Over the course of working closely with Hong Kong companies on their internal control reviews, we have observed all kinds of circumstances that contribute to the success or failure of both the review and the company’s listing and long-term success. Too often, companies mistakenly assume that internal control reviews are a challenge, obstacle or undesirable formality to be dealt with only at the absolute minimum. The first and foremost mistake to avoid is the belief that a successful review is one that does not identify any risks.
The reality is that proactively working to ensure compliance ensures the continued competitive advantage of the enterprise as it continues to expand. An effective review delivers value by identifying aspects of a company’s operations with room for improvement, and companies develop a stronger image in the marketplace by transparently committing to the process, rather than pushing to be perceived as infallible from the outset.
Now more than ever, investors make decisions based on data, and one indication of good governance is the regularity with which companies assess and update their operating procedures and internal controls. Therefore, the very first step in a successful review is to align perception with fact in order to enhance and protect over the long term.
Deficits in internal controls have the potential to scale along with the growth of the business, and it is for this reason that working with a reviewer equips companies for success from the outset. Reviewing IC systems only when a review is required by Listing Rules increases the risk factors posed by inadequate controls.
Internal controls kept in place for the sole purpose of “satisfying” a reviewer are almost certainly bound to pose problems in the future. The most common deficits we observe are poorly defined roles, improper risk assessment, and insecure access to company resources.
Defining Roles: Separate For A Purpose
The role of the board and executive management should be clearly defined in terms of the responsibilities that each position holds. The chairman should not be taking on responsibilities held by the Chief Executive Officer, who should report to the board of directors, while the Chief Financial Officer should be able to carry out their duties independently. The company’s leadership is accountable to the board, while the board is accountable to shareholders. Maintaining these streams of responsibility is as essential as maintaining separate lanes of traffic on a highway.
It is quite common for successful companies transitioning from private entity to the IPO stage to find themselves in uncharted waters. While many of the most inspiring success stories in business come from the singular vision of an entrepreneur, expanding companies cannot avoid appointing a separate board, and often separate executive positions in order to maintain growth and continue to channel the founder’s vision on a larger scale.
There is no scope for a listed company to deviate from these separations of responsibility, because they ensure the proper functioning of personnel throughout the organization while protecting against error and misuse of authority, which at the highest level may even result in corporate scandals. Checks and balances on authority for a listed company are not simply management principles; they must be put into practice through solid internal control systems that specifically assess operations.
Risk Assessment: To Each Their Own
Companies must clearly define the risks they face. This is one aspect of the process where the company needs to fully and unambiguously divulge its business risk factors in order for the reviewer to be able to design the best possible protections. If companies are not forthcoming, no reviewer or external entity can fill in all the blanks, and the end result only affects the company.
While many aspects of the internal control review process involve external parties identifying vulnerabilities that a company may not have been aware of, risk assessment depends on specific reports from the perspective of those most familiar with operations. In addition to identifying risk factors, the degree of vulnerability should also be rated relative to the individual circumstances of the company and business, in order to fully protect against adverse scenarios.
For example, the COVID-19 pandemic affects different businesses differently, despite the near-universal impact it has had across the economy. Businesses that serve clients in person, on site, will have to weigh pandemic-related risk factors differently than service providers that do not interact with the public on a day-to-day basis. Staffing and resource-related considerations must similarly be weighed differently depending on the company and industry. It is safe to say that now is the worst time in recent history to be operating a business without comprehensive risk assessments in place.
Access: In the Right Hands…
The designation of access privileges is perhaps the most sensitive risk factor that companies face internally. Just as roles have to be separated, even with the most senior management, access to critical resources like funds and inventory has to be judiciously managed and regularly followed up. In every case where an employee has access to systems, resources or the authority to make decisions regarding company operations, there should be a system to grant, record, renew and revoke access as and when necessary.
The complexity and potential liability of such a system scales with the size of the business and number of employees, and the process must consider risk factors and employee roles in context in order to rule out the possibility of misuse and error, and identify and neutralize problems as soon as they occur.
When companies set up any of these controls in a makeshift fashion, or fail to follow up with fine-tuning, upscaling and field testing through periodic internal control reviews, they are bound to run into trouble. Establishing responsibilities, identifying risks and designating access are critical internal controls that have to be refined and reviewed over time, based on observations and data-driven feedback from actual operations. Merely keeping such policies on the books may suffice for a small business, but substantial growth comes with equally substantial risk and responsibility. With over 5 decades of experience to look back on, we are confident that when you work with us, you are choosing the surest path towards the long-term welfare of your enterprise.