Internal Controls and Risk Management

The Board is responsible for establishing, maintaining and reviewing sound risk management and internal control systems. As such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, they can provide reasonable, but not absolute, assurance against material financial misstatement or loss. For certain joint arrangements, the Board places reliance upon the systems of internal control operating within the partners’ infrastructure and the obligations upon partners’ boards relating to the effectiveness of their own systems.

An annual review of the effectiveness of the risk management and control systems is required and this was performed by the Audit Committee in May 2012, under delegated authority from the Board. The review included senior executives being asked to confirm compliance with the Group’s system of internal control, Group policies, and corporate governance and corporate responsibility processes, i.e. to confirm compliance with the Turnbull Guidance ‘Internal Control Revised Guidance for Directors’ throughout the financial year. Unqualified confirmations were received from all regional finance directors and officers, senior Group functional heads and the Chief Executive Officer. The Committee also reviewed the features of the risk management and control systems and the control framework, noting the various forms of assurance (both management and independent) that are provided to it throughout the year. Following the review, it is the Board’s view that the information was sufficient to enable it to review the effectiveness of the Group’s system of internal control in accordance with the Turnbull Guidance, and that the system has no significant failings or weaknesses.

Principal features of the risk management and internal control systems:

Tone at the Top

  • Sustaining a culture of integrity and ethical values supported by a global code of conduct, anti-corruption policies and a sustainable corporate responsibility programme.
  • Commitment to competency through our people selection, retention and talent management programmes. Further details on this process can be found in the ‘Our people’ section of the Annual Report 2011.
  • Management’s commitment to maintaining a strong risk and control culture through support of a structured enterprise governance and risk management framework. Further details can be found in this section and the risks and uncertainties section of the business review section of the Annual Report 2011.

How do we identify, manage and control risk?

There is an ongoing process for identifying, assessing and managing the significant risks faced by the Group, including those risks relating to social, ethical and environmental matters. Further details on this process, which was in place throughout the year ended 31 March 2012 and up to the date of approval of the annual report, can be found in the risks and uncertainties section of the Annual Report 2011.

What does the control environment look like?

  • Terms of reference for the Board and each of its committees, which are regularly reviewed.
  • Clear organisational structure, with the global and regional delegated authorities matrices clearly outlining the delegation of authority, including from the Board to principal subsidiaries.
  • Principles, policies and standards to be adhered to throughout the business. These include a global risk management policy, accounting policies, treasury policy, information security policy and a policy on fraud and whistleblowing.
  • Defined and well-understood review and approval procedures for major transactions, capital expenditure and revenue expenditure.
  • The regional and global strategic project committees review and evaluate all significant business investments, developments and divestments, with risk assessment an integral component of the evaluation process.
  • Appropriate strategies to deal with each significant risk that has been identified, including internal controls, insurance and specialised treasury instruments.

Information and communication

  • Monthly finance report to the Board, which includes a Group financial summary, Group results, forecasts and sales trends, investor relations analysis and detailed business trading summaries.
  • Detailed monthly performance reviews at a regional level.
  • Regional and executive risk management committees receive quarterly reporting on the status of principal and emerging risks along with the status of significant projects that promote the Group’s strategic objectives.
  • The Audit Committee receives global risk management reports during the year which are generated through the facilitated, quarterly contribution of managers in each area of Experian’s business, including facilitated contributions from key governance functions such as Information Security, Business Continuity, Legal, Government Affairs, Compliance, Finance, Group Corporate Secretariat, Internal Audit and Technology Services.
  • Fraud and whistleblowing procedures are in place for employees to report suspected improprieties and the Audit Committee receives regular reports on this area from the Head of Global Internal Audit.

What monitoring takes place?

  • Well-developed system of planning, incorporating Board approval of Group strategy and budgets. Performance against the agreed plan is subsequently monitored and reported at each Board meeting.
  • The achievement of business objectives, both financial and non-financial, is assessed on a monthly basis, using a range of key performance indicators.
  • There is regular reporting to the Board in respect of the exercise of the delegations of authorities to the principal subsidiaries.
  • The global risk management policy provides for the ongoing identification and escalation of accepted, new and emerging risks to management and the Board as appropriate.
  • Each business unit is responsible for the day-to-day management of risk and for ensuring that risk exposure remains within established limits. The global risk management policy outlines, for business units, the expectations in relation to escalation of identified risks, control weaknesses or gaps.
  • Certificates are provided annually by each business unit and key function to confirm compliance with the Group’s system of internal control, Group policies, and corporate governance and corporate responsibility processes.
  • The Group’s internal audit function provides independent testing and verification of risk management policies, processes and practices across the Group and reports to the Audit Committee on the effectiveness of the system of internal control.
  • The Audit Committee reviews a variety of reports on risk, including material risk reports, material litigation reports, information security reports and regulatory and compliance reports.
  • The Audit Committee performs an annual review of the effectiveness of the Group’s systems of risk management and internal control and receives an annual report on the controls over relevant risks.
  • The internal audit programme and methodology are aligned to the risk categories and make use of risk assessment information at a business level in planning and conducting audits.

Internal control over financial reporting

Detailed policies and procedures are in place to ensure the accuracy and reliability of financial reporting and the preparation of consolidated financial statements. A comprehensive Group Accounting Manual (‘GAM’), including details of International Financial Reporting Standards (‘IFRS’) requirements, is in place. The document is owned by the Group’s finance team and has been rolled out across the Group. All Experian companies are obliged to follow the requirements of the GAM. The aims of the GAM are to:

  • provide guidance on accounting issues;
  • allow for consistent and well-defined information for IFRS reporting requirements;
  • provide uniform measures for quantitative and qualitative measures of Group performance; and
  • increase the efficiency of the Group’s reporting process.