香港的内控与风险管理框架

– A Basic Framework and Internal Control Risk Management 1 FOREWORD Since the formation of the Corporate Governance Committee in 1995, the Hong Kong Institute of Certified Public Accountants is proud to have been playing a leading role in promoting greater awareness and higher standards of corporate governance in Hong Kong. The Institute believes that good corporate governance is fundamental to attracting investment, stimulating economic growth and reducing the cost of capital. It is also vital to Hong Kong’s role as one of the world’s major financial centres and the premier international capital market for Mainland China and the region. We are supportive, therefore, of the Stock Exchange of Hong Kong Limited’s recent amendments to the Listing Rules to introduce the Code on Corporate Governance Practices (“the Code”) and the requirements in relation to the Corporate Governance Report. These changes will raise the bar for listed companies in Hong Kong in terms of their corporate governance practices and disclosures. This guide on internal control and risk management has been developed at the invitation of the Stock Exchange, with the primary objective of providing general guidance and recommendations on a basic framework of internal control and risk management. It draws on important overseas studies, which are acknowledged benchmarks of international good practice while, at the same time, takes into account the current situation of the Hong Kong market. We believe that the principles and recommendations contained in this guide should help listed companies to understand and implement the requirements in the Code relating to internal control, and to devise their own internal control procedures that have regard to the specific circumstances and characteristics of their business. Enhancing corporate governance is not simply a matter of imposing rules and laws but about promoting and developing an ethical and healthy corporate culture. I hope that this guide makes it abundantly clear that establishing a sound system of internal control and reviewing its effectiveness is not an exercise in learning how to comply with unwelcome and onerous regulatory requirements but, rather, it is about implementing mechanisms that will help a company to achieve its corporate objectives and fulfil the expectations of its shareholders and stakeholders. At the basic level, the guide emphasises that, as a precondition for having effective controls, a company must ensure that it has clear objectives that are agreed by the board and well-understood by the senior management and employees. The company should then identify, assess and prioritise the risks that could prevent it from achieving those objectives, and establish processes to manage them effectively. It must also have in place early warning indicators so that if things go off course, the situation is quickly identified and brought to the attention of the appropriate people for action. For this to happen, there also needs to be good communication and an effective flow of information, both internally and with external parties, such as auditors and regulators. Finally, ongoing monitoring and reviews of the system are required because the business environment and conditions continue to change. Unfortunately, there are far too many companies where some, or all, of these elements have been lacking and, indeed, some of them have failed because of it, despite having, on paper, good business prospects. Some have grown too fast, and generally outrun the ability of their internal control and risk management mechanisms to cope, others have failed to install proper internal checks and balances and have thus failed to identify the early signs of problems, and yet others have succumbed to the force of personality of dominant board members and controlling shareholders, whose ethical values fall short of market – A Basic Framework and Internal Control Risk Management 2 expectations and the public interest. We are all familiar with examples of the type and should learn from them. While good internal controls cannot be a panacea for all corporate problems, they can help to provide a reasonable assurance that a sound business in the hands of decision makers with good sense and judgement will succeed in its objectives. I hope that it will be obvious to the reader of this guide that it focuses as much on protecting the business and creating an environment where it can thrive and increase shareholder value, as it does on compliance with rules and regulations. Good ethical governance embraces good corporate governance, and an effective system of corporate governance should enable both compliance and performance to be achieved to the reasonable expectation of shareholders and stakeholders. This is why effective internal controls and risk management mechanisms should be incorporated within a company’s normal management