Committee’s key roles and responsibilities
The Board believes the Audit Committee to be a central pillar for effective corporate governance by providing independent and impartial oversight of the Company’s relevant functions. The Committee's responsibilities include:
- Monitoring the integrity of the financial statements and reviewing significant financial reporting judgments contained in them.
- Reviewing internal financial controls and the Group’s internal control and risk management systems.
- Reviewing the effectiveness and quality of the audit process and the independence and objectivity of the external auditor.
- Monitoring and reviewing the effectiveness of the internal audit function.
- Developing and implementing policy on engaging the external auditor to supply non-audit services, taking into account relevant guidance.
- Approving the external auditor’s remuneration and terms of engagement, and making recommendations about its re-appointment.
Committee activities in FY22
May 2021 | September 2021 | November 2021 | March 2022 | |||
|
|
|
|
All meetings
- Reviewed an Information Security update from the Chief Information Security Officer at each scheduled meeting. This is a standing item on the Committee agenda, given its importance to the Group.
- Reviewed full or summary Risk Management updates at each meeting, including status of and changes to the Group’s principal risks, material litigation, regulatory developments and details of any emerging risks.
- An internal audit update was presented by the Head of Global Internal Audit at each meeting, and discussed by the Committee, including the status of the audit plan, audit findings and themes in the reporting period, and progress on any overdue audit actions.
Significant issues
The table below summarises the significant matters considered by the Committee in relation to the Group and Company financial statements and the way they were concluded. These matters, together with any other significant considerations of the Committee, are reported to the Board. The minutes of each Audit Committee meeting are also circulated to all members of the Board.
Matter considered | Challenge and conclusion | |
Tax | ||
The Committee received a regular update from management on the adequacy of provisions in respect of significant open tax matters. The review included details of ongoing correspondence with tax authorities in the UK, the USA and Brazil and the principal areas of tax challenge. | The Committee agreed that the assessment of the uncertain tax positions was appropriate and that the judgment taken in respect of the year-end provision in the Group financial statements was reasonable. The Committee also noted the evolving and complex tax laws that applied to the Group and the uncertainty that these might bring. It concluded that the Group tax risk disclosures were appropriate. | |
Impairment review – goodwill and other intangible assets | ||
A summary of the annual impairment analysis and underlying process was provided to the Committee. Particular attention was given to EMEA and Asia Pacific, where restructuring activities were ongoing, with uncommitted restructuring activities needing to be excluded from the forecasts. The recoverable amounts of the assets of all segments continued to sufficiently exceed their carrying amounts. | The Committee scrutinised the methodology and assumptions applied by management. The Committee challenged management on the changes to the forecast, particularly in EMEA, and on how management had ensured no restructuring-related savings were included in the model. The overall strategy for the impacted segments and the potential impacts that might be seen in future were also discussed. The Committee noted the headroom and the sensitivity to changes in assumptions and concurred with the proposed disclosure of these in note 20 to the Group financial statements. | |
Impairment review – other assets | ||
A summary of the review process for other assets was provided to the Committee. The review indicated that an impairment was required in one of the Group’s associates. | The Committee scrutinised the methodology and assumptions applied by management. The Committee noted the changes in trading performance, against the forecast, of the associate and debated with management the future strategy for this investment. The Committee concurred with management’s conclusion that a write-down of the associate was required, and that the assets should be treated as held-for-sale. | |
Acquisitions and disposals | ||
The Committee received an update on the acquisitions made during the year, notably the acquisitions of Gabi Personal Insurance Agency, Inc. and Tax Credit Co., LLC in North America. The disposal of our Russian operations and our associate stake in the Cheetah Digital business were also discussed. | The Committee noted these acquisitions included elements of contingent consideration, and that an independent external valuer had assisted with these valuations along with those of the acquired assets and liabilities. The Committee challenged management on the allocation of goodwill to the disposal of our Russian operations, noting the unique circumstances and the impact of various methods that might be used for the allocation. The Committee approved the valuation of the acquisition intangibles and contingent consideration, along with the allocation of goodwill to our Russian operations. | |
Litigation and regulatory matters | ||
The Committee received an update and analysis of open litigation and regulatory matters affecting the Group, including the enforcement notice from the UK Information Commissioner’s Office. | The Committee concluded that these matters had been appropriately provided for at 31 March 2022. The Committee considered and concurred with the proposed contingent liability disclosures included in the notes to the Group financial statements. | |
Restructuring | ||
The proposed restructuring activities in EMEA and Asia Pacific were discussed with the Committee. In addition to the impact on goodwill impairment noted above, the Committee also considered whether any assets were held for sale, if restructuring provisions were required and noted the expenditure on restructuring activities. | The Committee discussed in detail the strategy for the impacted segments and the timing of programme elements. Given the current stage of the activities the Committee concluded that no assets should be held for sale and no restructuring provisions recorded. The Committee concluded that the recording of the restructuring costs was appropriate. |
Fair, balanced and understandable – what do we do?
