Accountability and Audit

(Extracted from Annual Report 2021)

Financial Reporting

The Board acknowledges its responsibility for:

• the proper stewardship of the Company’s affairs, to ensure the integrity of financial information
• preparing annual and interim financial statements and other related information that give a true and fair view of the Group’s affairs and of its results and cash flows for the relevant periods, in accordance with Hong Kong Financial Reporting Standards and the Hong Kong Companies Ordinance
• selecting appropriate accounting policies and ensuring that these are consistently applied
• making judgements and estimates that are prudent and reasonable
• ensuring that the application of the going concern assumption is appropriate

Risk Management and Internal Control

The Board acknowledges its responsibility to establish, maintain and review the effectiveness of the Group’s risk management and internal control systems. This responsibility is primarily fulfilled on its behalf by the Audit Committee as discussed on pages 96 to 97.

The foundation of strong risk management and internal control systems is dependent on the ethics and culture of the organisation, the quality and competence of its personnel, the direction provided by the Board, and the effectiveness of management.

Since profits are, in part, the reward for successful risk taking in business, the risk management and internal control systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.

The key components of the Group’s control structure are as follows:

Culture: The Board believes that good governance reflects the culture of an organisation. This is more significant than any written procedures.

The Company aims at all times to act ethically and with integrity, and to instil this behaviour in all its employees by example from the Board down. The Company has a Code of Conduct, which is posted on its internal intranet site.

The Company is committed to developing and maintaining high professional and ethical standards. These are reflected in the rigorous selection process and career development plans for all employees. The organisation prides itself on being a long-term employer which instils in individuals, as they progress through the Group, a thorough understanding of the Company’s ways of thinking and acting.

Channels of communication are clearly established, allowing employees a means of communicating their views upwards with a willingness on the part of more senior personnel to listen. Employees are aware that, whenever the unexpected occurs, attention should be given not only to the event itself, but also to determining the cause.

Through the Company’s Code of Conduct, employees are encouraged (and instructed as to how) to report control deficiencies or suspicions of impropriety to those who are in a position to take necessary action.

Risk assessment: The Board of Directors and the management each have a responsibility to identify and analyse the risks underlying the achievement of business objectives, and to determine how such risks should be managed and mitigated.

Management structure: The Group has a clear organisational structure that, to the extent required, delegates the day-to-day responsibility for the design, documentation and implementation of procedures and monitoring of risk. Individuals appreciate where they will be held accountable in this process.

A control self-assessment process requires management to assess, through the use of detailed questionnaires, the adequacy and effectiveness of risk management and internal controls over the reliability of financial reporting, the effectiveness and efficiency of operations and compliance with applicable laws and regulations. This process and its results are reviewed by internal auditors and form part of the Audit Committee’s annual assessment of control effectiveness.

Controls and review: The control environment comprises policies and procedures intended to ensure that relevant management directives are carried out and actions that may be needed to address risks are taken. These may include approvals and verifications, reviews, safeguarding of assets and segregation of duties. Control activities can be divided into operations, financial reporting and compliance, although there may, on occasion, be some overlap between them. The typical control activities include:

• analytical reviews: for example, conducting reviews of actual performance versus budgets, forecasts, prior periods and competitors
• direct functional or activity management: reviews of performance reports, conducted by managers in charge of functions or activities
• information-processing: performing controls intended to check the authorisation of transactions and the accuracy and completeness of their reporting, for example, exception reports
• physical controls: ensuring equipment, inventories, securities and other assets are safeguarded and subjected to periodic checks
• performance indicators: carrying out analyses of different sets of data, operational and financial, examining the relationships between them, and taking corrective action where necessary
• segregation of duties: dividing and segregating duties among different people, with a view to strengthening checks and minimising the risk of errors and abuse

The Company has in place effective processes and systems for the identification, capture and reporting of operational, financial and compliance-related information in a form and time-frame intended to ensure that staff carry out their designated responsibilities.

Internal audit: Independent of management, the Internal Audit department reports directly to the Audit Committee and performs regular reviews of key risk areas and monitors compliance with Group accounting, financial and operational procedures. The role of Internal Audit is discussed further on pages 97 and 98.