The audit committee has a particular role acting independently from the executive to ensure that the interests of shareholders are properly protected in relation to financial reporting and internal control.
- Brian May has chaired the committee since July 2013. He is a serving finance director of a FTSE 100 company and chartered accountant and is considered by the board to have recent and relevant financial experience;
- All members of the committee are independent non-executive directors and the Board is satisfied that the committee as a whole has sectoral competence and its members have an appropriate level of experience of corporate financial matters;
- Other regular attendees at meetings include the Chairman, the CEO, the CFO, the company secretary, the head of audit and risk, the group controller, and representatives from the external auditor KPMG LLP (KPMG);
- The representatives from KPMG and the head of audit and risk are each afforded time with the committee and the company secretary to raise freely any concerns they may have without management being present; and
- The committee is authorised to seek outside legal or other independent professional advice as it sees fit, but has not done so during the year.
Terms of reference – unitedutilities.com/corporate-governance
Audit committee members
Brian May (chair)
Alison Goligher (relinquished 1 July 2017)
Paulette Rowe (appointed 1 July 2017)
All directors have a duty to act in a way that they consider, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole and have regard to other stakeholders as set out in s172 of the Companies Act 2006. The Disclosure and Transparency Rules set out the need for an audit committee and the responsibilities that the committee should fulfil.
In the '2016 Guidance on Audit Committees', which accompanies the 2016 UK Corporate Governance Code against which we are reporting this year, the FRC articulated that whilst all directors have a duty to act in the interests of the company, the audit committee has a particular role, acting independently from the executive to ensure that the interests of shareholders are properly protected in relation to financial reporting and internal control. However, the board has overall responsibility for an organisation's approach to risk management and internal control.
In my following report I have sought to provide shareholders with an understanding of the work that we have done to provide assurance on the integrity of the 2017/18 annual report and financial statements. In reviewing the group's financial statements the committee reviews both the judgements made by management, whether management's accounting policies are appropriate, and the external audit work undertaken by KPMG as set out in the audit plan. KPMG present their audit plan to the committee before the work starts, it includes the areas on which the audit will focus and the materiality thresholds. KPMG's independent auditor's report, setting out its opinions and conclusions, can be found here. Information on the committee's overview of the group's internal controls and risk management activities can be found below.
During the year the committee asked KPMG to perform an in-depth internal quality performance review of the 2016/17 audit as a consequence of the Financial Reporting Council's Audit Quality Report (FRC's AQR) of the 2015/16 audit. As reported in the 2016/17 audit committee report, we were satisfied that KPMG had taken appropriate action to enhance the quality of their audit process relating to the 2016/17 audit. The committee was satisfied with the findings of the in-depth internal quality performance review which were presented to it in September 2017 (see below).
Our 2018 long-term viability statement can be found in the Corporate governance report; we continue to be of the opinion that a period of five years is appropriate to assess the group's viability given the nature of the business and the regulatory investment and planning cycles; and the underlying protection afforded by Ofwat's primary duties to protect consumers' interests, by promoting effective competition wherever appropriate, secure that the company can finance the proper carrying out of these functions – in particular through securing reasonable returns on capital, and secure that water and wastewater supply systems have long-term resilience and that the company takes steps to meet long-term demands for water supplies and wastewater supplies. Further information on our long-term planning cycles can be found in our business model section in the strategic report.
Much of the work of the committee is necessarily targeted at the regulated activities of UUW, which represent over 98 per cent of group revenues and is a reflection of our commitment to safeguarding the interests of our stakeholders, particularly our shareholders and customers.
The committee also reviews the internal control and risk management processes, leaving the review of the significant risks to be undertaken by the board with support from the group audit and risk board (see How we manage risks, and Audit committee).
As chair of the committee I reiterate the board's view (see Letter from the Chairman) that the committee as a whole has sectoral competence as disclosed in the biographies of the relevant committee members (see the biographies of the directors). All members contribute to the work of the committee and have the skills and necessary degree of financial literacy. As non-executive directors, my colleagues and I are of an independent mindset and would have no hesitation in seeking clarification and a full explanation from management or the external auditor on any matter we feel necessary.
We have worked to enhance this report and make it more informative for the reader and we continue to be committed to providing meaningful disclosure of the committee's activities. As chair of the audit committee, I am intent on ensuring that the committee's agenda is kept under review and keeps abreast of relevant developments. The details of the annual evaluation process of the committee's performance, which was conducted by Lintstock Consultants, can be found in the Corporate governance report.
