Chapter 13

Due Diligence Guidelines – Internal Controls

3. Appointment of Internal Controls Consultant

3.1 Standards

A sponsor cannot abrogate responsibility for due diligence. Where a sponsor engages a third party to assist it to undertake specific due diligence tasks (e.g. engaging lawyers to undertake verification of title to properties, accountants to review internal controls, consultancy firms to undertake market research, agencies to perform investigative work), the sponsor remains responsible in respect of the matters to which the specific tasks relate. A third party’s work, in itself, would not be sufficient evidence that a sponsor has discharged its obligation to conduct reasonable due diligence. The degree to which a third party’s work can be relied on may depend on the professional qualifications of the third party to conduct the work. As a minimum the sponsor should:

(i) assess whether the third party is appropriately qualified and competent for the tasks assigned to it;

(ii) consider the scope and extent of the tasks to be performed by the third party;

(iii) assess the results of the work performed by the third party and arrive at its own opinion whether the work provides a sufficient basis to determine that reasonable due diligence has been conducted and whether further due diligence is required;

(iv) assess whether the results of the work are consistent with other information known to the sponsor including that derived from its other due diligence work; and

(v) assess whether the results of the work should be incorporated in the listing document and whether they should be brought to the attention of the regulators. [Paragraph 17.6(g) of the Code of Conduct]

3.2 Guidance

3.2.1 Appointing an internal controls consultant (“Internal Controls Consultant”) to assist with due diligence on the internal controls of the listing applicant is a generally established practice in Hong Kong and an integral part of the IPO process and assessment of the suitability for listing of the listing applicant. Sponsors are not themselves experts in internal controls. Sponsors should, therefore, normally appoint an Internal Controls Consultant to assist them in carrying out due diligence in respect of the listing applicant’s internal controls systems and procedures. A sponsor may decide that it is not necessary to appoint an Internal Controls Consultant where the sponsor is able to conduct the review of the internal controls systems itself. However, this would generally only be in very rare situations such as a spin-off of a company or a listing applicant in a highly regulated industry where, in any such case, the listing applicant has established internal control systems which have been reported on by its internal audit function as to be able to give the sponsor an appropriate level of confidence in the internal controls systems. Even in such circumstances, an Internal Controls Consultant should be appointed to assist in assessing the scope of the internal audit function’s work to identify whether there are any areas in which supplemental due diligence work is appropriate.

3.2.2 When appointing an Internal Controls Consultant, the sponsor should consider the appropriate approach and format for the Internal Controls Consultant’s review and assessment. The different formats available comprise (i) a long form report on internal controls over financial reporting, (ii) an agreed-upon procedures report, (iii) an assurance engagement and (iv) a long form report – comprehensive review. Only assurance engagements provide any assurance or opinion as to the effectiveness of the internal controls systems. Long form reports provide narratives and commentary on the internal controls (including an assessment of the materiality of any deficiencies) and recommendations as to remedial actions. Agreed-upon procedures engagements merely report factual findings with no assessment of materiality of deficiencies or recommendations for remedial action.

3.2.3 The key features of these four types of engagement are set out below:

(a) Long form report on internal controls over financial reporting:

(i) Scope:

• Scoping may be performed at a high level in terms of general areas of internal controls to be considered by the Internal Controls Consultant. Reference may be made to paragraph 15 of Practice Note 21 to the Listing Rules, the Code of Conduct and Consultation Conclusions on the Regulation of Sponsors and the non-exhaustive illustrative list of matters for consideration set out in Appendix 3 to the Technical Bulletin.[9]

• Can combine review and commentary with detailed testing.

Note: there is no professional standard in Hong Kong covering long form report engagements.

(ii) Report:

• Narrative report format.

• Commentary / description of listing applicant’s internal controls and processes and identification and classification of control deficiencies.

• Recommendations for improvement (to the extent they come to the attention of the Internal Controls Consultant within its scope of work).

• Findings of any detailed testing performed.

• No assurance as to the effectiveness of the new applicant’s internal control activities.

(iii) Follow-up:

• If applicable, the Internal Controls Consultant may conduct a follow-up visit to determine whether recommendations have been implemented.

(b) Agreed-upon procedures:

(i) Scope:

• Specific procedures of an audit nature to be agreed upon.

