Conquering the Corporate Governance Code – How Well Are Hong Kong Listed Companies Addressing New Requirements?

December 2017

Conquering the Corporate Governance Code – How well are Hong Kong listed companies addressing new requirements?

www.pwchk.com Key messages

• Corporates have strengthened their risk management (RM) and internal control (IC) measures, and most of the listed companies we reviewed have complied with the disclosure requirements of the revised Hong Kong Corporate Governance Code issued by the Hong Kong Stock Exchange. Nevertheless, companies still need to put greater effort into improving reporting to the Board of directors and the effectiveness of their internal audit (IA) functions. • Companies emphasise more on RM and IC in response to different kinds of disruption. About 78% of companies analysed disclosed their process used to identify, evaluate and manage significant risks, which represents an increase of 33% from last year. However, only 50% depicted the main features of both the RM and IC systems. Management of listed companies should examine their current RM and IC systems, and clearly identify and disclose the main features of the systems. • 97% of companies analysed disclosed that they had an IA function. However, only 36% provided details of the review of IA functions – including adequacy of resources, staff qualifications and experience, training programmes and budget of the IA function. Listed companies should regularly assess the effectiveness of their IA function. • While 92% of companies analysed disclosed that they conducted an annual review of the RM and IC systems, only 54% provided details of the process used to review the effectiveness of systems and to resolve material IC deficiencies. The Board should assess the robustness of their annual review mechanism to ensure that they have conducted the review properly and sufficiently, and to address any IC defects in a timely manner. • Using control self-assessment (CSA) as a tool to identify and assess the level of risks and effectiveness of controls is getting more popular. Nearly half of the companies analysed, with a 12% increase from last year, disclosed that they adopted a CSA approach to assess internal control, reinforce control ownership and raise awareness among operation managers. Table of Contents

1 Introduction 2 Executive Summary 3 Background 4 Methodology 5 Market Trends 5 Risk management and internal control 9 Internal audit 11 Annual review of risk management and internal control systems 14 The Roadmap Forward 15 Appendix 1: Extract of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules) 18 Appendix 2: List of companies included in the analysis (by category) 18 Hang Seng Index 19 Hang Seng China Enterprises Index 19 Financial services 20 Real estate 20 Retail 21 Technology 22 Appendix 3: Areas of Focus of Our Study Introduction

The Hong Kong Stock Exchange has revised the Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Main Board Listing Rules), which requires Hong Kong listed companies to enhance their standard of corporate governance and make relevant statements / disclosures in their annual reports. The amendments of the Corporate Governance Code (CG Code) have become effective for issuers’ accounting periods beginning on or after 1 January 2016.

In 2016, PwC Hong Kong (PwC) conducted a comprehensive study, Cracking the Corporate Governance Code – How ready are Hong Kong listed companies in meeting new requirements? to assess the readiness of listed companies in responding to the new requirements of the revised CG Code in the areas of risk management and internal control. Please refer to https://goo.gl/MCkonh for details.

In 2017, we have carried out a second wave of the Study, Conquering the Corporate Governance Code – How well are Hong Kong listed companies addressing new requirements? This analysis followed a similar approach to that adopted in our 2016 analysis – we have included companies from the broader Hang Seng Index, the Hang Seng China Enterprises Index, as well as across four industries (i.e. financial services, real estate, retail and technology).

This new Study had two main goals. First, to provide directors, executives and managers with a thorough analysis on how well listed companies are responding to the new requirements of the revised CG Code, and to give insights into the prevalence level of adopting risk management and internal control practices in the market. Second, the Study was designed to help companies look for further opportunities to review their corporate governance structure; enhance management accountability; strengthen RM and IC systems; transform the internal audit function and assess its effectiveness; and improve business performance and efficiency. With our substantial experience in helping companies navigate new requirements of the Listing Rules including the CG Code, we have seen successful examples of how companies have used this exercise to help themselves better manage different stakeholders’ expectations.

Embracing good corporate governance is a continuous process and it can improve investor relations; protect shareholders’ interests; and increase a company’s competitiveness. Eventually, it is a performance matter instead of a compliance issue.