The following report was approved by the committee at its meeting held on 16 May 2018.
Chairman of the audit committee
Pictured: Paulette Rowe, Brian May and Stephen Carter
Main responsibilities of the committee
- Make a recommendation to the board for the appointment or reappointment of the auditor, and to be responsible for the tender of the audit from time to time and to agree the fees paid to the auditor;
- Establish policies for the provision of any non-audit services by the auditor;
- Review the scope and the results of the annual audit and report to the board on the effectiveness of the audit process and how the independence and objectivity of the auditor has been safeguarded;
- Review the half-year and annual financial statements and any announcements relating to financial performance, including reporting to the board on the significant issues considered by the committee in relation to the financial statements and how these were addressed;
- Review the scope, remit and effectiveness of the internal audit function and the group's internal control and risk management systems;
- Review the group's procedures for whistleblowing, reporting fraud and other inappropriate behaviour and to receive reports relating thereto; and
- Report to the board on how it has discharged its responsibilities.
What has been on the committee's agenda during the year
The committee has an extensive agenda of items of business focusing on the audit, assurance and risk processes within the business which it deals with in conjunction with senior management, the auditor, the internal audit function and the financial reporting team. In doing so it ensures that high standards of financial governance in line with the regulatory framework as well as market practice for audit committees going forward are maintained. There were four scheduled meetings of the committee during the year. Items of business considered by the committee during the year are set out in the table below.
- Considered the issues and findings brought to the committee's attention by the internal audit team and satisfying itself that management has resolved or is in the process of resolving any outstanding issues or concerns;
- Reviewed the reports from the financial reporting team on the financial statements, and considering matters such as the accounting judgements and policies being applied and how the statutory audit contributed to the integrity of the financial reporting;
- Reviewed the regulatory reporting process relating to the annual performance report for UUW as required to be submitted to Ofwat and noted the differences between the regulatory and statutory accounts;
- Reviewed the company's responses to changes to International Financial Reporting Standards (IFRS) in particular IFRS 9 financial instruments, IFRS 15 revenue from contracts with customers and IFRS 16 leases;
- Reviewed the proposed audit strategy for the 2017/18 statutory audit, including the level of materiality applied by KPMG, audit reports from KPMG on the financial statements and the areas of particular focus for the 2017/18 audit and tasking management to resolve any issues relating to internal controls and risk management systems;
- Reviewed the basis of preparation of the financial statements as a going concern (prior to making its recommendations to the board) as set out in the accounting policies;
- Reviewed the long-term viability statement prior to making its recommendations to the board;
- Reviewed the results of the committee's assessment of the effectiveness of the 2016/17 external audit and confirmation of the independence of the auditor and made a recommendation to the board on the reappointment of KPMG at the forthcoming annual general meeting;
- Reviewed the 2017/18 annual report and financial statements and provided a recommendation to the board that they complied with the Code principle to be 'fair, balanced and understandable';
- Reviewed KPMG's internal quality performance report in relation to its review of the 2016/17 audit;
- Monitored the completion of actions relating to the risk management framework identified following the Lancashire water quality incident;
- Reviewed the effectiveness of the risk management and internal control systems prior to making a recommendation to the board;
- Reviewed the statutory audit fee for the year ended 31 March 2018;
- Reviewed and approved the non-audit services and related fees provided by the statutory auditor for the year 2017/2018; approval of a revised policy on non-audit services provided by the auditor for 2018/19 which is in accordance with the European Union Audit Directive and Audit Regulation which came into force in the UK from 17 June 2016;
- Monitored incidents of whistleblowing and fraud reporting;
- Biannual oversight and monitoring of the group's compliance with the Bribery Act which the board then reviews annually;
- Approved the strategic internal audit planning approach and reviewed reports on the work of the internal audit function from the head of audit and risk;
- Reviewed the quality and effectiveness of internal audit and the effectiveness of the current co-source arrangements; and
- Reviewed the committee's terms of reference and the conclusions of the committee's annual evaluation. The externally facilitated evaluation was undertaken as part of the overall board evaluation. The review explored: time management and the composition of the committee; the committee's processes and support; and the agenda and work of the committee. All elements of the workings of the committee reviewed were highly rated. It was concluded that the committee continued to be effective.
