Audit Committee report

Code principle
Audit, Risk and Internal Control

Deirdre Mahlan

Chair of the Audit Committee

I am pleased to report on the Committee's activities during the year, my final year serving on the Committee and the Board. It has been a privilege to be part of this great organisation.

Members

Deirdre Mahlan (Chair)

Dr Ruba Borno

Alison Brittain

Caroline Donahue

Luiz Fleury

Jonathan Howell

George Rose

Introduction

The purpose of this report is to describe how the Committee has carried out its responsibilities during the year. Our overarching objectives include ensuring the integrity of the Group’s financial reporting, that any judgments made are appropriate, that the external auditor is effective in its role, and being robust in ensuring that we have an effective internal control framework to manage the risks Experian faces.

During the year ended 31 March 2022, the Committee has ensured that it has had oversight of all of these areas with particular focus on a range of principal and emerging risks such as cyber security, data management and privacy, fraud and regulatory compliance. We received updates during the year from both internal audit and KPMG on the impact COVID-19 had on audit activities and adjustments made in working practices to allow for remote working, and were satisfied with actions taken. In addition, the Committee has received regular reports on internal audits, business integrity and controls assurance work, compliance allegation and investigation processes, as well as updates on the steps being taken to address internal audit findings, controls issues and investigations.

This report also contains details of the significant issues we considered in relation to the financial statements and how these were addressed, and our process for concluding that this Annual Report is fair, balanced and understandable.

The Committee was in place throughout the year ended 31 March 2022.



Quick facts

  • Deirdre Mahlan has chaired the Committee since January 2015. Deirdre is a qualified accountant with an MBA and has many years’ experience in senior finance roles, most recently as Chief Financial Officer of Diageo plc.
  • Jonathan Howell will succeed Deirdre as Chair with effect from 1 July 2022.
  • All members of the Committee are independent non-executive directors and the Board considers them to have an appropriate level of experience.
  • Deirdre Mahlan, George Rose and Jonathan Howell are considered to have recent and relevant financial experience, in line with the UK Corporate Governance Code.
  • The Committee met four times during the year, with each scheduled meeting timed to coincide with key dates in the Group’s financial reporting and audit cycle.
  • Regular attendees at meetings include the Chair, the executive directors, the Group General Counsel, the Head of Global Internal Audit, the Global Financial Controller, the Global Chief Technology Officer, the Chief Information Security Officer and representatives from KPMG LLP (the external auditor). Other invitees include the Group Chief Risk Officer and Director of Corporate Finance.
  • At the end of each scheduled meeting, the external auditor and the Head of Global Internal Audit meet with the Committee to discuss any matters without management being present.
  • The Committee is authorised to seek outside legal or other independent professional advice as it sees fit.

Committee’s key roles and responsibilities

The Board believes the Audit Committee to be a central pillar for effective corporate governance by providing independent and impartial oversight of the Company’s relevant functions. The Committee's responsibilities include:

  • Monitoring the integrity of the financial statements and reviewing significant financial reporting judgments contained in them.
  • Reviewing internal financial controls and the Group’s internal control and risk management systems.
  • Reviewing the effectiveness and quality of the audit process and the independence and objectivity of the external auditor.
  • Monitoring and reviewing the effectiveness of the internal audit function.
  • Developing and implementing policy on engaging the external auditor to supply non-audit services, taking into account relevant guidance.
  • Approving the external auditor’s remuneration and terms of engagement, and making recommendations about its re-appointment.

Committee activities in FY22


May 2021

  • Reviewed the preliminary results announcement and the Annual Report, and papers in relation to:
      • year-end accounting matters
      • the preparation of the financial statements on the going concern basis (see also note 2 to the Group financial statements)
      • the making of a viability statement recommendation to the Board
      • the fair, balanced and understandable assessment
      • the making of management representations.
  • Reviewed the 2021 Annual Report to ensure it was fair, balanced and understandable and provided information enabling an assessment of Experian’s position and performance, business model and strategy.
  • Reviewed the Risk Management Framework and Summary of Assurance.
  • Reviewed the external auditor’s year-end report, including independence considerations.
  • Reviewed non-audit fees.

