Risk Management and Internal Control Practice - Part 1
Source : JFU
14 October 2015
Are you Ready for the New Listing Rule Requirements?
The Hong Kong Stock Exchange issued new code provisions in Appendix 14 (C.2) of the Listing Rules which will be effective on 1 January 2016 regarding the effectiveness of a listed company’s risk management and internal control. Highlight of the new code provisions includes:
- Requirement that the board of directors ("BOD") give an assessment of the company’s risk management and internal control effectiveness in its Corporate Governance Report.
- Definition of the roles and responsibilities of the BOD and management regarding the Company’s risk management and internal control.
- Emphasis on BOD’s continuous monitoring of the integrity and effectiveness of the risk management and internal control systems.
- Requirement to disclose significant finding identified in the Corporate Governance Report.
- Emphasis on the internal audit function to strengthen the monitoring of the risk management and internal control systems. All listed companies must disclose its compliance with the new code provisions and any significant finding in their Corporate Governance Report.
Our firm has devised a model practice to comply with the new code provisions, which we are happy to share with our clients and friends. Before we do so, let's firstly take a look at the new listing rule requirements on risk management and internal control.
Listing Rule Requirements
By way of code provisions set out in Appendix 14 (C.2), the Listing Rule requires that:
- The board should oversee the issuer's risk management and internal control systems ("Systems") on an ongoing basis, ensure that a review of the effectiveness of the issuer's and its subsidiaries' Systems has been conducted at least annually and report to the shareholders that it has done so in its Corporate Governance Report. The review should cover all material controls, including financial, operational and compliance controls. (C.2.1)
- The board's annual review should, in particular, ensure the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer's accounting, internal audit and financial reporting functions. (C.2.2)
- The board's annual review should, in particular, consider (C.2.3):
- the changes, since the last annual review, in the nature and extent of significant risks, and the issuer's ability to respond to changes in its business and the external environment;
- the scope and quality of management's ongoing monitoring of risks and of the internal control systems, and where applicable, the work of its internal audit function and other assurance providers;
- the extent and frequency of communication of monitoring results to the board which enables it to assess control of the issuer and the effectiveness of risk management;
- significant control failings or weaknesses that have been identified during the period. Also, the extent to which they have resulted in unforeseen outcomes or contingencies that have had, could have had, or may in the future have, a material impact on the issuer's financial performance or condition; and
- the effectiveness of the issuer's processes for financial reporting and Listing Rule compliance.
- Issuers should disclose, in the Corporate Governance Report, a narrative statement on how they have complied with the risk management and internal control code provisions during the reporting period. In particular, they should disclose (C.2.4) :
- the process used to identify, evaluate and manage significant risks;
- the main features of the Systems
- an acknowledgement by the board that it is responsible for the Systems and reviewing their effectiveness. It should also explain that such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss;
- the process used to review the effectiveness of the Systems
- the procedures and internal controls for the handling and dissemination of inside information
- The issuer should have an internal audit function (C.2.5).
Ms. Law for more information
Tel: +(852) 3719 6000