How we assessed whether 'the annual report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the company's position and performance, business model and strategy'
The committee, further to the board's request, has reviewed the annual report and financial statements with the intention of providing advice to the board on whether, as required by the Code, 'the annual report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the company's position and performance, business model and strategy'.
To make this assessment, the committee received copies of the annual report and financial statements to review during the drafting process to ensure that the key messages being followed in the annual report were aligned with the company's position, performance and strategy being pursued and that the narrative sections of the annual report were consistent with the financial statements. The significant issues considered by the committee in relation to the financial statements were consistent with those identified by the external auditor in their report.
The committee received regular updates on the calculation of underlying operating profit measures as one of the principal alternative performance measures (APMs). A guide to APMs can be found in the Financial performance section. APMs are used in accordance with the ESMA guidelines and management highlight any impact on APMs as a result of changes to accounting methods/transactions.
The key performance indicators included in the strategic report were, amongst others, those used by management and some of which reflect the regulatory measures to be monitored by either Ofwat, the DWI or the EA during the 2015–20 period.
In addition, the committee was satisfied that all the key events and issues which had been reported to the board in the CEO's monthly report during the year, both good and bad, had been adequately referenced or reflected within the annual report.
How we assessed the effectiveness of the external audit process
The committee, on behalf of the board, is responsible for the relationship with the external auditor, and part of that role is to examine the effectiveness of the audit process. Audit quality is a key requirement of the external audit process.
We reported last year that the FRC had undertaken a review of KPMG's audit of the company for the 2015/16 financial year, referred to as the FRC's AQR, and it was confirmed that KPMG had taken appropriate action to enhance the quality of the audit process for the 2016/17 financial year.
The committee asked KPMG to undertake an in-depth internal quality performance review of the 2016/17 audit. The review was undertaken by a recently retired partner of KPMG who regularly undertakes quality control reviews of KPMG audits. The reviewer confirmed to the committee that the principal findings of the FRC's AQR had been adequately addressed in the 2016/17 audit. KPMG work to their own audit quality framework, with a view to ensuring that their employees concentrate on the fundamental skills and behaviours required to deliver an appropriate and independent opinion. As a further commitment to improving audit quality, KPMG provided extra resource, to supplement the usual audit team ensuring additional oversight and review of the 2017/18 audit.
Prior to the statutory audit work starting, KPMG presented the strategy and scope of the audit for the forthcoming financial year, highlighting any areas which would be given special consideration. KPMG then report against this audit scope at subsequent committee meetings providing an opportunity for the committee to monitor progress. Private meetings are held at each committee meeting between the audit committee, the company secretary and representatives of the external auditor without management being present in order to encourage open and transparent feedback by both parties.
On completion of the audit process at the full-year, all members of the committee, as well as key members of the senior management team and those who regularly provide input into the audit committee or have regular contact with the auditor, were required to complete a feedback questionnaire seeking their views on how well KPMG performed the year-end audit.
Views of the respondents were sought in terms of:
- The robustness of the audit process and degree of challenge to matters of significant audit risk and areas of management subjectivity;
- The quality of the delivery of the audit;
- The expertise of the audit team conducting the audit;
- That the degree of professional scepticism applied by the auditor was appropriate;
- The appropriateness of the communication between the committee and the auditor in terms of technical issues;
- The quality of the service they gave;
- Their views on the quality of the interaction between the audit partner, the audit director and the company; and
- Whether the statutory audit contributed to the group's financial reporting.
The feedback was collated and presented to the committee's meeting in November 2017, at which the conclusions were discussed and any opportunities for improvement brought to the attention of the external auditor.
In summary, the committee concluded that the overall external audit process and services provided by KPMG were satisfactory and effective.
How we assessed the independence of our external auditor
There are two aspects to auditor independence that the committee monitors to ensure that the external auditor remains independent of the company.
First, in assessing the independence of the auditor from the company the committee takes into account the information and assurances provided by the external auditor confirming that all its partners and staff involved with the audit are independent of any links to United Utilities. KPMG confirmed that all its partners and staff complied with their ethics and independence policies and procedures which are fully consistent with the FRC's Revised Ethical Standard 2016 (FRC's Ethical Standard) including that none of its employees working on our audit hold any shares in United Utilities Group PLC. KPMG is also required to provide written disclosure at the planning stage of the audit about any significant relationships and matters that may reasonably be thought to have an impact on its objectivity and independence and that of the lead partner and the audit team. The lead partner must change every five years and other senior audit staff rotate at regular intervals.
