Principle 4 — Risk management and internal control systems

Rule 9.2.6

"The Board must ensure that the Reporting Entity has an adequate, effective, well-defined and well-integrated risk management, internal control and compliance framework."

46. The Board should, at least annually, conduct a review of the effectiveness of the Reporting Entity's risk management, internal control and compliance framework and should report to the Shareholders that it has done so. The review should cover all aspects of material controls, including management, financial, operational and compliance controls and risk management systems. The Board may satisfy this requirement by instructing an external auditor to undertake the review and report to it on its outcome. They should satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and effective.
47. The Board should establish formal and transparent arrangements for considering how it should apply the financial reporting and internal control systems, and for maintaining an appropriate relationship with its auditors.
48. The Board should establish policies and procedures for the identification, oversight and management of material business risks and disclose a summary of those policies and procedures in its annual report. The Board should also ensure that Senior Management implements the requisite risk management and internal control systems to manage material risks.