HKUST Annual Report 2017-18

APPENDIX 4

INTERNAL CONTROL AND RISK MANAGEMENT

SUMMARY OF INTERNAL CONTROL AND MEASURES

The University has developed a system of internal control based on a framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The five components of the COSO Framework, namely Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring, are adopted by the University in ensuring the effectiveness of University governance.

In order to provide assurance about the effectiveness of internal controls to the Council and Senior Management of the University, the following arrangements are in place:

(a) In 2018, the process champions of key processes started an exercise to identify risks at the process level and document the key controls designed to mitigate the risks identified for the processes they are responsible for. This exercise would help to cultivate a risk culture among the key leaders of the units/departments within the University. When the process documentation has been completed, a control self-assessment exercise by the process champions would be rolled out to assess the operating effectiveness of the internal controls for the processes they are responsible for. The internal audit team will help to consolidate and report the results of the control self-assessment to management for follow-up actions.

(b) A Whistleblowing Policy is in place and operating to provide a safe and protective means by which staff, students and other stakeholders of the University are enabled to raise concerns with the appropriate University authorities against any malpractice within the University.

(c) During the financial year ended 30 June 2018, a consulting firm was appointed as the University’s internal auditors to perform risk-based independent reviews of the adequacy and effectiveness of the University’s system of internal control and recommend areas for continuous improvement. In January 2018, an in-house internal audit function was also re-established. The in-house internal audit function will be responsible for drafting the risk-based audit plans for the coming three years and performing independent reviews to assess the adequacy of the design and the operating effectiveness of the controls, as well as providing recommendations to streamline processes to increase efficiency.

(d) In addition to the statutory annual audit of the University’s financial statements, the external auditors also carry out an independent assurance engagement on the University’s compliance with the guidelines, terms and conditions imposed by the Government’s University Grants Committee.

(e) The Audit Committee of the University approves the annual audit plan, supervises the scope of work performed by the internal audit team, and reviews the internal audit reports or concerns on internal controls raised by the internal and/or external auditors. Furthermore, the Audit Committee has an oversight role on the appointment and performance of both the internal and external audit teams to ensure the independence of the reporting line for the auditors and the objectivity of the work performed by the auditors.

RISK MANAGEMENT

Council has approved a new Principal Risk Management Process (“The Process”) to manage major or principal institutional risk, comprising a Statement of Risk Appetite, Risk Policy and Risk Process. The Process complies with the recommendation on management of major institutional risk included in the Newby Report on Governance in UGC-funded Higher Education Institutions in Hong Kong, published on 30 March 2016. Management utilized the Process and presented its 2017-18 Assessment of Principal Risk to Council in October 2018. The following summary is derived from this report.

Overall Conclusion

The University faces a number of principal risks and these are classified under three headings according to Policy: Financial Risks, Reputational Risks and Risks to Operations.

In general, the Principal Risks identified have appropriate mitigation and the University has reliable sources of assurance that the mitigation is effective. In most areas, Management believes it can strengthen risk mitigation and has identified new actions to be taken. Resources will be focused on implementing these new actions in the coming years.

The University recognizes that new Principal Risks may emerge at any time. Implementation of The Process shall ensure the timely assessment and mitigation of new Principal Risks as they emerge.