Second, the committee develops and recommends to the board the company's policy on non-audit services and associated fees that are paid to KPMG. The EU Audit Directive (2014/56/EU) and Audit Regulation (537/2014) (the Regulation) came into force in the UK on 17 June 2016. Associated guidance was included in the FRC's Ethical Standard, which prohibits the statutory auditor from providing certain non-audit services to public interest entities (i.e. United Utilities Group PLC) as such services could impede their independence. The FRC's Ethical Standard clarified that non-audit services would be subject to a fee cap of no more than 70 per cent of the average annual statutory audit fee for the three consecutive financial periods preceding the financial period in which the cap will apply. The cap will first apply for the group in the year ending 31 March 2021 and, as such, the year ended 31 March 2018 will be the first year of the initial three-year rolling period over which the annual statutory audit fee will be measured for this purpose. In March 2017, the committee revised its non-audit services policy incorporating the 70 per cent fee cap as described above with effect from 1 April 2017. Furthermore, a limit of £10,000 is applied for individual items that the CFO can approve, with individual items in excess of £10,000 requiring the approval of the committee.
Fees for non-audit services are shown in the bar chart below (2018: £80,000) and represent 21 per cent of the total audit fees. Non-audit services fees for the prior years (2017: £201,000; 2016: £288,000) were considerably higher reflecting the inclusion of fees paid to Makinson Cowell, a subsidiary of KPMG, which provided investor relations services to the group until 31 March 2017. Such services are regarded to be a prohibited service under the Regulation. Fees paid to KPMG also include the cost of the UUW regulatory assurance work they undertake which is separate to the regulatory audit. Whilst this work could be performed by a different firm, the information is in fact more granular breakdowns of data that forms part of the statutory audit, and by KPMG undertaking the work it reduces duplication and saves considerable cost.
Work undertaken by KPMG in auditing management's methodology and processes in the implementation of the new international financial reporting standards and related disclosures and judgements is included in the statutory audit fee.
Taking into account our findings in relation to the effectiveness of the audit process and in relation to the independence of KPMG, the committee was satisfied that KPMG continues to be independent, and free from any conflicting interest with the group.
External auditor reappointment
We last undertook a formal tender process for statutory audit services in 2011. KPMG commenced their appointment as auditor and presented their first report to shareholders for the year ended 31 March 2012. Audit partners must rotate every five years. Bill Meredith, who has considerable audit experience of other FTSE 100 utility companies, was appointed as the lead audit partner for the year ended 31 March 2017. The 2017/18 year end audit has been KPMG's seventh consecutive year in office as statutory auditor. As previously reported, the most recent audit tender review was undertaken in September 2015, when it was concluded that the committee would next undertake a competitive tender for statutory audit services for the year ended 31 March 2022, most probably during 2020. This was felt to be an appropriate point in the regulatory cycle, due to the benefits of having an experienced audit team in place in the run-up to the 2019 price determination for the regulatory period commencing on 1 April 2020. United Utilities has complied fully with the provisions of The Statutory Audit Services for Large Companies Market Investigation (Mandatory Use of Competitive Tender Processes and Audit Committee Responsibilities) Order 2014 for the year ended 31 March 2018.
As a result, the committee recommended to the board that KPMG be proposed for reappointment at the forthcoming AGM in July 2018. There are no contractual obligations that restrict the committee's choice of external auditor; the recommendation is free from third-party influence and no auditor liability agreement has been entered into.
- Statutory audit - group and company
- Statutory audit - subsidiaries
- Regulatory audit services provided by the statutory auditor
- Other non-audit services
- Prior year comparatives for 2016 in the above table have been re-presented to reflect the classification of services provided by the auditor that will be adopted prospectively in accordance with the audit committee's policy.
Significant issues considered by the committee in relation to the financial statements and how these were addressed
In relation to the group's financial statements, the committee reviewed the following principal areas of judgement (as noted in the accounting policies):
Capitalisation of fixed assets
Fixed assets (see note 9 and note 10) represent a subjective area, particularly in relation to costs permitted for capitalisation and depreciation policy.
