The Exchange Consults on Internal Controls Section of the Corporate Governance Code
The Stock Exchange of Hong Kong Limited (the Exchange) has published a consultation paper (Consultation Paper) (see archive) on proposed changes to the internal controls section of the Corporate Governance Code and Corporate Governance Report (Code) (Appendix 14 of the Main Board Rules and Appendix 15 of the GEM Rules).
In line with developments in other jurisdictions, the Exchange considers that the internal controls section of the Code should place greater emphasis on risk management. It also proposes to amend the Code to delineate the roles and responsibilities of an issuer’s board, management and internal audit function in relation to its risk management and internal control systems, and specify the minimum disclosures required in the Corporate Governance Report.
Against this background, the proposals set out in the Consultation Paper are intended to:
Emphasise that internal controls are an integrated part of risk management;
Enhance accountability of the board by clearly defining its roles and responsibilities in risk management and internal controls;
Improve transparency of the issuer’s risk management and internal controls by upgrading the recommendation for issuers to disclose their policies, process, and details of the annual review; and
Strengthen oversight of the risk management and internal control systems by upgrading the recommendation for issuers to have an internal audit function.
The proposals set out in the Consultation Paper cover the following areas:
A. Risk management and internal control
B. Responsibilities of the board and management
C. Annual review and disclosure in the Corporate Governance Report
D. Internal audit
E. Audit Committee’s role
A. Risk management and internal control
In order to emphasise that internal control is an integrated part of risk management, the Exchange proposes to amend the title of Section C.2 “Internal Control” of the Code to “Risk Management and Internal Control”.
B. Responsibilities of the board and management
Currently, Principle C.2 states that the board should ensure that the issuer maintains sound and effective internal controls to safeguard shareholders’ investment and the issuer’s assets. The Exchange is of the view that the Principle does not give sufficient weight to risks and risk management in relation to internal control. Nor does it emphasise that the board and management of an issuer have important roles to play in respect of an issuer’s risk management and internal control systems.
In order to clearly delineate the respective responsibilities of the various bodies within an issuer, the Exchange proposes to amend Principle C.2 in the following ways:
to state that the board is responsible for evaluating the risks it is willing to take in achieving the issuer’s objectives and ensuring the establishment and maintenance of effective risk management and internal control systems;
to state that the management is responsible for designing, implementing and monitoring the risk management and internal control systems. The management should also provide assurance to the board on the effectiveness of the systems;
to remove from the Principle the wording “to safeguard shareholders’ investment and the issuer’s assets” since the Exchange considers this to be too narrow in scope; and
to introduce a new Recommended Best Practice (RBP) to state that the board may disclose in the Corporate Governance Report that it has received assurance from management on the effectiveness of the issuer’s risk management and internal control systems.
C. Annual review and disclosure in the Corporate Governance Report
In order to highlight the importance of the provision and focus issuers’ attention on the risk management and internal control matters they should consider in their annual reviews, the Exchange proposes to upgrade the current RBP C.2.3 to a Code Provision. RBP C.2.3 states that the annual review of the board of an issuer should consider:
The changes since the last annual review in the nature and extent of significant risks;
The scope and quality of management’s ongoing monitoring of risks and the internal control systems, and where applicable, the work of the internal audit function;
The extent and frequency of communication of monitoring results to the board;
Significant control failings or weaknesses that have been identified during the period; and
The effectiveness of the issuer’s processes for financial reporting and Listing Rule compliance.
In order to encourage more substantive and meaningful disclosure of issuers’ risk management and internal control systems and the substance of the annual reviews, the Exchange proposes to upgrade RBP C.2.4 to a Code Provision.
Currently, RBP C.2.4 states that issuers should disclose, in the Corporate Governance Report, a narrative statement on how they have complied with the internal control code provisions during the reporting period. It also sets out the particular disclosures that issuers should make, including:
the process used to identify, evaluate and manage significant risks;
additional information to explain the main features of the risk management and internal control systems;
an acknowledgement by the board that it is responsible for the internal control system and reviewing its effectiveness;
the process used to review the effectiveness of the internal control system; and
the process used to resolve material internal control defects.
The Exchange further proposes to amend the wording of proposed CP C.2.4 to incorporate risk management where appropriate, to simplify the requirements and remove ambiguous language, and to make clear that the risk management and internal control systems are designed to manage rather than eliminate risks.
Recommended disclosures under Paragraph S of the Code
The Exchange proposes to upgrade the existing recommendation under paragraph (a)(ii) of Section S, amend it to include the handling of “other regulatory compliance risks”, and include it under the proposed CP C.2.4. Currently, under the provision, issuers are recommended to disclose their procedures and internal controls for handling and disseminating inside information.
Further, most of the existing Recommended Disclosures in relation to internal controls under Section S are proposed to be upgraded to Mandatory Disclosures, with the title of the section amended to incorporate “risk management”. In summary, this will mandatorily require issuers to disclose:
whether they have an internal audit function;
how often the risk management and internal control systems are reviewed, the period covered, and where an issuer has not conducted a review during the year, an explanation why not;
a statement that a review of the effectiveness of the risk management and internal control systems has been conducted and whether the issuer considers them effective and adequate; and
significant views or proposals put forward by the audit committee.
The existing recommendation under paragraph (a)(ix) recommends that issuers disclose details of any significant areas of concern. This recommendation is proposed to be moved to a new RBP C.2.7. The wording of this provision is proposed to be amended to widen its application so that it no longer restricts disclosure to significant areas of concern “which may affect shareholders”.
In order to emphasise the responsibility of the board for overseeing an issuer’s risk management and internal control systems and that this responsibility is not discharged by a one-off annual review, the Exchange proposes to amend the existing CP C.2.1 to add that the board should oversee the issuer’s risk management and internal control systems on an ongoing basis.
CP C.2.1 is also proposed to be amended to state that the board, rather than the directors, is responsible for overseeing the issuer’s risk management and internal control systems. This is to reiterate the existing policy that the board remains collectively responsible.
Removal of several recommendations
The following Recommended Disclosures or RBPs are proposed to be removed on the basis that they seem obvious, redundant and oddly misplaced:
RBP C.2.5: Issuers should ensure their disclosures provide meaningful information and do not give a misleading impression;
Section S paragraph (a)(i): Issuers are recommended to disclose an explanation of how the internal control system has been defined for the issuer; and
Section S paragraph (a)(vii): Issuers are recommended to disclose the directors’ criteria for assessing the effectiveness of the internal control system.
D. Internal audit
The Exchange proposes to upgrade RBP C.2.6 to a Code Provision and amend it to state that issuers should have an internal audit function, and those without an internal audit function should review the need for one on an annual basis and disclose the reasons for the absence of such function in the Corporate Governance Report. This is to emphasise the importance of the internal audit function as the “third line of defence”.
The Exchange notes in the Consultation Paper that it is common for issuers to engage external service providers to perform the internal audit function. The Exchange considers that issuers may comply with the proposed CP either by way of an in-house internal audit function or an outsourced one.
New notes to this provision are proposed to clarify that:
the role of the internal audit function is to carry out the analysis and independent appraisal of the adequacy and effectiveness of an issuer’s risk management and internal control systems; and
a group with multiple listed issuers may share group resources of the holding company to carry out the internal audit function for members of the group.
The Exchange also proposes to amend the existing CP C.2.2 to state that the board’s annual review should ensure the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer’s internal audit function, in addition to its accounting and financial reporting functions.
E. Audit Committee’s role
The Exchange proposes to amend the audit committee Principle C.3 and CP C.3.3 to incorporate risk management, where appropriate. At the same time, the Exchange does not propose to amend the Code to provide for the establishment of a separate board risk committee.
The purpose of this proposal is to ensure consistency throughout the internal controls and audit committee sections of the Code. Also, while a separate board risk committee could be an effective way to focus issuers on risk management and internal control matters, the Exchange recognises that this should be a matter left to issuers to decide as establishing another board committee may be a strain on resources for some issuers.