• This requires sponsors to agree with the Internal Controls Consultant and the listing applicant the detailed scope of work to be performed by the Internal Controls Consultant, having regard to the specific circumstances of the listing applicant.

(ii) Report:

• No general description of listing applicants’ internal controls and process.

• Report of factual findings based on the specific procedures performed which may encompass providing commentary and identification of control deficiencies.

• No assessment of the materiality of deficiencies.

• No assurance as to the effectiveness of the listing applicant’s internal control activities.

(iii) Follow-up:

• If applicable, the Internal Controls Consultant may conduct a follow-up visit to report on the status of control deficiencies identified.

(c) Assurance engagement:

(i) Scope:

• In order for an Internal Controls Consultant to issue an opinion on the listing applicant’s internal controls systems and procedures in its report (which may be either a positive or negative form of expression), the extent of work is required to be at least sufficient for the Internal Controls Consultant to obtain a meaningful level of assurance as the basis for the opinion.

• While there is no specific elapsed period that is required before the assessment, the control procedures to be tested should at least be operating over the testing period and long enough so that sufficient samples could be obtained for the testing.

(ii) Report:

• Assurance as to the effectiveness of the internal controls systems. The significance of each control deficiency identified is individually evaluated. The opinion given by the Internal Controls Consultant sets out its overall conclusion (which may be either a positive or negative form of expression) on any or all of the effectiveness of the listing applicant’s internal controls systems.

• Identification of any deficiencies.

• Recommendations for improvement (to the extent that they come to the attention of the Internal Controls Consultant within the scope of their work).

(iii) Follow-up:

• If applicable, a follow-up visit to determine and report on whether recommendations have been implemented.

(d) Long form report – comprehensive review (“Comprehensive Long Form Report”):

(i) Scope:

• Scoping in respect of internal controls would be the same as a long form report on internal controls over financial reporting as described in paragraph 3.2.3 (a) above. However, a broader scope may be agreed as appropriate to the circumstances to cover other aspects of the listing applicant’s business (including for instance, strategy/prospects, history and description of business, management and employees, directors and senior managers, products and marketing, production, purchasing and research and development, trading results and assets and liabilities).

(ii) Report:

• Narrative report format.

• Commentary / description according to the scope agreed and identification and classification of control deficiencies.

• Recommendations for improvement (to the extent they come to the attention of the accountants within their scope of work).

• No assurance as to the effectiveness of the new applicant’s processes or controls.

(iii) Follow-up:

• If applicable, the accountants may conduct a follow-up visit to determine whether recommendations have been implemented.

(Source: the Technical Bulletin)

3.2.4 As discussed in section 3.3 below, the sponsor should typically consider appointing an Internal Controls Consultant to either (i) prepare a long form report on internal controls over financial reporting or (ii) conduct an agreed-upon procedures engagement. Consideration may also be given as to whether a Comprehensive Long Form Report should be obtained as an alternative, to assist the sponsor in its due diligence in other areas of the listing applicant’s business. Please refer to Chapter 8 “Due Diligence Guidelines – Business Model” and Chapter 12 “Due Diligence Guidelines – Financial” for further details.

3.2.5 Key differences between a long form report and an agreed-upon procedures engagement are that only the long form report would prioritise and categorise any deficiencies identified according to their relative level of significance or risk, or materiality, and contain any recommendations for improvement to the extent that deficiencies are identified. An agreed-upon procedures review provides commentary on deficiencies, but does not provide any views on materiality or recommendations as to how the deficiencies can be addressed. With an agreed-upon procedures review, the sponsor would therefore need to make, without the benefit of recommendations from the Internal Controls Consultant, its own assessment of the materiality of the deficiencies identified and appropriate recommendations for rectification of the deficiencies.

3.2.6 Another significant difference between a long form report and an agreed-upon procedures engagement is that only the long form report would contain a narrative and commentary on the internal controls and systems of the listing applicant. Generally the commentary would also include a description of the detailed procedures performed by the Internal Controls Consultant on the design and implementation of the internal controls. Sponsors may consider the additional commentary provided by the long form report helpful in achieving a thorough understanding of the listing applicant’s systems, as required by Paragraph 17.6(d)(ii) of the Code of Conduct.

