Internal Control and Risk Management – A Basic Framework
FOREWORD
Since the formation of the Corporate Governance Committee in 1995, the Hong Kong Institute of Certified
Public Accountants is proud to have been playing a leading role in promoting greater awareness and
higher standards of corporate governance in Hong Kong. The Institute believes that good corporate
governance is fundamental to attracting investment, stimulating economic growth and reducing the cost
of capital. It is also vital to Hong Kong’s role as one of the world’s major financial centres and the premier
international capital market for Mainland China and the region.
We are supportive, therefore, of the Stock Exchange of Hong Kong Limited’s recent amendments to the
Listing Rules to introduce the Code on Corporate Governance Practices (“the Code”) and the requirements
in relation to the Corporate Governance Report. These changes will raise the bar for listed companies in
Hong Kong in terms of their corporate governance practices and disclosures.
This guide on internal control and risk management has been developed at the invitation of the Stock
Exchange, with the primary objective of providing general guidance and recommendations on a basic
framework of internal control and risk management. It draws on important overseas studies, which are
acknowledged benchmarks of international good practice, while at the same time taking into account
the current situation of the Hong Kong market. We believe that the principles and recommendations
contained in this guide should help listed companies to understand and implement the requirements in
the Code relating to internal control, and to devise their own internal control procedures that have regard
to the specific circumstances and characteristics of their business.
Enhancing corporate governance is not simply a matter of imposing rules and laws but about promoting
and developing an ethical and healthy corporate culture. I hope that this guide makes it abundantly
clear that establishing a sound system of internal control and reviewing its effectiveness is not an exercise
in learning how to comply with unwelcome and onerous regulatory requirements but, rather, it is about
implementing mechanisms that will help a company to achieve its corporate objectives and fulfil the
expectations of its shareholders and stakeholders. At the basic level, the guide emphasises that, as a
precondition for having effective controls, a company must ensure that it has clear objectives that are
agreed by the board and well-understood by the senior management and employees. The company
should then identify, assess and prioritise the risks that could prevent it from achieving those objectives,
and establish processes to manage them effectively. It must also have in place early warning indicators so
that if things go off course, the situation is quickly identified and brought to the attention of the appropriate
people for action. For this to happen, there also needs to be good communication and an effective flow
of information, both internally and with external parties, such as auditors and regulators. Finally, ongoing
monitoring and reviews of the system are required because the business environment and conditions
continue to change.
Unfortunately, there are far too many companies where some, or all, of these elements have been lacking
and, indeed, some of them have failed because of it, despite having, on paper, good business prospects.
Some have grown too fast, and generally outrun the ability of their internal control and risk management
mechanisms to cope, others have failed to install proper internal checks and balances and have thus
failed to identify the early signs of problems, and yet others have succumbed to the force of personality
of dominant board members and controlling shareholders, whose ethical values fall short of market
expectations and the public interest. We are all familiar with examples of the type and should learn from
them. While good internal controls cannot be a panacea for all corporate problems, they can help to
provide a reasonable assurance that a sound business in the hands of decision makers with good sense
and judgement will succeed in its objectives.
I hope that it will be obvious to the reader of this guide that it focuses as much on protecting the
business and creating an environment where it can thrive and increase shareholder value, as it does on
compliance with rules and regulations. Good ethical governance embraces good corporate governance,
and an effective system of corporate governance should enable both compliance and performance to be
achieved to the reasonable expectation of shareholders and stakeholders. This is why effective internal
controls and risk management mechanisms should be incorporated within a company’s normal
management and governance processes, and should constitute part of its framework of accountability
and regular reporting to shareholders.
In keeping with the Code, the immediate targets of this guide are listed companies and their subsidiaries
and, beyond this, other companies in the group. However, I hope that companies that are not (or not yet)
listed and other interested parties will also find this guide to be a useful reference.