Sincerely, PwC Corporate Governance Partners and Team

1 Executive Summary

In an increasingly challenging business C. Annual review of RM & IC systems environment, having a robust risk While 92% of companies in the Study management (RM) and internal control disclosed that they conducted an (IC) system has become more essential annual review of the RM and IC when responding to disruptions, such as systems, only 54% provided details of cyber-attacks and financial crimes. In the process used to review the systems’ general, listed companies have become effectiveness and to resolve material IC more proactive in meeting the tightened deficiencies. RM and IC requirements of the Corporate Governance Code (CG Code). In addition, nearly half of the companies analysed, with a 12% To understand the extent of Hong Kong increase from last year, disclosed that listed companies’ adoption of new CG they adopted a control self-assessment Code requirements, PwC has conducted approach to assess internal controls a second consecutive study on the and reinforce control ownership and Corporate Governance reports (CG raise awareness among operation reports) of 223 companies in the Hang managers. However, only 31% of the Seng Index and Hang Seng Chinese companies disclosed that they had Enterprises Index, as well as in four received management confirmation on sectors: financial services, real estate, the RM and IC systems effectiveness. retail and technology. Based on the findings in this Study, some The main findings of this Study are recommendations are listed below for described in the following three listed companies to consider: categories: • Management of listed companies A. Risk management and internal should examine their RM and IC control systems and clearly identify and disclose the main features of the RM A majority of Hong Kong listed and IC systems. companies analysed (78%) disclosed the process used to identify, evaluate • Listed companies should review their and manage significant risks. IA function, particularly focusing on However, only half of them disclosed the adequacy of resources, staff the main features of the RM and IC qualifications and experience, training systems, whereas 37% did not programmes and budget of the IA provide disclosure of the main function. features of both the RM and IC • The Board should consider increasing systems. Also, companies with the transparency of the process used to disclosures on procedures and review the RM & IC systems internal controls for handling and effectiveness and to resolve material IC dissemination of inside information deficiencies, and ensure such disclosure increased significantly from 43% (in is properly made in the CG report. 2016) to 87% in our 2017 Study. • Companies should understand if there B. Internal audit (IA) function are any gaps or improvement areas in Overall, 97% of the companies in this fulfilling the RM & IC disclosure Study disclosed they had an IA requirements of the CG Code. For function, while only 36% disclosed example, if control self-assessments are information regarding their review of not currently used, management could the adequacy of resources, staff use this approach to help assess qualifications and experience, controls underlying key business training programmes and budget of processes, and to assist management in the IA function. providing confirmation to the Board on the systems effectiveness. 2 Background

The Hong Kong Stock Exchange published its consultation conclusions on risk management and internal control on 19 December 2014, and subsequently issued amendments to the Corporate Governance Code and Corporate Governance Report1 (the Code). The main objective of the revisions was to improve the standard of corporate governance among listed companies in Hong Kong.

The revisions to the Code made five key changes: • Incorporating risk management into the Code where appropriate; • Revising Principle C.2 to define the roles and responsibilities of the Board and management; • Clarifying that the Board has an ongoing responsibility to oversee the issuer’s risk management and internal control systems; • Upgrading to Code Provisions the recommendations in relation to the annual review and disclosures in the corporate governance report; and • Upgrading to a Code Provision the recommendation that issuers should have an internal audit function, and those without to review the need for one on an annual basis.

In 2016, PwC performed a comprehensive study, Cracking the Corporate Governance Code – How ready are Hong Kong listed companies in meeting new requirements? to assess the readiness of listed companies in responding to the revised Tips risk management and internal control requirements of the The principle underlying the Code Provisions under Section C.2 is to note that revised Corporate Governance Code. the Board is responsible for evaluating and determining the nature and extent of the risks In 2017, we have conducted a second wave of the Study, it is willing to take in achieving the issuer’s Conquering the Corporate Governance Code – How well are strategic objectives, and ensuring that the issuer Hong Kong listed companies addressing new requirements? establishes and maintains appropriate and effective RM and IC systems. The Board should oversee management in that analyses the current disclosure practices of the revised the design, implementation and monitoring of the RM and Code Provisions and Recommended Best Practices in IC systems, and management should provide a confirmation relation to risk management and internal control to assess to the Board on the effectiveness of these systems. the readiness of the 43 Hang Seng Index2 companies, 40

Source: Hang Seng Chinese Enterprises Index entities and 140 Corporate Governance Code and Corporate Governance Report- companies in four different industry sectors in complying What are the changes?, PwC Hong Kong, May 2015 with the new requirements. Please refer to Appendix 1 for https://goo.gl/tFMkMI details of Code Provisions, Recommended Best Practices and mandatory disclosure requirements.

