Corporate Governance Report

Internal Control

Internal Control System

The Board attaches great importance to the construction and perfection of the internal control system, and takes effective approaches to supervise the implementation of related control measures, whilst enhancing operation efficiency and effectiveness, and enhancing corporate governance, risk assessment, risk management and internal control so as to protect shareholders’ investment and ensure the safety of the Company’s assets. In this way, the Company can achieve long-term development goals. The Company’s management is responsible for the establishment and implementation of the internal control system. The internal control system of the Company is built on clear organisational structure and management duties, an effective delegation and accountability system, definite targets, policies and procedures, comprehensive risk assessment and management, a sound financial accounting system, and continuing analysis and supervision of operational performance. It covers all services and transactions of the Company. The Company has formulated a code of conduct for the senior management and employees which ensures their ethical value and competency. The Company has formulated its internal reporting system, which encourages anonymous reporting of situations where employees, especially Directors and senior management personnel, breach the rules.

Since the year 2003, based on the requirements of the U.S. securities regulatory authorities and the COSO Internal Control Framework, and with the assistance of KPMG Advisory (China) Limited (Beijing office) and other advisory institutions, the Company has formulated manuals, implementation rules and related rules in relation to internal control, and has developed the Policies on Internal Control Management and Internal Control Accountability Management to ensure the effective implementation of the above systems. Over more than eight years, the Company has continuously revised and improved the manuals and implementation rules in view of the ever changing internal and external operation environment as well as the requirements of business development. In particular, the Company has further strengthened the control over key business processes based on the distinguishing features of mobile services since the commencement of the full services operation. While continuing to improve the internal control related policies, the Company has also been strengthening its IT internal control capabilities, which has improved the efficiency and effectiveness of internal control, enhancing the safety of the Company’s information system so that the integrity, timeliness and reliability of data and information are maintained.

In 2011, the Company supplemented, updated and improved its internal control manuals on the basis of summing up the full services operation practices, responding to the management system renewal and organisational structure adjustment, materialising the support to the front-end operation by finance departments, and resolving problems detected in recent years. The revised sections mainly included the amendments to the internal control manual on content which are not applicable to the existing business process; according to the need of business development, the Company has added the processes of outsourcing management, operating data and financial data reconciliation and client service management, etc., so as to strengthen risk control on key areas. The applicability of internal control manuals was further improved upon the perfection of internal control procedures. In addition, the Company has further strengthened the supervision and inspection of the implementation of internal controls to promote the effectiveness of implementation of internal control, as well as to prevent and mitigate the financial risks.

Comprehensive Risk Management

The Company views comprehensive risk management as an important task within the Company’s daily operation. Pursuant to regulatory requirements in capital markets of the United States and Hong Kong, the Company has formulated a unique five-step risk management approach based on risk management theory and practice, including risk identification, risk assessment, key risk analysis, risk reaction and risk management assessment. The Company has also designed a risk management template, implemented a standardised risk management procedure and established and refined the centralised risk directories and case studies database of the Company, so that risk management terminology is unified across all levels of the Company and the effectiveness of risk management was improved. Following the efforts made in the past five years, China Telecom has established a comprehensive risk management system and has gradually perfected its comprehensive risk monitoring and prevention mechanism.

In 2011, pursuant to the requirement of provision C2 of the Code on Corporate Governance Practices of The Stock Exchange of Hong Kong Limited, the Company further incorporated comprehensive risk management into its daily operation. The Company continued to strengthen the level-oriented, category-oriented and centralised risk management, with resources concentrated on the prevention of three types of major risk, including the risk exposed in the external environment, operational risk and asset risk, and has achieved satisfactory results. In 2011, the Company was not confronted with any major risks.

After rigorous risk identification, assessment and analysis, the Company has conducted a preliminary assessment of potential major risks to the Company in 2012, such as the external environment risk and operational risk, and has put forward detailed responding measures. Through the strict and appropriate risk management procedures, the Company will ensure the impact from the above risks to the Company are limited to and within an expected range.

Annual Internal Control Evaluation

The Company has been continuously improving its internal control system. In order to meet the regulatory requirements of its places of listing, including the United States and Hong Kong, and strengthen its internal control while guarding against operational risk, the Company’s internal audit department is responsible for coordinating the supervision and assessment of internal control.

