INTERNAL CONTROL FRAMEWORK

In 2015 the Committee adopted a formal internal control framework, covering the following areas: business ethics including anti-bribery controls; accountabilities; people management, including succession planning; development and alignment of incentives; risk management processes; internal financial control; crisis management; monitoring and reporting. Since that date, the business has grown significantly and its complexity has increased.

As reported last year, in 2019 we appointed KPMG as our Internal Auditor, and their first project was to complete an independent internal controls ‘health check’ which was presented to the Committee in June 2020. A number of areas for improvement were identified, the first phase of which the Committee, Board and Executive Board supported and built into a detailed and costed programme for FY21 onwards. The initial focus of the plan has been in the areas of: payroll; core controls in finance and supporting IT controls. Good progress has been made during the year against the agreed actions. The report has also informed the priorities in the Internal Audit plan described below.

In December 2020, the Board appointed Deloitte to carry out an end-to-end assessment of our operating capabilities, processes and technologies to ensure that we have the foundations in place to support our ambitious strategic growth plans. The output of this assessment has been built into a three-year plan to update our core systems and processes. While progress is being monitored by the Board, the Committee has oversight of any aspects that impact internal controls and risk management.

INTERNAL AUDIT

KPMG completed its first full year as Internal Auditor in FY21. Reviews completed in the year are set out below:

Payroll
Core financial controls and IT general controls
Cyber security maturity assessment

As noted above, KPMG also conducted a risk assurance mapping exercise in the year. Reports were discussed by the Committee and the Board and a number of recommendations made; these have been reviewed by management and actions have been and are being taken to address them, with appropriate resource and investment allocated. The Committee monitored progress against actions agreed following these reports, as well as the reports received in FY20. The majority of these have been completed in the agreed timescale, and the actions have been incorporated into the rolling internal audit plan.

KPMG completed internal audit reviews of payroll, core financial controls and IT general controls and a cyber security maturity assessment in the year, and a number of recommendations were made. Additional resource was allocated by management to implement priority improvements, a number of which have been completed. In response to the cyber risk materiality assessment, management also decided to adopt the more mature and formal framework of ISO27001.

CYBER SECURITY AND DATA PROTECTION/GDPR

Cyber and data security remains one of the most important risk areas and it is a standing Committee agenda item, as well as being one of the Board’s principal risks, as outlined in the ‘Risks and Uncertainties’ section on page 86 of this Annual Report.

At its ‘What keeps us awake at night?’ discussion in June, cyber and data security was highlighted as a risk that is increasing in both likelihood and severity as cyber criminals become more sophisticated, and the Board has supported the Chief Information Officer, who joined the business in April, on his plans to increase the capability and resource of Dunelm’s internal cyber and data security team. A Head of Information Security has been appointed, and the resource in the team will be further increased in FY22. In the meantime planned improvements will continue. An externally facilitated ‘desktop’ simulation involving a cyber breach scenario was conducted in July 2021, and the learnings implemented into our crisis plan.

There were no reportable data breaches in the year.

AUDIT AND CORPORATE GOVERNANCE REFORM

The Committee has considered and continues to monitor the proposed audit and corporate governance reforms set out in the consultation paper issued by the Department for Business, Energy and Industrial Strategy (BEIS) in March 2021. The Board and the Committee support measures that increase the quality of governance, audit and transparency for the benefit of our shareholders and other stakeholders. As usual, we will aim to apply any changes that are implemented in a pragmatic way, which adds value to our business.

Approved by the Board on 8 September 2021.

Ian Bull
Chair of the Audit and Risk Committee
8 September 2021

DUNELM GROUP PLC ANNUAL REPORT & ACCOUNTS 2021 137