1 Internal ControlGuidance for Directors on the Combined CodeISBN 1 84152 010 1 Published by The Institute of Chartered Accountants in England & WalesChartered Accountants HallPO Box 433 Moorgate PlaceLondon EC2P 2 BJInternet: The Institute of CharteredAccountants in England & WalesFurther copies can be obtained from:Accountancy BooksPO Box 21375 London WC1N 1 QPTelephone 020 7920 8991 Fax 020 7920 1999 Internal ControlGuidance for Directors on the Combined Code Internal Control1 Forewordfrom the London Stock ExchangeThe London Stock Exchange welcomes the publication of Internal Control: Guidancefor Directors on the Combined Code, published by the Internal Control Working Partyof the Institute of Chartered Accountants in England & Wales. The work involved in preparing this guidance for directors of UK incorporated listedcompanies in respect of Principle of the Combined Code, and its associatedProvisions and , is greatly Working Party s guidance is consistent with both the requirements of theCombined Code and of the related Listing Rule disclosure requirements, and clarifiesto boards of directors of listed companies what is expected of them.
2 We consider that compliance with the guidance will constitute compliance withCombined Code provisions and and provide appropriate narrativedisclosure of how Code principle has been the guidance has been adopted in full by a company the guidance on InternalControl and Financial Reporting (the Rutteman guidance) will have been superseded and full compliance with the Combined Code and Listing Rule requirements is GeradineHead of ListingLondon Stock ExchangeSeptember 1999 Internal Control2 ContentsParagraph number(s)IntroductionInternal control requirements of the Combined Code1-7 Objectives of the guidance8-9 The importance of Internal control and risk management10-13 Groups of companies14 The Appendix15 Maintaining a sound system of Internal controlResponsibilities16-19 Elements of a sound system of Internal control20-24 Reviewing the effectiveness of Internal controlResponsibilities25-26 The process for reviewing effectiveness27-34 The board s statement on Internal control35-41 Internal audit42-47 AppendixAssessing the effectiveness of the company s risk and control processesMembership of the Internal Control Working Party Internal Control3 IntroductionInternal control requirements of the Combined the Combined Code of the Committee on Corporate governance (the Code)
3 Was published, the Institute of Chartered Accountants in England &Wales agreed with the London Stock Exchange that it would provide guidance toassist listed companies to implement the requirements in the Code relating tointernal the Code states that The board should maintain a sound systemof Internal control to safeguard shareholders investment and the company sassets . that The directors should, at least annually, conduct areview of the effectiveness of the group s system of Internal control and shouldreport to shareholders that they have done so. The review should cover allcontrols, including financial, operational and compliance controls and riskmanagement . that Companies which do not have an Internal auditfunction should from time to time review the need for one . of the London Stock Exchange Listing Rules states that in thecase of a company incorporated in the United Kingdom, the following additionalitems must be included in its annual report and accounts:(a)a narrative statement of how it has applied the principles set out in Section 1of the Combined Code, providing explanation which enables its shareholdersto evaluate how the principles have been applied.
4 (b)a statement as to whether or not it has complied throughout the accountingperiod with the Code provisions set out in Section 1 of the Combined company that has not complied with the Code provisions, or complied withonly some of the Code provisions or (in the case of provisions whoserequirements are of a continuing nature) complied for only part of anaccounting period, must specify the Code provisions with which it has notcomplied, and (where relevant) for what part of the period such non-compliance continued, and give reasons for any non-compliance . Preamble to the Code, which is appended to the Listing Rules, makes it clear that there is no prescribed form or content for the statement setting outhow the various principles in the Code have been applied. The intention is thatcompanies should have a free hand to explain their governance policies in thelight of the principles, including any special circumstances which have led tothem adopting a particular guidance in this document should be followed by boards of listed companiesin:lassessing how the company has applied Code principle ;limplementing the requirements of Code provisions and ; and lreporting on these matters to shareholders in the annual report and of the guidance is intended to:lreflect sound business practice whereby Internal control is embedded in the business processes by which a company pursues its objectives; lremain relevant over time in the continually evolving business environment;andlenable each company to apply it in a manner which takes account of its particular circumstances.
5 The guidance requires directors to exercise judgement in reviewing how thecompany has implemented the requirements of the Code relating to internalcontrol and reporting to shareholders guidance is based on the adoption by a company s board of a risk-basedapproach to establishing a sound system of Internal control and reviewing itseffectiveness. This should be incorporated by the company within its normalmanagement and governance processes. It should not be treated as a separate exercise undertaken to meet regulatory importance of Internal control and risk company s system of Internal control has a key role in the management ofrisks that are significant to the fulfilment of its business objectives. A soundsystem of Internal control contributes to safeguarding the shareholders investment and the company s control (as referred to in paragraph 20) facilitates the effectiveness andefficiency of operations, helps ensure the reliability of Internal and externalreporting and assists compliance with laws and financial controls, including the maintenance of proper accountingrecords, are an important element of Internal control.