and governance processes, and should constitute part of its framework of accountability and regular reporting to shareholders. In keeping with the Code, the immediate targets of this guide are listed companies and their subsidiaries and, beyond this, other companies in the group. However, I hope that companies that are not (or not yet) listed and other interested parties will also find this guide to be a useful reference. Edward K.F. Chow President, and Chairman, Internal Control and Risk Management Guide Task Force Hong Kong Institute of Certified Public Accountants June 2005 – A Basic Framework and Internal Control Risk Management 3 COMPOSITION OF THE INSTITUTE’S 2005 CORPORATE GOVERNANCE COMMITTEE Chairman: Chew Fook Aun Kyard Ltd. Deputy Chairmen: Michael K.H. Chan Lam Soon (Hong Kong) Ltd. Richard George Deloitte Touche Tohmatsu Members: Nicholas Allen PricewaterhouseCoopers David Cheng HLB Hodgson Impey Cheng Gordon W.E. Jones Companies Registry Quinn Y.K. Law The Wharf (Holdings) Ltd. Stephen Lee KPMG Kenneth G. Morrison Moores Rowland Mazars Peter Nixon Potential Associates Ltd. Keith Pogson Ernst & Young James Siu Li & Fung Ltd. Tommy Tam National Electronics (Consolidated) Ltd. Nancy Tse Hospital Authority Jim Wardell Horwath Corporate Advisory Services Ltd. Secretaries: Peter Tisman Director, Specialist Practices, Hong Kong Institute of CPAs Mary Lam Assistant Director, Specialist Practices, Hong Kong Institute of CPAs COMPOSITION OF THE INTERNAL CONTROL AND RISK MANAGEMENT GUIDE TASK FORCE Chairman: Edward K.F. Chow China Infrastructure Group Holdings Plc. Members: Chew Fook Aun Kyard Ltd. Michael K.H. Chan Lam Soon (Hong Kong) Ltd. Richard George Deloitte Touche Tohmatsu Stephen Lee KPMG Guy Look Sa Sa International Holdings Ltd. Peter Nixon Potential Associates Ltd. James Siu Li & Fung Ltd. Secretaries: Peter Tisman Director, Specialist Practices, Hong Kong Institute of CPAs Mary Lam Assistant Director, Specialist Practices, Hong Kong Institute of CPAs – A Basic Framework and Internal Control Risk Management 4 CONTENTS A. OBJECTIVES 1.0 Background 2.0 Listing Rule requirements on internal control 3.0 Objectives of the guide 4.0 Applicability of the guide B. IMPLEMENTING INTERNAL CONTROL AND RISK MANAGEMENT 1.0 Framework and scope of internal control 2.0 Elements of a sound system of internal control 3.0 Need for training 4.0 Risk management 5.0 Embedding the process C. RESPONSIBILITIES FOR INTERNAL CONTROL AND RISK MANAGEMENT, AND THE PROCESS OF REVIEW 1.0 The Board 2.0 Board policies 3.0 Internal audit function 4.0 Audit committee 5.0 Other parties in the system APPENDICES I. The concept and scope of internal control II. Further information on the components of a system of internal control III. Possible risks faced by a company IV. Bibliography and other references – A Basic Framework and Internal Control Risk Management 5 A. OBJECTIVES 1.0 Background 1.1 The Stock Exchange of Hong Kong Limited (“Stock Exchange”) published the Code on Corporate Governance Practices (“the Code”) and Corporate Governance Report in November 2004. These were subsequently incorporated into Appendices 14 and 23 of the Main Board Listing Rules and Appendices 15 and 16 of the Growth Enterprise Market (“GEM”) Listing Rules respectively. The Code, with one exception, became effective for accounting periods commencing on or after 1 January 2005. The exception is in respect of Code provision C.2 on internal controls and the proposed disclosure requirements in the Corporate Governance Report relating to listed issuers’ internal controls, which take effect for accounting periods commencing on or after 1 July 2005. 1.2 The Stock Exchange invited the Hong Kong Institute of Certified Public Accountants (“the Institute”) to issue further guidance to help listed issuers understand and implement the Code requirements relating to internal control and devise their internal control procedures. 1.3 The Institute agreed to take up the Stock Exchange’s invitation. A task force, set up under the Corporate Governance Committee and including representatives from the Auditing and Assurance Standards Committee and the Professional Accountants in Business Committee, was formed to undertake the project. 2.0 Listing Rule requirements on internal control 2.1 Principle C.2 of the Code states that: “The board should ensure that the issuer maintains sound and effective internal controls to safeguard the shareholders’ investment and the issuer’s assets.” 2.2 Code provision C.2.1 on “Internal Controls” states that: “The directors should at least annually conduct a review of the effectiveness of the system of internal control of the issuer and its subsidiaries and report to shareholders that they have done so in their Corporate Governance Report. The review should cover all material controls, including financial, operational and compliance controls and risk management functions.” 