HKUST Annual Report 2018-19

76 ANNUAL REPORT 2018-19 Appendices APPENDIX V INTERNAL CONTROL AND RISK MANAGEMENT SUMMARY OF INTERNAL CONTROL AND MEASURES The University has developed a system of internal control based on a framework issued by the Committee of Sponsoring Organizations of Treadway Commission (COSO). The five components of COSO Framework, namely Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring, are adopted by the University in ensuring the effectiveness of University governance. In order to provide assurance about the effectiveness of internal controls to the Council and Senior Management of the University, the following arrangements are in place: (a) Whistleblowing Policy is in place and operating to provide a safe and protective means by which staff, students and other stakeholders of the University are enabled to raise concerns with the appropriate University authorities against any malpractice within the University. (b) The Internal Audit team is responsible to prepare the annual risk-based audit plans and perform independent reviews to assess adequacy of the design and operating effectiveness of the control as well as providing recommendations to streamline processes for efficiency increase. (c) In addition to the statutory annual audit of the University’s financial statements, the external auditors also carry out an independent assurance engagement on the University’s compliance with the guidelines, terms and conditions imposed by the Government’s University Grants Committee. (d) The Audit Committee (The AC) of the University approves the annual audit plan, supervises the scope of work performed by the internal audit team, reviews the internal audit reports or concerns on internal controls raised by the internal and/or external auditors. Furthermore, the Audit Committee has an oversight role on the appointment and performance of both internal and external audit team to ensure independence of the reporting line for the auditors and objectivity of the work performed by the auditors. Risk Management The University’s risk management process (“The Process”) is implemented in accordance with the Strategic Risk Management Policy. The Process complies with the recommendation on management of major institutional risks included in the Newby Report on Governance in UGC-funded Higher Education Institutions in Hong Kong, published on 30 March 2016. The report on risk assessment and supporting risk registers were presented to the Council for approval in October 2019. The following is a summary of the risk assessment results extracted from the report. Overall Conclusion The University faces a number of strategic risks that are classified under reputational, operational and financial risks. In general, there are appropriate mitigation actions to mitigate the identified risks. The University also has reliable sources of assurance that the mitigation is effective. Furthermore, management is well aware of the societal issues faced by the general public in Hong Kong, including the University. Management reaffirms the University’s core values of inclusiveness, diversity and respect in mitigating the external risks arising from the societal issues. The University values and respects the differences of individuals, whether in terms of race, gender, cultural backgrounds, religion, personal interests and in other dimensions, and strives to embrace these diverse forces to foster an inclusive and caring environment. Management continues to emphasize that it is essential that all parties, public or private, adopt an open and approachable attitude in listening to one another by means of direct conversation. The University is trying its utmost to provide a safe environment for teaching and learning with an expression of sharing, dialogue and intellectual stimulation within our campus setting. Management also stands ready to provide support to all members, especially those who are new to the University family. The University also recognizes that new strategic risks may emerge at any time. Going forward, management with the support of the Internal Audit Office will continue to monitor and review the risk registers to identify and assess existing and emerging risks that could lead to serious consequences. The Internal Audit Office will also help to follow up on the completion status of risk mitigating activities at least annually.