Our approach to risk

As highlighted in the strategy and risk sections of the strategic report, risk management is inherent to our management thinking and business-planning processes. The Board has overall responsibility for establishing and maintaining our risk management and internal control systems.

See more on our Principal risks and mitigation and our risk management framework in Managing our risk.

The Board also approved the statement of Principal risks and uncertainties. 

Progress in 2024/25

Each quarter, our CEO and CFO provide a compliance certificate connected to the preparation of our financial results. This includes the policies and procedures for areas of the business under their responsibility and confirms the existence of adequate internal control systems throughout the year. Our committee reviews any exceptions noted in this exercise.

See more on the key features of our internal control system, which assures the accuracy and reliability of our financial reporting.

Working to minimise the risk of fraud, bribery and corruption

Minimising the risk of fraud is one of the key priorities for internal audit, and we do this in a range of ways. These include assessing the quality of balance sheet reconciliations, key judgement matters, tenders and quotations, and controls over payments and associated applications.

The committee received and reviewed reports of attempted and actual fraud incidents during the year. We received comprehensive updates from management on the incidents and reviewed the root cause analysis and remediation plans to address gaps noted.

The committee will continue to monitor the implementation of these plans across all markets, through management updates followed by verification from the internal audit team.

We continue to focus on limiting our potential exposure to bribery and corruption risks, for example by providing mandatory training, reviewing financial records and developing our policies and procedures. Our contract management system includes mandatory certification to our Code of Conduct and anti-bribery and corruption policy. Each year, every employee must take part in computer-based training on anti-bribery and corruption and our Code of Conduct.

Our internal audit team reviews our anti-bribery compliance programme to assess its continued effectiveness. We will continue to assess bribery risks in our markets to refine and improve our anti-bribery compliance programme.

Our committee also monitors and oversees procedures around allegations of improper behaviour and employee complaints.

Whistleblowing procedures

Our whistleblowing programme is a confidential channel through which employees can report unethical practices or wrongdoing. We have an independent whistleblowing process managed by an external professional services firm from its centre of excellence in South Africa.

Throughout the reporting period, we received updates on the volume of reports, key themes emerging from these reports and the results of related investigations. We assess the reports for the category and level of concern and consider these in line with a protocol for review, investigation, action, closure and feedback. This is done independent of management where necessary and involving senior business unit or HR management as appropriate.

We continue to monitor the volume, geographic distribution and range of reports made to the hotline to understand key themes, the results of investigations undertaken, significant regional compliance concerns, and whether access to this facility is less understood or publicised in some countries.

During the 12 months ended 31 March 2025, we investigated 73 incidents (2024: 67) received through various touchpoints and our formal whistleblowing channels. These incidents varied in magnitude and the measures taken in response have been reported to our committee. Of these 73 cases, 89% have been closed. Reports containing allegations of breaches of our Code of Conduct were thoroughly investigated and disciplinary action was taken where appropriate.

The majority of reports received during the period were human resource issues that indicated no compliance concerns or serious breaches of our Code of Conduct.

Our committee chair reports to the Board at each of its meetings on the operation of our Code of Conduct, and anti-bribery, corruption and whistleblowing procedures. This report contains enough detail to enable the Board to oversee these areas and make sure arrangements are in place for a proportionate and independent investigation of related matters and for follow-up action.

Assessing our internal control environment 

The assessment of the operation and effectiveness of the Group’s internal control over financial reporting framework continues to be a priority for the committee during the financial year. This also became important given our secondary listing on the Nigerian Stock Exchange (NGX) where a directive was issued by the Nigerian Securities and Exchange Commission (SEC) requiring companies to comply with Sections 60 to 63 of the Nigerian Investment and Securities Act (ISA) on internal controls.

While the UK Corporate Governance Code issued in 2024 places responsibility on the Board to certify the effectiveness of material internal control, the Nigerian Securities and Exchange Commission requires the CEO and CFO to provide certification and further mandates the statutory auditors of the Company (Deloitte LLP) to provide a limited assurance report on the operating effectiveness of the internal controls over financial reporting.

