Assessment of Risk Management and Internal Control Effectiveness

Updated: 01 Jun 2016
  • The Risk Committee is delegated by the Board with responsibilities to oversee the Group’s overall Risk Management Framework and to advise the Board on the Group’s risk-related matters. It is also responsible for approving the Group’s risk policies and assessing the effectiveness of the Group’s risk controls/mitigation tools.
  • The Audit Committee, on behalf of the Board, assesses the adequacy and effectiveness of the internal control system in detecting fraud, irregularities or infringement of laws, rules and regulations or material control failures on a regular basis by reviewing the work and findings of the Internal Audit Department (IAD). The Audit Committee has delegated authority from the Board for reviewing the adequacy of resources, staff qualifications and experience, training programmes and budget of the Group’s accounting, internal audit and financial reporting functions on an annual basis and for monitoring HKEX’s compliance with the requirements of the Corporate Governance Code in respect of risk management and internal controls.
  • The Group’s risk management and internal control systems are reviewed regularly by the management, Group Risk Management Department (GRMD) and IAD. The management’s annual confirmation on the effectiveness of the Group’s risk management and internal control systems is reviewed/endorsed by the Audit Committee/Risk Committee and is submitted to the Board for its review.
  • Divisions and departments assess the effectiveness of existing controls, provide treatment plans where required, and monitor risk mitigating activities.
  • The Group Risk Management Department reports risks regularly at appropriate management levels within the Group and provides assurance on the progress of treatment plans. HKEX conducts an annual Group-wide review based on the Group’s Enterprise Risk Management Framework to assess the risks relevant to both existing and new businesses of the Group. Details of the Group Risk Report, including the top risks to the Group, changes in the nature and extent of the significant risks, and associated action plans and controls, are set out in the Risk Committee Report.
  • IAD conducts independent reviews of the adequacy and effectiveness of the Group’s internal control system and regularly reports the review results to the Board through the Audit Committee. The IAD’s work covers all material controls, including financial, operational, IT, compliance and risk management controls, and includes an assessment of the Group’s internal control system using the COSO standards to confirm its effectiveness in the following aspects:
    • the provision of sufficient explanation and information to the Audit Committee and the Board to enable effective assessment of the state of controls across the Group in areas such as the reliability of financial reporting, compliance with applicable laws, rules and regulations, and the effectiveness of risk management controls
    • the responses to changes in the Group’s business and external environment
    • the efficiency in rectifying identified internal control deficiencies and implementing recommendations of IAD, external auditor and/or regulator
    • the promptness in handling operating errors or failures
    • the control of inside information in accordance with Part XIVA of the SFO (Chapter 571 of the Laws of Hong Kong), the SFC's guidelines as well as the Group’s Continuous Disclosure and Communication Policy