3.2.7 A further difference between a long form report and an agreed-upon procedures engagement relates to the scoping of the engagement. In a long form report engagement, the scoping is generally performed at a high-level in terms of general areas of internal controls to be considered by the Internal Controls Consultant. In contrast, for an agreed-upon procedures engagement, specific procedures at a detailed level must be scoped and agreed with the Internal Controls Consultant. Given this, sponsors may consider the high level approach to scoping the review of the long form report helpful. This may particularly be the case where the scope of work of the Internal Controls Consultant’s review is determined at a very early stage in the listing process.

3.2.8 Both long form reports and agreed-upon procedures engagements provide a report on the factual findings resulting from the procedures adopted and in neither case is assurance expressed by the Internal Controls Consultant on the design, implementation or operating effectiveness of the listing applicant’s internal controls systems and procedures. Sponsors commissioning such reports should therefore assess for themselves based on their due diligence, including but not limited to, the procedures and findings reported on by the Internal Controls Consultant, and draw their own conclusions as to the adequacy of the internal controls systems and procedures in place.

3.2.9 Assurance assignments are in most cases not practicable for companies seeking a listing in Hong Kong and are not typical. This is because, in many cases, certain of the internal controls systems of a listing applicant will be newly implemented in readiness for listing. This will mean that these internal controls processes would not have been operating effectively for a sufficient period of time to enable management to give confirmations on their effective operation historically which would be necessary for the Internal Controls Consultant to give an unqualified assurance opinion. However, in specific circumstances (particularly for listing applicants engaged in certain regulated businesses), an assurance engagement on aspects of their business will generally be appropriate e.g., for those engaged in the casino industry (where internal control measures would be expected to be in place due to the nature of the industry and where they are considered particularly critical to the effective operation of the business), sponsors should request the Internal Controls Consultant to conduct a review of, and opine on, the listing applicant’s anti-money laundering compliance systems by way of a limited assurance engagement. In such cases, a copy of the Internal Controls Consultant’s limited assurance engagement report is typically included in the prospectus.

3.3 Recommended Steps

3.3.1 Appointment of Internal Controls Consultant – Where an Internal Controls Consultant is appointed, the Internal Controls Consultant should be an accounting firm (either the same firm that is acting as the reporting accountants or another accounting firm) or otherwise a specialist internal controls consultant. Sponsors should refer to Chapter 18 “Due Diligence Guidelines – Interaction with Third Parties including Expert Advisers” for details of the steps to be taken in selecting and appointing an Internal Controls Consultant, as supplemented by the specific guidance set out herein. Where the proposed listing is for an A and H share company, the sponsor should ensure that the Internal Controls Consultant appointed has experience with Hong Kong listings. Where the Internal Controls Consultant is not an accounting firm, the sponsor should discuss with the consulting firm the extent to which it will follow the Technical Bulletin with regards to the form and scope of its report.

3.3.2 Where the sponsor is not a party to the engagement letter with the Internal Controls Consultant, the engagement letter should set out the basis upon which the Internal Controls Consultant’s report can be given to and relied upon by the sponsor. In addition, it should deal with the basis on which the report (or extracts from it) can be given to the Regulators and, where appropriate,[10] referred to in the listing document. Where it is expected that the Internal Controls Consultant’s report or opinion will be included in the listing document, the sponsors should ensure that the Internal Controls Consultant is aware of the requirement set out in Exchange Guidance Letter GL60-13 to provide a confirmation to the listing applicant, with copies to the Regulators, to the effect that the Internal Controls Consultant does not expect a material change to the opinion based on work done to date.[11]

3.3.3 The engagement letter with the Internal Controls Consultant should provide for the frequency and timing of the reports. The engagement letter should also contain an undertaking from the listing applicant that it will cooperate fully with the Internal Controls Consultant and provide the necessary commitment of time and resources to enable the internal controls review to be conducted efficiently and in a timely manner.

3.3.4 Where an Internal Controls Consultant has been appointed prior to the appointment of the sponsor, the sponsor should review the engagement letter between the listing applicant and the Internal Controls Consultant to ensure that the scope of work is adequate. Where, in the sponsor’s opinion, it is not, the sponsor should require that the listing applicant amend the engagement terms and scope of work as appropriate, require additional work be performed and a follow-up report be prepared as required.