- In considering the work performed by KPMG during the year in this area, the committee assessed the reasonableness of the group's capitalisation policy and the basis on which expenditure is determined to relate to the enhancement or maintenance of assets. These were both deemed to be appropriate; and
- The committee also reviewed the recovery of the capital overhead rate which management has applied during the year and which the committee had approved in the year ended 31 March 2015 for the five-year regulatory period ending 31 March 2020. The committee concluded that the rate still remained appropriate.
Revenue recognition and allowance for doubtful receivables
Due to the nature of the group's business, the extent to which revenue is recognised and doubtful customer debts are provided against is an area of considerable judgement and estimation.
- The committee reviewed the current levels of doubtful debt and credit note provisioning (see note 14) for more detail). The committee challenged management over the appropriateness of the overall levels of provisioning following these reviews and was satisfied that the resulting net debtor balance was appropriate.
The group's defined benefit retirement schemes are an area of considerable judgement, the performance and position of which is sensitive to the assumptions made.
- The committee sought from management an understanding as to the factors which led to the increase in the IAS 19 net retirement benefit surplus during the period and noted that the scheme specific funding basis had not been impacted by this volatility. Management presented an explanatory note (see A5 Retirement benefits) in order to communicate most effectively what is a complex area for the benefit of the group's stakeholders. The committee was satisfied with the explanations provided by management and following a review of the explanatory note approved its inclusion in the financial statements; and
- The committee reviewed the methodology and assumptions used in calculating the defined benefit scheme IAS 19 surplus (see A5 Retirement benefits for more details). The group employs the services of an external actuary to perform these calculations and determine the appropriate assumptions to make. KPMG presented a report showing how the assumptions applied compared to their client base. After considering the above, the committee concluded that the approach taken and assumptions made were appropriate and fairly balanced in determining the net retirement benefit surplus.
Provisions and contingencies
The group makes provisions for contractual and legal claims which, by their nature, are subjective and require management to arrive at a best estimate as to the probable outcomes and costs associated with each individual case.
- The committee received regular updates on new and existing claims being made against the group and the extent to which these have been provided for (see note 19). The committee focused their attention on the more significant items and discussed the judgements made by management in arriving at appropriate provisions in relation to these matters; and
- Based upon the facts behind each provision and taking account of any relevant legal advice that may have been received as well as the past experience of management in making such provisions and challenging where necessary the views taken by management and through the assurance provided by KPMG who cover these as part of their audit, the committee concluded that the provisions management had made were appropriate.
Carrying value of loans to and investments in joint ventures
The group has interests relating to its joint ventures in the form of equity investments (see note 11) and loans receivable (see A6 Related party transactions), the recoverability of which are considered with reference to the estimated future cash flows of the joint ventures. Management tests whether any impairment exists in relation to the equity investments and loans receivable if adverse changes in conditions associated with the joint ventures suggest that this is appropriate. The committee scrutinised the impairment assessments performed by management during the year by reviewing the valuations that underpin the carrying values of these amounts and challenging the methodology and assumptions used. Following robust discussion on this issue, the committee confirmed that it was satisfied that the carrying values of these interests as at the reporting date were recoverable.
Derivative financial instruments
The group has a significant value of swap instruments, the valuation of which is based upon models which require certain judgements and assumptions to be made (see A4 Financial risk management). Management performs periodic checks to ensure that the model derived valuations agree back to third-party valuations and KPMG check a sample against their own valuation models. It was confirmed to the committee that such testing had been undertaken during the year and there were no significant issues identified.
Underlying operating profit adjustments
During the year the committee considered and challenged management's treatment of items as adjustments to underlying operating profit (see Financial performance) and satisfied itself that those items being reported as adjustments met the requirements of the group's policy.
In reading the above significant issues considered by the committee, shareholders might also wish to examine the auditor's report and their assessment of risks of material misstatement in the Independent auditor's report.
New accounting standards
The group will adopt a number of new accounting standards in the coming years, with IFRS 9 'Financial Instruments' and IFRS 15 'Revenue from Contracts with Customers' becoming effective on 1 April 2018 and IFRS 16 'Leases' coming into effect on 1 April 2019. The committee reviewed and approved the proposed judgements and disclosures associated with the implementation of these standards, with a particular focus on those relating to accounting for capital income under IFRS 15.