Each year, in line with the UK Corporate Governance Code and the Committee’s terms of reference, the Committee is asked to consider whether or not, in its opinion, the Annual Report is fair, balanced and understandable (FBU) and whether or not it provides the information necessary for shareholders to assess the Group’s position and performance, business model and strategy. There is an established process to support the Audit Committee in making this assessment, and we follow broadly the same process for the Group’s half-yearly financial report.
Internal audit
There is an agreed four-year evaluation cycle for Experian’s Internal Audit function, the structure of which is a full external quality assessment every four years, and follow-up interim external quality assessments and internal reviews in the intervening period.
In September 2021, the Committee reviewed the conclusions of an internal evaluation of Internal Audit, which comprised: internal quality assurance results; post-audit stakeholder feedback; key internal metrics; self-assessment against the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics by the Head of Global Internal Audit; and a survey of principal stakeholders for areas requiring improvement. All audits that had been assessed using Internal Audit’s quality assurance process were rated positively, with strong adherence to standards and processes.
The stakeholder feedback was strong with Internal Audit seen as highly effective, professional and independent. The survey respondents highlighted Internal Audit’s strong resourcing, purpose and mandate, and audit delivery. A small number of opportunities for development and improvements were noted in some categories, with key feedback focused on further improvements in reporting. Feedback received from stakeholders in respect of FY21 post-audit reviews was positive, with a high average rating from respondents, which was broadly in line with the previous year.
External auditor
Tenure and tendering
KPMG LLP (KPMG) has been the Company’s auditor since July 2016, following the conclusion of the audit tender process in September 2015. There are currently no contractual obligations restricting our choice of external auditor and we confirm that we have complied on a voluntary basis (as a non-UK-incorporated company) with the provisions of the UK Competition and Markets Authority (Mandatory Use of Competitive Tender Processes and Audit Committee responsibilities) Order 2014 for the financial year under review.
Effectiveness, audit quality, independence and appointment
At its September 2021 meeting, the Audit Committee reviewed and discussed KPMG’s audit strategy for the year ended 31 March 2022. In November 2021, and March and May 2022, the Committee received detailed updates on the audit’s progress, which included details of the external auditor’s actions, such as the audit procedures undertaken, the audit’s coverage, the segregation of duties and the status of any significant findings, as well as details of key matters arising from the audit and assessments of management’s judgments on them; and reviewed the content of the independence letter and the management representation letter, as well as engagement terms.
The Committee formally reviews the effectiveness of the external auditor at its September meeting. Experian Internal Audit supports the Committee with this by issuing questionnaires to Board members, senior operational and functional management and senior regional, finance and treasury leadership. As part of the evaluation, the UK Financial Reporting Council’s (FRC’s) Guidance on Audit Committees was reviewed to ensure that best practice was being followed. The evaluation focused on the four key areas used in the FRC’s December 2019 ‘Practice aid for audit committees’: mind-set and culture; skills, character and knowledge; quality control; and judgment. The Committee also reflected on the assurance on financial statements, the audit teams and communication, as well as considering external regulatory updates on the external auditor received during the year.