1 https://goo.gl/tHJA4u 2 There are 50 companies in the HSI, but only 43 corporate reports were publicly available when we 3 conducted this Study. Methodology

The Corporate Governance Code (CG Code) sets out a • The Hang Seng Index (HSI): PwC examined the available number of principles including Code Provisions and CG reports from all 43 constituent companies of the HSI. Recommended Best Practices. Issuers are required to state HSI is one of the oldest stock market indices in Hong whether they have complied with the Code Provisions for Kong. Publicly launched on 24 November 1969, the HSI the relevant accounting period in their annual financial has become the most widely quoted indicator of the reports and interim reports. Where the issuer deviates from performance of the Hong Kong stock market and is used a code provision, the issuer must give considered reasons. for developing numerous market measures to help The Recommended Best Practices are for guidance only. investors make their investment decisions. It represents a broad cross-section of publicly-listed companies in Hong In order to understand how listed companies of different Kong. industries are responding to the CG Code changes, PwC • The Hang Seng China Enterprises Index (HSCEI): PwC conducted another comprehensive analysis of corporate examined CG reports from all 40 constituent companies governance reports (CG reports) of companies in the of the HSCEI. The HSCEI was launched one year after the following categories by stock index and industry (See first H-share company was listed on the Stock Exchange Appendix 2 for a full listing of the companies included in the of Hong Kong. It tracks the performance of large 2017 analysis by index/industry). A full list of the questions Mainland China enterprises listed in Hong Kong in the used in this Study can be found in Appendix 3. Please note form of H-shares3. that this Study is conducted solely based on what we can observe, which may not reflect the actual situation of • PwC also selected key companies from four sectors to individual companies in real life. analyse: financial services (40 companies), real estate (40 companies), retail (30 companies) and technology (30 The objective of this Study is to determine the companies’ companies). The largest companies were selected for level of compliance with the revised CG Code from 1 inclusion in this analysis, determined by the size of the January 2016, based on the relevant disclosure in CG overall market capitalisation with an accounting period reports. that ended at or before 31 March 2017.

Graph 1: Company coverage of PwC study of risk management and internal control disclosure in corporate governance reports

Total

* There are 50 companies in the HSI, but only 43 CG reports were available when we conducted this Study.

3 H-Share is a share of a company incorporated in Mainland China that is listed on the Hong Kong Stock Exchange or other foreign exchanges. H-shares are still regulated by Chinese law, but they are denominated in Hong Kong dollars and traded in the same way as other equities on the Hong Kong Stock Exchange. 4 Market Trends

From our review of the risk management and internal 78% of analysed companies disclosed their control disclosures in over 220 corporate governance process used to identify, evaluate and manage reports (CG reports), some key market trends are identified significant risks, with an increase of 33 % from and categorised into the following three areas: our Study last year. • Risk management and internal control PwC’s 2017 Study found that 78% of analysed companies • Internal audit function disclosed the process used to identify, evaluate and manage • Annual review of risk management and internal significant risks. There is a 33% increase from our prior year control systems Study. Among indices, Hang Seng Index (HSI) companies continued to stay ahead of the curve: 84% of HSI companies Risk management (RM) and internal disclosed their risk management practices, while only 80% of The Hang Seng China Enterprises Index (HSCEI) control (IC) companies did, which represents 20% and 57% increases The latest CG Code puts a new emphasis on risk from prior year respectively. From an industry perspective, management. Listed companies are required to develop a greater variance was observed in disclosure rates: processes to identify, evaluate and manage significant risks, financial services companies (90%) continued to top the list, and determine main features of RM and IC systems. Some followed by real estate (78%), technology (73%) and retail companies have already been using CG reports as a public (67%) companies, with a significant increase of making platform to detail what type of risk management processes such disclosure varying from 20% (for real estate) to 54% are currently in place; to provide a description of the key (for retail) from last year. risks they face; and to include mitigation measures they use to address these risks. Boards are also given an important Financial services companies are typically exposed to a responsibility — they need to oversee management in the wider spectrum of risks, such as credit risks and market design, implementation and monitoring of the RM and IC risks, and usually they have a designated risk management systems, and ensure that effective systems are established department. Accordingly, the identification, evaluation and and maintained. management of risks would be expected to be more robust than other industries and therefore better disclosure. On the other hand, for real estate entities, housing markets (in both Hong Kong and Mainland China) boomed with rapid, record-breaking sales and price growth in 2016. The tightening of government policies in the property markets gave real estate companies an opportunity to reflect on the importance of setting up a process to identify, evaluate and manage significant risks.

Tips COSO’s Fundamental Principle: “Good risk management and internal control are necessary for long term success of all organisations.”

The new COSO 2017 ERM Focused Framework – Enterprise Risk Management (ERM) – Integrating with Strategy and Performance “clarifies the importance of ERM in strategic planning and embedding it throughout an organisation, because risk influences and aligns strategy and performance across all departments and functions.”

Source: References: Enterprise Risk Management Integrating with Strategy and Performance • The top changes to the COSO ERM Framework you need to know now, (2017), The Committee of Sponsoring Organizations of the Treadway PwC Risk Insights blog, 2017 Commission, 2017 https://goo.gl/huv2ix https://goo.gl/JirUWw • Risk in Review 2017 – Going the Distance, PwC, 2017 https://goo.gl/EaFnVu https://goo.gl/JuBD56 • What you need to know about the new COSO ERM Framework, PwC Global Risk podcast series Episode 1, PwC, 2017 https://goo.gl/UeXd59

5 Only half of the analysed companies disclosed main features of both the internal control and risk management systems, while 37% of the companies did not make such disclosure at all.

