D. AUDIT, INTERNAL CONTROL AND RISK MANAGEMENT
D.1 Financial reporting
The board should present a balanced, clear and comprehensible assessment of the company’s performance, position and prospects.
Management should provide sufficient explanation and information to the board to enable it to make an informed assessment of financial and other information put before it for approval.
Management should provide all members of the board with monthly updates giving a balanced and understandable assessment of the issuer’s performance, position and prospects in sufficient detail to enable the board as a whole and each director to discharge their duties under rule 5.01 and Chapter 17.
Note: The information provided may include background or explanatory information relating to matters to be brought before the board, copies of disclosure documents, budgets, forecasts and monthly and other relevant internal financial statements such as monthly management accounts and management updates. For budgets, any material variance between the projections and actual results should also be disclosed and explained.
The directors should acknowledge in the Corporate Governance Report their responsibility for preparing the accounts. There should be a statement by the auditors about their reporting responsibilities in the auditors’ report on the financial statements. Unless it is inappropriate to assume that the company will continue in business, the directors should prepare the accounts on a going concern basis, with supporting assumptions or qualifications as necessary. Where the directors are aware of material uncertainties relating to events or conditions that may cast significant doubt on the issuer’s ability to continue as a going concern, they should be clearly and prominently disclosed and discussed at length in the Corporate Governance Report. The Corporate Governance Report should contain sufficient information for investors to understand the severity and significance of matters. To a reasonable and appropriate extent, the issuer may refer to other parts of the annual report. These references should be clear and unambiguous, and the Corporate Governance Report should not contain only a cross-reference without any discussion of the matter.
The board should present a balanced, clear and understandable assessment in annual and interim reports and other financial disclosures required by the GEM Listing Rules. It should also do so for reports to regulators and information disclosed under statutory requirements.
D.2 Risk management and internal control
The board is responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the issuer’s strategic objectives, and ensuring that the issuer establishes and maintains appropriate and effective risk management and internal control systems. Such risks would include, amongst others, material risks relating to ESG (please refer to the ESG Reporting Guide in Appendix 20 to the GEM Listing Rules for further information). The board should oversee management in the design, implementation and monitoring of the risk management and internal control systems, and management should provide a confirmation to the board on the effectiveness of these systems.
The board should oversee the issuer’s risk management and internal control systems on an ongoing basis, ensure that a review of the effectiveness of the issuer’s and its subsidiaries’ risk management and internal control systems has been conducted at least annually and report to shareholders that it has done so in its Corporate Governance Report. The review should cover all material controls, including financial, operational and compliance controls.
The board’s annual review should, in particular, ensure the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer’s accounting, internal audit, financial reporting functions, as well as those relating to the issuer’s ESG performance and reporting.
The board’s annual review should, in particular, consider:
(a) the changes, since the last annual review, in the nature and extent of significant risks (including ESG risks), and the issuer’s ability to respond to changes in its business and the external environment;
(b) the scope and quality of management’s ongoing monitoring of risks (including ESG risks) and of the internal control systems, and where applicable, the work of its internal audit function and other assurance providers;
(c) the extent and frequency of communication of monitoring results to the board (or board committee(s)) which enables it to assess control of the issuer and the effectiveness of risk management;
(d) significant control failings or weaknesses that have been identified during the period. Also, the extent to which they have resulted in unforeseen outcomes or contingencies that have had, could have had, or may in the future have, a material impact on the issuer’s financial performance or condition; and
(e) the effectiveness of the issuer’s processes for financial reporting and GEM Listing Rule compliance.
Issuers should disclose, in the Corporate Governance Report, a narrative statement on how they have complied with the risk management and internal control code provisions during the reporting period. In particular, they should disclose:
(a) the process used to identify, evaluate and manage significant risks;
(b) the main features of the risk management and internal control systems;
(c) an acknowledgement by the board that it is responsible for the risk management and internal control systems and reviewing their effectiveness. It should also explain that such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss;
(d) the process used to review the effectiveness of the risk management and internal control systems and to resolve material internal control defects; and
(e) the procedures and internal controls for the handling and dissemination of inside information.
The issuer should have an internal audit function. Issuers without an internal audit function should review the need for one on an annual basis and should disclose the reasons for the absence of such a function in the Corporate Governance Report.
Notes:
1 An internal audit function generally carries out the analysis and independent appraisal of the adequacy and effectiveness of the issuer’s risk management and internal control systems.
2 A group with multiple listed issuers may share group resources to carry out the internal audit function for members of the group.
The issuer should establish a whistleblowing policy and system for employees and those who deal with the issuer (e.g. customers and suppliers) to raise concerns, in confidence and anonymity, with the audit committee (or any designated committee comprising a majority of independent non-executive directors) about possible improprieties in any matter related to the issuer.
The issuer should establish policy(ies) and system(s) that promote and support anti-corruption laws and regulations.