3.3.5 Appendix 5 to the Technical Bulletin sets out an example long form report arrangement letter which has been developed in consultation with stakeholders. This may be used where a sponsor is not a party to the engagement letter but will be an addressee to the report.

3.3.6 Format of the internal controls review – The sponsor should discuss with the Internal Controls Consultant and the listing applicant the appropriate format of the internal controls review carried out by the Internal Controls Consultant, namely (i) a long form report on internal controls over financial reporting, (ii) an agreed-upon procedures engagement, (iii) an assurance engagement or (iv) a Comprehensive Long Form Report. Given (a) the requirement under Paragraph 17.6(d)(ii) of the Code of Conduct that the sponsor achieve a thorough understanding of the listing applicant’s systems and (b) the requirement under Paragraph 17.3(b)(ii) of the Code of Conduct to give advice and recommendations to assist the listing applicant to remedy material deficiencies, sponsors may consider adopting a long form report approach for the additional assessment and description it provides of the internal controls systems and procedures in place in the listing applicant and its subsidiaries, the assessment of materiality of any deficiencies identified and the report’s recommendations (as discussed at paragraphs 3.2.5 and 3.2.6 above). It should be noted that if an agreed-upon procedures engagement is used, the sponsor may need to carry out significantly more work than would be the case where a long form report approach is used, in order to understand the internal controls systems in place at the listing applicant, to make recommendations to remedy deficiencies and to map the scope against the regulatory requirements (see paragraph 3.3.9 for additional information).

3.3.7 Scope of work – The sponsor should request that the Internal Controls Consultant provides a proposed detailed scope of work for its review. As mentioned above, for a long form report engagement, the scoping is generally performed at a high-level in terms of general areas of internal controls to be considered by the Internal Controls Consultant compared with an agreed-upon procedures engagement, where specific procedures at a detailed level must be scoped and agreed with the Internal Controls Consultant. When reviewing the proposed scope of work, the sponsor should exercise its judgment to determine whether the proposed scope of the work is sufficient for the purposes of the sponsor’s confirmation in the sponsor’s declaration in Appendix 19 to the Listing Rules. In particular, the sponsor should have regard to its knowledge of the listing applicant, its industry, size, geographical coverage and management structure and the key risks faced by the listing applicant.[12]

3.3.8 In determining the scope of work of the Internal Controls Consultant, the sponsor should have regard to the matters set out in paragraphs 1.2.6 to 1.2.8 above, including considering addressing the design, implementation and operating effectiveness of the internal controls systems and procedures in place.

3.3.9 Where the sponsor is aware of historic incidences of non-compliance or other deficiencies identified through other aspects of its due diligence on the listing applicant or its management (including deficiencies identified in management letters issued by the listing applicant’s auditors), the sponsor should discuss these with the Internal Controls Consultant and consider addressing these deficiencies when determining the Internal Controls Consultant’s scope of work. Where the sponsor becomes aware of such matters after the Internal Controls Consultant has commenced its work, the sponsor should consider amending the scope of work to address such issues.

3.3.10 Determining coverage and sample – The sponsor should also consider and discuss with the Internal Controls Consultant and the listing applicant the coverage of the report, for instance, the appropriate business units or entities within the listing applicant’s group that should be the subject of walk-through tests conducted by the Internal Controls Consultant to assess the internal controls systems and procedures in place within the key operating entities of the listing applicant group. Where the listing applicant’s business is conducted in multiple locations, particular consideration should be given to identifying the appropriate entities for review. The sponsor should seek guidance from the Internal Controls Consultant as to the appropriate sample size for testing, based on the Internal Controls Consultant’s experience and any relevant industry matrices. The approach of only performing procedures on a sample basis is normal, acceptable practice. The sponsor should obtain an appropriate confirmation that equivalent internal controls are in place elsewhere in the listing applicant’s group which are consistent with those adopted by the entity or entities forming the sample.