PwC’s 2017 Study revealed that 50% of the analysed companies provided disclosure on main features of both IC and RM systems, while 37% of the companies did not provide disclosure regarding the main features of the two systems at all. It indicates that quite a large portion of listed companies might have overlooked this Code Provision requirement.

67% HSI entities disclosed main features of both systems, while only 35% HSCEI companies did it. From an industry perspective, 63% of the technology companies provided disclosure of main features of both the IC and RM systems and 27% of them did not provide such disclosure. Technology is a fast growing industry, and companies are facing emerging risks and disruptive challenges, so technology companies, including start-ups are beginning to realise the importance of internal control and risk management. Both real estate companies (52%) and financial services companies (58%) were above average in Area of focus: Did the issuer disclose the process used to making such disclosure. Yet, 33% of real estate companies identify, evaluate and manage significant risks in its CG report? and 20% of the financial services companies did not disclose it respectively. Retail companies lagged behind significantly Graph 2: Results of disclosure of process used to identify, as only 17% of them disclosed the main features of the evaluate and manage significant risks systems, and 77% of them did not make such disclosure at all.

2016 2015 78% 45% +33% Area of focus: Did the issuer disclose main features of the IC 84% 64% +20% 80% 23% +57% and RM systems in the CG report? 78% 58% +20% 67% 13% +54% 73% 33% +40% Graph 3: Disclosure of main features of the RM and IC 90% 63% +27% systems

Overall 50 2 11 37

HSI 67 2 12 19

HSCEI 35 3 22 40

Real 52 3 12 33 estate

Retail 17 6 77 Overall Retail Technology 63 10 27 HSI Technology Financial HSCEI Financial services 58 3 19 20 services Real estate Disclosure on both RM and IC systems Disclosure on IC only Disclosure on RM only No disclosure

6 Majority of the companies analysed provided 58% of the analysed companies provided description of key risks and mitigation measures. disclosure of the risk management measures of the key risks, while financial services entities When examining if companies described their key risks outperformed it than other industries. and/or disclosed how those risks were measured, large variances were noted among the analysed companies. PwC’s Study indicated that 58% of analysed companies disclosed risk management measures in their CG reports, This year’s Study revealed that 77% of analysed companies with a 26% increase from last year. Again, HSCEI described their key risks in the CG report, compared to 39% companies (75%) surpassed HSI companies (65%) on in the prior year (PY), which represents a 38% increase making such disclosure, with a respective increases of 35% year-on-year. Although HSI companies were above the and 21% form prior year. Given more rigorous risk average with nearly 60% of companies describing key risks, management requirements, financial services companies and only 25% of HSCEI companies offered such description continued to outperform the other 3 industries, with 95% of in their CG reports in 2015, HSCEI companies (95%) the companies having disclosed mitigation measures to surpassed HSI companies (79%) in their disclosures in address key risks (PY: 80%). The industry with the second 2016, which significantly narrows the gap between the two highest disclosure rate is retail. Its disclosure rate increased indices. On an industry basis, financial services led the from 3% in 2015 to 57% in 2016, representing a significant sectors, with 100% of the analysed companies describing year-on-year increase of 54%. Meanwhile, real estate (45%) key risks (PY: 70%), followed by 83% of retail companies and technology (37%) companies continued to lag behind. (PY: 20%), 70% of real estate companies (PY: 50%), and only 50% of technology companies (PY: 10%) provided such Overall, financial services outperformed other industries in details in their CG reports. Risks continued to be a major disclosing risk management practices. Risk management is focus for financial services companies. With tighter essential and form part of the financial services business in regulations such as Basel III, financial services companies providing financial products and services. Given its business are likely to be more transparent in describing the key risks. nature, which often involves providing credit and financing to customers, poor risk management would result in direct Area of focus: Is there any description of key risks disclosed in financial losses to financial institutions. Furthermore, the issuer’s corporate governance report? various regulators such as the Hong Kong Monetary Authority (HKMA) and Securities and Futures Commission Graph 4: Description of the key risks (SFC) of Hong Kong impose vast regulatory requirements in regards to identifying, monitoring and reporting key risks. Financial 100 Failure to comply may result in regulatory breaches with services 70 undesirable consequences. 50 Technology 10 Area of focus: Did the issuer disclose its risk management 83 measures of the key risks? Retail 20

