With the updated Corporate Governance Code (CG Code) in the Main Board Listing Rules and GEM Listing Rules, having effective and adequate risk management and internal control systems is becoming more important for listed companies in Hong Kong. Valor is here to assist you to provide confirmation to the board on the effectiveness of these systems.
Risk Advisory Services
Overview
Internal Audit Function
The Corporate Governance Code states that an issuer should have an internal audit function. An internal audit function generally carries out the analysis and independent appraisal of the adequacy and effectiveness of the issuer’s risk management and internal control systems.
Internal Control and Risk Management Systems
Valor’s professionals consist of Certified Internal Auditor and CPA who are competent and qualified in providing reasonable assurance on the effectiveness and adequacy of the internal control and risk management systems.
An issuer’s internal control and risk management systems are designed to manage the risk of failure to achieve business objectives, and provide reasonable assurance against material misstatement or loss.
With a view to providing reasonable assurance, we can come to your office from time to time and provide the internal audit function as an external consultant.
Scope of Work of Internal Audit Function
The scope of work of internal audit function usually includes:
• Conduct risk identification, assessment and develop internal audit plan with the management and the board
• Develop internal control framework based on COSO Internal Control – Integrated Framework (2013)
• Develop risk management framework based on COSO ERM Integrated Framework (2017) or any other framework
• Setup internal control and risk management policy with the management
• Conduct financial and operational audits based on the approved audit plan
• Setup risk register, evaluate the risks likelihood/impact and decide on risk responses with the management
• Monitor the significant risks and update the risk status continuously with the management
• Provide analytics and benchmarks to evaluate the risk status of the significant risks
• Assist the board to conduct regular reviews on the issuer’s internal control and risk management systems
• Identity internal control weaknesses and recommend remedies
• Monitor the follow-up actions agreed upon in response to the recommendations
• Provide internal control and risk management related training to the board, the management and the staffs
Internal Control Review
In light of increasing importance on good corporate governance, internal control review can help ensure the implemented internal control system is as effective and adequate as the board intended. The review facilitates identification of internal control deficiencies and recommendation for remedial actions.
Scope of Work of Internal Control Review
Internal Control Review provides an overall assessment on the effectiveness and adequacy of the internal control systems of various business units in an organization to address the relevant risks. Internal control is a process designed to facilitate the achievement of objectives, including effectiveness and efficiency of operations; integrity of financial reporting; compliance with applicable laws and regulations; and prevention of fraud.
Valor’s professionals consist of Certified Internal Auditor and CPA who are competent and qualified in reviewing the internal control system of your company and subsidiaries.
The scope of work of internal control review usually includes the review on the issuer’s implementation of the followings:
• Policies and procedures of various business units
• Entity level control including organizational structure, job descriptions, authorization matrix, code of conduct and etc.;
• Segregation of duties and responsibilities;
• Authorization and approval process;
• Performance review, monitoring and control procedures;
• Safeguarding of assets;
• Completeness, accuracy and exchange of information;
• Manpower management;
• Regulatory compliance; and
• Cost and benefit of control.
Business Units for Internal Control Review
Common business units/cycles for internal control review:
• Revenue, receipt and receivable management
• Purchase/sub-contracting, payment and payable management;
• Bank and cash management;
• Project management;
• Research and development management;
• Investment management;
• Financial reporting and disclosure;
• Compliance management and corporate governance practice;
• Human resource and payroll management;
• Information technology (general controls); and
• Fixed assets management.
During the internal control review process, Valor shall:
• Identify weaknesses (if any) in the selected business units/cycles, whether due to fraud or error;
• Propose recommendations to remedy the weaknesses identified (if any); and
• Report the findings to the board.
Risk Management Review
The Corporate Governance Code requires the board to be responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the issuer’s strategic objectives. The board has to ensure the establishment and maintenance of appropriate and effective risk management system, to oversee the system on an ongoing basis and conduct a review on the effectiveness of the system at least annually.
Risk Management System
An effective risk management system should give an organization a clear view of both internal and external risk factors that the organization is exposed to. The system provides information and resources for the management to define the organization’s risk appetite and risk response so that risks can be mitigated while pursuing the business objectives. The risks identified are documented into a risk register with a risk matrix which evaluates the likelihood and impact of the risks. Risks are commonly classified into 4 categories:
• Strategic Risk
• Operational Risk
• Financial Risk
• Compliance Risk
Valor’s professionals consist of Certified Internal Auditor and CPA who are competent and qualified in reviewing the risk management system of your company and subsidiaries.
Scope of Work of Risk Management Review
The scope of work of risk management review usually includes:
• Review the risk management policy and framework
• Review the risks in the risk register, evaluate the risks likelihood/impact and risk responses with the management.
• Review the monitor the significant risks and update the risk status with the management
• Provide analytics and benchmarks to evaluate the risk status of the significant risks
• Assist the board to conduct regular reviews on the issuer’s risk management system
• Provide risk management training to the board, the management and the staffs