September 2021

  • Considered the FY22 external audit plan with the external auditor, including its scope and materiality. The plan included the external auditor’s response to developments in the business during the year, developments in the audit process, the Group’s risk assessment and the coverage of the audit.
  • Reviewed the effectiveness of the external auditor (see page 120 ‘External auditor’).
  • Evaluated the performance of the Global Internal Audit function (see page 120 ‘Internal audit’) and assessed the impact of COVID-19.
  • Reviewed the Compliance Management Programme overview from the Global Head of Compliance; assessed the Compliance terms of reference and received annual compliance training.
  • Reviewed fraud and Confidential Helpline updates.
  • Reviewed the Group’s Treasury Policy.
  • Approved the Committee’s annual meeting schedule and reviewed the Committee’s performance against its terms of reference.
  • Received a briefing on the proposed Internal Controls over Financial Reporting (ICFR) requirement.
  • Received an update on the new Information Security Risk Management framework.

November 2021

  • Reviewed the half-yearly financial report announcement, and papers in relation to:
      • half-year accounting matters
      • the preparation of the half-yearly report on the going concern basis
      • a fair, balanced and understandable assessment
      • the making of management representations.
  • Reviewed the external auditor’s half-year report, including independence considerations.

March 2022

  • Reviewed the principal accounting policies, pre-year-end accounting matters and updates on the year-end financial statements and financial review.
  • Reviewed the external auditor’s pre-year-end report, including scope, status and controls findings.
  • Reviewed the Global Internal Audit strategy and annual plan.
  • Reviewed the Group’s non-audit fee policy and the Group audit fee.
  • Reviewed the Group’s Tax Policy.
  • Reviewed Confidential Helpline update.
  • Considered the re-appointment of the external auditor.

All meetings


  • Reviewed an Information Security update from the Chief Information Security Officer at each scheduled meeting. This is a standing item on the Committee agenda, given its importance to the Group.

  • Reviewed full or summary Risk Management updates at each meeting, including status of and changes to the Group’s principal risks, material litigation, regulatory developments and details of any emerging risks.

  • An internal audit update was presented by the Head of Global Internal Audit at each meeting, and discussed by the Committee, including the status of the audit plan, audit findings and themes in the reporting period, and progress on any overdue audit actions.

Significant issues


The table below summarises the significant matters considered by the Committee in relation to the Group and Company financial statements and the way they were concluded. These matters, together with any other significant considerations of the Committee, are reported to the Board. The minutes of each Audit Committee meeting are also circulated to all members of the Board.

Tax

Matter considered:

The Committee received a regular update from management on the adequacy of provisions in respect of significant open tax matters. The review included details of ongoing correspondence with tax authorities in the UK, the USA and Brazil and the principal areas of tax challenge.

Challenge and conclusion:

The Committee agreed that the assessment of the uncertain tax positions was appropriate and that the judgment taken in respect of the year-end provision in the Group financial statements was reasonable.

The Committee also noted the evolving and complex tax laws that applied to the Group and the uncertainty that these might bring. It concluded that the Group tax risk disclosures were appropriate.

Impairment review – goodwill and other intangible assets

Matter considered:

A summary of the annual impairment analysis and underlying process was provided to the Committee.

Particular attention was given to EMEA and Asia Pacific, where restructuring activities were ongoing, with uncommitted restructuring activities needing to be excluded from the forecasts.

The recoverable amounts of the assets of all segments continued to sufficiently exceed their carrying amounts.

Challenge and conclusion:

The Committee scrutinised the methodology and assumptions applied by management.

The Committee challenged management on the changes to the forecast, particularly in EMEA, and on how management had ensured no restructuring-related savings were included in the model.

The overall strategy for the impacted segments and the potential impacts that might be seen in future were also discussed.

The Committee noted the headroom and the sensitivity to changes in assumptions and concurred with the proposed disclosure of these in note 20 to the Group financial statements.

Impairment review – other assets

Matter considered:

A summary of the review process for other assets was provided to the Committee.

The review indicated that an impairment was required in one of the Group’s associates.

Challenge and conclusion:

The Committee scrutinised the methodology and assumptions applied by management.

The Committee noted the changes in trading performance, against the forecast, of the associate and debated with management the future strategy for this investment.

The Committee concurred with management’s conclusion that a write-down of the associate was required, and that the assets should be treated as held-for-sale.

Acquisitions and disposals

Matter considered:

The Committee received an update on the acquisitions made during the year, notably the acquisitions of Gabi Personal Insurance Agency, Inc. and Tax Credit Co., LLC in North America.

The disposal of our Russian operations and our associate stake in the Cheetah Digital business were also discussed.

Challenge and conclusion:

The Committee noted these acquisitions included elements of contingent consideration, and that an independent external valuer had assisted with these valuations along with those of the acquired assets and liabilities.

The Committee challenged management on the allocation of goodwill to the disposal of our Russian operations, noting the unique circumstances and the impact of various methods that might be used for the allocation.

The Committee approved the valuation of the acquisition intangibles and contingent consideration, along with the allocation of goodwill to our Russian operations.

Litigation and regulatory matters

Matter considered:

The Committee received an update and analysis of open litigation and regulatory matters affecting the Group, including the enforcement notice from the UK Information Commissioner’s Office.

Challenge and conclusion:

The Committee concluded that these matters had been appropriately provided for at 31 March 2022.

The Committee considered and concurred with the proposed contingent liability disclosures included in the notes to the Group financial statements.

Restructuring

Matter considered:

The proposed restructuring activities in EMEA and Asia Pacific were discussed with the Committee. In addition to the impact on goodwill impairment noted above, the Committee also considered whether any assets were held for sale, if restructuring provisions were required and noted the expenditure on restructuring activities.

Challenge and conclusion:

The Committee discussed in detail the strategy for the impacted segments and the timing of programme elements. Given the current stage of the activities the Committee concluded that no assets should be held for sale and no restructuring provisions recorded. The Committee concluded that the recording of the restructuring costs was appropriate.

Fair, balanced and understandable – what do we do?


Each year, in line with the UK Corporate Governance Code and the Committee’s terms of reference, the Committee is asked to consider whether or not, in its opinion, the Annual Report is fair, balanced and understandable (FBU) and whether or not it provides the information necessary for shareholders to assess the Group’s position and performance, business model and strategy. There is an established process to support the Audit Committee in making this assessment, and we follow broadly the same process for the Group’s half-yearly financial report.


The main elements of the process are:

  • A list of ‘key areas to focus on’ was previously shared with the Annual Report team. The team is reminded of the requirement annually and asked to reflect this in their drafting.
  • An internal FBU committee considered the Annual Report in May 2022, ahead of the Audit Committee meeting. A wide range of functions are represented on this committee, including executives from finance, communications, investor relations, legal and corporate secretariat. The external auditor also supports the committee.
  • In advance of its May 2022 meeting, the Audit Committee received a near-final draft of the Annual Report, together with a reminder of the areas to focus on. The FBU committee’s observations and conclusions were also relayed to the Audit Committee.
  • Following its review this year, the Audit Committee concluded that it was appropriate to confirm to the Board that the 2022 Annual Report was fair, balanced and understandable, and provided the information necessary for shareholders to assess the Group’s position and performance, business model and strategy. The FBU statement appears in the Directors’ report.

The 'key areas to focus on' included ensuring that:

  • The overall message of the narrative reporting is consistent with the primary financial statements.
  • The overall message of the narrative reporting is appropriate, in the context of the industry and the wider economic environment.
  • The Annual Report is consistent with messages already communicated to investors, analysts and other stakeholders.
  • The Annual Report, taken as a whole, is fair, balanced and understandable.
  • The Chair and Chief Executive Officer’s statements include a balanced view of the Group’s performance and prospects, and of the industry and market as a whole.
  • Any summaries or highlights capture the big picture of the Group appropriately.
  • Case studies or examples are of strategic importance and do not over-emphasise immaterial matters.

Internal audit

There is an agreed four-year evaluation cycle for Experian’s Internal Audit function, the structure of which is a full external quality assessment every four years, and follow-up interim external quality assessments and internal reviews in the intervening period.

