Internal Control and Risk Management: A Basic Framework

FOREWORD

Since the formation of the Corporate Governance Committee in 1995, the Hong Kong Institute of Certified Public Accountants is proud to have been playing a leading role in promoting greater awareness and higher standards of corporate governance in Hong Kong. The Institute believes that good corporate governance is fundamental to attracting investment, stimulating economic growth and reducing the cost of capital. It is also vital to Hong Kong's role as one of the world's major financial centres and the premier international capital market for Mainland China and the region.

We are supportive, therefore, of the Stock Exchange of Hong Kong Limited's recent amendments to the Listing Rules to introduce the Code on Corporate Governance Practices (“the Code”) and the requirements in relation to the Corporate Governance Report. These changes will raise the bar for listed companies in Hong Kong in terms of their corporate governance practices and disclosures.

This guide on internal control and risk management has been developed at the invitation of the Stock Exchange, with the primary objective of providing general guidance and recommendations on
a basic framework of internal control and risk management. It draws on important overseas studies, which are acknowledged benchmarks of international good practice while, at the same time, takes into account the current situation of the Hong Kong market. We believe that the principles and recommendations contained in this guide should help listed companies to understand and implement the requirements in the Code relating to internal control, and to devise their own internal control procedures that have regard to the specific circumstances and characteristics of their business.

Enhancing corporate governance is not simply a matter of imposing rules and laws but about promoting and developing an ethical and healthy corporate culture. I hope that this guide makes it abundantly clear that establishing a sound system of internal control and reviewing its effectiveness is not an exercise in learning how to comply with unwelcome and onerous regulatory requirements but, rather, it is about implementing mechanisms that will help a company to achieve its corporate objectives and fulfil the expectations of its shareholders and stakeholders. At the basic level, the guide emphasises that, as a precondition
for having effective controls, a company must ensure that it has clear objectives that are agreed by the board and well-understood by the senior management and employees. The company should then identify, assess and prioritise the risks that could prevent it from achieving those objectives, and establish processes to manage them effectively. It must also have in place early warning indicators so that if things go off course, the situation is quickly identified and brought to the attention of the appropriate people for action. For this to happen, there also needs to be good communication and an effective flow of information, both internally and with external parties, such as auditors and regulators. Finally, ongoing monitoring and reviews of the system are required because the business environment and conditions continue to change.

Unfortunately, there are far too many companies where some, or all, of these elements have been lacking and, indeed, some of them have failed because of it, despite having, on paper, good business prospects. Some have grown too fast, and generally outrun the ability of their internal control and risk management mechanisms to cope, others have failed to install proper internal checks and balances and have thus failed to identify the early signs of problems, and yet others have succumbed to the force of personality of dominant board members and controlling shareholders, whose ethical values fall short of market expectations and the public interest. We are all familiar with examples of the type and should learn from them. While good internal controls cannot be a panacea for all corporate problems, they can help to provide a reasonable assurance that a sound business in the hands of decision makers with good sense and judgement will succeed in its objectives.

I hope that it will be obvious to the reader of this guide that it focuses as much on protecting the business and creating an environment where it can thrive and increase shareholder value, as it does on compliance with rules and regulations. Good ethical governance embraces good corporate governance, and an effective system of corporate governance should enable both compliance and performance to be achieved to the reasonable expectation of shareholders and stakeholders. This is why effective internal controls and risk management mechanisms should be
incorporated within a company's normal management and governance processes, and should constitute part of its framework of accountability and regular reporting to shareholders.

In keeping with the Code, the immediate targets of this guide are listed companies and their subsidiaries and, beyond this, other companies in the group. However, I hope that companies that are not (or not yet) listed and other interested parties will also find this guide to be a useful reference.

Edward K.F. Chow
President, and Chairman, Internal Control and Risk Management Guide Task Force
Hong Kong Institute of Certified Public Accountants
June 2005

COMPOSITION OF THE INSTITUTE'S 2005 CORPORATE GOVERNANCE COMMITTEE

Chairman:
- Chew Fook Aun, Kyard Ltd.

Deputy Chairmen:
- Michael K.H. Chan, Lam Soon (Hong Kong) Ltd.
- Richard George, Deloitte Touche Tohmatsu

Members:
- Nicholas Allen, PricewaterhouseCoopers
- David Cheng, HLB Hodgson Impey Cheng
- Gordon W.E. Jones, Companies Registry
- Quinn Y.K. Law, The Wharf (Holdings) Ltd.
- Stephen Lee, KPMG
- Kenneth G. Morrison, Moores Rowland Mazars
- Peter Nixon, Potential Associates Ltd.
- Keith Pogson, Ernst

(ii) help provide a framework/basis that can be used to develop and assess the effectiveness of internal control in a company; and

(iii) reflect sound business practice whereby internal control is embedded in the business and management processes by which a company pursues its objectives.

3.3 The Stock Exchange indicated that in preparing the Code, it had, in
particular, taken into account the principles and guidelines set out in the revised Combined Code on Corporate Governance (“the Combined Code”) issued by the Financial Reporting Council in the United Kingdom (“UK”) in July 2003. The Preamble to the Combined Code makes reference to specific guidance on how to comply with particular parts of the Combined Code. Internal Control: Guidance for Directors on the Combined Code (“the Turnbull Guidance”) [1] is the guidance relevant to the provisions on internal control. In preparing this guide, the Institute has referred to the Turnbull Guidance.

3.4 The Institute considers that the report, Internal Control - Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) in the United States, in 1992, contains a definition of internal control and a conceptual framework that are constructive and relevant. Where appropriate, therefore, this guide adopts the approach outlined in the COSO report.

