Back Home

Internal Controls

Internal Controls

The MPFA’s internal control and risk management structure is designed to manage and mitigate operational risks. The structure meets with a best practice model known as the “Three Lines of Defence Model”. The three lines of defence in MPFA consists of:

First line of defence - operational management and internal controls

Internal controls are built into systems and processes for guidance and management of day-to-day operations. Individual work units are responsible for maintaining effective internal controls through regular review of operational manuals and ensuring that adequate supervisory controls are in place to safeguard employees’ compliance with internal operational policies and procedures.

Second line of defence - risk management and oversight

Under a well-structured risk management framework, all identified risks are prioritized by their risk levels, and monitoring responsibilities are assigned to different levels of management according to the risk levels of the identified risks. A corporate level risk register and divisional/departmental level risk registers are maintained to keep track of treatments of identified risks, and are reviewed and updated annually.

Third line of defence - internal audit assurance

Through a risk-based internal audit approach, the Risk Management Unit of MPFA provides assurance of the effectiveness of governance, internal controls, and risk management, including the manner in which the first and second lines of defence achieve the internal control and risk management objectives.

Reporting directly to the Managing Director, the Unit provides an independent assessment of internal controls in line with the guidelines and standards on internal audit promulgated by the Hong Kong Institute of Certified Public Accountants. For finance-related audit exercises, the approach of the Committee of Sponsoring Organization of the Treadway Commission (COSO) 2013 is also adopted. Findings of internal audit exercises are reviewed by the senior management and reported to and considered by the Audit Committee, which reports to the Management Board to ensure independence and objectivity.

Back To Top