Principle 4 — Risk management and internal control systems
"The Board must ensure that the Reporting Entity has an adequate, effective, well-defined and well-integrated risk management, internal control and compliance framework."
46. The Board should, at least annually, conduct a review of the effectiveness of the Reporting Entity's risk management, internal control and compliance framework and should report to the Shareholders that it has done so. The review should cover all aspects of material controls, including management, financial, operational and compliance controls and risk management systems. The Board may satisfy this requirement by instructing an external auditor to undertake the review and report to it on its outcome. They should satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and effective.
47. The Board should establish formal and transparent arrangements for considering how it should apply the financial reporting and internal control systems, and for maintaining an appropriate relationship with its auditors.
48. The Board should establish policies and procedures for the identification and oversight and management of material business risks and disclose a summary of those policies and procedures in its annual report. The Board should also ensure that Senior Management implements the requisite risk management and internal control systems to manage material risks.
Audit committee
49. The Board should establish and maintain an audit committee to monitor and review the Reporting Entity's internal audit function and other internal controls. The main roles and responsibilities of the audit committee should be set out in written terms of reference, be available on the website of the Reporting Entity and include at least the following:
a. monitoring the integrity of the financial statements of the Reporting Entity and any formal announcements relating to the Reporting Entity's financial performance and reviewing significant financial reporting judgements contained in them;
b. reviewing the Reporting Entity's internal financial controls and, unless expressly addressed by a separate risk committee of the Board or the Board itself, internal controls and risk management systems;
c. monitoring and reviewing the effectiveness of the Reporting Entity's internal audit function;
d. making recommendations to the Board in respect of the appointment, re-appointment, removal and terms of engagement, including remuneration, of the external auditor;
e. reviewing and monitoring the external auditor's independence and objectivity and the effectiveness of the audit process;
f. developing and implementing policy on the engagement of the external auditor to supply non-audit services; and
g. reviewing the adequacy of arrangements by which staff of the Reporting Entity may, in confidence, raise concerns about possible improprieties in matters of financial reporting or other matters to ensure that arrangements are in place for the proportionate and independent investigation of such matters and for appropriate follow-up action.
50. The Board should appoint at least two independent non-executive Directors to the audit committee. At least one of the independent non-executive Directors appointed to the audit committee should have recent and relevant financial expertise. The chair of the audit committee should be an independent non-executive Director.
51. A separate section of the annual report should describe the work of the audit committee in discharging its responsibilities. The annual report should also explain to Shareholders how, if the auditor provides non-audit services, auditor objectivity and independence is safeguarded.