TRANSCRIPT
CONSULTATION CONCLUSION ON RISK MANAGEMENT AND INTERNAL CONTROL: REVIEW OF THE CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT
Melissa Fung
Partner, Enterprise Risk Services,
Deloitte Touche Tohmatsu
26 January 2016
Table of Contents
Overview of Consultation Conclusion
Your Challenges
• Internal Audit Effectiveness
• Enterprise Risk Management
Questions and Answers
The Hong Kong Stock Exchange (“HKEx”) published a Consultation Conclusion on Risk Management and Internal Control: Review of The Corporate Governance Code and Corporate Governance Report (the “Code”) in December 2014.
Implementation of the Code amendments will apply to accounting periods beginning on or after 1 January 2016.
Overview of Consultation Conclusion
#1: Risk management and internal control
Current Requirement:
• The existing title of Section C.2 of the Code is simply “Internal Controls”
Issue of Current Requirement:
• To emphasize that internal control is an integrated part of risk management, this should be reflected in the title of the Code
Consultation Conclusion:
• Amend the title of Section C.2 of the Code to “Risk management and internal control”
#2: Responsibilities of the board and management
Current Requirement:
• Principle C.2 states that the board should ensure that the issuer maintains sound and effective internal controls to safeguard shareholders’ investment and the issuer’s assets
Issues of Current Requirement:
• Insufficient weight given to risks and risk management in relation to internal control
• Risk not managed on an enterprise basis and not adjusted to corporate strategy
• Current Principle too narrow in scope
Consultation Conclusion:
• Amend Principle C.2 to state that the board is responsible for evaluating the risks it is willing to take in achieving the issuer’s strategic objectives and ensuring the issuer establishes and maintains appropriate and effective risk management and internal control systems
• The board should oversee management in the design, implementation and monitoring of the risk management and internal control systems, and management should provide confirmation to the board on the effectiveness of these systems
#3: Annual review and disclosure in the Corporate Governance Report
Current Requirement:
• CP C.2.1 states that the directors of an issuer should at least annually conduct a review of the effectiveness of the issuer’s internal control systems
• RBP C.2.3 states the content of the board’s annual review
• RBP C.2.4 states the disclosure requirements in the Corporate Governance Report: a narrative statement on how the listed issuers have complied with internal control code provisions during the reporting period
• Section S – Recommended Disclosures on Internal Controls
Issues of Current Requirement:
• Inadequate disclosure relating to the annual review
• Insufficient consideration given by issuers when conducting their annual review due to lack of authority from the provision (RBP C.2.3)
• In relation to CP C.2.1, the board does not simply discharge its duties relating to an issuer’s risk management and internal control systems by way of a one-off annual review
Consultation Conclusion:
• Amend CP C.2.1 to add that the board should oversee the issuer’s risk management and internal control systems on an ongoing basis
• Upgrade RBP C.2.3 “Board’s Annual Review” to CP, covering:
  - the changes, since the last annual review, in the nature and extent of significant risks, and the issuer’s ability to respond to changes in its business and the external environment
  - the scope and quality of management’s ongoing monitoring of risks and of the internal control system, and where applicable, the work of its internal audit function and other assurance providers
  - the extent and frequency of communication of monitoring results to the board (or board committee(s)) which enables it to assess control of the issuer and the effectiveness of risk management
  - significant control failings or weaknesses that have been identified during the period, and the extent to which they have resulted in unforeseen outcomes or contingencies that have had, could have had, or may in the future have, a material impact on the issuer’s financial performance or condition
  - the effectiveness of the issuer’s processes for financial reporting and Listing Rule compliance
• Upgrade RBP C.2.4 “CG Report Disclosure” to CP, covering:
  - the process used to identify, evaluate and manage significant risks
  - the main features of the risk management and internal control systems
  - an acknowledgement by the board that it is responsible for the risk management and internal control systems and for reviewing their effectiveness; it should also explain that such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss
  - the process used to review the effectiveness of the risk management and internal control systems and to resolve material internal control defects
  - the procedures and internal controls for the handling and dissemination of inside information
• Section S – Upgrade most of the Recommended Disclosures in relation to internal controls to Mandatory Disclosures:
  - whether the issuer has an internal audit function;
  - how often the risk management and internal control systems are reviewed, the period covered, and where an issuer has not conducted a review during the year, an explanation why not; and
  - a statement that a review of the effectiveness of the risk management and internal control systems has been conducted and whether the issuer considers them effective and adequate.