The overall results of the evaluation were positive. Communication was predominantly strong and clear. While there are areas that could be improved, against a backdrop of COVID-19 challenges, KPMG had provided an effective audit in challenging circumstances, and it was noted there had been a strong performance from the KPMG team in keeping to timelines. There were no concerns regarding the independence of the audit team, the technical knowledge of KPMG or the way in which judgments were explained. The Committee concluded, based on feedback and information obtained during its other work, that the external auditor had performed effectively, and that the Group and the auditor had complied with relevant guidance.
The Committee also evaluates the quality of the audit (along with the effectiveness review described above) in the following ways:
Evaluation of external auditor (process described above) – All respondents agreed that the external audit was sufficiently thorough and focused on the most important risk areas for Experian, including new areas in the FY21 accounts. Improvement was needed in the subsidiary financial statements process with timing challenges, duplication of testing and co-ordination between various KPMG teams observed. No necessary improvements were noted with regard to the external auditor's judgment and communication, particularly as to technical issues, estimates, discussing potential issues and management letter content.
Meeting attendance by the external auditor – KPMG attend all Committee meetings and, during the year, reported to the Committee on the components of the audit plan, additional or forthcoming requirements or regulatory changes, audit findings and interim audit findings. These reports, the private sessions held with the Committee, and the level of challenge applied by the external auditor to management, are opportunities for KPMG to demonstrate and articulate (and for the Committee to assess and challenge, as required) the quality of the audit work.
FRC Audit Quality Inspection Report (AQR) – in July 2021, the FRC published its AQR for KPMG, which was focused on the key areas requiring action by KPMG to safeguard and enhance audit quality. This provided the Committee with an external perspective on the quality of audits by KPMG, and the Committee noted the FRC’s comments on certain KPMG audits and also that improvements were identified in the level of challenge and scepticism on high-risk audits, which was a key finding of the prior year’s report. The report also noted good practice in the audit of going concern. In response to the findings, KPMG subsequently updated the Committee on the investment being made in audit quality, talent retention, diversity, and the ongoing monitoring that was in place.
Technology and processes – KPMG employ a ‘hub’ approach in order to perform standardised testing for each local market. This approach includes the use of data analytics techniques, which supplies audit evidence over significant quantities of data, and this provides a perspective on audit quality to the Committee. Independence is an important element of the external audit. To ensure auditor objectivity and independence, the Committee reviews potential threats to independence and the associated safeguards during the year. The safeguards that KPMG had in place during the year to maintain independence included annual confirmation by KPMG staff of compliance with ethics and independence policies and procedures. KPMG also had in place underlying safeguards to maintain independence by: instilling professional values; communications; internal accountability; risk management; and independent reviews. They also ensured that there was appropriate pre-approval for non-audit services, which are provided only if permissible under relevant ethical standards. The Committee concluded that the external auditor had maintained its independence throughout the year.
Non-audit services
KPMG provides other services to Experian. To ensure auditor objectivity and independence, we have a policy relating to providing such services. The policy includes financial limits above which any proposed non-audit services must be pre-approved, depending on the expenditure proposed. The Committee receives half-yearly reports providing details of non-audit assignments carried out by the external auditor, together with the related fees. Under the policy, non-audit fees paid to KPMG are capped at 30% of the fees for audit services, except in exceptional circumstances. Pre-approval by the Audit Committee or Audit Committee Chair is required in that situation. An analysis of fees paid to the external auditor for the year ended 31 March 2022 is set out in note 13 to the Group financial statements.
Provision of non-audit services
Background
The Audit Committee annually reviews the policy on the provision of non-audit services and recruitment of former auditor employees and the latest review took place in March 2022. The updated policy, which is set out below, recognises the importance of the external auditor’s independence and objectivity.
