Accountability And Audit

Financial reporting

The board recognises the importance of the integrity of its financial information and acknowledges its responsibility for preparing financial statements that give a true and fair view of the Group’s affairs, its results and cash flows in accordance with the Hong Kong Financial Reporting Standards and the Hong Kong Companies Ordinance. The board endeavours to present to shareholders a balanced and understandable assessment of CITIC Limited’s performance, position and prospects. Accordingly, appropriate accounting policies are selected and applied consistently, and judgments and estimates made by the management for financial reporting purposes are prudent and reasonable.

New or revised accounting standards became effective during the year under review, and those most significant and relevant to the Group are disclosed in Note 2 to the consolidated financial statements.

The responsibilities of the external auditors with respect to the accounts for the year ended 31 December 2023 are set out in the Independent Auditor’s Report.

External auditors and their remuneration

The external auditors perform independent reviews or audits of the financial statements prepared by the management. PricewaterhouseCoopers (“PwC”) was engaged as CITIC Limited’s external auditor since 1989 and retired at the close of annual general meeting held on 16 May 2013. KPMG was engaged in place of PwC as CITIC Limited’s external auditor and subsequently retired at the close of the annual general meeting held on 2 June 2015 (“2015 AGM”). PwC was appointed as CITIC Limited’s external auditor in place of KPMG with effect from the close of the 2015 AGM as its largest listed subsidiary, China CITIC Bank Corporation Limited, was required to change its external auditor. Since then, PwC has been the auditor of CITIC Limited until it retired at the close of annual general meeting held on 21 June 2023 (“2023 AGM”) due to restrictions in respect of the years of continuous appointment by a state-owned financial enterprise of an accounting firm. KPMG was appointed as CITIC Limited’s external auditor in place of PwC with effect from the close of 2023 AGM.

For 2024, KPMG’s fees were approximately as follows:

Statutory audit fee: RMB129 million (2023: RMB105 million).

Fees for other services, including special audits, advisory services relating to systems and tax services: RMB7 million (2023: RMB12 million).

Other audit firms provided statutory audit services at a fee of approximately RMB83 million (2023: RMB80 million) as well as other services for fees of RMB63 million (2023: RMB46 million).

Overview of risk management and internal control

The Group’s risk management and internal control systems are designed to reduce or manage risk to an acceptable level for the Group. They do not eliminate the risk of failure to achieve business objectives, however, can only provide reasonable assurance that the business objectives of CITIC Limited in the following areas are achieved:

effectiveness and efficiency of operations, including the achievement of performance and operating targets and the safeguarding of assets;
reliability of financial and operating information provided by the management, including management accounts and statutory and financial reports available to public; and
compliance with applicable laws and regulations by business units and functions.

Overview of risk management and internal control

The risk management and internal control system of CITIC Limited is established along the core concepts of risk management and internal control released by the Committee of Sponsoring Organisations of the Treadway Commission (COSO), and the Basic Standard for Enterprise Internal Control, as well as relevant guidelines and governmental policies.

The framework of risk management and internal control adopted by CITIC Limited is illustrated below:

The risk management and internal control system of CITIC Limited comprises “Four Levels” and “Three Lines of Defence” under the corporate governance structure. The “Four Levels” are the (i) board of directors and several committees, (ii) management and several committees, (iii) risk management functions of CITIC Limited, and (iv) member companies. The “Three Lines of Defence” are the (i) first line of defence comprised by business units of each level of CITIC Limited, (ii) second line of defence comprised by the risk management functions of each level of CITIC Limited, and (iii) third line of defence comprised by the internal audit departments of each level of CITIC Limited.

The board has overall responsibility for maintaining a sound and effective risk management and internal control system. The audit and risk management committee acts on behalf of the board in providing oversight of the Group’s financial reporting system, risk management and internal control systems, reviewing and monitoring the effectiveness of the internal audit function, and reviewing the Group’s policies and practices on corporate governance.