[1] Internal Control: Guidance for Directors on the Combined Code published by the Institute of Chartered Accountants in England and Wales in the UK in September 1999.

3.5 Boards of listed companies are encouraged to make reference to this guide in:
- assessing how the company has applied Code principle C.2;
- implementing the requirements of Code provision C.2.1; and
- reporting on these matters to shareholders in the Corporate Governance Report.

3.6 Directors are expected to
exercise judgement in reviewing how the company has implemented the requirements of the Code relating to internal control and reporting to shareholders thereon.

3.7 The guidance set out herein in relation to establishing a sound system of internal control and reviewing its effectiveness should be incorporated by the company within its normal management and governance processes, from a corporate governance point of view, as part of the accountability of a company's board and management to shareholders, and should not be treated as a separate exercise undertaken to meet regulatory requirements issued and enforced by a securities market regulator.

4.0 Applicability of the guide

4.1 This guide is aimed primarily at listed companies and their subsidiaries, to which Code provision C.2.1 applies. However, listed companies are very diverse in nature. Internal controls should be tailored to an individual company's own particular characteristics and circumstances, which may depend upon, for example, its industry, size and organisational structure. Accordingly, it is not appropriate to adopt a “one size fits all” approach.

4.2 It is believed that the principles and recommendations contained in this guide will provide a useful reference for most listed companies, although they may need to be adapted according to the circumstances of the company concerned. All companies that are part of a listed group are encouraged to take on board these principles and recommendations, and it is hoped that companies in general that wish to implement or enhance their system of internal control will find this guide to be a useful reference.

4.3 Throughout the guide, where reference is made to “company”, it should be taken, where applicable, as referring to the group of which the reporting company is the parent company. For
groups of companies, the review of the effectiveness of internal control and the report to the shareholders should be from the perspective of the group as a whole, e.g., groups of companies should review the effectiveness of all significant controls at all significant locations.

4.4 Where material joint ventures and associates have not been dealt with as part of the group for the purposes of applying this guidance, companies are encouraged to disclose this. Where they exist, alternative sources of risk management and internal control assurance applied to these entities should also be disclosed.

B. IMPLEMENTING INTERNAL CONTROL AND RISK MANAGEMENT

1.0 Framework and scope of internal control

1.1 There is no simple definition of “internal control”. However, as indicated in paragraph A.3.4 above, where appropriate, this guide adopts the definition and conceptual framework described in the COSO report, which the Institute regards as a useful model. (See also Appendix I).

1.2 The COSO report defines internal control as a process designed to provide reasonable assurance regarding the achievement of objectives in relation to the following:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

1.3 Internal control is fundamental to the successful operation and day-to-day running of a business and it assists the company in achieving its business objectives. As indicated above, the scope of internal control is very broad. It encompasses all controls incorporated into the strategic, governance and management processes, covering the company's entire range of activities and operations, and not just those directly related to financial operations and reporting. Its scope is not confined to those aspects of a business that could broadly be defined as compliance matters, but extends also to the performance aspects of a business. (See Figure 1.)

1.4 Internal controls need to be responsive to the specific nature and needs of the business. Hence, they should seek to reflect sound business practice, remain relevant over time in the continuously evolving business environment and enable the company to respond to the specific needs of the business or industry.

[Figure 1: Internal Control Framework. Labels: Achieving business objectives; Internal Control and Risk Management; Compliance; Performance]

1.5 It is important that control should not be seen as a burden on business but, rather, the means by which business opportunities are maximised and potential losses associated with unwanted events reduced. Furthermore, successful companies should not allow themselves to become complacent or blinded by their own success. There are numerous examples of companies whose success has been jeopardised by a lack of, or deficiencies in, internal controls.

1.6 At the same time, the cost/benefit equation is also relevant to any internal control system. Cost/benefit considerations should be taken into account both in the overall design of the system and in the context of risk identification, assessment and prioritisation.

Function of internal control

1.7 Control is not synonymous with managing and does not constitute everything involved in the management of a company. While it aims to support the achievement of business objectives, and should serve as an early warning system of possible impediments to achieving those objectives, internal control does not, on the other hand, indicate what objectives to set. While it can help to ensure that reliable information
is made available for decision-making, implementation and monitoring, and can facilitate assessment and reporting on the results of actions taken, it does not take the place of the management in making strategic and operational decisions. In addition, decisions about whether to act and what action to take are outside the scope of internal control.

1.8 It follows from the above that there are inherent limitations in control. A sound and well-designed system of internal control reduces, but cannot eliminate, the possibility of poor judgement in decision-making; human error or mistake; control activities and processes being deliberately circumvented by the collusion of employees or others; management overriding controls; and the occurrence of unforeseeable circumstances.

1.9 A sound system of internal control therefore helps to provide reasonable, but not absolute, assurance that a company will avoid being hindered in achieving its business objectives, or in the orderly and legitimate conduct of its business, by circumstances that may reasonably be foreseen. A system of internal control cannot, however, provide protection with certainty against a company failing to meet its business objectives or
against all material errors, losses, fraud, or breaches of laws or regulations.

1.10 As noted in paragraph A.4.1 above, no two companies will, or should, have identical internal control systems. Companies and their control differ by industry, size and organisational structure, and by culture and management philosophy. Therefore, while all companies need each of the components (referred to in paragraph B.2.2 below) to ensure adequate control over their activities, each will have a unique internal control system tailored to meet its own circumstances. The management will have to