Policy
The external auditor is prohibited from providing any services other than those directly associated with the audit or required by legislation. These are limited to:
- Reporting required by a competent authority or regulator, under UK law or regulation for example:
- reporting to a regulator on client assets;
- in relation to entities regulated under the UK Financial Services and Markets Act 2000 (FSMA), reports under s166 and s340 of FSMA;
- reporting to a regulator on regulatory financial statements; and
- reporting on a Solvency and Financial Condition Report under Solvency II
- Reporting on internal financial controls when required by law or regulation
- Reporting on the iXBRL tagging of financial statements in accordance with European Single Electronic Format (ESEF) for annual financial reporting
- In the case of a controlled undertaking incorporated and based in a third country, reporting required by law or regulation in that jurisdiction where the auditor is permitted to undertake that engagement
- Reports required by or supplied to competent authorities/regulators supervising the audited entity, where the authority/regulator has either specified the auditor to provide the service or identified to the entity that the auditor would be an appropriate choice for service provider
- Audit and other services provided as auditor of the entity, or as reporting accountant where the services are required by law or regulation
- Reviews of interim financial information; and providing verification of interim profits
- Extended audit or assurance work where the work is integrated with the audit work and is performed on the same principal terms and conditions
- Services which support the entity in fulfilling an obligation required by law or regulation, where the provision of such services is time critical and the subject matter of the engagement is price sensitive
- Reporting on government grants
- Reporting on covenant or loan agreements which require independent verification
- Additional assurance work on material included within the Annual Report
- Services which have been the subject of an application to a competent authority.
The appointment of the external auditor for any non-audit work up to US$50,000 must be approved by the Group Financial Controller. The appointment of the external auditor for any non-audit work where the expected fees are over US$50,000 and up to US$100,000 requires the approval, in advance, of the Group Chief Financial Officer. Where the expected fees are over US$100,000, the approval of the Chair of the Audit Committee is required in advance.
Where cumulative annual fees exceed the 30% annual limit, all expenditure must be approved by the Audit Committee. All expenditure is subject to a tender process, unless express permission is provided by the Chair of the Audit Committee, the Chief Financial Officer or the Group Financial Controller based on the above approval limits. Any expenditure below US$100,000 not subject to a tender will be notified to the Chair of the Audit Committee.
Commercial agreements where Experian provides services to the auditor must be approved by the Group Financial Controller and not exceed the lower of 5% of the local Experian entity’s total revenue and US$250,000, and all transactions should be undertaken on an arm’s length basis. Transactions in excess of this limit require approval of the Chair of the Audit Committee in advance.
The Committee will receive half-yearly reports providing details of assignments and related fees carried out by the external auditor in addition to their normal work.
Following the year-end audit, neither Experian nor any of its subsidiary companies will employ any audit partner or audit team member in a position which could have a significant influence on the Group’s accounting policies or the content of its financial statements until a cooling-off period has elapsed. The cooling-off period is two years in respect of an audit partner, and one year in respect of a director, where they have worked on the audit of Experian plc or its subsidiaries.
The KPMG Engagement Letter further prohibits Experian from soliciting the employment of any audit team member for three months following completion of the audit, without KPMG's consent.
The Committee will receive an update if any audit team members are recruited into senior positions by Experian, followed thereafter by annual reporting on numbers of former auditor senior employees should any remain.
Risk management and internal control
The Board is responsible for maintaining and reviewing the effectiveness of our risk management activities from a strategic, financial, and operational perspective. These activities are designed to identify and manage, rather than eliminate, the risk of failure to achieve business objectives or to successfully deliver our business strategy.
The risk management process is designed to identify, assess, respond to, report on and monitor the risks that threaten our ability to achieve our business strategy and objectives, within our risk appetite.