As a sub-committee of the Executive Committee, the Asset and Liability Management Committee (“ALCO”) has been established to monitor financial risks of the Group in accordance with the relevant financial and treasury risk management policies. Based on the annual budget, ALCO reviews CITIC Limited’s financing plan and instruments, oversees fund management and cash flow positions, and manages risks relating to counterparties, interest rates, currencies, commodities, commitments and contingent liabilities. It is also responsible for formulating hedging policy and approving the use of new risk management tools.

Relevant departments of CITIC Limited are responsible for communicating and implementing the decisions, monitoring the adherence of the management policies and preparing relevant reports. All units have the responsibility for identifying, effectively managing and reporting risks on a timely basis, in accordance with the overall risk framework under the management policies and within the scope of authorisation.

CITIC Limited is committed to constantly improving its risk management and internal control framework at all levels; strengthening the risk assessment and monitoring of major projects and key businesses; staying fully informed of the operations, financial condition and major business progress of its subsidiaries through off-site monitoring, on-site inspections and other means to assess the risks that may arise; reporting on a timely basis any weaknesses and potential risks; supervising and implementing management and control measures; and improving the completeness and effectiveness of its risk management and internal control practices across the Group.

Key control policies and measures

The Group’s risk management and internal control are primarily the collective responsibilities of management and the employee. For consistent compliance by every person in the Group, the following key control policies and measures have been implemented:

Key control policies and measures
Internal environment	The Group has corporate governance policy, human resources policy and code of conduct for its business operation and governance, as well as periodic reviews and refresher training sessions on important ethical practices. A whistle-blowing policy has been implemented for facilitating internal reporting of suspected malpractice. An inside information and price sensitive disclosure policy is in place covering the reporting and dissemination of price-sensitive information.
Risk assessment	The executive committee of CITIC Limited constantly monitors the business, operational and other risks of the business units. The risk management function identifies and assesses the risks that CITIC Limited is facing through conducting regular risk assessments. It also controls the risks of subsidiaries through regular risk management reporting and risk assessment as well as the monitoring of major projects and businesses. Risk management reports are collated, prepared and submitted to the board/the audit and risk management committee for deliberation, and corresponding risk management measures will be adopted immediately. In addition to the departments with risk management function, relevant functions of CITIC Limited will also identify and assess financial and other risks in terms of investment review, strategic planning, financial management and compliance with laws. The long-term objective is to further promote and monitor formal business-wide risk management processes. Further information in this regard is set out in the Risk Management section of this annual report.
Control activities	Major control systems and processes include budgetary and cost controls, relevant reporting systems and processes for management reporting, corporate policies and procedures for approval, review and segregation of duties across the Group.
Monitoring	Constant monitoring of compliance and review of risk management and internal control are conducted under the supervision of the audit and risk management committee. (Please refer to the section “Monitoring of risk management and internal control effectiveness”). The joint company secretaries of CITIC Limited and related functions are responsible for the overall assessment and monitoring of established procedures to ensure compliance with the Listing Rules and supervision of compliance matters related to applicable laws and other major requirements. The internal audit function reports directly to the audit and risk management committee, and is responsible for examination of risk management and internal control.
Information and communication	Implementation, maintenance and constant development of business and management information systems support CITIC Limited’s businesses and operations, including finance, information disclosure and collaborative supervision. Corporate information is disseminated in a timely manner through the intranet, collaborative office system and corporate email system of CITIC Limited. A corporate website and shareholders communication policy ensure that shareholders receive complete and clear information about CITIC Limited and are encouraged to participate in general meetings of CITIC Limited.

Monitoring of risk management and internal control effectiveness

During the year, the audit and risk management committee assessed the effectiveness of the risk management and internal control systems on behalf of the board. The reviews covered material controls, including financial, operational and compliance controls, the adequacy of the resources, qualifications and experience of employees in the internal audit, risk management, accounting and financial reporting functions, as well as the sufficiency of training sessions and related budgets.

