Risk Management and Internal Control Practice - Part 2 (4)
Source: JFU
11 November 2015

JFU Approach to Meeting the New Listing Rule Requirements

This note sets out our analysis of the C.2.4 and C.2.5 requirements and our proposed approach to meeting them, with a summary of action pointers that can be adopted as risk management and internal control policy initiatives.

Analysis of C.2.4 and C.2.5 Requirements

  • Issuers should disclose, in the Corporate Governance Report, a narrative statement on how they have complied with the risk management and internal control code provisions during the reporting period. In particular, they should disclose (C.2.4):

    1. the process used to identify, evaluate and manage significant risks
    2. the main features of the Systems
    3. an acknowledgement by the board that it is responsible for the Systems and for reviewing their effectiveness. It should also explain that such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss
    4. the process used to review the effectiveness of the Systems
    5. the procedures and internal controls for the handling and dissemination of inside information

  • The issuer should have an internal audit function (C.2.5).

JFU Approach 4(a) - (e)

An issuer can first devise a policy statement on risk management and internal control. Upon implementation, the issuer can present the statement in the Corporate Governance Report (CGR) as a disclosure statement in compliance with C.2.4, where the issuer has undertaken all the actions or policy initiatives and the AR report concludes that there is no material departure in practice from the policy as stated.

Where there are any material departures, the disclosure statement is modified accordingly. Any modification is then communicated to the board for its attention and follow-up.

4(a) - (e) Action Pointers

  • Adopt policy statement
  • Implement policy initiatives / actions
  • Ensure AR report concludes no material departures
  • Adopt policy statement as disclosure statement
  • Adopt policy statement with modifications, communicated to board for follow-up

JFU Approach 5

The workgroup ("WG") mentioned in JFU Approach 1(a), "Risk Management and Internal Control Practice - Part 2(1)" dated 21 October 2015, comprises senior members of management drawn from the finance, operations and legal functions, who are responsible for the design, setup and working of the Systems. The administrator who facilitates the running of the workgroup can be the internal auditor or his/her deputy. The internal auditor thereby takes on a formal and pivotal role in ensuring the proper running of the Systems.

For smaller issuers, maintaining a fully fledged internal audit team can be expensive. One option is to outsource the internal audit function to professional service providers. While this is a feasible option from a compliance point of view, it could deter internalization of internal audit expertise and prevent it from being assimilated into the corporate fabric of the issuer. A practical compromise is to outsource the function while having one or two young in-house professionals work with the experienced staff from the service provider, in order to build up sufficient internal resources over time.

