- Ongoing inadequacies in financial controls have resulted in BT submitting its consolidated accounts with caveats.
- IT system weaknesses, and insufficiently robust review of elements of financial information are the source of concerns.
- Governance and compliance solutions from SAP have been flagged as supporting greater resilience for the Group’s future financial controls and risk management.
BT Group’s Annual Report for FY19–20 revealed that the operator was unable to address material weaknesses in its reporting structure and was therefore required to flag to market authorities that there was once again a raised risk of unidentified financial misstatements within its consolidated results. Work is ongoing to remedy the weaknesses, and it appears that back office solutions provider SAP has been tasked with bringing risk management processes up to scratch.
In recent years, BT Group has experienced significant problems with its financial reporting — most notably the BT Italia scandal (BTwatch, #280, #283, and passim) — and has had to acknowledge material weakness in three of the past four years. It appears that a financial controls enhancement programme sparked by the discovery of problems in Italy unearthed additional ongoing problems with risk assessment management and general controls related to IT systems. BT has been quick to stress that the identified weaknesses have not resulted in the identification of any misstatements to date. However, the concern remains that a misstatement would not come to light in a timely manner with the controls currently in place.
A material weakness is described by the USA’s Public Company Accounting Oversight Board as a “deficiency, or a combination of deficiencies, in internal control over financial reporting”, creating a reasonable possibility that a misstatement would not be identified or prevented in a timely manner.
IT vulnerabilities and outsourcing risks
Among the recent problems with BT’s general controls on the IT systems used for financial functions, it was discovered that, within EE, SAP privileged user access to systems was being provided to contractors without sufficient records being kept of work undertaken and any changes made. This weakness, highlighted in May 2019, has now been rectified, and was noted alongside improvements, including strengthening of passwords on legacy systems, and ensuring access to internal systems is terminated promptly when an authorised user leaves the company.
In terms of risk assessment, BT’s Annual Report for FY18–19 had stated that risks associated with material received from some outsourced service organisations working in IT and pension assets valuation had not been properly assessed. Also, it had noted that some information provided by BT entities contributing to the consolidated reports had not been properly assessed for accuracy and completeness. During FY19–20, related transactional risk points were identified and mapped to address internal issues, while documentation and testing of information provided by outsourced organisations was recorded and tested to minimise the risk of misstatements.
Nonetheless, and despite an expectation that all necessary improvements could be finished in FY19–20, the testing and strengthening of all the Group’s remediation plans was not completed in time for external auditor KPMG and BT’s management committee to determine that the material weakness in financial controls has been fully addressed in time for the latest Annual Report.
SAP to the rescue
Although it appears that legacy EE deployments of SAP were among the areas where risk management weaknesses were identified, the Group has turned to the solutions provider for its SAP Governance, Risk and Compliance module to support end‑to‑end monitoring of financial controls and help remedy the problems.
At the end of 2019, SAP trumpeted a new deal with BT Group to support transformation programmes in areas including finance and human resources, with risk compliance among the areas supported by the S/4 HANA Finance application (BTwatch, #309).