Internal controls

Table: Components of risk management and internal control systems
Component 1 Corporate Culture / Control environment This refers to the issuer’s overall culture of internal controls, i.e. the issuer’s control environment. It is important that throughout the various levels of the issuer’s operation and staff, there is a commitment to integrity, compliance and ethical behaviour. This commitment starts at the board level as the right “tone from the top” is required to achieve buy-in across the organization.	1.	Integrity and Ethical Values – There is a firm commitment to ethical standards and culture of integrity, including through appropriate policies and procedures (whistleblowing policy, code of conduct, etc.).
2.	Independent Board Oversight – The board maintains independence from management and exercises appropriate oversight of the internal control system’s implementation (among others, through the audit committee).
3.	Organizational Structure – There is a defined structure of authority and responsibility to implement operational, reporting, compliance, and business objectives.
4.	Human Resources – Staff recruitment, development and retention is focused on alignment with the issuer’s objectives, in particular in terms of culture, integrity and compliance.
5.	Accountability – There is a system of responsibility and accountability in place that includes regular reviews of staff performance including on compliance metrics related to the internal control systems.
Component 2 Risk Assessment This refers to ongoing risk assessment across all aspects of the issuer’s business. An issuer needs to operate with clear objectives which allow for an ongoing analysis of risks (including fraud risk) to such objectives – this includes identifying and analysing significant change to (among other things) ensure internal controls remain effective.	6.	Identification of Objectives – Establish strategic operational, reporting, and compliance objectives to allow for the identification of potential risks and the impact of such risks to the objectives.
7.	Identification of Risks – Conduct assessment of risks for the issuer’s objectives, and adopt plans for risk management.
8.	Fraud Risks –Consider fraud risks and adopt appropriate steps to manage such risks.
9.	Impact on Internal Controls – Consider the impact of its risk assessment on its internal control systems and make any changes as required.
Component 3 Internal Controls This describes the internal control systems / control activities put in place to respond to the risk assessment and mitigate the identified risks. This includes activities, processes, policies and communications required to establish a strong framework of internal controls and respond adequately to risks.	10.	Internal Controls – The Issuer adopts and implements a system of internal controls (or control activities) to manage and mitigate risks.
11.	Technology – The internal control systems include appropriate controls over technology / IT infrastructure.
12.	Policies / Procedures – The internal control system is supported by appropriate policies and procedures.
Component 4 Information and Communication This requires an issuer to put in place procedures to ensure that the internal control systems are supported by appropriate and up-to-date information and data, and, for such information to be adequately communicated internally and externally (as applicable).	13.	Information and Data – To ensure proper operation of the risk assessment and internal control systems, the issuer deploys accurate, timely, and sufficiently detailed information and/or data (issuers should also critically assess the impact of the use of AI on such processes).
14.	Internal Communication – Relevant information is communicated in a timely and thorough manner to support the effective operation of the internal control systems.
15.	External Communication – Communication designed to support the effective operation of internal control systems should also involve external stakeholders (as required).
Component 5 Monitoring This requires an issuer to continuously monitor the internal control systems and ensure that they remain fit for purpose, and that potential deficiencies are communicated in a timely manner such that and appropriate actions can be taken.	16.	Ongoing Monitoring – Conduct ongoing monitoring and periodic reviews of the internal control systems effectiveness. The monitoring should involve internal and external resources (as appropriate).
17.	Reporting – Results of the ongoing monitoring and review should be reported to management and the board (and other relevant stakeholders) in a timely manner, in particular if deficiencies have been identified and/or changes to the existing systems are required.
Source: The Internal Control—Integrated Framework (ICIF-2013) published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) formed by five global accountancy and auditing organizations. See also the Hong Kong Institute of Certified Public Accountants, Technical Bulletin, Assistance Options to New Applicants and Sponsors in connection with Due Diligence Obligations, including Internal Controls over Financial Reporting (AATB1).

Table: Components of risk management and internal control systems

Components

Principles

Component 1
Corporate Culture / Control environment

This refers to the issuer’s overall culture of internal controls, i.e. the issuer’s control environment.

It is important that throughout the various levels of the issuer’s operation and staff, there is a commitment to integrity, compliance and ethical behaviour. This commitment starts at the board level as the right “tone from the top” is required to achieve buy-in across the organization.

Integrity and Ethical Values – There is a firm commitment to ethical standards and culture of integrity, including through appropriate policies and procedures (whistleblowing policy, code of conduct, etc.).

Independent Board Oversight – The board maintains independence from management and exercises appropriate oversight of the internal control system’s implementation (among others, through the audit committee).