In September 2021, the Committee reviewed the conclusions of an internal evaluation of Internal Audit, which comprised: internal quality assurance results; post-audit stakeholder feedback; key internal metrics; self-assessment against the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics by the Head of Global Internal Audit; and a survey of principal stakeholders for areas requiring improvement. All audits that had been assessed using Internal Audit’s quality assurance process were rated positively, with strong adherence to standards and processes.

The stakeholder feedback was strong with Internal Audit seen as highly effective, professional and independent. The survey respondents highlighted Internal Audit’s strong resourcing, purpose and mandate, and audit delivery. A small number of opportunities for development and improvements were noted in some categories, with key feedback focused on further improvements in reporting. Feedback received from stakeholders in respect of FY21 post-audit reviews was positive, with a high average rating from respondents, which was broadly in line with the previous year.

External auditor

Tenure and tendering

KPMG LLP (KPMG) has been the Company’s auditor since July 2016, following the conclusion of the audit tender process in September 2015. There are currently no contractual obligations restricting our choice of external auditor and we confirm that we have complied on a voluntary basis (as a non-UK-incorporated company) with the provisions of the UK Competition and Markets Authority (Mandatory Use of Competitive Tender Processes and Audit Committee responsibilities) Order 2014 for the financial year under review.

Effectiveness, audit quality, independence and appointment

At its September 2021 meeting, the Audit Committee reviewed and discussed KPMG’s audit strategy for the year ended 31 March 2022. In November 2021, and March and May 2022, the Committee received detailed updates on the audit’s progress, which included details of the external auditor’s actions, such as the audit procedures undertaken, the audit’s coverage, the segregation of duties and the status of any significant findings, as well as details of key matters arising from the audit and assessments of management’s judgments on them; and reviewed the content of the independence letter and the management representation letter, as well as engagement terms.

The Committee formally reviews the effectiveness of the external auditor at its September meeting. Experian Internal Audit supports the Committee with this by issuing questionnaires to Board members, senior operational and functional management and senior regional, finance and treasury leadership. As part of the evaluation, the UK Financial Reporting Council’s (FRC’s) Guidance on Audit Committees was reviewed to ensure that best practice was being followed. The evaluation focused on the four key areas used in the FRC’s December 2019 ‘Practice aid for audit committees’: mind-set and culture; skills, character and knowledge; quality control; and judgment. The Committee also reflected on the assurance on financial statements, the audit teams and communication, as well as considering external regulatory updates on the external auditor received during the year.

The overall results of the evaluation were positive. Communication was predominantly strong and clear. While there are areas that could be improved, against a backdrop of COVID-19 challenges, KPMG had provided an effective audit in challenging circumstances, and it was noted there had been a strong performance from the KPMG team in keeping to timelines. There were no concerns regarding the independence of the audit team, the technical knowledge of KPMG or the way in which judgments were explained. The Committee concluded, based on feedback and information obtained during its other work, that the external auditor had performed effectively, and that the Group and the auditor had complied with relevant guidance.

The Committee also evaluates the quality of the audit (along with the effectiveness review described above) in the following ways:

Evaluation of external auditor (process described above) – All respondents agreed that the external audit was sufficiently thorough and focused on the most important risk areas for Experian, including new areas in the FY21 accounts. Improvement was needed in the subsidiary financial statements process with timing challenges, duplication of testing and co-ordination between various KPMG teams observed. No necessary improvements were noted with regard to the external auditor's judgment and communication, particularly as to technical issues, estimates, discussing potential issues and management letter content.

Meeting attendance by the external auditor – KPMG attend all Committee meetings and, during the year, reported to the Committee on the components of the audit plan, additional or forthcoming requirements or regulatory changes, audit findings and interim audit findings. These reports, the private sessions held with the Committee, and the level of challenge applied by the external auditor to management, are opportunities for KPMG to demonstrate and articulate (and for the Committee to assess and challenge, as required) the quality of the audit work.