The Company has adopted the COSO Internal Control Framework as the standard for the internal control assessment. With the management’s internal control testing guidelines and the Audit Standard No. 5 that were issued by PCAOB as its directives, the Company’s internal control assessment is composed of the self-assessment conducted by the persons responsible for internal control together with the independent assessment conducted by the internal audit department. In order to judge the nature of deficiencies in internal control and analyse the effectiveness of the internal control system, the Company adopts the following four major steps of assessment: (1) analyse and identify areas which require assessment, (2) assess the effectiveness of the design of internal control, (3) assess the effectiveness of the execution of internal control, (4) analyse the impact of deficiencies in internal control, evaluate the nature of internal control deficiencies and reach a conclusion as to the effectiveness of the internal control system. At the same time, the Company rectifies any deficiencies found during the assessment. By formulating “Interim Measures for the Internal Control Assessment”, “Manual for the Self-Assessment of Internal Control”, “Manual for the Independent Assessment of Internal Control” and other documents, the Company has ensured the assessment procedures are in compliance with related rules and regulations.

In 2011, the Company’s internal audit department initiated and coordinated the assessment of internal control at Company level, and reported the results to the Audit Committee and the Board.

Self-assessment of internal control adopts a top-down approach which reinforces assessment in respect of control points at the corporate level and control points corresponding to major accounting items. The Company insisted on risk-oriented principles and, on the basis of comprehensive assessment, identified key control areas and control points for major assessment through risk analysis. In 2011, the Company, on the basis of a comprehensive self-evaluation and by way of encouraging active participation by the operational departments, the supervision and control of the assessment process and the monitoring and audit measures were reinforced, comprehensive monitoring control self-assessment was launched and self-assessment covered 100% of the Company, which detected and rectified the existing problems in time. At the same time, in respect of significant areas of risk, the Company’s internal audit department selected 69 key links covering its main processes and organised independent assessment of the internal controls of the Company’s ten provincial branches. It kept track of the rectification of internal control deficiencies to ensure its effectiveness. It organised specialised internal control assessments for operating data and financial data reconciliation to steer the Company towards further strengthening of its standardised management in this regard. The above internal control assessments were effective countermeasures against risks to the Company and contributed to the perfection and healthy development of the Company’s internal control system.

As for the independent assessment, the Company has put forth the guiding principle that “independent assessment shall focus on the major risks in relation to enterprise operation and management and be based on complete internal control system, so as to ensure that the nature of risks and problems will be identified and captured, and to improve the overall efficiency of auditing”, which has actively assisted all departments and branches in raising the quality and efficiency of the independent assessment since 2009. In 2011, in accordance with the principle and arrangement of assessment for the Company, all provincial branches launched a proactive independent assessment within each province. When problems of internal control were identified during the assessment, the provincial branches proposed recommendations and oversaw the process to rectify the problems. As a result, the independent assessment effectiveness of each provincial branch was improved. The Company guided all provincial branches to launch independent assessments and to incorporate a number of factors into consideration, such as extraordinary risks of internal control, proportion of assets and revenue, and the frequency of assessment made by external auditors. Through independent assessment, the Company not only grasped the overall situation of internal control, but also developed key tests for its high-risk processes. In addition, the Company inspected the related units in respect of their rectification of internal control deficiencies and focused on the key issues in order to ensure the depth and quality of assessment.

Furthermore, the Company organised the internal control assessment team and other relevant departments to closely coordinate with the external auditors’ internal control audit related to financial statements. The internal control audit covered the Company and all its subsidiaries as well as the key processes and control points in relation to major accounting items. The external auditors regularly communicated with the management in respect of the audit results.

All levels of the Company have been attaching great importance to rectifying internal control deficiencies. The Company pushes all units to carry out rectification in relation to deficiencies identified through self-assessment, independent assessment and the internal control audit made by the external auditors. The Company also highlighted the participation of professional departments whilst exploring the establishment of an internal control mechanism with long-term efficiency. To ensure effective rectification, the Company also strengthened the verification and supervision of the rectification of internal control deficiencies. Pursuant to requests from the Company, all provincial branches launched rectification on any deficiencies identified from the assessment (including the internal control audit) in a positive manner.

Through self-assessments and independent assessments conducted by branches at different levels, the Company carried out multi-layered and full-dimensional reviews of its internal control system, and put its utmost efforts into rectifying the problems which were identified. Through this method, the Company was able to ensure the effectiveness of its internal control and successfully passed the year-end attestation undertaken by the external auditors.

The Board, through the Audit Committee, reviewed the internal control system of the Company and its subsidiaries for the financial year ended 31 December 2011, which covered its controls on financial reporting, operation and compliance, as well as its risk management functions. The Board is of the view that the Company’s internal control system is solid, well-established and effective. The annual review also considers the adequacy of resources, qualifications and experience of staff fulfilling the Company’s accounting and financial reporting functions, together with the adequacy of the staff’s training programmes and the relevant budget.