3.3.11 Additional steps for agreed-upon procedures engagement – As discussed in paragraph 3.2.6 above, where the agreed-upon procedures approach is used, detailed scoping of the work to be conducted by the Internal Controls Consultant is required. In order to form a view on the adequacy of the scope of the agreed-upon procedures, as an additional step, sponsors should consider conducting a comparison of the work covered by the scope of work of the Internal Controls Consultant with applicable regulatory requirements including the requirements of the Listing Rules (in particular those identified in the sponsors’ declaration referred to in paragraph 1.2.1 above and the Corporate Governance Code set out in Appendix 14 to the Listing Rules), the SFC’s Guidelines on Disclosure of Inside Information and the seventeen basic principles in achieving effective internal controls over financial reporting set out in “Internal Control – Integrated Framework” published by COSO as set out in Appendix 2 to the Technical Bulletin.

Endnotes

9. Appendix 3 to the Technical Bulletin contains an illustrative scope of work in connection with due diligence assistance for internal controls over financial reporting which is non-exhaustive and is not industry specific. The broad category headings are:

I. Internal controls at the entity level

• Control environment

• Risk assessment

• Control activities

• Information and communication

• Monitoring

II. Internal controls at the process level

• Sales, accounts receivable and collection

• Procurement, accounts payable and payment

• Inventory management, including logistics

• Production and costing

• Human resources and payroll

• Fixed assets

• Cash and treasury management

• Insurance

• Financial reporting and disclosure controls

• Taxes

• IT general controls

10. In paragraph 26 of the Technical Bulletin, the Hong Kong Institute of Certified Public Accountants considers that it would be inappropriate to quote from or make reference to an Internal Controls Consultant’s report in a listing document where a long form report or agreed-upon procedures engagement is adopted where it could potentially be misrepresented as the Internal Controls Consultant providing assurance or a conclusion on the effectiveness of the internal controls or the sponsor’s due diligence procedures.

In paragraph 3.1(c) of Exchange Guidance Letter GL63-13, the Stock Exchange may require the identity and salient terms of the engagement of an internal controls expert engaged to be included in the listing document with its findings and recommendations and any follow-up review in circumstances where there have been material non-compliance incidents.

Footnote 2 to the guidance letter provides that, if the internal control expert is the reporting accountants or another accounting firm, the relevant guidelines and practices of the accounting profession position an internal controls review as private advice to the directors of the applicant (and if they are party to the engagement, the sponsors). Accordingly, in such circumstances the name of the reporting accountants or other accounting firm and details of their work and findings may be prevented from being quoted or referenced in the listing document. One circumstance in which internal controls work may be referenced in the listing document is where it is practicable for the applicant and the sponsor to additionally and separately engage the reporting accountants or other accounting firm to also perform an assurance engagement in relation to internal controls.

11. Paragraph 3.1 of Exchange Guidance Letter GL60-13.

12. For listing applicants who have business models with significant forfeited income from pre-payments, sponsors should refer to Exchange Guidance Letter GL26-12. For listing applicants who engage in hedging activities, sponsors should refer to Exchange Listing Decision LD77-2014.

For companies engaged in the restaurant business, sponsors should refer to Exchange Guidance Letter GL28-12.

For listing applicants engaged in the pawn loan business, sponsors should also consider the Stock Exchange’s guidance in Exchange Listing Decision LD33-2012 with respect to risk management and internal control measures that should generally be adopted for this type of business.

For listing applicants with a distributorship model, sponsors should refer to Exchange Guidance Letter GL36-12 which requires disclosure of measures to monitor sales activities to detect potential abuses.

For listing applicants with biological assets, sponsors should refer to Exchange Guidance Letter GL46-12 which sets out disclosure requirements relating to, among other matters, internal controls over the physical existence of biological assets and the relevant record keeping.

For Chapter 21 companies, sponsors should refer to Exchange Guidance Letter GL17-10.

For companies with civil defense projects in the PRC, sponsors should refer to paragraph 6.2(iii) of Exchange Guidance Letter GL19-10.

Disclaimer

HKCFEF Limited and the contributing law firms, accountants and sponsors are not offering these due diligence guidelines as legal, financial or professional advice or services and they should not be relied upon as such. These due diligence guidelines should not be used as a sole basis for any decision, action or inaction and are not meant to serve as a substitute for the advice of qualified professionals. See here for the full terms and conditions.