FRC Audit Quality Inspection Report (AQR) – in July 2021, the FRC published its AQR for KPMG, which was focused on the key areas requiring action by KPMG to safeguard and enhance audit quality. This provided the Committee with an external perspective on the quality of audits by KPMG, and the Committee noted the FRC’s comments on certain KPMG audits and also that improvements were identified in the level of challenge and scepticism on high-risk audits, which was a key finding of the prior year’s report. The report also noted good practice in the audit of going concern. In response to the findings, KPMG subsequently updated the Committee on the investment being made in audit quality, talent retention, diversity, and the ongoing monitoring that was in place.

Technology and processes – KPMG employ a ‘hub’ approach in order to perform standardised testing for each local market. This approach includes the use of data analytics techniques, which supply audit evidence over significant quantities of data, and this provides a perspective on audit quality to the Committee.

Independence is an important element of the external audit. To ensure auditor objectivity and independence, the Committee reviews potential threats to independence and the associated safeguards during the year. The safeguards that KPMG had in place during the year to maintain independence included annual confirmation by KPMG staff of compliance with ethics and independence policies and procedures. KPMG also had in place underlying safeguards to maintain independence by: instilling professional values; communications; internal accountability; risk management; and independent reviews. They also ensured that there was appropriate pre-approval for non-audit services, which are provided only if permissible under relevant ethical standards. The Committee concluded that the external auditor had maintained its independence throughout the year.

Non-audit services

KPMG provides other services to Experian. To ensure auditor objectivity and independence, we have a policy relating to providing such services. The policy includes financial limits above which any proposed non-audit services must be pre-approved, depending on the expenditure proposed. The Committee receives half-yearly reports providing details of non-audit assignments carried out by the external auditor, together with the related fees. Under the policy, non-audit fees paid to KPMG are capped at 30% of the fees for audit services, except in exceptional circumstances. Pre-approval by the Audit Committee or Audit Committee Chair is required in that situation. An analysis of fees paid to the external auditor for the year ended 31 March 2022 is set out in note 13 to the Group financial statements.

Provision of non-audit services

Background

The Audit Committee annually reviews the policy on the provision of non-audit services and recruitment of former auditor employees and the latest review took place in March 2022. The updated policy, which is set out below, recognises the importance of the external auditor’s independence and objectivity.

Policy

The external auditor is prohibited from providing any services other than those directly associated with the audit or required by legislation. These are limited to:

  • Reporting required by a competent authority or regulator, under UK law or regulation, for example:
      • reporting to a regulator on client assets;
      • in relation to entities regulated under the UK Financial Services and Markets Act 2000 (FSMA), reports under s166 and s340 of FSMA;
      • reporting to a regulator on regulatory financial statements; and
      • reporting on a Solvency and Financial Condition Report under Solvency II
  • Reporting on internal financial controls when required by law or regulation
  • Reporting on the iXBRL tagging of financial statements in accordance with European Single Electronic Format (ESEF) for annual financial reporting
  • In the case of a controlled undertaking incorporated and based in a third country, reporting required by law or regulation in that jurisdiction where the auditor is permitted to undertake that engagement
  • Reports required by or supplied to competent authorities/regulators supervising the audited entity, where the authority/regulator has either specified the auditor to provide the service or identified to the entity that the auditor would be an appropriate choice for service provider
  • Audit and other services provided as auditor of the entity, or as reporting accountant where the services are required by law or regulation
  • Reviews of interim financial information; and providing verification of interim profits
  • Extended audit or assurance work where the work is integrated with the audit work and is performed on the same principal terms and conditions
  • Services which support the entity in fulfilling an obligation required by law or regulation, where the provision of such services is time critical and the subject matter of the engagement is price sensitive
  • Reporting on government grants
  • Reporting on covenant or loan agreements which require independent verification
  • Additional assurance work on material included within the Annual Report
  • Services which have been the subject of an application to a competent authority.

The appointment of the external auditor for any non-audit work up to US$50,000 must be approved by the Group Financial Controller. The appointment of the external auditor for any non-audit work where the expected fees are over US$50,000 and up to US$100,000 requires the approval, in advance, of the Group Chief Financial Officer. Where the expected fees are over US$100,000, the approval of the Chair of the Audit Committee is required in advance.