Real 70 Graph 5: Disclosure of the risk management measures of the 50 estate key risks HSCEI 95 25 Financial 95 HSI 79 60 services 80 37 77 Technology Overall 10 39 57 Retail 3 2016 2015 Real 45 estate 23

HSCEI 75 40

HSI 65 44 58 Overall 32

2016 2015

7 87% of companies analysed disclosed procedures Questions to ask: and internal controls for handling and ? • Have you made reference to the dissemination of inside information. Committee of Sponsoring Organisations (COSO) Enterprise Risk Management Properly handling inside information is one of the emerging Framework in making disclosures in the issues that more companies focus on and has been CG report? If so, how ready are you in emphasised in the revised CG Code. adopting the new COSO 2017 Enterprise Risk Management Framework? Out of the listed companies analysed, 87% had disclosures • How do you identify and manage emerging risks? related to handling inside information in their CG reports. It • Do you have a proper risks monitoring mechanism (e.g. use is a significant improvement of 44% year-on-year when of key risk indicators) and reporting protocol in place to compared to 43% of the companies providing the ensure risks are well managed? disclosures in prior year. 91% of the HSI constituents made the disclosures in our 2017 Study (PY: 58%), slightly outperforming the HSCEI constituents at 88% (PY: 30%). From an industry perspective, there was a big jump for all industries: 70% increase for companies in retail, 45% Tips Management of companies could use key increase for financial services companies, and 22% increase risk indicators (KRIs) as a risk monitoring mechanism to enhance the existing risk for real estate entities, with disclosure rates of 93%, 90%, management system. KRIs are metrics or in and 85%, respectively. For financial services companies, the form of dashboards that could be used by inside information may also include other companies as well companies to monitor and mitigate risk as as its own (e.g. providing services to other listed increased risk can be detected by KRIs at an early companies), therefore the handing of inside information is stage. Using the KRIs as an early warning indicator allows companies to monitor the key risks on a regular basis; expected to be more stringent and hence more disclosures monitor business operational risks; find out root causes of in this regard. Technology companies continued to lag risk events; increase the awareness of key risk areas to the behind other industries at about 77% disclosure rate senior management; and enhance the internal controls (PY: 23%). corresponding to the identified key risks.

Area of focus: Did the issuer disclose the procedures and internal controls for the handling and dissemination of inside information in the CG report?

Graph 6: Disclosure of procedures and internal controls over inside information

2016 2015

Financial 90 10 Financial 55 45 services services

Technology 77 23 Technology 23 77

Retail 93 7 Retail 23 77

Real Real 85 15 63 37 estate estate

HSCEI 88 12 HSCEI 30 70

HSI 91 9 HSI 58 42

Overall 87 13 Overall 43 57

0 10 20 30 40 50 60 70 80 90 100 % 0 10 20 30 40 50 60 70 80 90 100 %

Disclosed Not disclosed Disclosed Not disclosed

8 Internal audit (IA) Area of focus: Did the issuer disclose the existence of an IA function in the CG The importance of the IA function is highlighted as another report? (Top graph) area of key changes in the Corporate Governance Code (CG Did the Board’s annual review specifically disclose that it has Code). Previously, companies were only recommended to assessed the adequacy of resources, staff qualifications and have an IA function as a Recommended Best Practice; and experience, training programmes and budget of the issuer’s now this is a Code Provision effective from 1 January 2016. accounting, IA and financial reporting function? (Bottom graph) The three major revisions to the CG Code for the IA function are summarised below: Graph 7: Results of presence of IA function among analysed companies • Upgraded from Recommended Best Practice C.2.6 to Code Provision C.2.5: Issuers should have an IA function, and 97 for those who do not have it should review the need for it 100 on an annual basis and disclose the reasons for the 100 absence of the IA function in the CG report. Existence of IA function 98 • New CP C. 2.5 states that IA function carries out the 2016 100 analysis and independent appraisal of the adequacy and 87 effectiveness of the risk management (RM) and internal 100 control (IC) systems. Annual review 36 of the adequacy 44 • Amended CP C.2.2. states that the Board’s annual review of resources, should ensure the adequacy of resources, staff staff qualifications 10 and experience, 58 qualifications and experience, training programmes and training 30 programmes and budget of the issuer’s IA function (in addition to its 33 budget of the accounting and financial reporting functions). IA function 18 97% of companies analysed disclosed that they had 0 20 40 60 80 100 % an internal audit function, only 36% provided details over the disclosure of their review such as the Overall Retail resources and qualifications of internal audit staff. HSI Technology 97% of companies analysed in this year’s Study revealed HSCEI Financial services that they had an IA function in their CG reports, with all of Real estate the reviewed HSI and HSCEI companies making the disclosure. Among industries, financial services (100%) and retail (100%) companies had the highest rates of disclosure followed by real estate (98%), and technology companies lagged behind with a disclosure rate of 87%.