#4: Internal audit
Current Requirement:
• Under the existing Code, it is an RBP for issuers without an internal audit function to review the need for one on an annual basis and disclose the outcome of this review in the Corporate Governance Report (RBP C.2.6)
Issues of Current Requirement:
• The internal audit function plays an important role as the third line of defense
• Concerns about the independence of existing internal audit functions
Consultation Conclusion:
• Upgrade the existing RBP to a CP for issuers to have an internal audit function
• Amend the existing CP to state that the board’s annual review should ensure the adequacy of resources, staff qualifications and experience, training programmes and budget of the company’s internal audit function
Internal Audit Effectiveness
Internal Audit: Your Challenges?
Company with IA Function:
• Consult with the Audit Committee and review the effectiveness, resources and scope of work of the IA Function
Company without IA Function:
• Set up an IA Function (In-house / Co-source / Outsource Model)
In either case:
• Conduct IA projects and report to the AC on a regular basis
• Enhance the internal controls mechanism
Internal Audit Set-up: Your Challenges?
(Diagram) Reporting Line options:
1. Reporting to AC only: IA reports to the Audit Committee (AC)
2. Dual Reporting: IA reports to both the AC and management (Mgt)
(Diagram) Resources Sharing options:
1. Centralisation: a single IA function at the Listed Holding company also covers the Listed Subsidiary
2. Decentralisation: the Listed Holding company and the Listed Subsidiary each have their own IA function
Internal Audit Effectiveness
Internal Audit Function Maturity Model

Factor                     | Conventional Audit                                   | Mainstream Audit                                     | Leading-Edge Audit
Risk Focus                 | Audit “entity” based on rotation plan                | Entities prioritized based on financial risk         | Focus on strategic, business and process risk
Governance Responsibility  | Internal Audit                                       | Internal Audit + some management involvement         | Board and Management
Style                      | Checker role                                         | Detector role                                        | Advisory / Consultative
Stakeholders’ Expectations | Compliance with policies & procedures                | Assurance on Financial + Compliance control          | Business Risk Assurance
Competency/Skills          | Accounting background                                | Accounting / information technology (“IT”)           | Multi-disciplinary (Industry specific)
Focus                      | Compliance                                           | Compliance + Financial                               | Enterprise-wide Risks
Toolkit                    | Compliance program                                   | Audit work programs for key processes/controls       | Risk frameworks, self-assessment, risk indicators
Fraud                      | Not addressed                                        | Reactive (after the fact)                            | Proactive (fraud indicators)
Technology                 | None, mainly manual                                  | Manual with some automation                          | Automation & risk database
Results                    | Small “findings”; compliance-focused recommendations | Recommendations focus on control effectiveness       | Recommendations on risk mitigation & preventive measures

The factors are grouped under Objectives/Mandate, Organization/Management, People, Methodologies/Process and Performance.
The Internal Audit Function Maturity Model is used to assess the performance of an internal audit function in terms of organization/management, stakeholders’ expectations, people, methodologies/process etc.
Can your internal audit function meet your needs and expectation?
Enterprise Risk Management
Is risk management embedded into strategic decision making and daily operation?
Key Considerations – Risk Management
• Does your company have a risk management framework to determine the definition, roles and responsibilities, policies and procedures of risk management?
• Does your company have a governance structure that supports the implementation of a risk management mechanism?
• Does your company have a structured approach to identify, assess and manage risk?
• Does the board take the lead in determining the company’s levels of risk tolerance and risk policies?