During the year, the committee reviewed management’s plan and progress towards full compliance to the above requirement and also approved the adoption of the Internal Control – Integrated Framework (2013), issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as the framework which the Group would use to assess controls. The committee received regular updates from management on the progress made to comply with the above requirements and the results of management’s own testing to ensure that controls have been appropriately implemented and are effective.

To provide the committee and the Board with additionally assurance, the Group engaged an external independent evaluation by a Big 4 audit firm in Nigeria, who separately assessed the Group’s compliance with the Nigerian SEC requirements and the effectiveness of the Group’s controls. The Committee also considered the work of internal audit on controls. 

Following this work, the committee was satisfied with the effectiveness of the Group’s internal controls over financial reporting and recommended that appropriate disclosures be made to comply with the Nigeria SEC requirements, with no material control deficiencies identified.

The Group and committee now plan to use this work as a necessary foundation in the journey towards complying with the requirements of Provision 29 of the new UK Corporate Governance Code, noting that the Nigerian SEC requirements only cover financial reporting controls.

The Group’s internal controls over financial reporting disclosures in compliance with ISA in Nigeria are included in the Directors' responsibilities statement. An attestation report from Deloitte UK on management’s assessment of the entity’s internal control over financial reporting is included in the limited assurance section.

Internal audit

The internal audit team provides independent and objective assurance over the design and operating effectiveness of the Group’s system of internal control. Our internal audit team considers compliance with internal policies, regulatory obligations and fraud risk mitigation as part of its independent testing and evaluation. The team is composed of individuals at the Group office and in the operating markets.

Airtel Africa has an internal audit co-sourcing model, where the internal audit activity is supplemented through a partnership with EY as the internal audit service partner. This ensures access to additional specialist skills and an extended knowledge base. The team is governed by the internal audit charter, as approved by the Audit and Risk Committee, and is headed by our chief internal auditor who reports to the committee and the Group CEO. The committee chair regularly meets with the chief internal auditor to discuss the team’s activity and any significant issues arising from its work.

The committee approves the annual audit plan at a special sitting at the beginning of each financial year. We then receive quarterly updates on activities and progress against the plan. During the year, internal audit focused on principal risks as well as emerging key risks, including regulatory compliance, cyber and Information security, and network resilience. The team also undertook a more targeted assurance over the policies and procedures implemented at OpCo level to determine if core processes and controls were adequately defined, documented and available to staff.

All key findings and the corresponding mitigation plans from management are reported quarterly to our committee. We focus more on unsatisfactory audit results and conduct an in-depth review with risk owners for a comprehensive view of how management will address the findings. Internal audit monitors the implementation of all action plans and validates this once completed by management. The committee also reviewed the annual internal audit work plan, received periodic reports on the results of the internal audit work, and monitored management’s responsiveness to the internal auditor’s findings.

In evaluating the work, effectiveness and independence of internal audit, our committee drew its own conclusion based on our experience and regular contact with the chief internal auditor and our internal audit partners.

During the year, the audit team also focused on enhancing its methodology to enable more collaboration between assurance functions, the extended integration of data analytics in audit delivery, and improved learning and development for the audit team. The audit team also continues to work with management to review and monitor fraud risks. All internal audits now consider the risk of fraud.

The key controls programme is now embedded into the internal control programme. We began a review of the programme during the year to ensure that controls continue to address the core risk areas for each function including the Group’s principal risks. This has been completed for Airtel Money and should be completed for the other business functions during the first half of the new financial year. Our committee continues to monitor this programme through half-yearly validation of testing results presented by the internal audit team. To further enhance the assurance of internal control, the audit team validates business key risk indicators and entity- level controls and reports on these to the committee (quarterly and yearly respectively).

The continuous controls monitoring programme has been successfully implemented for the Airtel Money and the Mobile Services business units. This programme (including the technology used) is evolving, and more controls will be included as data becomes available. All business functions will be onboarded and the frequency of testing increased over the next year.