(5) The costs of a control should not exceed the likely benefits from reduced risks.

　　(6) Internal control systems should be an integral part of an organization.

　　(7) Effective financial controls, including the maintenance of proper accounting records, are an important element of a system of internal control.

　　Reporting on internal control

　　(1) Shareholders are entitled to know whether the internal control system is sufficient to safeguard their investment.

　　(2) The board should, at least annually, conduct a review of the effectiveness of internal control systems and report to shareholders.

　　(3) The review should cover all material controls, including financial, operational and compliance controls and risk management systems.

　　(4) The objectives of reporting are to recommend for changes, to assist management identification of risk and control issues, and to ensure action takes place.

　　(5) Reporting may be voluntary or required by statue.

　　Content of report

　　(1) Objectives of audit work.

　　(2) Summary of process undertaken by auditor.

　　(3) Major outcomes of the work and audit opinion.

　　(4) Recommendation and key action points.

　　Management information

　　(1) To enable management to identify and manage risks and monitor internal controls, they need adequate information.

　　(2) There should be effective channels of communication within the organization.

　　(3) Information should be provided regularly to management.

　　(4) Management need both internal and external information.

　　(5) The actual information provided to management varies, depending on different levels of management.

　　(6) There should be an adequate, integrated information system, supplying internal financial, operational and compliance data and relevant external data.

　　(7) The information should be reliable, timely and accessible, and provided in a consistent format (more understandable)。

　　(8) The characteristics of information will change depending on the management level.

　　Risk

　　(1) Risk is the chance of exposure to the adverse consequences of uncertain future events. Risk can have an adverse impact on the organization’s objectives.

　　(2) For shareholder’s concerns, the relationship between the level of risks and the returns achieved should be addressed.

　　(3) The link between director’s remuneration and risks take should be addressed.

　　(4) Corporate governance requires: (a) Establish appropriate control mechanisms for dealing with the risks the organization faces; (b) Monitor risks by regular review and a wider annual review; (c) Disclose risk management processes.

　　(5) The elements of risk management include: (a) Risk identification; (b) Risk analysis; (c) Risk planning; (d) Risk monitoring.

　　(6) Risk management is the process of reducing the possibility of adverse consequences either by reducing the likelihood of an event or its impact.

　　(7) Management is responsible for establishing a risk management system in an organization.

　　(8) Management needs to monitor risk on an ongoing basis. For the reasons of (a) To identify new risks to determine an appropriate risk management strategy; (b) To identify changes to existing or known risks to amend the risk management strategy.

　　Strategic vs. Operational risks

　　(Strategic risks)

　　(1) Strategic risks relate to the fundamental and key decisions that the directors take about the future of the organization.

　　(2) Strategic risks are risks arising from the possible consequences of strategic decisions taken by the organization, such as merger and acquisition.

　　(3) Strategic risks should be identified and assessed at senior management and board or director level.

　　(Operational risks)

　　(1) Operational risks refer to potential losses that might arise in business operations. It is the risk of loss from a failure of internal business and control processes.

　　(2) Operational risks can be defined as including losses from internal control or audit inadequacies, information technology failures, human error, loss of key-person risk, fraud and business interruption events.