The Directors have responsibility for ensuring that management maintain an effective system of risk management and internal control and for reviewing its effectiveness. Such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement or loss.
Barclays is committed to operating within a strong system of internal control that enables business to be transacted and risk taken without exposing itself to unacceptable potential losses or reputational damage. The Group Internal Control and Assurance Framework (GICAF) is the overarching framework that sets out Barclays approach to internal governance. It establishes the mechanisms and processes by which the Board directs the organisation, through setting the tone and expectations from the top, delegating its authority and monitoring compliance. The purpose of the GICAF is to identify and set minimum requirements in respect of the main risks to achieving the Group’s strategic objectives and to provide reasonable assurance that internal controls are effective. The key elements of the Group’s system of internal control, which is aligned to the recommendations of The Committee of Sponsoring Organizations of the Treadway Commission (COSO), are set out in the risk control frameworks relating to each of the Group’s Key Risks and in the Group operational risk framework. As well as incorporating our internal requirements, these reflect material Group-wide legal and regulatory requirements relating to internal control and assurance. The GICAF is reviewed and approved on behalf of the Chief Executive by the Group Governance and Control Committee at least annually. The Board Risk Committee also reviews the GICAF annually.
Effectiveness of internal controls
The Directors review the effectiveness of the system of internal control semi-annually. An internal control compliance certification process is conducted throughout the Group in support of this review. Key controls are also assessed on a regular basis for both design and operating effectiveness. Issues arising out of business unit risk and control assessments are considered to identify pervasive themes. Where appropriate, issues affecting more than one business unit may be categorised as having Group level significance and are reported to the Board Audit Committee via the Group Governance and Control Committee. The Board Audit Committee monitors resolution of any identified control issues of Group level significance through to a satisfactory conclusion. In addition, regular reports are made to the Board Audit Committee by management, internal audit and the finance, compliance and legal functions covering in particular financial controls, compliance and operational controls.
Risk control framework
Processes are in place for identifying, evaluating and managing the significant risks facing the Group in accordance with the guidance ‘Internal Control: Revised Guidance for Directors on the Combined Code’ published by the Financial Reporting Council (the Turnbull Guidance). The Board regularly reviews these processes through its principal Board Committees. During 2011, the Principal Risks Policy, a material component of the GICAF, was updated to ensure that governance of non-financial risks was expanded and aligned to the structures already in place for financial risks. Regular risk reports are made to the Board covering risks of Group significance including credit risk, market risk, funding risk, operational risk and legal risk. The Board Risk Committee receives reports covering the Principal Risks as well as reports on risk measurement methodologies and risk appetite. Further details of risk management procedures are given in the Risk Management section.
Legal entity governance
During 2011, the Group developed an enhanced policy for the governance of subsidiary entities, increasing focus on, and ensuring senior management’s line of sight to, the legal entity structure of the Group. A framework of varying minimum standards has been introduced, with the most onerous requirements being placed on larger or more complex subsidiaries that are deemed to carry greater risk. Compliance with the enhanced policy is overseen by the Groups Legal Entity Review Committee.
Controls over financial reporting
A framework of disclosure controls and procedures is in place to support the approval of the Group’s financial statements. The Legal and Technical Review Committee is responsible for reviewing the Group’s financial reports and disclosures to ensure that they have been subject to adequate verification and comply with legal and technical requirements, and reports its conclusions to the Disclosure Committee. The Disclosure Committee, which is chaired by the Group Finance Director, considers the content, accuracy and tone of the disclosures, reporting its conclusions to the Group Executive Committee and the Board Audit Committee, both of which review its conclusions and provide further challenge. Finally, the Board reviews and approves results announcements and the Annual Report for publication and ensures that appropriate disclosures have been made. This governance process is in place to ensure both management and the Board are given sufficient opportunity to review and challenge the Group’s financial statements and other significant disclosures before they are made public. It also provides assurance for the Chief Executive and Group Finance Director when providing certifications as required under the Sarbanes-Oxley Act 2002 and recommended by the Turnbull Guidance.
Throughout the year ended 31 December 2011, and to date, the Group has operated a system of risk management and internal control, which provides reasonable assurance of effective and efficient operations covering all controls, including financial and operational controls and compliance with laws and regulations.
Management’s report on internal control over financial reporting
Management is responsible for establishing and maintaining adequate internal control over financial reporting. Internal control over financial reporting is a process designed under the supervision of the principal executive and principal financial officers to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external reporting purposes in accordance with International Financial Reporting Standards (IFRS) as adopted by the European Union and the International Accounting Standards Board (IASB).
Internal control over financial reporting includes policies and procedures that pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect transactions and dispositions of assets; provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accordance with IFRS and that receipts and expenditures are being made only in accordance with authorisations of management and the respective Directors; and provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use or disposition of assets that could have a material effect on the financial statements.
Internal control systems, no matter how well designed, have inherent limitations and may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that internal controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
Management has assessed the effectiveness of internal control over financial reporting as of 31 December 2011. In making its assessment, Management has utilised the criteria set forth by COSO. Management concluded that, based on its assessment, the internal control over financial reporting was effective as of 31 December 2011. Our independent registered public accounting firm has issued a report on the Group’s internal control over financial reporting.
The system of internal financial and operational controls is also subject to regulatory oversight in the United Kingdom and overseas. Further information on supervision by the financial services regulators is provided under Supervision and Regulation in the Risk Management.
Changes in internal control over financial reporting
There have been no changes in the Groups internal control over financial reporting that occurred during the period covered by this report which have materially affected or are reasonably likely to materially affect the Groups internal control over financial reporting.
