Listed companies on the mainland appear to be demonstrating a better grasp of internal control and risk management, especially since the economic downturn, while their counterparts in Hong Kong are lagging, according to a Deloitte enterprise risk services practice survey this year. Much of the emphasis on internal control is tied to the United States introduction of the Sarbanes-Oxley Act, which triggered a tightening of corporate governance rules around the world. Local versions of the legislation have since been implemented in South Korea and Japan, and the mainland's first enterprise risk management standard, for example, came into effect from July 1 and applies to all listed companies. In Hong Kong, a greater focus on internal controls has been driven by regulatory requirements. For example, the sponsor of a company preparing to list must now perform internal control due diligence work in accordance with Practice Note 21, which typically covers the company's internal controls in financial, operational and compliance risks. Hong Kong's Code on Corporate Governance, which came into effect in 2005, also contains a provision that requires boards of listed companies to perform a risk assessment on an annual basis, declare their completion of this assessment and confirm the effectiveness of the company's internal control systems in its annual report. While there is general awareness of internal control among listed companies in Hong Kong, its effectiveness in practical terms is dependant on management's attitudes towards risk management, according to Patty Wu, partner in internal audit, risk and compliance services at KPMG China. 'Hong Kong listed companies are required to disclose in their annual reports that they have performed the risk assessment. But, unlike what's required by the US Sarbanes Oxley Act, companies are not required to disclose the control weaknesses or deficiencies identified. 'It all depends on whether companies want to devote resources in enhancing the transparency of their corporate governance practices and internal control systems. Companies with a strong reputation and strong belief in corporate governance may implement controls over wider aspects of business risks to keep abreast of leading corporate governance practices than merely going through a compliance exercise,' she said. The Deloitte survey found that only about a third of organisations in Hong Kong were confident that they had identified all mission critical risks and that they had well defined, effective processes for handling major risk events. Hugh Gozzard, principal in the firm's enterprise risk services practice, said that while the survey acknowledged increased interest in its application and implementation it was not as robust or as widespread as it could be. 'There's a small core of companies doing quite a lot but the rest are not showing much maturity in their risk management practices and are struggling to get going with these,' he said. The Deloitte survey indicated that all enterprises recognised that tightened internal control could help guard against risks and provide a reasonable assurance towards their normal operations. But only 30 per cent believed that tightened internal control could help manage and save costs, and some respondents thought implementing internal control would increase the workload of their staff, and costs and other expenses to some extent, instead of bringing in efficiency. This implies that corporate management may not fully understand the functions of internal control. According to Eric Chia, managing partner, risk, Ernst & Young, a common approach taken by management towards internal controls is to strengthen their internal audit department or for those that lack an internal audit function, to set one up. 'In the past, internal audit has always been a road to assess and monitor but with the risk management concept and the drive towards efficiency there's now a demand for wider coverage and to value-added services,' he said. 'While some companies are strictly driven out of compliance regulation others like to implement risk management to help them improve their performance. Keeping the company out of trouble from a compliance and regulation perspective, and having a good risk management function or internal control department gives management good risk information to help them improve business performance,' Chia said. According to the Deloitte survey, those companies that had stronger risk management practices tended to use it as a tool for enhancing their value by focusing on risks that related directly to their competitiveness, and not just on achieving compliance or protecting their assets. Gozzard said: 'They used risk management for the development of their business, formally applying risk information as part of the decision-making process on such matters as what businesses to acquire, what to invest in and what products to launch.' Accountants had a key role to play in risk management because financial risk was relevant to nearly all business decisions, he said. As companies become more risk-focused in their business decision-making then there is a stronger role for accountants to advise on the financial risks concerned. 'Factors such as return on investment, cash-flow and working capital should be addressed in every major business decision. 'With their strong focus on risk and control, accountants have a key role in advising the board and management as to what risks exist and how they should be addressed,' Gozzard said.