Organizational Structure – There is a defined structure of authority and responsibility to implement operational, reporting, compliance, and business objectives.

Human Resources – Staff recruitment, development and retention is focused on alignment with the issuer’s objectives, in particular in terms of culture, integrity and compliance.

Accountability – There is a system of responsibility and accountability in place that includes regular reviews of staff performance including on compliance metrics related to the internal control systems.

Component 2
Risk Assessment

This refers to ongoing risk assessment across all aspects of the issuer’s business. An issuer needs to operate with clear objectives which allow for an ongoing analysis of risks (including fraud risk) to such objectives – this includes identifying and analysing significant change to (among other things) ensure internal controls remain effective.

Identification of Objectives – Establish strategic operational, reporting, and compliance objectives to allow for the identification of potential risks and the impact of such risks to the objectives.

Identification of Risks – Conduct assessment of risks for the issuer’s objectives, and adopt plans for risk management.

Fraud Risks –Consider fraud risks and adopt appropriate steps to manage such risks.

Impact on Internal Controls – Consider the impact of its risk assessment on its internal control systems and make any changes as required.

Component 3
Internal Controls

This describes the internal control systems / control activities put in place to respond to the risk assessment and mitigate the identified risks. This includes activities, processes, policies and communications required to establish a strong framework of internal controls and respond adequately to risks.

10.

Internal Controls – The Issuer adopts and implements a system of internal controls (or control activities) to manage and mitigate risks.

11.

Technology – The internal control systems include appropriate controls over technology / IT infrastructure.

12.

Policies / Procedures – The internal control system is supported by appropriate policies and procedures.

Component 4
Information and Communication

This requires an issuer to put in place procedures to ensure that the internal control systems are supported by appropriate and up-to-date information and data, and, for such information to be adequately communicated internally and externally (as applicable).

13.

Information and Data – To ensure proper operation of the risk assessment and internal control systems, the issuer deploys accurate, timely, and sufficiently detailed information and/or data (issuers should also critically assess the impact of the use of AI on such processes).

14.

Internal Communication – Relevant information is communicated in a timely and thorough manner to support the effective operation of the internal control systems.

15.

External Communication – Communication designed to support the effective operation of internal control systems should also involve external stakeholders (as required).

Component 5
Monitoring

This requires an issuer to continuously monitor the internal control systems and ensure that they remain fit for purpose, and that potential deficiencies are communicated in a timely manner such that and appropriate actions can be taken.

16.

Ongoing Monitoring – Conduct ongoing monitoring and periodic reviews of the internal control systems effectiveness. The monitoring should involve internal and external resources (as appropriate).

17.

Reporting – Results of the ongoing monitoring and review should be reported to management and the board (and other relevant stakeholders) in a timely manner, in particular if deficiencies have been identified and/or changes to the existing systems are required.

Source: The Internal Control—Integrated Framework (ICIF-2013) published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) formed by five global accountancy and auditing organizations. See also the Hong Kong Institute of Certified Public Accountants, Technical Bulletin, Assistance Options to New Applicants and Sponsors in connection with Due Diligence Obligations, including Internal Controls over Financial Reporting (AATB1).

