Audit and Risk Committee continued 96 Vodafone Group Plc Annual Report 2026
During the year-end close process, the Committee was informed of an error relating to the assessment of the recoverability of a deferred tax asset for a new UK tax group that was formed after the completion of the merger of Vodafone UK and Three UK. This arose from a design and operating deficiency in our internal controls over financial reporting relating to deferred tax accounting. Details of this are set out on page 126. The Committee reviewed management’s assessment of the issue including the root cause, the financial reporting impact and management’s response to the control deficiency, which was classified as a material weakness. It will continue to monitor progress against remediation plans and seek assurance over the design and sustained operating effectiveness of enhanced controls before considering the matter remediated. It was concluded that internal control over financial reporting under Section 404 of the US Sarbanes-Oxley Act was, as a result, not effective. More broadly, where specific areas for improvement were identified across the full scope of our work, remediation actions have been identified. This allows us to provide positive assurance to the Board to help fulfil its existing controls obligations under the UK Corporate Governance Code.
‘Speak Up’ channel
The Group operates a ‘Speak Up’ channel that enables employees to anonymously raise concerns about possible irregularities. The Committee received an update on the operation of the channel together with the output of any resulting investigations from the Chief Human Resources Officer.
This activity was supported by (i) reports from the Group Audit Director, (ii) a review of the Group’s principal risks with the Group Risk and Assurance Director, and (iii) reviews of the Group’s second line of defence with the Global Director of Compliance and Business Integrity, the Group Risk and Assurance Director and the Group Audit Director. Management is responsible for establishing and maintaining adequate internal controls over financial reporting and has responsibility for assessing the effectiveness of those controls. During the year, the Committee received regular updates from management on the Group’s Section 404 compliance programme and the broader financial control environment. The Committee continued to challenge management to ensure that the nature, scope and precision of control activities evolve appropriately in response to changes in the Group’s risk profile, including the introduction of new or non-routine processes. The Committee also took an active role in monitoring the Group’s compliance activities, including receiving reports during the year covering programme-level strategy, the scope of compliance work performed and the results of controls testing. The Committee also received updates from the external auditor on the status and findings of its work. The Committee has completed its review of the effectiveness of the Group’s system of internal control, including risk management, during the year and up to the date of this Annual Report. The review covered all material controls including financial, operating and compliance controls.
Management is responsible for ensuring that issues raised by Internal Audit are addressed within an agreed timetable, and the Committee reviews their timely completion. The Internal Audit function continues to strengthen its effectiveness by investing in new approaches and technologies, particularly artificial intelligence. Its advanced use of data analytics is enabling broader coverage, deeper testing, and more insightful analysis.
Assessment of the Group’s system of internal control, including the risk management framework
The Group’s risk assessment processes and the way in which significant business risks are managed are an area of focus for the Committee. The Committee’s activity here was led primarily, but not solely, by the Group’s assessment of its principal and emerging risks and uncertainties as set out on pages 60 to 62, and a range of mitigations as set out on page 63. The Group has an internal control environment designed to protect the business from the material risks that have been identified. Management is responsible for establishing and maintaining adequate internal controls, and the Committee has responsibility for reviewing the effectiveness of those controls. Oversight of the Group’s compliance activities in relation to Section 404 of the US Sarbanes-Oxley Act also falls within the Committee’s remit. The Committee considered the process by which Group management assessed the control environment, in accordance with both the requirements of the Guidance on Risk Management, Internal Control and Related Financial and Business Reporting published by the FRC and Section 404 of the US Sarbanes-Oxley Act.