Edward K.F. Chow
President, and Chairman, Internal Control and Risk Management Guide Task Force
Hong Kong Institute of Certified Public Accountants
June 2005
COMPOSITION OF THE INSTITUTE’S 2005 CORPORATE GOVERNANCE COMMITTEE
Chairman:
Chew Fook Aun, Kyard Ltd.
Deputy Chairmen:
Michael K.H. Chan, Lam Soon (Hong Kong) Ltd.
Richard George, Deloitte Touche Tohmatsu
Members:
Nicholas Allen, PricewaterhouseCoopers
David Cheng, HLB Hodgson Impey Cheng
Gordon W.E. Jones, Companies Registry
Quinn Y.K. Law, The Wharf (Holdings) Ltd.
Stephen Lee, KPMG
Kenneth G. Morrison, Moores Rowland Mazars
Peter Nixon, Potential Associates Ltd.
Keith Pogson, Ernst & Young
James Siu, Li & Fung Ltd.
Tommy Tam, National Electronics (Consolidated) Ltd.
Nancy Tse, Hospital Authority
Jim Wardell, Horwath Corporate Advisory Services Ltd.
Secretaries:
Peter Tisman, Director, Specialist Practices, Hong Kong Institute of CPAs
Mary Lam, Assistant Director, Specialist Practices, Hong Kong Institute of CPAs
COMPOSITION OF THE INTERNAL CONTROL AND RISK MANAGEMENT GUIDE TASK FORCE
Chairman:
Edward K.F. Chow, China Infrastructure Group Holdings Plc.
Members:
Chew Fook Aun, Kyard Ltd.
Michael K.H. Chan, Lam Soon (Hong Kong) Ltd.
Richard George, Deloitte Touche Tohmatsu
Stephen Lee, KPMG
Guy Look, Sa Sa International Holdings Ltd.
Peter Nixon, Potential Associates Ltd.
James Siu, Li & Fung Ltd.
Secretaries:
Peter Tisman, Director, Specialist Practices, Hong Kong Institute of CPAs
Mary Lam, Assistant Director, Specialist Practices, Hong Kong Institute of CPAs
CONTENTS
A. OBJECTIVES
1.0 Background
2.0 Listing Rule requirements on internal control
3.0 Objectives of the guide
4.0 Applicability of the guide
B. IMPLEMENTING INTERNAL CONTROL AND RISK MANAGEMENT
1.0 Framework and scope of internal control
2.0 Elements of a sound system of internal control
3.0 Need for training
4.0 Risk management
5.0 Embedding the process
C. RESPONSIBILITIES FOR INTERNAL CONTROL AND RISK MANAGEMENT,
AND THE PROCESS OF REVIEW
1.0 The Board
2.0 Board policies
3.0 Internal audit function
4.0 Audit committee
5.0 Other parties in the system
APPENDICES
I. The concept and scope of internal control
II. Further information on the components of a system of internal control
III. Possible risks faced by a company
IV. Bibliography and other references
A. OBJECTIVES
1.0 Background
1.1 The Stock Exchange of Hong Kong Limited (“Stock Exchange”) published the Code on Corporate
Governance Practices (“the Code”) and Corporate Governance Report in November 2004.
These were subsequently incorporated into Appendices 14 and 23 of the Main Board Listing
Rules and Appendices 15 and 16 of the Growth Enterprise Market (“GEM”) Listing Rules
respectively. The Code, with one exception, became effective for accounting periods commencing
on or after 1 January 2005. The exception is in respect of Code provision C.2 on internal
controls and the proposed disclosure requirements in the Corporate Governance Report relating
to listed issuers’ internal controls, which take effect for accounting periods commencing on or
after 1 July 2005.
1.2 The Stock Exchange invited the Hong Kong Institute of Certified Public Accountants (“the
Institute”) to issue further guidance to help listed issuers understand and implement the
Code requirements relating to internal control and devise their internal control procedures.
1.3 The Institute agreed to take up the Stock Exchange’s invitation. A task force, set up under
the Corporate Governance Committee and including representatives from the Auditing and
Assurance Standards Committee and the Professional Accountants in Business Committee,
was formed to undertake the project.