The results show a wider gap among companies on providing Questions to ask: details of the resources and qualifications of IA staff. Indeed, ? • Does your IA function have adequate 36% of analysed companies disclosed that they had covered resources and required skill sets, such as the IA function in their annual review to assess and ensure cyber security to respond to key and the adequacy of resources, qualifications and experience, emerging risks? training programmes, and budget of their IA function, • Is your IA function meeting your expectations, i.e. giving compared to 20% in the prior year. While companies in the you value and providing you with sufficient comfort over the HSI boasted a disclosure rate (44%) higher than the average, IC and RM systems? the HSCEI companies were significantly below the average at • Have you conducted a periodic quality assessment on the 10%. On an industry basis, real estate companies (58%) IA function; for example, every 3 or 5 years? outperformed the other industries with a year-on-year • What framework do you use to assess the effectiveness of increase of 38%. This indicates that more real estate the IA function? companies realise the importance of having an independent IA function as their third line of defence to the organisation. The other industries were all below average: Technology (33%), retail (30%), and financial services (18%).

9 Tips Quality assessment on the IA function An effective review of the IA function can be performed by referring to a benchmark of established standards. One potential benchmark for reference is The Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing (SSPIA). The Standards provide companies with a comprehensive explanation of the IA function, as well as providing details on how the function should be implemented. The Standards will be a good reference for a “gap analysis” or ‘quality assessment review of the IA function, helping companies to understand where potential improvements can be made in the existing IA function.

Source: International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, 2012 https://goo.gl/ac4o2m

References: • Internal Audit Matters | Combined Assurance - How do Boards obtain comfort over controls governance?, PwC Hong Kong, 2016 https://goo.gl/altLMc • The Importance of having an Effective Resourcing Solution for your Internal Audit Function amid Today’s Challenges — What suits you the best?, PwC Hong Kong, 2016 https://goo.gl/0QmyjK • 2017 State of the Internal Audit Profession Study, PwC, 2017 https://goo.gl/azqVD9 • The Eight Attributes: Delivering Internal Audit Excellence as Stakeholders Expect More https://goo.gl/ySSQWe

For those who would like to transform or enhance the IA function, these are some areas for consideration, together with an approach for corporates to take steps forward and make the changes towards a more value-adding IA function.

Technology audit function Use of data Innovative & value analytics reporting enhancement tasks

To drive a more effective and To ensure all emerging risk areas To promote visualisation in reporting efficient internal audit approach are properly covered by IA, and that meets the needs and and help you identify potential areas optimise controls underlying each increasing heightened of risk and opportunities for you key process in different businesses expectations of stakeholders

Graph 8: An approach to transforming IA

Strategy and risk People Process Technology

Strategic objectives Capabilities assessment Audit cycle improvements Optimisation of technology • Understand what the • Capabilities assessment • Align internal audit with • Reduce the labour content strategic objectives of the organisation’s strategic of audits by increasing the • Inventory of existing skills organisation are objectives effectiveness of lower-risk • Conduct gap analysis audits Stakeholder value • Reduce audit cycle time by • Understand what drives/ • Determine adequacy of conducting more targeted • Provide real time devalues stakeholder value resources to respond to all audits monitoring of significant within the organisation key risks risks • Increase value derived Strategic risks Talent management from focus on higher-risk • Explore areas where • Understand what the • Use of internal and areas technology can streamline strategic risks of the external resources or standardise a process • Improve communication to organisation are • Consider implementing a stakeholders through • Test entire data rotational staffing model to concise, impactful reports populations electronically attract and retain talent

10 Annual review of risk management (RM) Disclosure of the process used to review risk and internal control (IC) systems management and internal control systems effectiveness lagged. The revised CG Code highlights the Board’s ongoing responsibility to oversee RM and IC systems. The amended 54% of the companies analysed in the 2017 Study disclosed Code Provision C2.1 puts forth new requirements that: the process used to review RM and IC systems effectiveness and to resolve material IC deficiencies, representing an • The Board should oversee the issuer’s RM and IC systems increase of 17% from prior year. The disclosure rates for HSI on an ongoing basis and; companies remained relatively stable at 63% while HSCEI • The Board should also ensure that a review of the issuer’s companies increased by 20% to 33%. Among industries, and subsidiaries’ RM and IC systems has been conducted retail companies outperformed the others as their disclosure at least annually and report to shareholders that it has rate increased the most from 10% to 70%. In contrary, the done so in the CG report. financial services companies that disclosed the process decreased by 7% to 48% in 2016. Due to the complexity of Majority of analysed companies disclosed the review organisation structure for financial services companies, the of risk management and internal control systems. process to review the effectiveness of the RM and IC systems could be complicated and such review might be managed This year’s Study reveals that 92% of companies analysed separately across different line of businesses, therefore performed an annual review of both the RM and IC systems, rendering it difficult to disclose. representing an increase of 23% from prior year. 93% of HSI constituents and 86% of HSCEI entities also made such Area of focus: Did the issuer disclose the process used to disclosures, which represents a 7% and 25% increase over review the effectiveness of the RM and IC systems and to the last year respectively. For industries, retail companies resolve material IC deficiencies? (97%) outperformed real estate (93%), technology (93%) and financial services (90%). This area has one of the Graph 10: Disclosure of the process used to review the RM and IC systems effectiveness and to resolve material IC highest disclosure rates in the 2017 Study. deficiencies

Area of focus: Did the Board perform at least an annual review 2016 2015 of the RM and IC systems for the issuer? 54% 37% +17% 63% 64% -1% 33% 13% +20% 55% 48% +7% Graph 9: Results of annual review of IC and RM systems 70% 10% +60% 57% 17% +40% 48% 55% -7% Financial 2016 90 10 services 2015 80 18 2016 93 3 Technology 2015 53 43 2016 97 3 Retail 2015 57 43 Real 2016 93 3 estate 2015 75 23

HSCEI 2016 85 15 2015 60 38 2016 93 0 HSI 2015 86 12 2016 92 5 Overall 2015 69 28 Overall Retail 0 10 20 30 40 50 60 70 80 90 100 % HSI Technology HSCEI Financial services % of annual % of annual Real estate review of IC and review of RM systems IC system only

11 Almost half of the companies analysed adopted a Questions to ask: control self-assessment framework to assess ? • Do you consider your current review internal controls and reinforce controls ownership. process sound and sufficient so that it can meet the new CG Code disclosure Using CSA as a tool to identify and assess the level of risks requirements in relation to an annual and effectiveness of controls is getting more common. review of the RM and IC systems? Nearly half of the companies analysed, with 12% increase • Do you feel comfortable providing a positive statement to from last year, disclosed that they adopted a CSA approach confirm that the RM and IC systems are effective? to assess internal controls and reinforce control ownership • Do you have proper processes in place to assess the and awareness to operation managers. effectiveness of your RM and IC systems? There was a large variance across indices and industries on using CSA. The adoption rate among HSCEI constituents was 90% (PY: 65%), while HSI’s adoption rate was 65% (PY: Tips Establishing and maintaining strong internal 48%), representing increases of 35% and 17% respectively. controls are critical for the success of any However, only 5% of the directors of these HSCEI organisation. Regulations also require that companies disclosed that they received a management companies report to shareholders that its RM confirmation of the systems’ effectiveness (PY: 3%). HSI and IC systems are operating effectively. In companies had a much smaller disclosure gap between the this connection, management are required to provide a confirmation to the Board on the number of companies adopting the CSA practices (65%) and effectiveness of the RM and IC systems. directors of those companies receiving management For management to provide such “confirmation”, many confirmation (49%). leading organisations have implemented a control self- assessment (CSA) framework. This allows management to The four industries analysed in this Study show very verify that controls are working as expected. By linking key different adoption rates: 83% of financial services risks to controls, management can carry out periodic testing to form an in-house assessment of their existing (“as-is”) companies adopted CSA (PY: 75%), with only 28% of controls that address their key risks, identify weaknesses on directors of those companies disclosing their receipt of internal controls and facilitate the formulation of action plans management confirmation (PY: 13%), while only 33% of to address any identified weaknesses. A CSA programme real estate companies (PY: 28%), 30% of technology also helps to reinforce control ownership and awareness to companies (PY: 10%) and 17% of retail companies (PY: 3%) line managers. The CSA assessment can be conducted through a variety of different means such as questionnaires or disclosed that they had adopted the CSA. This might checklists. The process can be reviewed by internal auditors indicate that most management did not have the comfort to and form part of the Board’s assessment of control confirm their systems’ effectiveness. effectiveness.

12 Area of focus: • Did management disclose that they have used CSA in their review? (Graph 11) • Did the Board disclose that it has received a confirmation from management on the effectiveness of the issuer’s RM and IC systems? (Graph 12)

Graph 11: Disclosure of adoption of CSA

verall HSI HSCEI Real estate

Retail Technology Financial services

Graph 12: Disclosure of directors’ receipt of management confirmation on systems effectiveness

Overall 31

HSI 49

HSCEI 5

Real estate 38

Retail 23

Technology 30

Financial services 28

0 50 100

Confirmation on effectiveness of IC and RM systems

Questions to ask: ? • Are there any challenges or concerns that hinder you from providing a management confirmation on the systems effectiveness to the Board of directors?

