Regular reviews of internal controls help companies to identify emerging risks and comply with regulations
Checks at all staff levels and subsidiaries can reassure stakeholders that their interests are protected
A robust and effective internal control system is particularly important to publicly-listed companies.
While its focuses may vary, depending on the size and industry of the company, top management needs to ensure that internal control measures are being carried out by staff at all levels, and their procedures are also reviewed regularly for their effectiveness and the identification of emerging risks.
Unlike a private company, where the shareholders and management can exercise their decision-making in daily operations, shareholders of listed companies are merely capital providers. So, the establishment of a robust internal control system would enhance the company’s corporate governance and assure stakeholders that their interests are protected, according to Ricky Cheng, director and head of risk advisory at BDO.
A publicly listed company’s internal control system should focus on compliance with rules and regulations required by law and especially the regulators, he says. This is because non-compliance or practices in deviation from the requirements may lead to disciplinary actions by the regulators, Cheng adds. Another focus should be on disclosure and transparency, which are the cornerstones of good corporate governance because the stakeholders are relying on the information provided by the listed company to make their informed investment decisions.
In Hong Kong, all publicly-listed companies are required to carry out an annual internal control review. This procedure should have two main focuses, according to Roy Lo Wa-kei, managing partner of Shingwing (HK) CPA. The first is on the top management to ensure that the board of directors can operate the company effectively, while the second is on different business circles, such as finance, human resources, income and expenses management and IT environments. Lo says for companies seeking an initial public offering, a major problem in internal control is that their management style may not keep up with the changes.
“As they change from a private company to a public company, they need to manage the company differently,” he says. “To operate the business effectively as a public company, they often need to reinforce the composition and administration of the board of directors, and add more transparency in their functions.”
Because no internal control system can meet all needs, the establishment of adequate internal control measures is a matter of judgement for the listed company’s management, as every company may have a different risk-management philosophy, and acceptance of residual risk levels, Cheng says.
“For instance, a prudent management may require more levels of approval controls than [another] that is willing to take more risks,” he adds. “Nevertheless, while the same internal control framework may be applied in both large and smaller companies, the depth of internal control measures may be different.”
The focus on internal control measures also varies from industry to industry, Lo says. For example, companies of the new economies tend to focus more on the security of their IT systems, online transactions and internet faults because many of their business transactions are done online; and for the financial industry, compliance with legal and regulators’ requirements is more important.
For large companies, effective communication is important to ensure that the internal control measures can be carried out by staff at all levels and also in its subsidiaries, Lo says. Meanwhile, smaller companies tend to focus more on developing a corporate culture because this can help the execution of internal controls.
Cheng says to ensure that the internal control measures are implemented on a continuing basis, there is a need for an independent internal audit function to develop a risk-based internal audit plan; to conduct reviews to cover high-risk areas; and to check whether internal controls are running as designed to mitigate the risks.
Management may also apply analytical review procedures to analyse operation patterns, Cheng says. “The best way to deal with it is to establish an enterprise risk management framework,” he says.
“Some of the analytical tools such as key risk indicators, control risk self-assessments and key performance indicators may be deployed to identify changes in trends and practices that could alert the management to pay more attention to a certain risk.”
Lo says a simple way to evaluate the effectiveness of internal control measures is a matrix to analyse the probability of the risk and its impact to the company. The company should allocate more resources to those risks that are more likely to happen and have a higher impact on the company, he says.