Table: Scope for annual reviews of the risk management and internal control systems
Component 1 Corporate Culture / Control environment	Assessment of integrity and ethical values across the organization, including: What are the relevant policies and procedures (including on code of conduct, conflict of interest, whistleblowing, handling of complaints); what is the approach to legal and regulatory compliance (including compliance with the Listing Rules and the Corporate Governance Code); how is staff / management remuneration assessed.
Assessment of board independence and performance, including: What is the level of independence, experience and respective roles and responsibilities of board members; is there a process for the declaration of interest; what is the composition of the board committees; whether the terms of reference of the board committees remain appropriate and what is the level of communication between the board and its committees; are directors’ interests being declared.
Assessment of management performance and commitment to internal controls, including: What is the quality of financial reporting (including but not limited to relevance, reliability, comparability and timeliness); what are the operational goals and policies & procedures in pursuit of such goals; is there sufficient attention to and frequency of discussions on governance, risk and internal control related topics.
Assessment of organizational structure, including: What are the relevant legal entities, business units, etc. and their responsibilities; how do the reporting lines (in particular between management and business units) work.
Assessment of financial reporting competencies, including: What is the level of staffing and is the experience and qualification of staff members adequate, in particular in relation to governance / financial reporting; what is the level of training.
Assessment of responsibilities and delegation, including: What are the relevant roles and responsibilities, level of authority, assignment of authority and delegation, relevant policies and procedures (including on override of authority).
Assessment of human resources performance, including: What policies and procedures are in place, what is their practical implementation in relation to recruitment, training, performance evaluation, promotion, compensation, termination.
Assessment of legal / regulatory compliance, including: What is the level of compliance with (i) (financial) reporting requirements, (ii) laws and regulations (including Listing Rule compliance), and what are the internal control systems in place to procure such compliance, and monitor and report potential deficiencies.
Component 2 Risk Assessment	Assessment of objectives, including: Are there clear objectives in terms of the issuer’s operations / business, financial reporting and regulatory / legal compliance.
Assessment of risk assessment and management procedures, including: What are the processes in place for risk assessment and management; regulatory and legal compliance; fraud identification and prevention; is there an ongoing monitoring of the operating environment and potential risks; are there (business) contingency plans; are financial reporting risks assessed.
Component 3 Internal Controls	Detailed assessment of internal controls in place, including: Analysis of policies and procedures, relevant roles and responsibilities, segregation of duties, record keeping and an assessment of compliance with laws / regulations across all aspects of the issuer’s operation, such as: Sales, accounts receivable and collection; Procurement, accounts payable and payment; Inventory management, including logistics; Production and costing; Human resources and payroll; Fixed assets; Cash and treasury management; Insurance; Financial reporting and disclosure controls; Taxes; and IT system (general and application) controls.
Component 4 Information and Communication	Assessment of use of information and existing level of communication in relation to: Corporate planning, budgeting, forecasting; Reporting from and to management (including without limitation monthly updates to the board as required by the CG Code); Internal communication, including policies / procedures for monitoring and detecting confidential / sensitive information, possible conflicts, notifiable / connected transactions (Chapters 14 and 14A of Listing Rules), other legal or regulatory exposure; External communication, including policies / procedures on communication with external parties, distribution of annual/ interim reports and publication of results announcements (including pursuant to Listing Rules 13.46, 13.48 and 13.49), handling of inside information and leakage of sensitive information (including pursuant to Listing Rule 13.09 and Part XIVA of the Securities and Futures Ordinance (Cap. 571 of the Laws of Hong Kong)), regulatory enquiries (including pursuant to Listing Rule 13.10); Level of confidentiality applied to communication and dissemination of (sensitive) information; Level of data protection across the organization, including against cyber threats and data theft, and compliance with applicable personal data laws.
Component 5 Monitoring	Assessment of monitoring functions, policies and procedures, including: Board / management level monitoring; Internal audit (or other function) monitoring, including: Role / responsibility of monitoring function; Interaction with external auditor / providers; Evaluation and mitigation of deficiencies; Escalation / reporting to management / board; Implementation of internal controls / policies. Channels for reporting / whistleblowing; Management letter and internal control findings communicated by external auditor and/or service providers; Level of monitoring of legal / regulatory compliance.
Source: The Internal Control—Integrated Framework (ICIF-2013) published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) formed by five global accountancy and auditing organizations. See also the Hong Kong Institute of Certified Public Accountants, Technical Bulletin, Assistance Options to New Applicants and Sponsors in connection with Due Diligence Obligations, including Internal Controls over Financial Reporting (AATB1).

Table: Scope for annual reviews of the risk management and internal control systems

Components

Scope for Annual Review

Component 1
Corporate Culture / Control environment

Assessment of integrity and ethical values across the organization, including:

What are the relevant policies and procedures (including on code of conduct, conflict of interest, whistleblowing, handling of complaints); what is the approach to legal and regulatory compliance (including compliance with the Listing Rules and the Corporate Governance Code); how is staff / management remuneration assessed.

Assessment of board independence and performance, including:

What is the level of independence, experience and respective roles and responsibilities of board members; is there a process for the declaration of interest; what is the composition of the board committees; whether the terms of reference of the board committees remain appropriate and what is the level of communication between the board and its committees; are directors’ interests being declared.

Assessment of management performance and commitment to internal controls, including:

What is the quality of financial reporting (including but not limited to relevance, reliability, comparability and timeliness); what are the operational goals and policies & procedures in pursuit of such goals; is there sufficient attention to and frequency of discussions on governance, risk and internal control related topics.

Assessment of organizational structure, including:

What are the relevant legal entities, business units, etc. and their responsibilities; how do the reporting lines (in particular between management and business units) work.

Assessment of financial reporting competencies, including:

What is the level of staffing and is the experience and qualification of staff members adequate, in particular in relation to governance / financial reporting; what is the level of training.

Assessment of responsibilities and delegation, including:

What are the relevant roles and responsibilities, level of authority, assignment of authority and delegation, relevant policies and procedures (including on override of authority).