• Were your CSA process and results reviewed by the IA function or qualified external parties before the Board’s assessment?

13 The Roadmap Forward

According to a pulse survey4 conducted in a series of recent PwC seminars and client events held in Hong Kong and Mainland China in July, August and September 2017, less than 25% of participants responded that they were having an effective and adequate internal control system. This Study also illustrated diverging patterns of adoption among companies in different sectors, particularly in the areas of risk management practices, reporting to the Board and internal audit function, even though the Code Provision requirements in relation to risk management and internal control have become in-force from 2016.

Companies may be at different stages in adoption and need assistance in different areas. Based on the findings of the Study, PwC has identified six key areas for the “roadmap forward” where companies may have questions or need further information to help assess their current progress.

4 Details of PwC Corporate Governance Seminars in 2017 can be found at https://goo.gl/aFhSs3 14 Appendix 1: Extract of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules)

This section outlines Code Provisions, Recommended Best Practices and mandatory disclosure requirements in relation to risk management and internal control, with details provided below:

C.2 Risk management and internal control

Principle

The board is responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the issuer’s strategic objectives, and ensuring that the issuer establishes and maintains appropriate and effective risk management and internal control systems. The board should oversee management in the design, implementation and monitoring of the risk management and internal control systems, and management should provide a confirmation to the board on the effectiveness of these systems.

Source: The above principle is extracted from page 14 of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules).

Code Provisions5

C.2.1

The board should oversee the issuer’s risk management and internal control systems on an ongoing basis, ensure that a review of the effectiveness of the issuer’s and its subsidiaries’ risk management and internal control systems has been conducted at least annually and report to shareholders that it has done so in its Corporate Governance Report. The review should cover all material controls, including financial, operational and compliance controls.

C.2.2

The board’s annual review should, in particular, ensure the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer’s accounting, internal audit and financial reporting functions.

5 Issuers are expected to comply with the Code Provisions. Where they deviate from any of the Code Provision 15 requirements, they must give considered reasons and disclose them in the CG Reports. C.2.3

The board’s annual review should, in particular, consider: a. the changes, since the last annual review, in the nature and extent of significant risks, and the issuer’s ability to respond to changes in its business and the external environment; b. the scope and quality of management’s ongoing monitoring of risks and of the internal control systems, and where applicable, the work of its internal audit function and other assurance providers; c. the extent and frequency of communication of monitoring results to the board (or board committee(s)) which enables it to assess control of the issuer and the effectiveness of risk management; d. significant control failings or weaknesses that have been identified during the period. Also, the extent to which they have resulted in unforeseen outcomes or contingencies that have had, could have had, or may in the future have, a material impact on the issuer’s financial performance or condition; and e. the effectiveness of the issuer’s processes for financial reporting and Listing Rule compliance.

C.2.4

Issuers should disclose, in the Corporate Governance Report, a narrative statement on how they have complied with the risk management and internal control code provisions during the reporting period. In particular, they should disclose: a. the process used to identify, evaluate and manage significant risks; b. the main features of the risk management and internal control systems; c. an acknowledgement by the board that it is responsible for the risk management and internal control systems and reviewing their effectiveness. It should also explain that such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss; d. the process used to review the effectiveness of the risk management and internal control systems and to resolve material internal control defects; and e. the procedures and internal controls for the handling and dissemination of inside information.

C.2.5

The issuer should have an internal audit function. Issuers without an internal audit function should review the need for one on an annual basis and should disclose the reasons for the absence of such a function in the Corporate Governance Report.

Source: The above Code Provisions are extracted from pages 15-16 of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules).

16 Recommended Best Practices

C.2.6

The board may disclose in the corporate governance Report that it has received a confirmation from management on the effectiveness of the issuer’s risk management and internal control systems.

C.2.7

The board may disclose in the corporate governance Report details of any significant areas of concern.

Source: The above Recommended Best Practices are extracted from page 16 of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules).

Mandatory disclosure requirements

Risk management and Internal control

Where an issuer includes the board’s statement that it has conducted a review of its risk management and internal control systems in the annual report under code provision C.2.1, it must disclose the following: a. whether the issuer has an internal audit function; b. how often the risk management and internal control systems are reviewed, the period covered, and where an issuer has not conducted a review during the year, an explanation why not; and c. a statement that a review of the effectiveness of the risk management and internal control systems has been conducted and whether the issuer considers them effective and adequate.

Source: The above mandatory disclosure requirements are extracted from page 30 of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules).

17 Appendix 2: List of companies included in the study (by category)

A. Hang Seng Index