, and ensure that the key risks are addressed;
= senior executives with responsibilities for major group operations
report quarterly with their opinion on the effectiveness of the
operation of internal controls in their area of responsibility;
= the group's internal auditors carry out continuing assessments
of the quality of risk management and control, report to
management and the Audit & Risk Committee on the status of
specific areas identified for improvement and promote effective
risk management in the lines of business and internal service units
operations; and
= the Audit & Risk Committee, on behalf of the Board, considers the
effectiveness of the operation of internal control procedures in
the group during the financial year. It reviews reports from the
internal and external auditors and reports its conclusions to the
Board. The Audit & Risk Committee has carried out these actions
for the 2011 financial year.
Illustration 2 BT Group
30 June 2011
Report of Management on Internal Control Over
Financial Reporting
US Sarbanes-Oxley Act of 2002
BT has securities registered with the US Securities and Exchange
Commission (SEC). As a result, we must comply with those
provisions of the Sarbanes-Oxley Act applicable to foreign issuers.
We comply with the legal and regulatory requirements introduced
pursuant to this legislation, insofar as they are applicable.
The Audit & Risk Committee includes members Phil Hodkinson and
Nick Rose who, in the opinion of the Board, are "audit committee
financial experts" and who are independent (as defined for this
purpose). The Board considers that the Committee's members have
broad commercial knowledge and extensive business leadership
experience, having held between them various prior roles in major
business, Government, financial management, treasury and financial
function supervision and that this constitutes a broad and suitable
mix of business and financial experience on the Committee.
The code of ethics adopted for the purposes of the Sarbanes-Oxley
Act is posted on the company's website at www.bt.com/ethics. The
code applies to the Chief Executive, Group Finance Director and
senior finance managers.
Disclosure controls and procedures
The Chief Executive and Group Finance Director, after evaluating
the effectiveness of BT's disclosure controls and procedures as of
the end of the period covered by this Annual Report & Form 20-F,
have concluded that, as of such date, BT's disclosure controls
and procedures were effective to ensure that material information
relating to BT was made known to them by others within the group.
The Chief Executive and Group Finance Director concluded that
BT's disclosure controls and procedures are also effective to ensure
that the information required to be disclosed by the company in
reports that it files under the Exchange Act is recorded, processed,
summarised and reported within the time periods specified in the
rules and forms of the SEC. The Chief Executive and Group Finance
Director have also provided the certifications required by the
Sarbanes-Oxley Act.
Internal control over financial reporting
BT's management is responsible for establishing and maintaining
adequate internal control over financial reporting for the group
including the consolidation process. Internal control over financial
reporting is designed to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial
statements for external reporting purposes in accordance with
IFRS. Management conducted an assessment of the effectiveness of
internal control over financial reporting based on the framework for
internal control evaluation contained in the Turnbull Guidance.
Based on this assessment, management has concluded that as at
31 March 2011, BT's internal control over financial reporting was
effective. There were no changes in BT's internal control over
financial reporting that occurred during 2011 that have materially
affected, or are reasonably likely to have materially affected, the
group's internal control over financial reporting. Any significant
deficiency, as defined by the US Public Company Accounting
Oversight Board (PCAOB), in internal control over financial reporting,
is reported to the Audit & Risk Committee. PricewaterhouseCoopers
LLP, which has audited the consolidated financial statements for
2011, has also audited the effectiveness of the group's internal
control over financial reporting under Auditing Standard No. 5 of the
PCAOB. Their report is on page 90.
3 Auditor's Responsibilities
3.1 SOX*
< Under SOX, auditors have strict
and extensive responsibilities
to audit and report on an
organisation's internal control
over financial reporting.
*SOX effectively requires a full audit of the internal
control systems and how this has been combined into
the form of a standard ISA 700 audit report.
Illustration 4 BT Group
30 June 2011
Matters on which we are required to report by exception:
We have nothing to report in respect of the following:
Under the Companies Act 2006 we are required to report to you if, in
our opinion:
= certain disclosures of directors' remuneration specified by law are
not made; or
= we have not received all the information and explanations we
require for our audit.
Under the Listing Rules we are required to review:
= the directors' statement, set out on page 54, in relation to going
concern; and
= the part of the Corporate Governance Statement relating to the
company's compliance with the nine provisions of the Combined
Code (June 2008) specified for our review.
Summary
UK Approach (Principles-Based)
< Directors required to exercise judgement in reviewing how the entity has implemented
the requirements of the UK Corporate Governance Code relating to internal control and
reporting to shareholders on the controls in place.
< Two elements in the reviewing and reporting procedures:
• regular receipt and review of internal control reports; and
• an annual assessment for the purposes of the board's statement in the annual financial
statements.
< A description of the main features of the internal control and risk management systems in
relation to the financial reporting process must be included within the corporate governance
statement of the annual report.
< A summary of the board's processes applied in reviewing the effectiveness of internal
control and the process applied to deal with material internal control aspects of any
significant problems disclosed in the financial statements must also be made.
< Auditors are expected to review information disclosed under provisions of the Listing Rules
and Corporate Governance Code and report any non-compliance. They are not required to
disclose any missing information or qualify their audit opinion.
US Approach (Rules-Based)
< Section 404 of SOX requires management to document, evaluate and report on the
effectiveness of internal controls (similar to the provisions of the UK Code). SOX, however,
has the more onerous requirements to determine rates of compliance, failures, costs, inputs
and outputs.
< Auditors are required to perform an extensive audit of an organisation's internal control
systems over financial reporting alongside the financial statement audit and produce an
audit report covering both the internal controls and the financial statements.
Session 11 Quiz
Estimated time: 10 minutes
1. List SIX considerations in assessing the control environment and control activities. (1.2.2)
2. List SIX components of an internal control report under SOX. (2)
3. State the main UK Corporate Governance Code requirements for reporting on internal control
by external auditors. (3.2)