6 They help ensure that thecompany is not unnecessarily exposed to avoidable financial risks and thatfinancial information used within the business and for publication is reliable. Theyalso contribute to the safeguarding of assets, including the prevention anddetection of company s objectives, its Internal organisation and the environment in which itoperates are continually evolving and, as a result, the risks it faces arecontinually changing. A sound system of Internal control therefore depends on athorough and regular evaluation of the nature and extent of the risks to which thecompany is exposed. Since profits are, in part, the reward for successful risk-taking in business, the purpose of Internal control is to help manage and controlrisk appropriately rather than to eliminate of this guidance, where reference is made to company it should betaken, where applicable, as referring to the group of which the reportingcompany is the parent company.
7 For groups of companies, the review ofeffectiveness of Internal control and the report to the shareholders should be from the perspective of the group as a Appendix to this document contains questions which boards may wish toconsider in applying this guidance. Internal Control5 Maintaining a sound system of Internal board of directors is responsible for the company s system of internalcontrol. It should set appropriate policies on Internal control and seek regularassurance that will enable it to satisfy itself that the system is functioningeffectively. The board must further ensure that the system of Internal control iseffective in managing risks in the manner which it has determining its policies with regard to Internal control, and thereby assessingwhat constitutes a sound system of Internal control in the particularcircumstances of the company, the board s deliberations should includeconsideration of the following factors:lthe nature and extent of the risks facing the company; lthe extent and categories of risk which it regards as acceptable for the company to bear;lthe likelihood of the risks concerned materialising;lthe company s ability to reduce the incidence and impact on the business ofrisks that do materialise; and lthe costs of operating particular controls relative to the benefit therebyobtained in managing the related is the role of management to implement board policies on risk and control.
8 Infulfilling its responsibilities, management should identify and evaluate the risksfaced by the company for consideration by the board and design, operate andmonitor a suitable system of Internal control which implements the policiesadopted by the board. employees have some responsibility for Internal control as part of theiraccountability for achieving objectives. They, collectively, should have thenecessary knowledge, skills, information and authority to establish, operate andmonitor the system of Internal control. This will require an understanding of thecompany, its objectives, the industries and markets in which it operates, and the risks it faces. Internal Control6 Elements of a sound system of Internal Internal control system encompasses the policies, processes, tasks,behaviours and other aspects of a company that, taken together:lfacilitate its effective and efficient operation by enabling it to respondappropriately to significant business, operational, financial, compliance andother risks to achieving the company s objectives.
9 This includes thesafeguarding of assets from inappropriate use or from loss and fraud, and ensuring that liabilities are identified and managed;lhelp ensure the quality of Internal and external reporting. This requires themaintenance of proper records and processes that generate a flow of timely,relevant and reliable information from within and outside the organisation;lhelp ensure compliance with applicable laws and regulations, and also withinternal policies with respect to the conduct of company s system of Internal control will reflect its control environment whichencompasses its organisational structure. The system will include:lcontrol activities;linformation and communications processes; andlprocesses for monitoring the continuing effectiveness of the system of Internal system of Internal control should:lbe embedded in the operations of the company and form part of its culture;lbe capable of responding quickly to evolving risks to the business arisingfrom factors within the company and to changes in the businessenvironment; andlinclude procedures for reporting immediately to appropriate levels ofmanagement any significant control failings or weaknesses that are identifiedtogether with details of corrective action being sound system of Internal control reduces, but cannot eliminate, the possibilityof poor judgement in decision-making; human error; control processes beingdeliberately circumvented by employees and others; management overridingcontrols; and the occurrence of unforeseeable circumstances.
10 Sound system of Internal control therefore provides reasonable, but notabsolute, assurance that a company will not be hindered in achieving itsbusiness objectives, or in the orderly and legitimate conduct of its business, bycircumstances which may reasonably be foreseen. A system of Internal controlcannot, however, provide protection with certainty against a company failing tomeet its business objectives or all material errors, losses, fraud, or breaches oflaws or Control7 Reviewing the effectiveness of Internal the effectiveness of Internal control is an essential part of the board sresponsibilities. The board will need to form its own view on effectiveness afterdue and careful enquiry based on the information and assurances provided to is accountable to the board for monitoring the system of internalcontrol and for providing assurance to the board that it has done role of board committees in the review process, including that of the auditcommittee, is for the board to decide and will depend upon factors such as thesize and composition of the board; the scale, diversity and complexity of thecompany s operations; and the nature of the significant risks that the companyfaces.