Recommended Best Practices
The board may disclose in the Corporate Governance Report that it has received a confirmation from management on the effectiveness of the issuer’s risk management and internal control systems.
The board may disclose in the Corporate Governance Report details of any significant areas of concern.
D.3 Audit Committee
The board should establish formal and transparent arrangements to consider how it will apply financial reporting, risk management and internal control principles and maintain an appropriate relationship with the issuer’s auditors. The audit committee established under the GEM Listing Rules should have clear terms of reference.
Full minutes of audit committee meetings should be kept by a duly appointed secretary of the meeting (who should normally be the company secretary). Draft and final versions of minutes of the meetings should be sent to all committee members for their comment and records, within a reasonable time after the meeting.
A former partner of the issuer’s existing auditing firm should be prohibited from acting as a member of its audit committee for a period of two years from the date of the person ceasing:
(a) to be a partner of the firm; or
(b) to have any financial interest in the firm,
whichever is later.
The audit committee’s terms of reference should include at least:-
Relationship with the issuer’s auditors
(a) to be primarily responsible for making recommendations to the board on the appointment, reappointment and removal of the external auditor, and to approve the remuneration and terms of engagement of the external auditor, and any questions of its resignation or dismissal;
(b) to review and monitor the external auditor’s independence and objectivity and the effectiveness of the audit process in accordance with applicable standards. The audit committee should discuss with the auditor the nature and scope of the audit and reporting obligations before the audit commences;
(c) to develop and implement policy on engaging an external auditor to supply non-audit services. For this purpose, “external auditor” includes any entity that is under common control, ownership or management with the audit firm or any entity that a reasonable and informed third party knowing all relevant information would reasonably conclude to be part of the audit firm nationally or internationally. The audit committee should report to the board, identifying and making recommendations on any matters where action or improvement is needed;
Review of the issuer’s financial information
(d) to monitor integrity of the issuer’s financial statements and annual report and accounts, half-year report and quarterly reports, and to review significant financial reporting judgements contained in them. In reviewing these reports before submission to the board, the committee should focus particularly on:-
(i) any changes in accounting policies and practices;
(ii) major judgmental areas;
(iii) significant adjustments resulting from audit;
(iv) the going concern assumptions and any qualifications;
(v) compliance with accounting standards; and
(vi) compliance with the GEM Listing Rules and legal requirements in relation to financial reporting;
(e) Regarding (d) above:-
(i) members of the committee should liaise with the board and senior management and the committee must meet, at least twice a year, with the issuer’s auditors; and
(ii) the committee should consider any significant or unusual items that are, or may need to be, reflected in the report and accounts, it should give due consideration to any matters that have been raised by the issuer’s staff responsible for the accounting and financial reporting function, compliance officer or auditors;
Oversight of the issuer’s financial reporting system, risk management and internal control systems
(f) to review the issuer’s financial controls, and unless expressly addressed by a separate board risk committee, or by the board itself, to review the issuer’s risk management and internal control systems;
(g) to discuss the risk management and internal control systems with management to ensure that management has performed its duty to have effective systems. This discussion should include the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer’s accounting and financial reporting function;
(h) to consider major investigation findings on risk management and internal control matters as delegated by the board or on its own initiative and management’s response to these findings;
(i) where an internal audit function exists, to ensure co-ordination between the internal and external auditors, and to ensure that the internal audit function is adequately resourced and has appropriate standing within the issuer, and to review and monitor its effectiveness;
(j) to review the group’s financial and accounting policies and practices;
(k) to review the external auditor’s management letter, any material queries raised by the auditor to management about accounting records, financial accounts or systems of control and management’s response;
(l) to ensure that the board will provide a timely response to the issues raised in the external auditor’s management letter;
(m) to report to the board on the matters in this code provision; and
(n) to consider other topics, as defined by the board.
The audit committee should make available its terms of reference, explaining its role and the authority delegated to it by the board by including them on the Exchange’s website and the issuer’s website.
Where the board disagrees with the audit committee’s view on the selection, appointment, resignation or dismissal of the external auditors, the issuer should include in the Corporate Governance Report a statement from the audit committee explaining its recommendation and also the reason(s) why the board has taken a different view.
The audit committee should be provided with sufficient resources to perform its duties.
The terms of reference of the audit committee should also require it:
(a) to review arrangements employees of the issuer can use, in confidence, to raise concerns about possible improprieties in financial reporting, internal control or other matters. The audit committee should ensure that proper arrangements are in place for fair and independent investigation of these matters and for appropriate follow-up action; and
(b) to act as the key representative body for overseeing the issuer’s relations with the external auditor.
The audit committee should establish a whistleblowing policy and system for employees and those who deal with the issuer (e.g. customers and suppliers) to raise concerns, in confidence, with the audit committee about possible improprieties in any matter related to the issuer.