2.0 Listing Rule requirements on internal control
2.1 Principle C.2 of the Code states that: “The board should ensure that the issuer maintains
sound and effective internal controls to safeguard the shareholders’ investment and the
issuer’s assets.”
2.2 Code provision C.2.1 on “Internal Controls” states that: “The directors should at least annually
conduct a review of the effectiveness of the system of internal control of the issuer and its
subsidiaries and report to shareholders that they have done so in their Corporate Governance
Report. The review should cover all material controls, including financial, operational and
compliance controls and risk management functions.”
2.3 The recommended best practices in relation to reviewing internal controls and the related
disclosures are set out in C.2.2 to C.2.5 of the Code. Listed companies are encouraged to
adopt the recommended best practices.
2.4 The note to paragraph 2 of Appendix 23 (Main Board Listing Rules) and Appendix 16 (GEM
Listing Rules), which sets out the specific disclosures pertaining to the Code provisions that a
listed issuer is expected to make in its Corporate Governance Report, contains the following
disclosure in relation to the Code provision on “Internal Controls”:
“(3) a statement that the board has conducted a review of the effectiveness of the system of
internal control of the issuer and its subsidiaries (C.2.1 of the Code).”
2.5 Where a listed issuer includes a statement on the review of its system of internal control in
the annual report, pursuant to provision C.2.1 of the Code, it is encouraged to disclose the
details set out in paragraph 3(d) of Appendix 23 of the Main Board Listing Rules and Appendix
16 of the GEM Listing Rules, as appropriate.
3.0 Objectives of the guide
3.1 The primary objective of this guide is to provide general guidance and recommendations on
a basic framework of internal control. This should help listed issuers understand and implement
the requirements in the Code relating to internal control, and to devise their own internal
control procedures that take account of the particular circumstances and characteristics of
their own business and operation. The guide is not intended to be exhaustive or prescriptive,
but should nevertheless be useful to directors, managers and other personnel that are
accountable for control in a company.
3.2 It is also intended to:
(i) help improve understanding of the conceptual framework of internal control and risk
management;
(ii) help provide a framework/basis that can be used to develop and assess the effectiveness
of internal control in a company; and
(iii) reflect sound business practice whereby internal control is embedded in the business
and management processes by which a company pursues its objectives.
3.3 The Stock Exchange indicated that in preparing the Code, it had, in particular, taken into
account the principles and guidelines set out in the revised Combined Code on Corporate
Governance (“the Combined Code”) issued by the Financial Reporting Council in the United
Kingdom (“UK”) in July 2003. The Preamble to the Combined Code makes reference to
specific guidance on how to comply with particular parts of the Combined Code. Internal
Control: Guidance for Directors on the Combined Code (“the Turnbull Guidance”)1 is the
guidance relevant to the provisions on internal control. In preparing this guide, the Institute
has referred to the Turnbull Guidance.
3.4 The Institute considers that the report, Internal Control – Integrated Framework, issued by the
Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) in the United
States, in 1992, contains a definition of internal control and a conceptual framework that are
constructive and relevant. Where appropriate, therefore, this guide adopts the approach outlined
in the COSO report.
1 Internal Control: Guidance for Directors on the Combined Code published by the Institute of Chartered Accountants in England
and Wales in the UK in September 1999.
3.5 Boards of listed companies are encouraged to make reference to this guide in:
• assessing how the company has applied Code principle C.2;
• implementing the requirements of Code provision C.2.1; and
• reporting on these matters to shareholders in the Corporate Governance Report.
3.6 Directors are expected to exercise judgement in reviewing how the company has implemented
the requirements of the Code relating to internal control and reporting to shareholders thereon.
3.7 The guidance set out herein in relation to establishing a sound system of internal control and
reviewing its effectiveness should be incorporated by the company within its normal
management and governance processes, from a corporate governance point of view, as part
of the accountability of a company’s board and management to shareholders, and should
not be treated as a separate exercise undertaken to meet regulatory requirements issued and
enforced by a securities market regulator.
