Georgia Healthcare Group PLC Annual Report 2018 Governance Audit Committee Report continued Risk management and internal control systems continued 1.Risk management systems continued The Committee is pleased to report that, over 2018, this revised approach toward risk management continues to be embedded across the Group. The risk team has given great focus on toward proactively assisting management in mitigating risks that had been identified. As a consequence, risk mitigation activities are being agreed and acted upon by management ever more promptly, and the understanding across the Group of business risk and risk management activity, at all levels of the business, is growing. This in turn is impacting positively upon the quality of risk reporting, both to management and to the Committee, which continues to improve. The Committee continues to consider risk at both the strategic and business level, and these considerations inform the assessment of the Group’s principal risks and uncertainties, as included elsewhere in this Annual Report. During 2018, the Committee has reviewed a number of strategic, operational and reputational risks, including those related to cyber risk and information security, internal or external fraud or misconduct, as well as undertaking a wider review of strategic, political, business, and environmental and social risks. For more details on the risks facing the business, please see the Principal Risks and Uncertainties section (pages 53 to 59) in this report. The Committee has also considered and confirmed to the Board that its work is performed in accordance with the provisions in the Code and the Financial Reporting Council’s (“FRC”) associated Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. Based on the above, we are satisfied that our overall internal control framework is effective. 2. Internal Audit The Internal Audit function has continued to evolve throughout 2018. Internal audit covers financial, operational and clinical matters identified as key risk areas by the CEO, the CFO, the Head of Clinical Operations and the Head of Risk. Those matters are then presented to and agreed with the Audit and Clinical Quality and Safety Committees so that the focus of internal audit activity is on those issues that are most likely to materially impact on the delivery of the Group’s strategy, thereby ensuring a direct link between the work of the internal audit team and the Group’s strategic objectives. The Internal Audit department serves as the Group’s independent assurance over the adequacy and effectiveness of the corporate and business risk management processes and systems of internal control in place across the Group. The Audit Committee monitors the scope, extent and effectiveness of the Group’s Non-Clinical Audit function. The Committee reviews and approves the Non-Clinical Internal Audit Policy and oversees delivery against the Non-Clinical Internal Audit Plan, which is designed using a risk-based approach aligned to the Group’s wider strategic priorities. Internal audits of clinical processes are reported directly to the Clinical Quality and Safety Committee and are reported upon further in the report of that Committee. Throughout the year, the Committee received regular reports from the Non-Clinical Internal Audit department on its audit activities and significant findings on a range of business-specific areas, including on accounts receivable management processes across the Group, complaints handling processes and a number of follow-up audits to monitor progress on previously identified issues. The Committee is confident that the audit processes in place are effective in identifying control weaknesses and corrective measures. While pleased with the progress that is being made by the Internal Audit team in identifying areas for improvement, and in the ways in which team is getting buy-in from across the business, the Committee will continue to challenge both the Internal Audit function and management more widely to assure focus on the most important issues and improve the speed with which identified deficiencies are acted upon. We also considered the quality of reporting by the Internal Audit function to the Audit Committee. On this basis, the Committee continues to conclude that the Internal Audit function is effective and respected by management and conforms to the standards set by the Institute of Internal Auditors. The Committee is pleased to report that during 2018 and up to the date of this Annual Report, our Internal Audit team did not find any significant weaknesses in our risk management processes or internal controls. The Chief Risk Officer and Head of Internal Audit have direct access to the Audit Committee and the opportunity to discuss matters with the Audit Committee without other members of management present. We also monitor the staffing of the Non-Clinical Internal Audit function as well as the relevant qualifications and experience of the team. 3. External audit With respect to our responsibilities for the external audit process on behalf of the Board, we: • approved the annual audit plan, which includes setting the areas of responsibility, scope of the audit and key risks identified; • oversaw the audit engagement, including the degree to which the external auditor was able to effectively assess key accounting and audit judgements; • reviewed the findings of the external audit team with the external auditor, together with the level of errors identified during the audit; • monitored the responsiveness of the relevant management teams to the external auditor’s findings and recommendations along with any corrective measures taken; • reviewed the content of the management letter issued by the external auditor; • reviewed the qualifications, expertise and resources of the external auditor; • monitored the extent of the external auditor’s independence and objectivity as well as their compliance with ethical, professional and regulatory requirements; • reviewed the level of audit fees and the cost-effectiveness of the audit; • monitored the rotation of key partners of the external audit in accordance with applicable legislation; and • recommended the appointment of the external auditor (as detailed below). 78