Where cumulative annual fees exceed the 30% annual limit, all expenditure must be approved by the Audit Committee. All expenditure is subject to a tender process, unless express permission is provided by the Chair of the Audit Committee, the Chief Financial Officer or the Group Financial Controller based on the above approval limits. Any expenditure below US$100,000 not subject to a tender will be notified to the Chair of the Audit Committee.

Commercial agreements where Experian provides services to the auditor must be approved by the Group Financial Controller and not exceed the lower of 5% of the local Experian entity’s total revenue and US$250,000, and all transactions should be undertaken on an arm’s length basis. Transactions in excess of this limit require approval of the Chair of the Audit Committee in advance.

The Committee will receive half-yearly reports providing details of assignments and related fees carried out by the external auditor in addition to their normal work.

Following the year-end audit, neither Experian nor any of its subsidiary companies will employ any audit partner or audit team member in a position which could have a significant influence on the Group’s accounting policies or the content of its financial statements until a cooling-off period has elapsed. The cooling-off period is two years in respect of an audit partner, and one year in respect of a director, where they have worked on the audit of Experian plc or its subsidiaries.

The KPMG Engagement Letter further prohibits Experian from soliciting the employment of any audit team member for three months following completion of the audit, without KPMG's consent.

The Committee will receive an update if any audit team members are recruited into senior positions by Experian, followed thereafter by annual reporting on numbers of former auditor senior employees should any remain.

Risk management and internal control

The Board is responsible for maintaining and reviewing the effectiveness of our risk management activities from a strategic, financial, and operational perspective. These activities are designed to identify and manage, rather than eliminate, the risk of failure to achieve business objectives or to successfully deliver our business strategy.

The risk management process is designed to identify, assess, respond to, report on and monitor the risks that threaten our ability to achieve our business strategy and objectives, within our risk appetite.

There is an ongoing process for identifying, evaluating and managing the principal and emerging risks we face. This process was in place for the financial year and up to the date of approval of this Annual Report. Full details of our risk management and internal control systems and processes can be found in the Risk management section of the Strategic report on page 85. The Audit Committee considers emerging risks with management as part of the standing risk management update it receives.

The specific processes underlying the elements of our risk framework are set out below.

Step 1

Risk identification

  • Identify and escalate new, emerging or changing risks, significant incidents, significant control gaps and risk acceptances
  • Consider external factors arising from our operating environment and internal risks arising from the nature of our business, our controls and processes, and our management decisions

Step 2

Risk assessment

  • Assess the potential impact of each strategic, operational, regulatory and financial risk on the achievement of our business objectives, and the Group’s corresponding risk appetite
  • Produce Board-level and Group-level finance reports, including financial summaries, results, forecasts and revenue trends, investor relations analysis and detailed business trading summaries
  • Follow formal review and approval procedures for major transactions, capital expenditure and revenue expenditure
  • Evaluate compliance with policies and standards that address risk management, compliance, accounting, treasury management, fraud, information security, business continuity and third-party risk
  • Monitor budgetary and performance reviews tied to KPIs and achievement of objectives
  • Conduct detailed performance reviews at a regional level
  • Report to Regional Risk Management Committees, the Security and Continuity Steering Committee and Executive Risk Management Committee, and the Audit Committee on the status of principal and emerging risks, the progress of strategic projects and acquisitions, and escalation of significant accepted risks
  • Global Internal Audit report to the Audit Committee on assurance testing and Confidential Helpline investigation results
  • Group Compliance report to the Audit Committee on fraud management and overall Compliance management
  • Apply a risk scoring system, based on our assessment of the probability of a risk materialising, and its impact if it does
  • Require executive management confirmations of compliance with our corporate governance processes and control environment

Step 3

Risk response

  • Apply active risk remediation strategies, including issue management, internal controls, formal risk acceptance processes, insurance and specialised treasury instruments
  • Use formal review and approval procedures for significant accepted risks
  • Accept or remediate the current risk and control environment
  • Determine corrective action if required

