Hong Kong Code on Corporate Governance Practices
- Section C.2: Internal Controls

by Gordon Hau

The Hong Kong Code on Corporate Governance Practices (The Code) Section C.2 on Internal Controls became effective on 1 July 2005. We would like to introduce you to a framework that we believe could help listed companies understand and implement the requirements of the Code relating to internal controls, and devise their own internal control practices pertaining to the specific characteristics and environment of their business.

Overview of Section C.2
First, let's revisit section C.2 of the Code on Internal Controls. It sets out the principle of good governance and provides two levels of recommendations for internal controls: the code provisions and the recommended best practices.

All listed companies are expected to comply with the code provisions and give considered reasons for any deviations in their interim reports and annual reports. The recommended best practices are provided as guidance. The listed companies may devise their own internal control practices on such terms as they consider appropriate.

The principle of Section C.2 is that the board should ensure that the issuer maintains sound and effective internal controls to safeguard the shareholders' investments and the issuer's assets. The code provisions state that the directors should, at least annually, conduct a review of the effectiveness of the internal control systems of the issuer and its subsidiaries, and report to shareholders that they have done so in their Corporate Governance Report. The review should cover all material controls, including financial, operational and compliance controls and risk management functions.

Corporate governance report
What do directors need to report annually in relation to the Code on internal controls?

Section 3(d) in Appendix 23 and Appendix 16 of the main board and the GEM listing rules respectively suggest that listed companies disclose the following details relating to internal controls in their annual Corporate Governance Report:

- an explanation of how the system of internal control has been defined for the listed issuer;
- procedures and internal controls for the handling and dissemination of price sensitive information;
- whether the listed issuer has an internal audit function;
- how often internal controls are reviewed;
- a statement that the directors have reviewed the effectiveness of the system of internal control and whether they consider the internal control systems to be effective and adequate (design and operation effectiveness);
- criteria for the directors to assess the effectiveness of the internal control system (testing approach and size of test data);
- the period which the review covers;
- details of any significant areas of concern which may affect shareholders;
- significant views or proposals put forward by the audit committee; and
- where a listed issuer has not conducted a review of its internal control during the year, an explanation why it has not done so (non-compliance).

Internal audit framework
What do directors need to do to ensure that their listed companies maintain sound and effective internal controls and evaluate their internal controls environment periodically, hence allowing them to prepare the Corporate Governance Report?

This is a mammoth task that requires careful planning, and dedicated and specialised resources. In the rest of this article, we introduce our Internal Audit Framework. It relies heavily on a corporate level risk assessment process to drive the audit plan and ensure focus on the elements of greatest risk.

Table 1 Grant Thornton's internal audit framework

The diagram referred to above (Table 1) outlines Grant Thornton's Internal Audit Framework, which includes the following six elements:

1. Governance Structure
2. Risk Assessment and Scoping
3. Individual Internal Audit
4. Special Projects & Follow-up
5. Risk & Control Report
6. Management of the Internal Audit

Governance
The framework defines and helps to establish internal audit activity to support effective implementation and monitoring of good corporate governance, compliance with legal and regulatory requirements, operational efficiency and safety, and project management.

Risk assessment and scoping
Risk Assessment is an exercise that analyses risk factors and takes a cross-business look at the range of business activities, processes and major projects. Key risk indicators include economic data, industry trends, competitors' behaviour, external factors, management capabilities and financial information.

On an annual basis, most listed companies are not able to conduct an internal audit over 100% of their business activities. It is not feasible or practical in terms of resources and costs, particularly for companies operating multiple businesses and/or with multiple geographical locations. The Code does not specify the annual coverage requirement, but international best practice normally recommends a "large portion" of a company's operations and financial position, which can be understood to mean around 60% to 70% coverage. It is the responsibility of the Audit Committee to determine the appropriate coverage. The best starting point is to analyse the financial risks, to assess material risks, consider other risks, and then prioritise which business units and processes to audit and test. Quantitative considerations such as planning materiality (e.g. 5% of pre-tax income) are used to determine which business units and processes are individually significant. The key output of the Risk Assessment process is the internal audit plan which outlines objectives, coverage, resources required and a schedule for delivering the internal audit projects.

Individual internal audit
After the Risk Assessment, the audit plan needs to be carried out. Each individual audit consists of four major steps: (i) a risk assessment of the audit area, (ii) a plan for the audit based on that risk assessment, followed by analysis and testing of the internal control environment, (iii) reporting of findings and recommendations, and (iv) on-going follow-up on the recommendations.

Special projects & follow-up
The fourth area of the framework includes special projects of an internal control nature. These could include support to projects to ensure that effective controls are built into new or updated systems, provision of internal control awareness and education, or the undertaking of special and sensitive projects on behalf of the Audit Committee.

Risk and control report
A programme of internal audits will result in a significant amount of information being generated about the effectiveness of controls and management of risk in individual areas and processes across the company. A consolidated Risk and Control Report, compiled on an annual basis, provides the Audit Committee and executive management with a single picture of the internal control environment, enabling an assessment of priorities and potential exposures across the company. This report will help the Audit Committee in preparing the Corporate Governance Report as required by the Listing Rules.

Management of the internal audit
The framework recognises the importance of managing the Internal Audit function effectively, ensuring achievement of defined objectives within mandated timeframes, limited resources and an authorised budget. The internal audits are normally conducted by an Internal Audit Department reporting directly to the Audit Committee. It is very common for companies to outsource or co-source the planning and internal audit to professional parties.

Conclusions
We hope that our framework will help listed companies to incorporate effective internal controls and risk management mechanisms into their normal management and governance processes. This in turn will help them protect their business and create an environment where it can thrive and increase shareholder value.

gordon.hau@gthk.com.hk