2.3 The recommended best practices in relation to reviewing internal controls and the related disclosures are set out in C.2.2 to C.2.5 of the Code. Listed companies are encouraged to adopt the recommended best practices. 2.4 The note to paragraph 2 of Appendix 23 (Main Board Listing Rules) and Appendix 16 (GEM Listing Rules), which sets out the specific disclosures pertaining to the Code provisions that a listed issuer is expected to make in its Corporate Governance Report, contains the following disclosure in relation to the Code provision on “Internal Controls”: “(3) a statement that the board has conducted a review of the effectiveness of the system of internal control of the issuer and its subsidiaries (C.2.1 of the Code).” – A Basic Framework and Internal Control Risk Management 6 2.5 Where a listed issuer includes a statement on the review of its system of internal control in the annual report, pursuant to provision C.2.1 of the Code, it is encouraged to disclose the details set out in paragraph 3(d) of Appendix 23 of the Main Board Listing Rules and Appendix 16 of the GEM Listing Rules, as appropriate. 3.0 Objectives of the guide 3.1 The primary objective of this guide is to provide general guidance and recommendations on a basic framework of internal control. This should help listed issuers understand and implement the requirements in the Code relating to internal control, and to devise their own internal control procedures that take account of the particular circumstances and characteristics of their own business and operation. The guide is not intended to be exhaustive or prescriptive, but should nevertheless be useful to directors, managers and other personnel that are accountable for control in a company. 3.2 It is also intended to: (i) help improve understanding of the conceptual framework of internal control and risk management; (ii) help provide a framework/basis that can be used to develop and assess the effectiveness of internal control in a company; and (iii) reflect sound business practice whereby internal control is embedded in the business and management processes by which a company pursues its objectives. 3.3 The Stock Exchange indicated that in preparing the Code, it had, in particular, taken into account the principles and guidelines set out in the revised Combined Code on Corporate Governance (“the Combined Code”) issued by the Financial Reporting Council in the United Kingdom (“UK”) in July 2003. The Preamble to the Combined Code makes reference to specific guidance on how to comply with particular parts of the Combined Code. Internal Control: Guidance for Directors on the Combined Code (“the Turnbull Guidance”)1 is the guidance relevant to the provisions on internal control. In preparing this guide, the Institute has referred to the Turnbull Guidance. 3.4 The Institute considers that the report, Internal Control – Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) in the United States, in 1992, contains a definition of internal control and a conceptual framework that are constructive and relevant. Where appropriate, therefore, this guide adopts the approach outlined in the COSO report. 1 Internal Control: Guidance for Directors on the Combined Code published by the Institute of Chartered Accountants in England and Wales in the UK in September 1999. – A Basic Framework and Internal Control Risk Management 7 3.5 Boards of listed companies are encouraged to make reference to this guide in: • assessing how the company has applied Code principle C.2; • implementing the requirements of Code provision C.2.1; and • reporting on these matters to shareholders in the Corporate Governance Report. 3.6 Directors are expected to exercise judgement in reviewing how the company has implemented the requirements of the Code relating to internal control and reporting to shareholders thereon. 3.7 The guidance set out herein in relation to establishing a sound system of internal control and reviewing its effectiveness should be incorporated by the company within its normal management and governance processes, from a corporate governance point of view, as part of the accountability of a company’s board and management to shareholders, and should not be treated as a separate exercise undertaken to meet regulatory requirements issued and enforced by a securities market regulator. 4.0 Applicability of the guide 4.1 This guide is aimed primarily at listed companies and their subsidiaries, to which Code provision C.2.1 applies. However, listed companies are very diverse in nature. Internal controls should be tailored to an individual company’s own particular characteristics and circumstances, which may depend upon, for example, its industry, size and organisational structure. Accordingly, it is not appropriate to adopt a “one size fits all” approach. 