Accountability and audit
(i) Financial reporting
The Board acknowledges that it is its responsibility to prepare the consolidated financial statements and to present a balanced, clear and comprehensive assessment of the performance, position and prospects of the Group in the interim and annual reports of the Group.
The reporting responsibility of the Company’s auditor on the consolidated financial statements of the Group is set out in the “Independent Auditor’s Report” on pages 98 to 105 of this annual report.
(ii) Risk management and internal control
(a) Responsibilities of the Board and management
The Board acknowledges that it is responsible for maintaining an appropriate and effective risk management and internal control systems in the Group and reviewing the systems effectiveness to safeguard the Group’s assets and shareholders’ interests. These risk management and internal control systems can only reasonably, but do not absolutely ensure the non-occurrence of material misstatement, significant loss, error or fraud and they are designed to manage, rather than eliminate the risk of failure in the Group’s operational systems to achieve its business objectives.
Management of the Company is responsible for designing, implementing and monitoring the risk management and internal control systems; and providing confirmation to the Audit Committee on the systems effectiveness through the completion of controls self-assessment on key business processes in the Group.
(b) Risk Management
To provide sound and effective risk management, the Board has established an enterprise risk management framework which includes the following key features:
- Risk Governance Structure
The Group’s risk governance structure comprises of day-to-day operational management and control, risk and compliance oversight, and independent assurance. The Group has developed a risk management policy which outlines the principles and procedures for the Group to manage its risks and also clearly defines roles and responsibilities of each of the multiple layers of the structure, including the Board, the Audit Committee, department heads, staff at operational levels and the internal audit, in order to achieve the Group’s strategic and operational goals and objectives.
A robust risk management process is developed to identify, evaluate and manage significant risks. The risk management process includes the following elements:
- Risk identification – Identify the risks faced by the Group.
- Risk assessment and prioritization – Analyze the identified risks based on two dimensions: potential impact and likelihood of occurrence; prioritize key risks and confirm top risks.
- Risk treatment – Select an appropriate risk treatment and develop the relevant risk management strategies for identified key risks.
- Control activities – Controls must be designed, evaluated and implemented on the identified risks.
- Risk monitoring – Perform ongoing and periodic monitoring of risks to ensure the risk management strategies are operating effectively.
- Risk reporting – Consolidate the results from the risk assessment; establish detailed action plan; and report to management and the Audit Committee in a timely manner.
The Group maintains a risk register, which includes information of key enterprise-level risks, their potential consequences, likelihood, impact and overall risk rating. Risk owners will execute risk mitigation actions and respond to their assigned risks in the risk register based on the Board’s risk tolerance. On an annual basis, the risks in the risk register are reevaluated, with consideration of potential new or emerging risks. Also, depending on changes in circumstances and the external environment, risk tolerances and risk responses are adjusted accordingly.
(c) Internal Control
The Group has implemented an internal control system in accordance with an integrated internal control framework established by the COSO (Committee of Sponsoring Organizations of the Treadway Commission), which comprises five main features and principal components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring activities.
The Group has an Internal Audit Department which used a risk-based approach to derive an internal audit plan and it is approved by the Audit Committee on an annual basis to assess the adequacy, effectiveness, efficiency and reliability of internal control procedures over financial, operational and compliance activities of the Group. The results of the independent reviews together with the recommended remedial actions, in the form of internal audit reports, are submitted to the Audit Committee and management on a regular basis. Follow-up reviews are performed to ensure that all identified issues have been resolved satisfactorily.
The Head of the Internal Audit Department reports directly to the Audit Committee. During the year, the Internal Audit Department conducted reviews and reported the status of implementation of follow-up actions on control deficiencies. Relevant recommendations reported by the Internal Audit Department will be implemented by management to enhance the Group’s internal control policies, procedures and practices, and to resolve material internal control deficiencies in a timely manner.
The Group has also developed an Inside Information Disclosure Policy and internal controls for the handling and dissemination of inside information to ensure consistent and timely disclosure, and fulfilment of the Group’s disclosure obligations. The Group has also established and implemented procedures to guide its staff on how to report, escalate and handle inside information, and strictly prohibit them from any unauthorized use of inside information.
(d) Review of Systems Effectiveness
Through the Audit Committee, the Board had conducted an annual review of the effectiveness and adequacy of the risk management and internal control systems by reviewing the work performed by the Internal Audit Department and the controls self-assessment on key business processes performed by management for the year ended 31 March 2020. The review covered all material controls, including financial, operational and compliance controls, and risk management functions. The scope and quality of ongoing monitoring of risks and the internal control systems have been assessed. The changes in the nature and extent of significant risks faced by the Group and response plans have been evaluated. The Board considered that the risk management and internal control systems are functioning effectively and adequately.
During the review, the Board also assessed and was satisfied with the adequacy of the resources, staff qualification and experience, training programmes and budget of the Group’s accounting, financial reporting and internal audit functions. Qualified personnel throughout the Group maintains and monitors these internal control procedures on an ongoing basis.
The Board is satisfied that the Group has fully complied with the code provisions C.2 on risk management and internal control set out in the CG Code as set forth in the Appendix 14 of the Listing Rules for the year ended 31 March 2020.
(iii) Audit Committee
An Audit Committee was established by the Company with clear terms of reference to review and supervise the financial reporting process, and the risk management and internal control of the Group. The Audit Committee comprises three Independent Non-Executive Directors, Mr. Abraham Shek, Mr. Andrew Fan and Dr. Eddy Li. The committee held four meetings during the year to discuss the relationship with the external auditor, to review the consolidated interim financial information for the six months ended 30 September 2019 and the consolidated annual financial statements for the year ended 31 March 2020 of the Group, and to evaluate the risk management and internal control systems of the Group.
The attendance record of each committee member is as follows:
*Terms of Reference
(iv) Auditor’s remuneration
During the year, the remuneration paid or payable to the principal auditor, PricewaterhouseCoopers, is set out as follows: