Internal controls and risk management
The Board is responsible for the operation and effectiveness of the Group’s system of internal controls and risk management. There is an on-going process for identifying, evaluating and managing the significant risks faced by the Group. Our system of internal controls and risk management is designed to meet our particular needs and to address the risks to which our business is exposed. By its nature, this system can only provide reasonable, not absolute, assurance against material misstatement or loss.
The effectiveness of the system of internal controls and risk management is regularly reviewed by the Board and complies with the UK Corporate Governance Code 2012. There is an on-going process for identifying, evaluating and managing the significant risks faced by the Group which is managed on a day-to-day basis by the Group Risk and Assurance Director and such a review was undertaken during the year.
Monitoring and review
There are processes in place to monitor the system of internal controls and the reporting of any significant control failings or weaknesses and planned mitigating actions. These processes include annual certification, internal audit activity and Audit Committee review.
On an on-going basis, Sage operating companies certify to the risk and assurance team working with the Group Risk and Assurance Director that Sage’s policy requirements have been received and understood. In addition, management representations covering compliance with relevant policies and the accuracy of financial information are collated on an annual basis.
Risk management processes and responsibilities
The processes to identify and manage the key risks to the success of Sage are an integral part of the internal controls environment.
Risk appetite is utilised to ensure the correct focus is placed on the correct risks. Identified risks are scored on a gross and a net risk basis using our predefined scoring matrix. Risks are then prioritised based on both gross and net risk scores and using our risk appetite. The top four risks are reviewed by the Board on an annual basis, with prioritised risks below the top four being reviewed by the Audit Committee. The Audit Committee also reviews the assurance gained through reliance on controls to mitigate risks, i.e. the delta between gross and net risk score.
Risk management processes and procedures are set to ensure that risks are identified from a top down strategic perspective as well as a bottom up local perspective. During the year, processes and procedures have operated as described above. Facilitated risk workshops have been completed with the Executive Committee and major territories around the Group and results from risk management activities have been reported to and discussed directly with the Executive Committee, Audit Committee and the Board.
Internal audit activities are provided by an in-house team supplemented under co-source agreements by third-party providers. The role of Head of Internal Audit is undertaken by the Group Risk and Assurance Director who has a direct reporting line to the Audit Committee and its Chair in order to ensure independence.
It is the role of internal audit to advise management and the Board on the extent to which systems of internal controls are effective. The internal audit plan is determined through a structured process of risk assessment and the scope of work provides assurance over both key risks to Sage and its main business functions.
The internal audit plan set out at the beginning of the year is flexed as necessary during the year to take into account any key business changes. During this year, key areas reviewed, over and above financial, HR and IT controls, were the provision of online services, information security, treasury, storage of source code and compliance with external regulatory and internal policy requirements. The full plan was delivered during the year and the results were in line with expectations.
Other internal controls procedures.
A whistleblowing telephone hotline service operates in many of our operating companies (including all those in the UK and US) allowing employees to raise issues of concern in relation to dishonesty or malpractice on an entirely confidential basis. Processes for the confidential reporting of concerns exist in France and Germany and the Group continues to seek the introduction of further telephone hotlines where local legislation permits. The Audit Committee receives regular reports on any matters raised through these services and monitors their use throughout the Group.
As part of the general internal controls and risk management processes, Sage also has specific internal controls and risk management systems to govern financial reporting. The requirements for producing financial information are governed by the Group Accounting Manual, against which the Group’s external auditors review the financial statements. Financial control requirements are set out in a detailed Financial Controls Policy, which is subject to internal audit reviews on an annual basis.
Any part of the Group not subject to a specific internal audit review of financial controls in any given year is required to self-assess on the effectiveness of their financial control environment.
Processes have been set up during the year to ensure that assurance can be provided over whether the Annual Report & Accounts is considered to be fair, balanced and understandable. Management representations, external and internal audit reviews and an independent messaging review have taken place to provide this assurance.
Quality and integrity of personnel
The integrity and competence of personnel is ensured through high recruitment standards and the provision of subsequent training and development. High-quality personnel are seen as an essential part of the control environment.
A clearly defined organisational structure exists within which individual responsibilities are identified and can be monitored. The management of the Group as a whole is delegated to the Chief Executive and the Executive Committee.
The Executive Committee meets regularly to agree strategy, monitor performance and consider key business issues. As part of its review, it considers the risks associated with the delivery of strategy and important governance issues within operating companies.
Within the Group team, based in Newcastle upon Tyne, there are a number of central administrative functions such as Group Treasury, Corporate Communications and Group Legal. These functions report to the Board through its executive members and the members of the Executive Committee.
A number of Group-wide policies, issued and administered centrally, have been set to ensure compliance with key governance standards. These policies cover areas such as finance, data protection and mergers and acquisitions. The conduct of Sage’s individual businesses is delegated to the local executive management teams. Details of the authority delegated to local and regional management are set out in a delegation of authority matrix which is communicated to management throughout Sage. These teams are accountable for the conduct and performance of their businesses within the agreed business strategy. They have full authority to act subject to the reserved powers and sanctioning limits laid down by the Board and to Group policies and guidelines.
A comprehensive budgeting system is in place, with annual budgets for all operating companies being approved by respective local boards. Subsequently the combined budget is subject to consideration and approval by the Board. Management information systems provide the directors with relevant and timely information required to monitor financial performance.
Investment appraisal (including acquisitions)
Budgetary approval and defined authorisation levels regulate capital expenditure. As part of the budgetary process the Board considers proposals for research and development programmes. Acquisition activity is subject to internal guidelines governing investment appraisal criteria, financial targets, negotiation, execution and post-acquisition management.