4.2 It is believed that the principles and recommendations contained in this guide will provide a useful reference for most listed companies, although they may need to be adapted according to the circumstances of the company concerned. All companies that are part of a listed group are encouraged to take on board these principles and recommendations, and it is hoped that companies in general that wish to implement or enhance their system of internal control will find this guide to be a useful reference. 4.3 Throughout the guide, where reference is made to “company”, it should be taken, where applicable, as referring to the group of which the reporting company is the parent company. For groups of companies, the review of the effectiveness of internal control and the report to the shareholders should be from the perspective of the group as a whole, e.g., groups of companies should review the effectiveness of all significant controls at all significant locations. 4.4 Where material joint ventures and associates have not been dealt with as part of the group for the purposes of applying this guidance, companies are encouraged to disclose this. Where they exist, alternative sources of risk management and internal control assurance applied to these entities should also be disclosed. – A Basic Framework and Internal Control Risk Management 8 B. IMPLEMENTING INTERNAL CONTROL AND RISK MANAGEMENT 1.0 Framework and scope of internal control 1.1 There is no simple definition of “internal control”. However, as indicated in paragraph A.3.4 above, where appropriate, this guide adopts the definition and conceptual framework described in the COSO report, which the Institute regards as a useful model. (See also Appendix I). 1.2 The COSO report defines internal control as a process designed to provide reasonable assurance regarding the achievement of objectives in relation to the following: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations 1.3 Internal control is fundamental to the successful operation and day-to-day running of a business and it assists the company in achieving its business objectives. As indicated above, the scope of internal control is very broad. It encompasses all controls incorporated into the strategic, governance and management processes, covering the company’s entire range of activities and operations, and not just those directly related to financial operations and reporting. Its scope is not confined to those aspects of a business that could broadly be defined as compliance matters, but extends also to the performance aspects of a business. (See Figure 1.) 1.4 Internal controls need to be responsive to the specific nature and needs of the business. Hence, they should seek to reflect sound business practice, remain relevant over time in the continuously evolving business environment and enable the company to respond to the specific needs of the business or industry. Figure 1: Internal Control Framework Achieving business objectives Internal Control and Risk Management Compliance Performance – A Basic Framework and Internal Control Risk Management 9 1.5 It is important that control should not be seen as a burden on business but, rather, the means by which business opportunities are maximised and potential losses associated with unwanted events reduced. Furthermore, successful companies should not allow themselves to become complacent or blinded by their own success. There are numerous examples of companies whose success has been jeopardised by a lack of, or deficiencies in, internal controls. 1.6 At the same time, the cost/benefit equation is also relevant to any internal control system. Cost/benefit considerations should be taken into account both in the overall design of the system and in the context of risk identification, assessment and prioritisation. Function of internal control 1.7 Control is not synonymous with managing and does not constitute everything involved in the management of a company. While it aims to support the achievement of business objectives, and should serve as an early warning system of possible impediments to achieving those objectives, internal control does not, on the other hand, indicate what objectives to set. While it can help to ensure that reliable information is made available for decision-making, implementation and monitoring, and can facilitate assessment and reporting on the results of actions taken, it does not take the place of the management in making strategic and operational decisions. In addition, decisions about whether to act and what action to take are outside the scope of internal control. 1.8 It follows from the above that there are inherent limitations in control. A sound and well- designed system of internal control reduces, but cannot eliminate, the possibility of poor judgement in decision-making; human error or mistake; control activities and processes being deliberately circumvented by the collusion of employees or others; management