Vodafone 2024 Annual Report

93 Vodafone Group Plc Annual Report 2024

Strategic report



Other information

Internal control and risk management The Committee has the primary responsibility for the oversight of the Group’s system of internal control, including the risk management framework, the compliance framework and the work of the Internal The Internal Audit function provides independent and objective assurance over the design and operating effectiveness of the system of internal control, through a risk-based approach. The function reports into the Committee and, administratively, to the Chief Financial Officer. The function is composed of teams across Group functions and local markets. This enables access to specialist skills through centres of excellence and ensures local knowledge and experience. Cooperation with professional bodies and an information technology research firm has ensured access to additional specialist skills and an advanced knowledge base. Internal Audit activities are based on a robust methodology and the internal quality assurance improvement programme ensures conformity with the International Professional Practices framework, Audit function. Internal Audit which includes the IIA standards and code of ethics and the continuous development of the audit methodology applied. The conformity is reviewed and verified through an external quality assessment by an independent consultancy firm every three years. The Committee has a standing agenda item to cover Internal Audit-related topics. Prior to the start of each financial year, the Committee reviews and approves the annual audit plan, assesses the adequacy of the budget and resources and reviews the strategic initiatives for the continuous improvement of the function’s effectiveness. The audit plan is determined by considering Internal Audit’s rolling review framework and the outputs of a data-driven risk assessment. The Committee reviews progress against the approved audit plan and the results of Internal Audit activities, with a strong focus on unsatisfactory audit results and cross-entity audits, which are audits that are performed across multiple markets with the same scope. Audit results are analysed by process and entity to highlight both changes in the control environment and areas that require attention. During the year, Internal Audit coverage focused on principal risks, including Cyber threat, Data management and privacy and Adverse macro-economic conditions. Through the thematic reviews, assurance was provided across a broad range of areas, including: customer device financing; discount management; Vodafone Business billing processes; M-Pesa operations; security of enterprise customer-provided equipment (‘CPE’); management of end-of-life software risks; identity management; shadow IT; management of network stock; management of payment systems; data privacy; management of customer master data; and the physical security of critical assets. The activities performed by the shared service organisation continue to receive ongoing focus due to their significance across many processes. Management is responsible for ensuring that issues raised by Internal Audit are addressed within an agreed timetable, and the Committee reviews their timely completion. The last independent review of the effectiveness of the Group’s Internal Audit function was performed by Deloitte LLP in January 2022, and the results were presented to the Committee. The review concluded that the Internal Audit function operated in accordance with the Global Institute of Internal Auditors’ International Professional Practices Framework, is at the top of its peer group range and demonstrates areas of innovative practice.

The Internal Audit function continues to invest in several initiatives to improve its effectiveness, particularly in the adoption of new technologies. The innovative use of data analytics has provided broader and deeper audit testing and driven increased insights. Assessment of the Group’s system of internal control, including the risk management framework The Group’s risk assessment process and the way in which significant business risks are managed is an area of focus for the Committee. The Committee’s activity here was led primarily, but not solely, by the Group’s assessment of its principal and emerging risks and uncertainties. Cyber threats remain a major focus for the Committee given the continual threats in this area. The Group has an internal control environment designed to protect the business from the material risks that have been identified. Management is responsible for establishing and maintaining adequate internal controls and the Committee has responsibility for ensuring the effectiveness of those controls. The Committee reviewed the process by which Group management assessed the control environment, in accordance with the requirements of the Guidance on Risk Management, Internal Control and Related Financial and Business Reporting published by the FRC. This activity was supported by (i) reports from the Group Audit Director, (ii) a review of the Group’s principal risks with the Global Head of Risk, (iii) a review of the Group’s second line of defence and policy simplification with the Group General Counsel and Company Secretary, and (iv) a fraud update from the Global Corporate Security and Resilience Director and Global Head of Fraud Management and Investigations. The Group operates a ‘Speak Up’ channel that enables employees to anonymously raise concerns about possible irregularities. The Committee received an update on the operation of the channel together with the output of any resulting investigations. The Committee has completed its review of the effectiveness of the Group’s system of internal control, including risk management, during the year and up to the date of this Annual Report. The review covered all material controls including financial, operating and compliance controls. The Committee confirms that the system of internal control operated effectively for the 2024 financial year. Where specific areas for improvement were identified, mitigating alternative controls and processes were in place. This allows us to provide positive assurance to the Board to help fulfil its obligations under the Code. Compliance with section 404 of the US Sarbanes-Oxley Act Oversight of the Group’s compliance activities in relation to section 404 of the US Sarbanes-Oxley Act and policy compliance reviews also fall within the Committee’s remit. Management is responsible for establishing and maintaining adequate internal controls over financial reporting, and we have responsibility for ensuring the effectiveness of these controls. The Committee received updates on the Group’s work in relation to section 404 compliance and the Group’s broader financial control environment during the year. We continue to challenge management on ensuring the nature and scope of control activities evolve to ensure key risks continue to be adequately mitigated. The Committee also took an active role in monitoring the Group’s compliance activities, including receiving reports from management in the year covering programme-level strategy, the scope of compliance work performed and the results of controls testing. The external auditor also reports the status of its work in relation to controls in its reports to the Committee.

Powered by