Internal audit / Internal control
Internal audit
The internal audit function is fully independent of the day-to-day operations of the Group. It is involved in the assessment of the quality of risk management and internal control and helps to promote and further develop effective risk management within the businesses. Certain internal audit assignments (such as those requiring specialist expertise) continue to be outsourced by the Head of Internal Audit to KPMG LLP as required. A policy has been established regarding the recruitment of staff from both KPMG LLP and PricewaterhouseCoopers LLP. The Head of Internal Audit attends all Audit Committee meetings in addition to having regular meetings with the chairman of that committee. The Audit Committee reviews key performance indicators relating to the activity of the department.
Internal control
In a decentralised Group, where local management has considerable autonomy to run and develop their businesses, a well-designed system of internal control is necessary to safeguard shareholders' investment and the Company's assets. The Directors have overall responsibility for the Group's systems of internal control and for reviewing their effectiveness. In accordance with the guidance set out in the Turnbull Report 'Internal Control: Guidance for Directors on the Combined Code', an ongoing process has been established for identifying, managing and evaluating the risks faced by the Group and has been in place for the full financial year and up to the date on which the financial statements were approved.
These systems are designed to manage rather than eliminate business risk; to safeguard the Group's assets against material loss; to fairly report the Group's performance and position; and to ensure compliance with relevant legislation, regulation and best practice, including that related to social, environmental and ethical matters. The systems provide reasonable, not absolute, assurance against material misstatement or loss and are reviewed by the Board regularly to deal with changing circumstances.
Summaries of the key financial risks inherent in the Group's business are given in the Performance review and in note 26. Risk assessment and evaluation is an integral part of the Group's annual planning cycle. Each business documents the strategic objectives and the effectiveness of the Group's systems of internal control and, as part of this review, each business area and function has been required to identify and document each significant risk, together with the mitigating actions implemented to manage, monitor and report to management on the effectiveness of actions taken.
Group operating companies also submit risk management and internal control representation letters biannually to the Chief Financial Officer, with comments on the control environment within their operations. The Chief Financial Officer summarises these submissions for the Audit Committee and the Executive Committee. The chairman of the Audit Committee reports to the Board on any matters which have arisen from the committee's review of the way in which the risk management and internal control processes have been applied, or any breakdowns in, or exceptions to, these procedures. These processes have been in place throughout the year ended 31 July 2008 and have continued to the date of this report. The Board has reviewed the effectiveness of the Group's system of internal control for the year under review and a summary of the principal control structures and processes in place across the Group is set out below.
Control structures
Whilst the Board has overall responsibility for the Group's system of internal control and for reviewing its effectiveness, it has delegated responsibility for the risk management and internal control programme to the Chief Financial Officer. The detailed review of risk management and internal control has been delegated to the Audit Committee. The management of each Group company is responsible for risk management and internal control within its own business and for ensuring compliance with the Group's policies and procedures. Each Group company has appointed a risk director whose primary role in such capacity is to ensure compliance by local management with the Group's risk management and internal control programme. Both the internal and external auditors have reviewed the overall approach adopted by the Group towards its risk management activities so as to reinforce these internal control requirements.
Control processes
The Board reviews its strategic plans and objectives on an annual basis and approves Group company budgets and strategies in light of these. Control is exercised at Group, continental, cluster and subsidiary board level through monthly monitoring of performance by comparison to budgets, forecasts and cash targets and by regular visits to Group companies by the Group Chief Executive, Chief Financial Officer and continental CEOs. The Board has formal procedures in place for the approval of investment, acquisition and disposal projects, with designated levels of authority, supported by post-investment review processes for major acquisitions or disposals and capital expenditure. The Board takes account of social, environmental and ethical matters in relation to the Group's businesses when reviewing the risks faced by the Group. The Board is conscious of the effect such matters may have on the short- and long-term value of the Company.