There is an ongoing process for identifying, evaluating and managing the principal and emerging risks we face. This process was in place for the financial year and up to the date of approval of this Annual Report. Full details of our risk management and internal control systems and processes can be found in the Risk management section of the Strategic report on page 85. The Audit Committee considers emerging risks with management as part of the standing risk management update it receives.
The specific processes underlying the elements of our risk framework are set out below.
Step 1 Risk identification |
|
Step 2 Risk assessment |
|
Step 3 Risk response |
|
Step 4 Risk reporting and monitoring |
|
We follow the Three Lines of Defence approach to risk management. Risks are owned and managed within the business and reviewed by our businesses at least quarterly. Global governance teams review risks and controls, including those relating to information security, compliance and business continuity. Global Internal Audit assesses our risks and controls independently and objectively. The results of these reviews feed into our reporting cycle, including through the risk management governance structure outlined above.
Risk management is essential in a global, innovation-driven business such as Experian. It helps to create long-term shareholder value and protects our business, people, assets, capital and reputation. It operates at all levels throughout the organisation, across regions, business activities and operational support functions.
Our approach to risk management encourages clear decisions about which risks we take and how we manage them, based on an understanding of their potential customer, financial, regulatory, consumer, legal and reputational impact. As risk management and internal control systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, they can provide reasonable but not absolute assurance against material financial misstatement or loss.
For our Three Lines of Defence see page 86
Effectiveness of the risk management and internal control systems
Experian’s risk programme is regularly reviewed, and in FY18 there was an external benchmarking exercise conducted by PwC. Based on that review, goals were set to further improve different elements of the risk management programme, to ensure the Group remains current with best-in-class risk management practices and to keep pace with changes to both internal and external environments. We engaged an external firm again in FY22 to assess the current state and identify opportunities for improvement. The scope was focused generally on risk management organisational structure and management, with a particular emphasis on operational risk management. The output of the external review work was used to adjust the Enterprise Risk Management (ERM) programme and set goals for the next one to three years. The Audit Committee Chair noted that the update to the Committee allowed it to better connect the various pieces of the ERM framework and further understand overall accountability. The implementation plan contained a number of recommendations on operational risk which would be implemented over a two-year period. The Audit Committee noted the need for further increased role-specific training, and investment for a high level of training in operational risk. The Group also continues to build out its emerging risk dashboard.
In line with the Code, the Audit Committee monitors our risk management and internal control systems, robustly assesses the principal risks identified by our risk assessment processes (including those that would threaten our business model, future performance, solvency or liquidity), and monitors actions taken to mitigate them.
For certain joint arrangements, the Board relies on the systems of internal control operating within Experian partners’ infrastructure and the obligations of partners’ boards, relating to the effectiveness of their own systems. The Code requires companies to review the effectiveness of their risk management and internal control systems, at least annually. The Audit Committee performs this review under delegated authority from the Board.
Following this year’s review, the Board considers that the information it received enabled it to review the effectiveness of the Group’s system of internal control in accordance with the FRC’s ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting’ and that the system has no significant failings or weaknesses.
For more on our approach to risk management see pages 85 to 92
Additional financial reporting internal controls
We have detailed policies and procedures in place to ensure the accuracy and reliability of our financial reporting and the preparation of Group financial statements. This includes our comprehensive Global Accounting Policy and Standards Manual, which contains the detailed requirements of International Financial Reporting Standards (IFRS). The Group’s Financial Reporting team owns the Global Accounting Policy and Standards and we have rolled them out across the Group, obliging all Group companies to follow their requirements. The main objectives of the Policy and Standards are to: provide standards for accounting issues and to act as a reference document for both Experian employees and external auditors; allow for preparation of consistent and well-defined information for financial reporting requirements under IFRS; provide a set of measures to be used for both quantitative and qualitative assessments of Group performance; increase the efficiency of the reporting process; and provide a guide for educating Group personnel in approved standardised finance and accounting procedures.