Accountability and Audit
The board recognises the importance of the integrity of its financial information and acknowledges its responsibility for preparing financial statements that give a true and fair view of the Group’s affairs, its results and cash flows in accordance with the Hong Kong Financial Reporting Standards and the Hong Kong Companies Ordinance. The board endeavours to present to shareholders a balanced and understandable assessment of the Company’s performance, position and prospects. Accordingly, appropriate accounting policies are selected and applied consistently, and judgments and estimates made by the management for financial reporting purposes are prudent and reasonable.
New or revised accounting standards became effective during the year, and those most significant and relevant to the Group are disclosed in Note 2 to the consolidated financial statements on pages 166 to 167.
The responsibilities of the external auditors with respect to the accounts for the year ended 31 December 2016 are set out in the Independent Auditor’s Report on pages 303 to 310.
External auditors and their remuneration
The external auditors perform independent reviews or audits of the financial statements prepared by the management. PwC was engaged as the Company’s external auditor since 1989 and retired at the close of the annual general meeting held on 16 May 2013. KPMG was engaged in place of PwC as the Company’s external auditor and subsequently retired at the close of the annual general meeting held on 2 June 2015 (“2015 AGM”). Since then, PwC has been appointed as the Company’s external auditor in place of KPMG with effect from the close of the 2015 AGM as its largest listed subsidiary, China CITIC Bank Corporation Limited was required to change its external auditor. For 2016, PwC’s fees were approximately as follows:
Statutory audit fee: HK$75 million (2015: HK$73 million).
Fees for other services, including special audits, advisory services relating to systems and tax services: HK$25 million (2015: HK$7 million).
Other audit firms provided statutory audit services at a fee of approximately HK$81 million (2015: HK$90 million) as well as other services for fees of HK$31 million (2015: HK$16 million).
Risk management and internal control
The Group’s risk management and internal control systems are designed to reduce or manage risk to an acceptable level for the Group. They do not eliminate the risk of failure to achieve business objectives, however, can only provide reasonable assurance that the business objectives of CITIC Limited in the following areas are achieved:
- effectiveness and efficiency of operations, including the achievement of performance and operating targets and the safeguarding of assets;
- reliability of financial and operating information provided by the management, including management accounts and statutory and public financial reports; and
- compliance with applicable laws and regulations by business units and functions.
Overview of risk management and internal control
The risk management and internal control system of CITIC Limited is established along the core concepts of risk management and internal control released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the Basic Standard for Enterprise Internal Control jointly issued by five ministries and commissions (Ministry of Finance, CSRC, National Audit Office, CBRC and CIRC) in 2008, as well as relevant guidelines and governmental policies.
The framework of risk management and internal control adopted by CITIC Limited is illustrated below:
The risk management and internal control system of CITIC Limited comprises “Four Levels” and “Three Lines of Defence” based on the corporate governance structure. The “Four Levels” are the (i) board of directors, (ii) management and several committees, (iii) risk management functions of CITIC Limited, and (iv) member companies. The “Three Lines of Defence” are the (i) first line of defence comprised by business units of each level of CITIC Limited, (ii) second line of defence comprised by the risk management functions of each level of CITIC Limited, and (iii) third line of defence comprised by the internal audit departments or functions of each level of CITIC Limited.
The board has overall responsibility for maintaining a sound and effective risk management and internal control system. The audit and risk management committee acts on behalf of the board in providing oversight of the Group's financial reporting system, risk management and internal control systems, reviews and monitors the effectiveness of the internal audit function, and reviews the Group’s policies and practices on corporate governance.
As a sub-committee of the Executive Committee, the Asset and Liability Management Committee (“ALCO”) has been established to monitor financial risks of the Group in accordance with the relevant treasury and financial risk management policies. Based on the annual budget, ALCO reviews CITIC Limited’s financing plan and instruments, oversees fund management and cash flow positions, and manages risks relating to counterparties, interest rates, currencies, commodities, commitments and contingent liabilities. It is also responsible for formulating hedging policy and approving the use of new risk management tools.
The Group has established an audit, risk and internal control team, which constantly reviews policies and work related to audit supervision, risk management and internal control (including but not limited to investment authorisation, the code of conduct, fund management by subsidiaries, guarantees and payments), in order to enhance its management and control over these areas.
Relevant departments of CITIC Limited are responsible for communicating and implementing the decisions, monitoring the adherence of the management policies and preparing relevant reports. All units have the responsibility for identifying, effectively managing and reporting risks on a timely basis, in accordance with the overall risk framework under the management policies and within the scope of authorisation.
CITIC Limited is committed to constantly improving its risk management and internal control framework at all levels; strengthening the risk assessment and monitoring of major projects and key businesses; staying fully informed of the operations, financial condition and major business progress of its subsidiaries through off-site monitoring, on-site inspections and other means to assess the risks that may arise; reporting on a timely basis any weaknesses and potential risks; supervising and implementing management and control measures; and improving the completeness and effectiveness of its risk management and internal control practices across the Group.
Key control policies and measures
The Group’s risk management and internal control are primarily the collective responsibilities of management and the employee. For consistent compliance by every person in the Group, the following key control policies and measures have been implemented:
Monitoring of risk management and internal control effectiveness
During the year, the audit and risk management committee assessed the effectiveness of the risk management and internal control systems on behalf of the board. The reviews covered material controls, including financial, operational and compliance controls, the adequacy of the resources, qualifications and experience of employees in the internal audit, risk management, accounting and financial reporting functions, as well as the sufficiency of training sessions and related budgets.
The main risk management and internal control reviews during the year were as follows:
The board and the management will establish sufficient and effective supervision, management and controls through the risk management and internal control framework of CITIC Limited, which will ensure compliance with the Listing Rules and other legal or regulatory requirements of the jurisdictions in which the Group operates, in order to constantly improve the risk management and internal control system.
CITIC Limited regards internal audit as an important part of the supervisory function of the board and the audit and risk management committee. The primary objective of internal audit, which is set out in the internal audit charter, is to provide independent and objective internal assurance and consulting services, evaluate and improve the effectiveness of risk management and internal control processes for the Company so as to add value and improve the Company’s operations and accomplish its objectives.
Under the internal audit charter of CITIC Limited, the internal audit department can obtain and access all records, personnel and physical properties relevant to internal audit. The head of the internal audit department has unrestricted access to the board and senior management.
The responsibilities of the internal audit are set out in the internal audit charter, which stipulates that (a) examination and assessment are conducted in respect of risk management and internal control to evaluate whether risks related to the following are effectively controlled: achievement of strategic objectives, reliability and integrity of financial and operational information, efficiency and effectiveness of operations, safeguarding of assets, and compliance with the laws, regulations and policies of the Company; (b) follow-up audits and other measures are conducted to track and examine corrective actions in respect of audit findings; (c) special audits are conducted when required by the board and senior management.
Internal audit staffing and tasks completed in 2016
At 31 December 2016, CITIC Limited had approximately 400 1 internal audit staff members in the internal audit departments of the head office and major subsidiaries, providing audit services to various business units and functions of the Company.
During the year, the internal audit department prepared an annual internal audit plan in accordance with risk- based principles. Pursuant to the approved annual plan, detailed audit planning for each audit was devised, followed by field audits and discussions with management. Audit reports addressed to the management were prepared by the internal audit department after completion of the audits. Work reports were also tabled for review at each meeting of the audit and risk management committee, which included audit findings and follow- up results, work progress and staffing of internal audit. The internal audit department issued audit reports on various business segments and subsidiaries of the Company.
Other tasks performed by the internal audit department during the year included the following:
- Implementation of internal audit assessment to evaluate the audit work of major subsidiaries in terms of management, quality, performance, communication and coordination, in order to facilitate the effective execution of internal audit.
- Continuous training and development programme, including online training, sharing sessions and seminars, for internal audit staff to enhance their audit skills and knowledge.