4.0 Applicability of the guide
4.1 This guide is aimed primarily at listed companies and their subsidiaries, to which Code provision
C.2.1 applies. However, listed companies are very diverse in nature. Internal controls should
be tailored to an individual company’s own particular characteristics and circumstances, which
may depend upon, for example, its industry, size and organisational structure. Accordingly, it
is not appropriate to adopt a “one size fits all” approach.
4.2 It is believed that the principles and recommendations contained in this guide will provide a
useful reference for most listed companies, although they may need to be adapted according
to the circumstances of the company concerned. All companies that are part of a listed
group are encouraged to take on board these principles and recommendations, and it is
hoped that companies in general that wish to implement or enhance their system of internal
control will find this guide to be a useful reference.
4.3 Throughout the guide, where reference is made to “company”, it should be taken, where
applicable, as referring to the group of which the reporting company is the parent company.
For groups of companies, the review of the effectiveness of internal control and the report to
the shareholders should be from the perspective of the group as a whole, e.g., groups of
companies should review the effectiveness of all significant controls at all significant locations.
4.4 Where material joint ventures and associates have not been dealt with as part of the group
for the purposes of applying this guidance, companies are encouraged to disclose this. Where
they exist, alternative sources of risk management and internal control assurance applied to
these entities should also be disclosed.
B. IMPLEMENTING INTERNAL CONTROL AND
RISK MANAGEMENT
1.0 Framework and scope of internal control
1.1 There is no simple definition of “internal control”. However, as indicated in paragraph A.3.4
above, where appropriate, this guide adopts the definition and conceptual framework described
in the COSO report, which the Institute regards as a useful model. (See also Appendix I).
1.2 The COSO report defines internal control as a process designed to provide reasonable assurance
regarding the achievement of objectives in relation to the following:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
1.3 Internal control is fundamental to the successful operation and day-to-day running of a business
and it assists the company in achieving its business objectives. As indicated above, the scope
of internal control is very broad. It encompasses all controls incorporated into the strategic,
governance and management processes, covering the company’s entire range of activities
and operations, and not just those directly related to financial operations and reporting. Its
scope is not confined to those aspects of a business that could broadly be defined as compliance
matters, but extends also to the performance aspects of a business. (See Figure 1.)
1.4 Internal controls need to be responsive to the specific nature and needs of the business.
Hence, they should seek to reflect sound business practice, remain relevant over time in the
continuously evolving business environment and enable the company to respond to the specific
needs of the business or industry.
Figure 1: Internal Control Framework (diagram labels: Achieving business objectives; Internal Control and Risk Management; Compliance; Performance)
1.5 It is important that control should not be seen as a burden on business but, rather, the means
by which business opportunities are maximised and potential losses associated with unwanted
events reduced. Furthermore, successful companies should not allow themselves to become
complacent or blinded by their own success. There are numerous examples of companies
whose success has been jeopardised by a lack of, or deficiencies in, internal controls.
1.6 At the same time, the cost/benefit equation is also relevant to any internal control system.
Cost/benefit considerations should be taken into account both in the overall design of the
system and in the context of risk identification, assessment and prioritisation.
Function of internal control
1.7 Control is not synonymous with managing and does not constitute everything involved in the
management of a company. While it aims to support the achievement of business objectives,
and should serve as an early warning system of possible impediments to achieving those
objectives, internal control does not, on the other hand, indicate what objectives to set.
While it can help to ensure that reliable information is made available for decision-making,
implementation and monitoring, and can facilitate assessment and reporting on the results
of actions taken, it does not take the place of the management in making strategic and
operational decisions. In addition, decisions about whether to act and what action to take
are outside the scope of internal control.
1.8 It follows from the above that there are inherent limitations in control. A sound and well-
designed system of internal control reduces, but cannot eliminate, the possibility of poor
judgement in decision-making; human error or mistake; control activities and processes being
deliberately circumvented by the collusion of employees or others; management