The main risk management and internal control reviews during the year were as follows:

Monitoring of risk management and internal control	Particulars of major tasks completed	Observations
Internal audit	Reviewed the internal audit report. Reviewed the progress and outcomes of internal audit in accordance with the approved annual internal audit plan.	Internal audit findings and recommendations, and management’s remedial actions taken were considered at each audit and risk management committee meeting. Reported to the board on such reviews when necessary.
Compliance assessment	Reviewed the establishment of compliance management system, compliance risk control and management of key compliance projects made by CITIC Limited and its business units; reported on an annual basis any matters subject to criminal convictions, administrative punishments and other punitive measures as a result of non-compliance with laws and regulations, listing rules, provisions under industry regulation; rectified non-compliance and ongoing supervision to ensure completion of such rectification.	No major non-compliance cases were noted during the year, the construction of compliance system still needs to be constantly improved.
Review of risk management and internal control system	Reviewed the business operation and risk management, the changes of risks, and ability to respond in several meetings during the year. Reviewed and confirmed the results of self-assessment on risk management and internal control effectiveness, and the written statements issued by senior management. Reviewed the results of the comprehensive assessment of the major control and risk management activities undertaken by business units and head office functions. Ensured that the supporting documents of the self-assessments on risk management and internal control by the management were reviewed by the internal audit function or risk management function. Reviewed the written statements issued by senior management of business units to confirm that their self-assessments remained correct and that their accounts were prepared in accordance with the financial reporting policies of the corporation.	No material issues were identified during the year, but business units and the Group’s head office functions indicated certain areas of risk management and internal control meriting improvement. Management issued a positive confirmation.
Review of the internal audit, risk management, accounting and financial functions	Reviewed the self-assessments made by business units and the finance, audit, monitoring and compliance functions on the adequacy of the resources, qualifications and experience of employees in the internal audit, risk management, accounting and financial reporting functions, as well as the sufficiency of training sessions and budget.	Resources in the internal audit, risk management, accounting and finance functions were adequate. On the whole, the qualifications and experience of the staff of the internal audit, risk management, accounting and finance functions were satisfactory. Training activities and budgets were given constant attention and remained satisfactory during the year.

The board and the management will establish sufficient and effective supervision, management and controls through the risk management and internal control framework of CITIC Limited, which will ensure compliance with the Listing Rules and other legal or regulatory requirements of the jurisdictions in which the Group operates, in order to constantly improve the risk management and internal control system.

Internal Audit

CITIC Limited regards internal audit as an important part of the supervisory function of the board and the audit and risk management committee. The primary objective of internal audit, which is set out in the internal audit charter, is to provide independent and objective internal assurance and consulting services, evaluate and improve the effectiveness of risk management and internal control processes for the Company so as to add value and improve the Company’s operations and accomplish its objectives.

Authority

Under the internal audit charter of CITIC Limited, the internal audit department can obtain and access all records, personnel and physical properties relevant to internal audit. The head of the internal audit department has unrestricted access to the board and senior management.

Responsibility

The responsibilities of the internal audit are set out in the internal audit charter, which stipulates that (a) examination and assessment are conducted in respect of risk management and internal control to evaluate whether risks related to the following are effectively controlled: achievement of strategic objectives, reliability and integrity of financial and operational information, efficiency and effectiveness of operations, safeguarding of assets, and compliance with the laws, regulations and policies of the Company; (b) track and examine corrective actions in respect of audit findings; (c) special audits are conducted when required by the board and senior management.

Internal audit staffing and tasks completed in 2024

At 31 December 2024, CITIC Limited had approximately 700 internal audit staff members in the internal audit departments of the head office and major subsidiaries, providing audit services to various business units and functions of the Company.

During the year, the internal audit department prepared an annual internal audit plan in accordance with risk-based principles. Pursuant to the approved annual plan, detailed audit planning for each audit was devised, followed by field audits and discussions with management. Audit reports addressed to the management were prepared by the internal audit department after completion of the audits. Work reports were also tabled for review at each meeting of the audit and risk management committee, which included audit findings and follow-up results, work progress and staffing of internal audit. The internal audit department issued audit reports on various business segments and subsidiaries of the Company.

Other tasks performed by the internal audit department during the year included the following:

Implementation of internal audit assessment to evaluate the quality of the audit work of major subsidiaries in terms of management, quality, performance and coordination, in order to facilitate the effective execution of internal audit.
Professional training and sharing sessions for internal audit staff to enhance their audit skills and knowledge.

Management Committees

Business Ethics