Trends of Risk Management and Internal Controls
Presented by: Ms. Melissa Fung
Venue: HKICPA, 27/F, Wu Chung House, 213 Queen's Road East, Wanchai
Date: 17 September 2018
Disclaimer
The materials of this seminar / workshop / conference are intended to provide
general information and guidance on the subject concerned. Examples and
other materials in this seminar / workshop / conference are only for illustrative
purposes and should not be relied upon for technical answers. The Hong Kong
Institute of Certified Public Accountants (The Institute), the speaker(s) and the
firm(s) that the speaker(s) is representing take no responsibility for any errors
or omissions in, or for the loss incurred by individuals or companies due to the
use of, the materials of this seminar / workshop / conference.
No claims, action or legal proceedings in connection with this
seminar/workshop/conference brought by any individuals or companies having
reference to the materials on this seminar / workshop / conference will be
entertained by the Institute, the speaker(s) and the firm(s) that the speaker(s) is
representing.
All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise, without the prior written
permission of the Institute.
Risk Management and Internal Controls
Important Note
The materials of this seminar are intended to provide general information and guidance on the subject concerned, and shall not be construed as any advice, opinion or recommendation given by Deloitte Advisory (Hong Kong) Limited and/or its personnel (“DAHK”). DAHK takes no responsibility for any errors or omissions in, or for the loss incurred by individuals or companies arising from the use of, the materials of this seminar.
© 2018. For information, contact Deloitte China.
Risk
Potential for loss or reduced opportunity for gain that adversely affects the achievement of the organization’s objectives
Financial
Reputation
Operation
IT
Strategy
Common Top Risks Identified by Listed Companies We Served
Share of top risks by category (from the slide's chart): Strategic & Reputation Risk; Regulatory Risk 11%; Uncontrollable Risk 9%; Financial Risk 8%; Cyber Risk 3%
• Partnership decisions • Crisis management • Sustainability
• Talent recruitment and retention • Senior management succession plan • Third-party risk
• Government / political risk • Global economic fluctuation
• Hong Kong Listing Rule compliance
• Financial reporting and disclosure risk
• Foreign exchange risk • Cash flow management
• Confidential info leakage • Cyber attack
Enterprise Risk
Management (“ERM”)
“… a process, effected by an entity's board of directors, management and other personnel…, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
“the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.”
(from COSO)
Risk Management - The HKEX’s Requirements
1. Formal risk management system
2. Risk-based internal audit (“IA”)
3. Annual review of IA and risk management
4. Disclosure of IA and risk management practices
Key Considerations
• Does your company have a risk management framework to determine the definition, roles and responsibilities, policies and procedures of risk management?
• Does your company have a governance structure that supports the implementation of risk management mechanism?
• Does your company have a structured approach to identify, assess and manage risk?
• Does the board take the lead in determining the company’s levels of risk tolerance and risk policies?
• Does the management provide risk related information (e.g. risk report) to the board?
• Are risks officially and formally discussed in the board meetings?
• Does the management of your company periodically review the effectiveness of the risk management mechanism?
Risk Management
Enterprise Risk Management Phase 1 – Develop an Overall ERM Framework
1. Governance Structure
ERM orientation
Enterprise Risk Management Phase 2 – Identify and Prioritize Risks
Identify risks to value
Determine risk criteria & appetite
Prioritize & assess risks identified
2. Vulnerability
Enterprise Risk Management Phase 3 – Develop and Adopt Risk Response Program
Develop risk prevention plan and risk indicators
Establish additional action plan/flagging mechanism
Set up status tracking mechanism
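Phases 2 and 3 above describe determining risk criteria and appetite, prioritising the assessed risks, and setting up risk indicators with a flagging mechanism. The following is an added worked example in Python, not code from the seminar or from Deloitte, showing one way those steps can be implemented as a small risk register. The 1-5 likelihood and impact scales, the per-category appetite thresholds, the effect attributed to each control and the key risk indicator values are all assumed for illustration; the risk names are taken from the "Common Top Risks" slide above.

```python
"""Risk register with appetite-based flagging and key risk indicators.

Added example for the ERM Phase 2/3 steps; this is not Deloitte's tooling.
Assumptions not in the seminar: likelihood and impact are scored 1-5,
score = likelihood x impact, each control lowers likelihood and/or impact
by a stated number of points, and the board's risk appetite is a maximum
acceptable residual score per risk category.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood (assumed effect)
    impact_reduction: int = 0      # points removed from impact (assumed effect)


@dataclass
class Indicator:
    """Key risk indicator: an observed metric compared with a trigger level."""
    name: str
    trigger: float
    observed: float
    higher_is_worse: bool = True

    def breached(self) -> bool:
        if self.higher_is_worse:
            return self.observed > self.trigger
        return self.observed < self.trigger


@dataclass
class Risk:
    name: str
    category: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (minor) .. 5 (severe)
    controls: list = field(default_factory=list)
    indicators: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> tuple:
        # Controls reduce the risk but never eliminate it: floor both axes at 1.
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik, imp

    def residual_score(self) -> int:
        lik, imp = self.residual()
        return lik * imp


# Assumed board appetite: maximum acceptable residual score per category.
APPETITE = {"Cyber": 6, "Financial": 9, "Regulatory": 4}


def prioritise(risks):
    """Risk names, highest residual score first; ties by inherent score, then name."""
    ordered = sorted(risks, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.name))
    return [r.name for r in ordered]


def flag_above_appetite(risks, appetite=APPETITE):
    """Names of risks whose residual score exceeds the appetite for their category."""
    return [r.name for r in risks if r.residual_score() > appetite.get(r.category, 0)]


def breached_indicators(risks):
    """(risk name, indicator name) pairs whose KRI has crossed its trigger level."""
    return [(r.name, i.name) for r in risks for i in r.indicators if i.breached()]


def sample_register():
    """Constructed sample data; scores, controls and KRI values are assumed."""
    return [
        Risk("Cyber attack", "Cyber", 4, 5,
             controls=[Control("Patch management", likelihood_reduction=1),
                       Control("Tested offline backups", impact_reduction=2)],
             indicators=[Indicator("Critical patches open > 30 days", trigger=0, observed=3)]),
        Risk("Confidential info leakage", "Cyber", 3, 4,
             controls=[Control("Data loss prevention", likelihood_reduction=1)]),
        Risk("Foreign exchange risk", "Financial", 4, 3,
             controls=[Control("Hedging programme", impact_reduction=2)],
             indicators=[Indicator("Unhedged exposure (%)", trigger=20, observed=25)]),
        Risk("Cash flow management", "Financial", 2, 3,
             indicators=[Indicator("Days cash on hand", trigger=60, observed=75,
                                   higher_is_worse=False)]),
        Risk("Hong Kong Listing Rule compliance", "Regulatory", 2, 4,
             controls=[Control("Quarterly compliance review", likelihood_reduction=1)]),
    ]


if __name__ == "__main__":
    register = sample_register()
    by_name = {r.name: r for r in register}
    for name in prioritise(register):
        r = by_name[name]
        print(f"{name:35} inherent={r.inherent_score():2} residual={r.residual_score():2}")
    print("Above appetite:", flag_above_appetite(register))
    print("KRI breaches:", breached_indicators(register))
```

Running the file prints the prioritised register followed by the two flag lists: risks whose residual score sits outside the board's appetite, and risks whose indicator has crossed its trigger even though the score itself may be within appetite (the foreign exchange risk in the sample). The floor of 1 on residual likelihood and impact encodes the seminar's later point that internal control reduces risk but cannot eliminate it.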
The Extended Enterprise Risk
In today’s business world, companies rarely go to market alone.
Corporate growth and business success are increasingly supported through complex supply chains, outsourcing and licensing. Products and services are now, more than ever, created, marketed and delivered through strategic alliances and joint development arrangements. Greater reliance is being placed on business partners in forming the overall value chain to achieve competitiveness and serve end customers.
These “external” or “extended” business relationships (“Third Parties”) comprise what is now a widespread business risk:
The Extended Enterprise risk
Why is This Important?
Source: Deloitte, 2016 “Third Party Governance & Risk Management” survey.
87% of respondents have faced a disruptive incident with third parties in the last 2-3 years, of which 39% faced major disruption or complete third-party failure.
88.6% of respondents had a low to moderate level of confidence in the quality of their third-party risk management processes.
Chart values as extracted: 26.2 Reputational; 20.6 Breach of sensitive
Common Third Party Risks
• Information security • Data security • Data privacy • Physical security
• Corruption • Data protection • Market-specific
• Continuity planning / disaster recovery • Product recall
• Environment • Hazardous materials • Health and safety
• Identification • Protection • Development • Research • Licensing
• Measurement • Service delivery and standards • Revenue leakage • Over-charging
Why Should We Pay More Attention to 3rd Party Risks?
• Increased revenues
Global Risks Landscape 2017
For the first time, all five environmental risks feature among the most likely and most impactful risks facing the world.
* The Global Risks Report 2017, World Economic Forum
How Important Are Sustainability Risks?
Financial Risk, Operational Risk
Labor practices, Data privacy, Food safety, …
Integrating Sustainability with Risk Management
HKSE Main Board Listing Rules Appendix 27, #9:
In line with the Corporate Governance Code, the board is responsible for evaluating and determining the issuer’s ESG-related risks, and ensuring that appropriate and effective ESG risk management and internal control systems are in place.
Internal Control
What is Internal Control?
Why was it invented?
The COSO definition
Internal Control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
Risk and Internal Control
Inherent Risk → Internal Control → Tolerance
Proper internal control can reduce the risk faced by the enterprise to its acceptable risk level but cannot eliminate all the risk.
Limitation of Internal Control
• Coverage / completeness
• Unclear roles and responsibilities
• engagement
• Absence of audit trail
• Non applicable for non-
• Management Override
• Internal Controls, no matter how well designed and operated, cannot provide absolute assurance of achieving an entity's control objectives.
Setting-up an Internal Control Assessment
Entity: identify the subsidiaries, affiliates, joint ventures and other branches that should be included
Risk: identify the risks that the audit should be focused on
Scoping - Examples
Expenditure Management Process • Policies and Procedures • Purchase Requisition Process • Supplier Selection and Evaluation • Contract Management • Processing and Approval of Purchase Orders • Processing Accounts Payable, Accounts Payable Settlement, Review and Approval of Payment • Processing and Approval of Employee Disbursements and Office Expenses • Maintenance of Supplier Master File • Segregation of Duties over Expenditure Management Process
Revenue Management Process (Retail Store) • Policies and Procedures • Pricing/Discount Policies • Advertising and Promotion Management • Handling of Cash Receipts and Invoicing • Physical Controls on Cash Registers • Closing of Daily Sales • Sales Revenue Recognition • Settlement with Shopping Mall • Custody of Cash on Hand • Handling of Complaints, and Sales Return/Exchange/Refund to Customers • Management of Shopping Vouchers/Gift Coupons • Obsolete Stock Arrangements • Inventory Reporting • Sales Management Reporting • Segregation of Duties over Revenue Management Process
Human Resources (HR) and Payroll Management • Policies and Procedures • Salary Determination and Approvals • Calculating and Processing of Payroll • Managing Payroll Records • Performance Evaluation Process • Employee Bonus Determination and Approval • Compliance Monitoring with Labour Laws and Regulations • Pension Plans and Occupational Schemes, Policies and Contributions • Housing, Medical and Other Allowance Determination and Approval • Segregation of Duties over the HR & Payroll Management Process
Fixed Assets Management • Policies and Procedures • Acquisition of Fixed Assets (including Vendor Selection and Contract Management) • Capitalisation of Assets under Construction (including Staff Costs Capitalisation) • Depreciation of Fixed Assets • Disposal/Transfer of Fixed Assets • Maintenance of Fixed Assets (including Valuation and Impairment Assessment) • Managing and Safeguarding Fixed Assets • Maintenance of Fixed Assets Master File • Segregation of Duties over Fixed Assets Management Process
Internal Control Assessment mainly focuses on two areas:
1. Design of Internal Control; and
2. Operating Effectiveness of Internal Control.
Methodology of Internal Control Assessment
• Interview • Walkthrough
• Factual findings and root causes
• Implications and risks
The Evolution of Internal Audit Function
Conventional Audit: Internal Audit; Checker role
Mainstream Audit: Internal Audit + some management involvement; Detector role; Accounting / information technology (“IT”); Reactive (after the fact); Manual with some automation
Leading-Edge Audit: Board and Management; Governance Responsibility; Risk Focus; Proactive (fraud indicators); Automation & risk database
About Deloitte Global Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.
About Deloitte China The Deloitte brand first came to China in 1917 when a Deloitte office was opened in Shanghai. Now the Deloitte China network of firms, backed by the global Deloitte network, deliver a full range of audit & assurance, consulting, financial advisory, risk advisory and tax services to local, multinational and growth enterprise clients in China. We have considerable experience in China and have been a significant contributor to the development of China's accounting standards, taxation system and local professional accountants. To learn more about how Deloitte makes an impact that matters in the China marketplace, please connect with our Deloitte China social media platforms via www2.deloitte.com/cn/en/social-media.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively the “Deloitte Network”) is by means of this communication, rendering professional advice or services. None of the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.