Risk Management & Internal Control

Risk Management and Internal Control System

The Board of Directors of the Company is fully responsible for establishing and maintaining an appropriate and effective risk management and internal control system to safeguard the investment of the shareholders and the assets of the Group. The Company has set up an internal control system and risk management mechanism in compliance with the COSO standards and defined management structure and its authority, which aims at ensuring the efficient utilization of the resources of the Company to achieve its business targets and safeguard its assets, with a view to preventing unauthorized utilization or disposal of the resources of the Company, securing appropriate accounting records to provide reliable financial evidence for internal use or external dissemination, so as to ensure that its operating activities are in compliance with relevant laws and rules. The above control system is designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.

The Company attaches great importance to risk management in the course of its daily operation. With a decade of development since the listing, the Company has established a risk management culture appropriate to its business practices. The Company put in place a set of practicable risk management methods as well as a sound organization structure and management mechanism for risk management, which solidified risk management procedures, enhanced risk management efficiency and basically established a comprehensive risk management mechanism. In 2018, the Company took into account the requirements of Rule C.2 of the Corporate Governance Code of the Stock Exchange and continued to strengthen the identification, classification and assessment and control of risks and closely monitored any possible material risks, without any material risk issue during the year. After strict identification and assessment and analysis of risks, the Company conducted assessment on the potential risks that the Company may be exposed to in 2019, such as market risks and financial risks, and proposed practicable corresponding solutions. The Company formulated the annual risk management report which sets out the risk management work in 2018 and the assessment of material risks and the control plan for 2019.

Since its listing in 2006, the Company has formulated the internal control manual, internal control assessment rules and other systems based on the COSO internal control framework. Over the years, the Company has striven to improve the systems related to internal control and risk management in light of the changes in internal and external operating environments and business development requirements.

The risk management department of the Company has established an internal audit division, which is responsible for organizing the Company's daily risk management and internal control assessment, and reporting to the Audit Committee and the Board of Directors to ensure that the Board and management maintain and operate a sound risk management and internal control system in accordance with established procedures and standards. In 2018, the Company further strengthened audit supervision, and attached importance to the utilization of the results of audit, so as to foster management improvement and to prevent loophole. The above work plays an important role in supporting the Board, the management and the risk management and internal control assessment.

The Company has formulated guidelines on information disclosure management to regulate the disclosure of the periodical result announcements, sensitive information and other important information of the Company and to make proper disclosure in accordance with the requirements of the Stock Exchange. The Company has established a progressive accountability, verification and reviewing system, to ensure the truthfulness, accuracy and timeliness of information disclosure. The Company will appoint external independent advisors, such as legal advisors, for reviewing and verifying when necessary. The Executive Vice President and the Company Secretary of the Company are responsible for coordinating and organizing information disclosure to ensure the compliance of the information disclosure. The Company Secretary is responsible for the daily management of information disclosure, including the disclosure of inside information. The Company also has the Office of the Board to assist in the detailed work regarding information disclosure.

In order to fulfill the requirements of the Stock Exchange, to ensure connected transactions are carried out according to the pricing policy or mechanism under the framework agreements and to regulate and enhance the management of connected transactions, the Company has formulated the Administrative Measures on Connected Transactions of China Communications Services Corporation Limited. The Company enters into a connected transaction framework agreement with China Telecommunications Corporation and applies for the annual caps of connected transactions every three years. At the end of each year, the Company evaluates the connected transactions entered into in each province in the previous year. The risk identification and control targets for connected transactions formulated by the Company are set out in the internal control manual. A series of internal control procedures have been established in respect of the submission, confirmation and delivery of budgets for connected transactions, signing and execution of contracts, reconciliation with connected parties, data verification, accounting, verification of information disclosure and information disclosure, and on-going improvements are made to the management process for connected transactions.

The Group is committed to strengthening its internal control and risk management (as summarized in below figure) and has established a sound internal control foundation.


Annual Risk Management and Internal Control Assessment

The Company continues to focus on strengthening internal control and risk management and has sound internal control and management systems in place. The main internal control and risk management measures of the Company in 2018 are summarized as below:

In 2018, the internal audit division of the Company took the lead in organizing self-assessment for internal control within the whole Group. During the year, the Company's internal control self-assessment switched to a risk-oriented principle, which was organized from top to bottom and under an unified manner. With the changes in the Company's internal and external environments as well as the continuous expansion of its business scale, the Company increased its attention to comprehensive risk management. On the basis of its risk-oriented internal control self-assessment system and a comprehensive assessment, the Company identified the key areas and points to focus on according to the major risks that might be faced by the Company during the year, and effectively and adaptively prepare the list of contents to be addressed for the self-assessment in the year, so as to accomplish a comprehensive and well-targeted inspection and assessment, which covered all of its subsidiaries.

The internal control self-assessment was conducted under the supervision of the Company's working group on risk management, led by the internal audit division, and organized and coordinated by the relevant departments. With the business departments playing a leading role in dealing with the risk management issues at source, the Company further promoted the effective combination between the self-assessment and daily operation management and ensured the effectiveness of the self-assessment work. The business departments were to decide on the persons responsible, exert themselves as the first line of defense of risk management, and instill the risk prevention awareness into all areas of the Company's operations, so as to enhance the effectiveness of their self-assessment efforts and promote the improvement of their management.

After the completion of the assessment, the Company focused on prevention of material risks, and reviewed and examined the design and implementation of its internal control and risk management systems. The Company also formulated practical and effective rectification measures in relation to defects identified during the self-assessment, aiming to make on-going improvements to the internal control system and process so that it could function better to prevent risks and contribute to good management practice. Meanwhile, in the subsequent internal audit, attention was paid to the effectiveness of the internal control for various businesses and inspection was made on assessment of internal control and rectification of defects, so as to ensure that the assessment is effective.

In 2018, the Company continued to promote the management of audit project plan and conducted comprehensive internal audit to make independent and objective supervision and assessment of the operation activities and the appropriateness, compliance and effectiveness of its internal control through applying certain auditing procedures and methodologies, with an aim to enhance its operation and create more value for the Company, improve the processes for risk management, control and corporate governance and contribute to the fulfillment of its strategic goals. In light of the requirement on annual key risk control and the characteristics of its operation and management, the internal audit in this year mainly included, among others, economic accountability audit, revenues audit and audit for construction work with focuses on relevant matters such as income and cost accounting, cash management, subcontracting management, and product distribution business management. Upon the request of the management of the Company and in light of the needs of relevant business departments, the internal audit division made use of the data from the audit and the audit outcomes to hold the audit joint meeting, so as to provide advice for the decision-making and operation and management activities of the Company.

The Board continued to monitor and supervise the risk management and internal control systems of the Company through the Audit Committee, and conducted an annual review on the risk management and internal control systems of the Company and its subsidiaries for the financial year ended 31 December 2018. After receiving the report from the internal audit division as to the effectiveness of the relevant systems and the relevant confirmation from the management to the Board, the Board considered that the risk management and internal control systems of the Company were stable, healthy, proper, effective and adequate, and has satisfied the requirements under Rule C.2 of the Corporate Governance Code of the Stock Exchange regarding risk management and internal control.