Read more about Our business model
Read more about the Principal risks and uncertainties
Read more online at www.unitedutilities.com/corporate/about-us/our-future-plans/our-long-term-strategy/
The main features of the group's internal controls and risk management systems are summarised below:
a. Internal audit function
The internal audit function is a key element of the group's corporate governance framework. Its role is to provide independent and objective assurance, advice and insight on governance, risk management and internal control to the audit committee, the board and to senior management. It supports the organisation's vision and objectives by evaluating and assessing the effectiveness of risk management systems, business policies and processes, systems and key internal controls. In addition to reviewing the effectiveness of these areas and reporting on aspects of the group's compliance with them, internal audit makes recommendations to address any key issues and improve processes, and as such, provides an indication of the behaviours being exhibited by employees in the areas under review. Once any recommendations are agreed with management, the internal audit monitors their implementation and reports to the committee on progress made at every meeting.
A five-year strategic audit planning approach is applied. This facilitates an efficient deployment of internal audit resource in providing assurance coverage over time across the whole business, as well as greater variation in the nature, depth and breadth of audit activities. This strategic approach supports the annual audit plan, which is then endorsed by management, and which the committee also approves. The plan focuses the team's work on those areas of greatest risk to the business. Building on the strategic planning approach, the development of the plan considers risk assessments, issues raised by management, areas of business and regulatory change, prior audit findings and the cyclical review programme. The purpose, scope and authority of internal audit is defined within its charter which is approved annually by the audit committee.
The in-house team is expanded as and when required with additional resource and skills sourced from external providers – primarily PwC at present. The committee keeps the relationship with PwC under review to ensure the independence of the internal audit function is maintained and there is a documented process to manage possible conflicts of interest with the co-sourced resource. In the course of its work, the internal audit function also liaises with the statutory auditor, discussing relevant aspects of their respective activities which ultimately supports the assurance provided to the audit committee and board. During the year, the committee reviewed the current operating model in particular the balance of in-house versus co-sourced resource and concluded that, while minor improvements were identified, the current approach was satisfactory.
b. Assessing the effectiveness of the internal audit function
The effectiveness of the internal audit function's work is continually monitored using a variety of inputs including the ongoing audit reports received, the audit committee's interaction with the head of audit and risk, an annual review of the department's internal quality assurance report, a quarterly summary dashboard providing a snapshot of the progress against the internal audit plan tabled at each committee meeting as well as any other periodic quality reporting requested.
An annual stakeholder survey in the form of a feedback questionnaire is circulated to committee members, senior management and other managers who have regular contact with the internal audit function, including representatives from the external auditor KPMG and the co-source audit provider PwC. The responses were anonymous to encourage open and honest feedback, and were consistently favourable as were previous surveys.
From time to time, the quality and effectiveness of the internal audit function is also assessed externally, and was most recently undertaken in 2015. Taking all these elements into account, the committee concluded that the internal audit function was effective and appropriate resources were available as required. An external assessment will next be undertaken in 2018/19.
Internal audit, led by the head of audit and risk, covers the group's principal activities and reports to the committee and functionally to the CFO. The head of audit and risk attends all scheduled meetings of the audit committee, and has the opportunity to raise any matters with the members of the committee at these meetings without the presence of management. He is also in regular contact with the chair of the committee outside of the committee meetings.
c. Risk management systems
The committee receives updates and reports from the head of audit and risk on key activities relating to the company's risk management systems and processes at every meeting. These are then reported to the board, as appropriate. The group designs its risk management activities in order to manage rather than eliminate the risk of failure to achieve its strategic objectives.
The CFO has executive responsibility for risk management and is supported in this role by the head of audit and risk and the corporate risk manager and his team. The group audit and risk board (GARB) is a sub-committee of the executive team. The GARB meets quarterly and reviews the governance processes and the effectiveness and performance of these processes along with the identification of emerging trends and themes within and across the business. The work of the GARB then feeds into the information and assurance processes of the audit committee and into the board's assessment of risk exposures and the strategies to manage these risks.
Supplementing the more detailed ongoing risk management activities within each business area, the bi-annual business unit risk assessment process (BURA) seeks to identify how well risk management is embedded across the different teams in the business. The BURA involves a high level review of the effectiveness of the controls that each business unit has in place to mitigate risks relating to activities in their business area, while also identifying new and emerging risks and generally to facilitate improvements in the way risks are managed. The outcome of the BURA process is communicated to the executive team and the board. This then forms the basis of the determination of the most significant risks that the company faces which are then reviewed by the board. The group utilises risk management software to underpin the company's risk management process. The maturity of the risk management framework and its application across the business is assessed on an annual basis against a defined maturity model. This assessment provides an objective appraisal of the degree of maturity in how the risk management system is being applied and the quality of each risk in terms of quantification and management. The results of the maturity assessment are reported to the GARB, and actions agreed with business units.
An external assessment of the risk management process took place in 2015/16 as part of the internal investigation of the Lancashire water quality incident that occurred in August 2015. The committee was responsible for monitoring progress of the implementation of the actions identified to improve the risk management framework. It was confirmed to the committee that all relevant actions had been completed in November 2017. An internal audit confirmed the completion of the Lancashire water quality incident risk management actions and reaffirmed that the risk management framework was in line with good practice.
d. Internal controls
The committee reviews the group's internal control systems and receives updates on the findings of internal audit's investigations at every meeting, prior to reporting any significant matters to the board. Internal control systems are part of our 'business as usual' activities and are documented in the company's internal control manual which covers financial, operational and compliance controls and processes. Internal control systems are the responsibility of the CFO, with the support of the GARB, the financial control team and the internal audit team, although the head of audit and risk and his team are directly accountable to the audit committee.
Confirmation that the controls and processes are being adhered to throughout the business is the responsibility of managers, but is continually tested by the work of the internal audit team as part of its annual plan of work which the committee approves each year as well as aspects being tested by other internal assurance providers. Compliance with the internal control system is monitored annually by the completion of a self-assessment checklist by senior managers in consultation with their teams. The results are then reviewed and audited on a sample basis by the internal audit team and reported to the committee.
e. Whistleblowing, anti-fraud and anti-bribery
The audit committee is responsible for reviewing the group's arrangements for individuals to raise concerns and the arrangements for investigation of such matters and for the company's procedures for detecting fraud and systems and controls for preventing other inappropriate behaviour. The group's whistleblowing policy supports the culture within the group where genuine concerns may be reported and investigated without reprisals for whistleblowers.
The company operates an independently provided, confidential reporting telephone helpline and web portal for employees to raise matters of concern in relation to fraud, dishonesty, corruption, theft, security and bribery. Furthermore, employees are encouraged to raise any matters relating to health and safety and any activities of the business which have caused or may cause damage to the environment, such as pollution or other contamination. Alternatively, any matters of concern can also be raised with their manager, their human resources business partner or another senior manager. Employees can remain anonymous if they wish. All concerns are investigated fully, whether they are raised with a manager, or via the confidential helpline/web portal.
In the first instance of an incident being reported, a summary of the allegations are passed to the fraud and whistleblowing committee (consisting of the company secretary, customer services and people director, commercial director and head of internal audit and risk) to decide on the appropriate course of action and investigation and by whom.
The audit committee is kept fully appraised in regular updates on the progress of investigation of cases of whistleblowing and alleged fraud and the findings of any investigation and remedial actions. A number of employees have been selected and received specialist training in order to conduct investigations of cases of whistleblowing and alleged fraud.
The company has an anti-bribery policy to prevent bribery being committed on its behalf, which all employees must follow, and processes in place to monitor compliance with the policy. As part of the anti-bribery programme, employees are also required to comply with the group's hospitality policy. The hospitality policy permits employees to accept proportionate and reasonable hospitality for legitimate business purposes only. Our employees and representatives of our suppliers must also comply with the group's sustainable supply chain charter which explains that we will not tolerate corruption, bribery and unfair anti-competitive actions and we expect our suppliers to comply with applicable laws and regulations and in particular never to offer or accept any undue payment or other consideration, directly or indirectly, for the purposes of inducing any person or entity to act contrary to their prescribed duties.
As part of the internal control self-assessment checklist (part of the group's internal control processes), senior managers in consultation with their teams are required to confirm, amongst other things, that they have complied with the group's anti-bribery and hospitality policies. The anti-bribery programme is monitored and reviewed biannually by the committee.
The anti-bribery policy is available on the company's website at unitedutilities.com/corporate/about-us/governance/
The sustainable supply chain charter is available at unitedutilities.com/corporate/responsibility/stakeholders/suppliers/