Assessment of human resources performance, including:

What policies and procedures are in place, what is their practical implementation in relation to recruitment, training, performance evaluation, promotion, compensation, termination.

Assessment of legal / regulatory compliance, including:

What is the level of compliance with (i) (financial) reporting requirements, (ii) laws and regulations (including Listing Rule compliance), and what are the internal control systems in place to procure such compliance, and monitor and report potential deficiencies.

Component 2
Risk Assessment

Assessment of objectives, including:

Are there clear objectives in terms of the issuer’s operations / business, financial reporting and regulatory / legal compliance.

Assessment of risk assessment and management procedures, including:

What are the processes in place for risk assessment and management; regulatory and legal compliance; fraud identification and prevention; is there an ongoing monitoring of the operating environment and potential risks; are there (business) contingency plans; are financial reporting risks assessed.

Component 3
Internal Controls

Detailed assessment of internal controls in place, including:

Analysis of policies and procedures, relevant roles and responsibilities, segregation of duties, record keeping and an assessment of compliance with laws / regulations across all aspects of the issuer’s operation, such as:

Sales, accounts receivable and collection;
Procurement, accounts payable and payment;
Inventory management, including logistics;
Production and costing;
Human resources and payroll;
Fixed assets;
Cash and treasury management;
Insurance;
Financial reporting and disclosure controls;
Taxes; and
IT system (general and application) controls.

Component 4
Information and Communication

Assessment of use of information and existing level of communication in relation to:

Corporate planning, budgeting, forecasting;
Reporting from and to management (including without limitation monthly updates to the board as required by the CG Code);
Internal communication, including policies / procedures for monitoring and detecting confidential / sensitive information, possible conflicts, notifiable / connected transactions (Chapters 14 and 14A of Listing Rules), other legal or regulatory exposure;
External communication, including policies / procedures on communication with external parties, distribution of annual/ interim reports and publication of results announcements (including pursuant to Listing Rules 13.46, 13.48 and 13.49), handling of inside information and leakage of sensitive information (including pursuant to Listing Rule 13.09 and Part XIVA of the Securities and Futures Ordinance (Cap. 571 of the Laws of Hong Kong)), regulatory enquiries (including pursuant to Listing Rule 13.10);
Level of confidentiality applied to communication and dissemination of (sensitive) information;
Level of data protection across the organization, including against cyber threats and data theft, and compliance with applicable personal data laws.

Component 5
Monitoring

Assessment of monitoring functions, policies and procedures, including:

Board / management level monitoring;
Internal audit (or other function) monitoring, including:
- Role / responsibility of monitoring function;
- Interaction with external auditor / providers;
- Evaluation and mitigation of deficiencies;
- Escalation / reporting to management / board;
- Implementation of internal controls / policies.
Channels for reporting / whistleblowing;
Management letter and internal control findings communicated by external auditor and/or service providers;
Level of monitoring of legal / regulatory compliance.

Internal Controls

Components of risk management and internal control systems

While there is no “one-size-fits-all” approach to designing an effective and appropriate system of risk management and internal controls, international bodies have developed a framework setting out components that should be covered by an issuer’s internal controls. When designing their risk management and internal control systems, issuers can consider and apply these components in accordance with their unique risk profile and circumstances.

Table: Components of risk management and internal control systems

Monitoring and review of internal control systems

The board is responsible for putting in place a proper process and procedures to govern the ongoing monitoring and the periodic reviews of the issuer’s risk management and internal control systems.
The board may delegate the monitoring and control activities to board committees, management, and internal and external functions. The board should, however, maintain oversight and apply independent and professional judgment on any reports it receives on the effectiveness of the risk management and internal control systems. The board should also consider whether the issuer in its particular circumstances may benefit from the engagement of independent third parties (such as external auditors or consultants) to facilitate the ongoing monitoring or the periodic reviews.
The Corporate Governance Code requires that issuers conduct reviews of the risk management and internal control systems’ effectiveness at least annually. The board should assess the frequency and scope (e.g. whole or parts of the systems) of the review, taking into account the particular situation of the issuer. For example, more frequent reviews may be appropriate where significant control failings and weaknesses were identified in prior reviews, and review intervals of one year may be too long for assessing the effectiveness of the adopted remedial measures.
The board should plan how the review should be conducted and how relevant work will be distributed among the issuer’s management and internal departments and external providers. The board is also responsible for ensuring that the review process is adequately resourced. It is important to document and keep a record of the steps taken, and the outcome of the review of the risk management and internal control systems’ effectiveness (including any assurance that the board has received).

Scope for annual reviews

Practical considerations for disclosure on risk management and internal controls