• Does management provide risk-related information (e.g. a risk report) to the board?
• Are risks officially and formally discussed in board meetings?
• Does the management of your company periodically review the effectiveness of the risk management mechanism?
Deloitte’s Risk Intelligence Framework
(Diagram) Framework elements:
• Common Risk Infrastructure
• Common Definition of Risk
• Common Risk Framework
• Roles & Responsibilities
• Transparency for Governing Bodies
• Executive Management Responsibility
• Business Unit Responsibility
• Support of Pervasive Functions
• Objective Assurance & Monitoring
Risk Management Governance Structure
1. Governance Structure (diagram): two alternative structures are shown, one in which the Board is supported by a Risk Committee and the Audit Committee (AC), and one in which the Board is supported by a Risk Steering Committee and the AC
2. Roles and Responsibilities (diagram): Board, Executive Management, Chief Risk Officer?, Business Unit and Internal Audit, with the Board overseeing the Risk Steering Committee
Phase 1 – Develop an overall ERM framework
(Diagram) Diagnostic of existing ERM capabilities: items A, B and C, each scored from 1 to 5
• Diagnose existing ERM capabilities
• Formulate overall objectives/strategy
• Set up ERM taskforce/roadmap and ERM orientation
Phase 2 – Identify and prioritize risks
• Identify risks to value
• Determine risk criteria & appetite
• Prioritize & assess risks identified
• Assign risk ownership
Phase 3 – Develop and Adopt Risk Response Program
• Develop risk prevention plan and risk indicators
• Establish additional action plan/flagging systems
• Set up status tracking mechanism
About Deloitte Global
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.
About Deloitte in Greater China
We are one of the leading professional services providers with 22 offices in Beijing, Hong Kong, Shanghai, Taipei, Chengdu, Chongqing, Dalian, Guangzhou, Hangzhou, Harbin, Hsinchu, Jinan, Kaohsiung, Macau, Nanjing, Shenzhen, Suzhou, Taichung, Tainan, Tianjin, Wuhan and Xiamen in Greater China. We have nearly 13,500 people working on a collaborative basis to serve clients, subject to local applicable laws.
About Deloitte China
The Deloitte brand first came to China in 1917 when a Deloitte office was opened in Shanghai. Now the Deloitte China network of firms, backed by the global Deloitte network, delivers a full range of audit, tax, consulting and financial advisory services to local, multinational and growth enterprise clients in China. We have considerable experience in China and have been a significant contributor to the development of China's accounting standards, taxation system and local professional accountants.
These materials and the information contained herein are provided by Deloitte Touche Tohmatsu and are intended to provide general information on a particular subject or subjects and are not an exhaustive treatment of such subject(s). Accordingly, the information in these materials is not intended to constitute accounting, tax, legal, investment, consulting, or other professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.
These materials and the information contained therein are provided as is, and Deloitte Touche Tohmatsu makes no express or implied representations or warranties regarding these materials or the information contained therein. Without limiting the foregoing, Deloitte Touche Tohmatsu does not warrant that the materials or information contained therein will be error-free or will meet any particular criteria of performance or quality. Deloitte Touche Tohmatsu expressly disclaims all implied warranties, including, without limitation, warranties of merchantability, title, fitness for a particular purpose, non-infringement, compatibility, security, and accuracy.
Your use of these materials and information contained therein is at your own risk, and you assume full responsibility and risk of loss resulting from the use thereof. Deloitte Touche Tohmatsu will not be liable for any special, indirect, incidental, consequential, or punitive damages or any other damages whatsoever, whether in an action of contract, statute, tort (including, without limitation, negligence), or otherwise, relating to the use of these materials or the information contained therein.
If any of the foregoing is not fully enforceable for any reason, the remainder shall nonetheless continue to apply.
Q & A
Please submit your text questions and comments using the Questions Panel.
Thank You!
Your needs are always our highest concern. We cordially invite you to answer the following questions to enable us to further enhance our services to you.