Risk Management and Internal Control
Home > Investor Relations > Sino Hotels (Holdings) Limited > Corporate Governance > Risk Management and Internal Control
The Board has the overall responsibility for evaluating and determining the nature and extent of the risks it is willing to take in achieving the Company’s strategic objectives, and ensuring that the Company establishes and maintains appropriate and effective risk management and internal control systems. The Audit Committee is delegated with the authority from the Board to oversee the risk management and internal control systems.
Effective risk management is important to the Company’s achievement of its strategic goals. To this end, the Company adopts an Enterprise Risk Management (“ERM”) approach to assist the Audit Committee and the Board in discharging its risk management responsibilities and individual business units in managing the key risks faced by the Company.
The Company’s internal control system is built on a sound control environment with a strong commitment to ethical values. The system includes an appropriate organizational structure with clearly defined responsibilities, accountability and authorities underpinning proper segregation of duties, complemented by monitoring and reporting mechanism to ensure proper checks and balances. Policies and procedures covering key business processes are established and communicated to staff, and are regularly reviewed to ensure continued relevance and effectiveness, and for continuous improvement.

The Company’s internal control framework is fully integrated with the risk management framework. The ERM is a process whereby risks together with the relevant controls are assessed, evaluated and reviewed on an ongoing basis. All the significant risks identified are mapped to and incorporated in the annual internal audit plan. Key controls are subject to review and testing by the Internal Audit Department in order to assess their adequacy and effectiveness.

Internal Audit

The Internal Audit Department provides independent assurance as to the existence of adequate and effective controls in the operations of the Company’s business units. The Head of Internal Audit Department reports directly to the Audit Committee. In performing its duties, the Internal Audit Department has free and unfettered access to information and to meet with any of the department heads or persons-in-charge. 

The Internal Audit Department adopts a risk-based audit approach. It conducts annual risk assessment and devises a 3-year-rolling internal audit plan which is reviewed and approved by the Audit Committee. Depending on the nature and exposure of the risks of individual business units, the Internal Audit Department performs audit reviews on their operations, and makes recurring and impromptu site investigations on selected risk areas to ensure the effectiveness of the controls implemented by the relevant business units. The findings regarding control weaknesses are communicated to the business units concerned. Major audit findings and recommendations are reported to the Audit Committee, which in turn reports to the Board. The implementation of the agreed actions in response to the identified audit issues are tracked and followed up regularly, and the status is reported to the Audit Committee.

Internal Control Self-assessment

To further enhance the risk management and internal control systems, an internal control self-assessment process was introduced during the year ended 30th June, 2017. On an annual basis, the head of each business unit conducts internal control self-assessment with reference to the 17 principles of the COSO (The Committee of Sponsoring Organizations of the Treadway Commission) 2013 Internal Control – Integrated Framework. They systemically review and assess the effectiveness of all the internal controls over their business operations that are in place to mitigate the risks, through the use of internal control self-assessment questionnaires. The summary results of the self-assessment are reported to the Board through the Audit Committee and form part of the annual assessment of the adequacy and effectiveness of the risk management and internal control systems.

Evaluation of the Adequacy of Resources of the Company’s Accounting and Financial Reporting Function, and Internal Audit Function

For the year ended 30th June, 2017, the Internal Audit Department conducted an assessment and concluded that the resources, staff qualifications and experience, training programmes and budget of the Company’s accounting and financial reporting function were adequate. The Head of Internal Audit Department, in conjunction with the Human Resources Department, also carried out a review of the internal audit function and concluded that its resources, staff qualifications and experience, training programmes and budget were adequate. The review results were reported to the Audit Committee.

Based on the above, the Board and the Audit Committee were satisfied with the adequacy of the resources, staff qualifications and experience, training programmes and budget of the Company’s accounting and financial reporting function, and internal audit function.

Review of the Effectiveness of Risk Management and Internal Control Systems

The Board has the overall responsibility for the risk management and internal control systems and reviewing their effectiveness. Such systems are designed to manage rather than eliminate the risks of failure to achieve business objectives, and can only provide reasonable but not absolute assurance against material misstatement or loss.

On behalf of the Board, the Audit Committee evaluates the effectiveness of the Company’s risk management and internal control systems at least annually. For the financial year ended 30th June, 2017, the Audit Committee, with the assistance of the Internal Audit Committee, conducted a review of the effectiveness of the Group’s risk management and internal control systems covering all the material controls, including environmental, social and governance related risks, financial, operational and compliance controls. Throughout the year, the Audit Committee also oversaw the risk management system on an ongoing basis through various activities including reviewing and approving the ERM Policy and Framework as well as the ERM reports.
For the financial year ended 30th June, 2017, the Board received a confirmation statement from management on the effectiveness of the risk management and internal control systems. The confirmation is based on:
• the work performed by management in identifying, evaluating, monitoring and managing the existing, new and emerging risks on an ongoing basis;
• the results of formal risk assessments conducted quarterly during the year in accordance with the approved ERM Policy and Framework;
• the responses of individual business units to the questionnaires prepared for the Group-wide internal control self-assessment; and
• the independent verification and assurance provided through work done by the Internal Audit Department and the external auditor.
In the light of the above, the Board and the Audit Committee concluded that the risk management and internal control systems of the Group were effective and adequate. Despite there were no significant control failings or weaknesses and areas of concern identified during the year, the risk management and internal control systems will be regularly reviewed for continuous improvement.