Risk Management and Internal Control System
The Board of the Company is fully responsible for establishing and maintaining an appropriate and effective risk management and internal control system to safeguard the investment of the shareholders and the assets of the Group. The Company has set up the internal control system and risk management mechanism in compliance with the COSO standards and defined management structure and its authority. This aims at ensuring the efficient and effective utilization of the resources of the Company to assist the Company to achieve its business targets and safeguard its assets, with a view to preventing unauthorized utilization or treatment of the resources of the Company, securing appropriate accounting records to provide reliable financial data for internal use or external dissemination, so as to ensure that the operating activities are in compliance with relevant laws and rules. The above control system is designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.
The Company attaches great importance to risk management in the course of its daily operation. With a decade of development since the listing, the Company has established a risk management culture appropriate to its business practices. The Company put in place a set of practicable risk management methods as well as a sound organization structure and management mechanism for risk management, which solidified risk management procedures, enhanced risk management efficiency and basically established a comprehensive risk management mechanism. In 2017, the Company took into account the requirements of Rule C.2 of the Corporate Governance Code of the Stock Exchange and continued to strengthen the identification, classification and assessment and control of risks and closely monitored any possible material risks, without any material risk issue during the year. After strict identification and assessment and analysis of risks, the Company conducted assessment on the potential risks that the Company may be exposed to in 2018, such as market risks and financial risks, and proposed practicable corresponding solutions. The Company formulated the annual risk management report which sets out the risk management work in 2017 and the assessment of material risks and the control plan for 2018.
Since its listing in 2006, the Company has formulated the internal control manual, internal control assessment rules and other systems based on the COSO internal control framework. Over the years, the Company has striven to improve the systems related to internal control and risk management in light of the changes in internal and external operating environments and business development requirements. In 2017, in light of the internal and external regulatory requirements and its management needs, innovation and transformation, environment change of management and polices and actual conditions, the Company made amendments to its internal control manual and updated the internal control authority lists of its provincial companies.
The risk management department of the Company has established an internal audit division. In 2017, the Company further strengthened audit supervision, and attached importance to the utilization of the results of audit, so as to foster management improvement and to prevent loophole. The above work plays an important role in supporting the Board, the management and the risk management and internal control assessment. The internal audit division is responsible for the daily risk management and internal control of the Company, and providing objective report to the Audit Committee and the Board to ensure that the Board and the management will maintain and operate proper risk management and internal control system in accordance with the pre-determined procedures and standards.
The Company has formulated guidelines on information disclosure management to regulate the disclosure of the periodical result announcements, sensitive information and other important information of the Company and to make proper disclosure in accordance with the requirements of the Stock Exchange. The Company has established a progressive accountability, verification and reviewing system, to ensure the truthfulness, accuracy and timeliness of information disclosure. The Company will appoint external independent advisors, such as legal advisors, for reviewing and verifying when necessary. The Executive Vice President and the Company Secretary of the Company are responsible for coordinating and organizing information disclosure to ensure the compliance of the information disclosure. The Company Secretary is responsible for the daily management of information disclosure, including the disclosure of inside information. The Company also has the Office of the Board to assist in the detailed work regarding information disclosure.
In order to fulfill the requirements of the Hong Kong Stock Exchange, to ensure connected transactions are carried out according to the pricing policy or mechanism under the framework agreements and to regulate and enhance the management of connected transactions, the Company has formulated the Administrative Measures on Connected Transactions of China Communications Services Corporation Limited. The Company enters into a connected transaction framework agreement with China Telecommunications Corporation and applies for the annual caps of connected transactions every three years. At the end of each year, the Company evaluates the connected transactions entered into in each province in the previous year. The risk identification and control targets for connected transactions formulated by the Company are set out in the internal control manual. A series of internal control procedures have been established in respect of the submission, confirmation and delivery of budgets for connected transactions, signing and execution of contracts, reconciliation with connected parties, data verification, accounting, verification of information disclosure and information disclosure, and on-going improvements are made to the management process for connected transactions.
The Group is committed to strengthening its internal control and risk management (as summarized in below figure) and has established a sound internal control foundation.
Annual Risk Management and Internal Control Assessment
The Company continues to focus on strengthening internal control and risk management and has sound internal control and management systems in place. The main internal control and risk management measures of the Company in 2017 are summarized as below:
In 2017, the internal audit division of the Company took the lead in organizing self-assessment for internal control within the whole Group. Based on comprehensive assessment, the self-assessment exercise for internal control focuses on the assessment of key control aspects and control points identified after the risk identification, including cash management, contract management, subcontracting management and inventory management, aiming to assess the effectiveness of the design and implementation of the internal control system. According to its actual needs, the Company carried out a special self-assessment which covered all of its subsidiaries.
The internal control self-assessment was conducted under the supervision of the Company’s working group on risk management. The internal audit division organized and coordinated the assessment of key processes conducted by the relevant departments. The business departments played a leading role in the internal control self-assessment, which could tackle the risk management issues from the sources, further promote the effective combination between the self-assessment and daily operation management and ensure the effectiveness of the self-assessment work. By vesting the control points within the processes to each person-in-charge by the implementation departments, the Company allocated the assessment work among specific staff in the control points to ensure that the width and depth of the internal control assessment comply with the requirements.
After the completion of the assessment, the Company focused on prevention of material risks, and reviewed and examined the design and implementation of its internal control and risk management systems. The Company also formulated practical and effective rectification measures in relation to defects identified during the selfassessment, aiming to make on-going improvements to the internal control system and process so that it could function better to prevent risks and contribute to good management practice. Meanwhile, in the subsequent internal audit, attention was paid to the effectiveness of the internal control for various businesses and inspection was made on assessment of internal control and rectification of defects, so as to ensure the assessment work to be resultful.
In 2017, the Company continued to promote the management of audit project plan and conducted comprehensive internal audit to make independent and objective supervision and assessment of the operation activities and the appropriateness, compliance and effectiveness of its internal control through applying certain auditing procedures and methodologies, with an aim to enhance its operation and create more value for the Company, improve the processes for risk management, control and corporate governance and contribute to the fulfillment of its strategic goals. In light of the requirement on annual key risk control and the characteristics of its operation and management, the internal audit in this year mainly included, among others, economic accountability audit, revenues audit and construction audit with focuses on relevant matters such as income and cost accounting, cash management, subcontracting management, and products distribution business management. Upon the request of the management of the Company and in light of the needs of relevant business departments, the internal audit division made use of the data from the audit and the audit outcomes to hold the audit joint meeting, so as to provide advice for the decision-making and operation and management activities of the Company.
The Board continued to monitor and supervise the risk management and internal control systems of the Company through the Audit Committee, and conducted an annual review on the risk management and internal control systems of the Company and its subsidiaries for the financial year ended 31 December 2017. After receiving the report from the internal audit division as to the effectiveness of the relevant systems and the relevant confirmation from the management to the Board, the Board considered that the risk management and internal control systems of the Company were stable, healthy, proper, effective and adequate, and has satisfied the requirements under Rule C.2 of the Corporate Governance Code of the Stock Exchange regarding risk management and internal control.