Risk Management and Internal Control
(Extracted from the Corporate Governance Report contained in the Company's 2015/16 Annual Report dated 8 September 2016)
The Board has the overall responsibility for maintaining sound and effective risk management and internal control systems to safeguard the Group’s assets and stakeholders’ interests, as well as for reviewing the effectiveness of the systems. The Board assesses the effectiveness of the risk management and internal control systems through the reviews performed by the Audit and Risk Management Committee, executive management and both internal and external auditors. The Group’s internal control system was developed based on the COSO (the Committee of Sponsoring Organizations of the Treadway Commission) principles as follows:
(i) Control Environment
- demonstrates a commitment to integrity and ethical values
- the Board demonstrates independence from management and exercises oversight of the development and performance of internal control
- management establishes, with Board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
- demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
- holds individuals accountable for their internal control responsibilities in the pursuit of objectives
(ii) Risk Assessment
- specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
- identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
- considers the potential for fraud in assessing risks to the achievement of objectives
- identifies and assesses changes that could significantly impact the system of internal control
(iii) Control Activities
- selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
- selects and develops general control activities over technology to support the achievement of objectives
- deploys control activities through policies that establish what is expected and procedures that put policies into place
(iv) Information and Communication
- obtains or generates and uses relevant, quality information to support the functioning of internal control
- internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
- communicates with external parties regarding matters affecting the functioning of internal control
(v) Monitoring Activities
- selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
- evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the Board, as appropriate
The internal control system aims at safeguarding assets from inappropriate use, maintaining proper accounts and ensuring compliance with regulations. Management is primarily responsible for the design, implementation and maintenance of the internal controls. The system is designed to provide reasonable, but not absolute, assurance against misstatement or loss, and to manage risks of failure in the Group’s operational systems.
The Group’s internal control system includes a well-established organizational structure with clearly defined lines of responsibility and authority. Policies and procedures are laid down for its key business processes and business units covering project development, tendering, sales and leasing, financial reporting, human resources and computer systems.
The Group’s Code of Conduct, freely accessible on the Group’s intranet, is maintained and communicated to all employees for compliance. In addition, a whistleblowing policy was established for our employees to raise concerns in confidence about suspected misconduct, malpractice or fraudulent activities relating to the Group. The identity of the whistleblower will be treated with the strictest confidence.
The Board reviewed the Group’s risk management and internal control systems for the year ended 30 June 2016, including financial, operational and compliance controls. The Board’s review includes considering the internal control evaluations conducted by the Audit and Risk Management Committee, executive management and the internal and external auditors. The annual review also considered the adequacy of resources, staff qualifications and experience, training programs and budget of the Group’s accounting, internal audit and financial reporting functions.
The Group’s Internal Audit Department has been established for more than 20 years and the department has direct access to the Audit and Risk Management Committee. The department has rights to access all records, assets and personnel as stipulated in the Internal Audit Charter. The department follows a risk-based approach to formulate the audit plan. The risks for departments and business units are assessed using the pre-determined risk criteria. The assessment results are consolidated and ranked from an enterprise-wide perspective. The Audit and Risk Management Committee reviews and approves annually the audit plan, which is formulated based on the risk assessment result. Summaries of major audit findings and control weaknesses, if any, are reviewed by the Audit and Risk Management Committee. The department monitors the follow-up actions agreed upon in response to recommendations.