Step 4

Risk reporting and monitoring

  • Maintain comprehensive risk registers representing the current risk and control environment, using a software solution to provide enhanced monitoring
  • Ongoing review of principal risks identified by the Group’s risk assessment processes
  • Report on risk to the Audit Committee, addressing material and emerging risks, including information security, business continuity, and regulatory compliance, as well as material litigation
  • Review of controls and follow-ups by management, governance functions such as Compliance, the Global Security Office, Global Internal Audit and third parties
  • Use Global Internal Audit to independently assess the adequacy and effectiveness of the system of internal controls
  • Review by the Audit Committee of the effectiveness of our systems of risk management and internal control

 


Risk management and internal control systems review

Through a combination of ongoing and annual reviews, the Board is able to review the effectiveness of the Group’s risk management and internal control systems.

We follow the Three Lines of Defence approach to risk management. Risks are owned and managed within the business and reviewed by our businesses at least quarterly. Global governance teams review risks and controls, including those relating to information security, compliance and business continuity. Global Internal Audit assesses our risks and controls independently and objectively. The results of these reviews feed into our reporting cycle, including through the risk management governance structure outlined above.

Risk management is essential in a global, innovation-driven business such as Experian. It helps to create long-term shareholder value and protects our business, people, assets, capital and reputation. It operates at all levels throughout the organisation, across regions, business activities and operational support functions.

Our approach to risk management encourages clear decisions about which risks we take and how we manage them, based on an understanding of their potential customer, financial, regulatory, consumer, legal and reputational impact. As risk management and internal control systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, they can provide reasonable but not absolute assurance against material financial misstatement or loss.

For our Three Lines of Defence see page 86

Effectiveness of the risk management and internal control systems

Experian’s risk programme is regularly reviewed, and in FY18 there was an external benchmarking exercise conducted by PwC. Based on that review, goals were set to further improve different elements of the risk management programme, to ensure the Group remains current with best-in-class risk management practices and to keep pace with changes to both internal and external environments. We engaged an external firm again in FY22 to assess the current state and identify opportunities for improvement. The scope was focused generally on risk management organisational structure and management, with a particular emphasis on operational risk management. The output of the external review work was used to adjust the Enterprise Risk Management (ERM) programme and set goals for the next one to three years. The Audit Committee Chair noted that the update to the Committee allowed it to better connect the various pieces of the ERM framework and further understand overall accountability. The implementation plan contained a number of recommendations on operational risk which would be implemented over a two-year period. The Audit Committee noted the need for further increased role-specific training, and investment for a high level of training in operational risk. The Group also continues to build out its emerging risk dashboard.

In line with the Code, the Audit Committee monitors our risk management and internal control systems, robustly assesses the principal risks identified by our risk assessment processes (including those that would threaten our business model, future performance, solvency or liquidity), and monitors actions taken to mitigate them.

For certain joint arrangements, the Board relies on the systems of internal control operating within Experian partners’ infrastructure and the obligations of partners’ boards, relating to the effectiveness of their own systems. The Code requires companies to review the effectiveness of their risk management and internal control systems, at least annually. The Audit Committee performs this review under delegated authority from the Board.

Following this year’s review, the Board considers that the information it received enabled it to review the effectiveness of the Group’s system of internal control in accordance with the FRC’s ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting’ and that the system has no significant failings or weaknesses.

For more on our approach to risk management see pages 85 to 92

Additional financial reporting internal controls

We have detailed policies and procedures in place to ensure the accuracy and reliability of our financial reporting and the preparation of Group financial statements. This includes our comprehensive Global Accounting Policy and Standards Manual, which contains the detailed requirements of International Financial Reporting Standards (IFRS). The Group’s Financial Reporting team owns the Global Accounting Policy and Standards and we have rolled them out across the Group, obliging all Group companies to follow their requirements. The main objectives of the Policy and Standards are to: provide standards for accounting issues and to act as a reference document for both Experian employees and external auditors; allow for preparation of consistent and well-defined information for financial reporting requirements under IFRS; provide a set of measures to be used for both quantitative and qualitative assessments of Group performance; increase the efficiency of the reporting process; and provide a guide for educating Group personnel in approved standardised finance and accounting procedures.
