Chapter 13

Due Diligence Guidelines –

Internal Controls

Code of Conduct Paragraphs

17.3(a)(i)

17.6(d)(ii)

17.3(b)(ii) and (iii)

17.6(g)

17.4(c)(ii) and (iii)

Key Stock Exchange Guidance Letters

Exchange Guidance Letter GL63-13

Exchange Guidance Letter GL60-13

Key Stock Exchange Listing Decisions

Exchange Listing Decision LD75-2013

Exchange Listing Decision LD73-2013

Exchange Listing Decision LD48-2013

Other Key References

Technical Bulletin AATB 1 (Revised) – Assistance Options to New Applicants and Sponsors in connection with Due Diligence Obligations, including Internal Controls over Financial Reporting, published by the Hong Kong Institute of Certified Public Accountants (July 2015)

Practice Note 21 to the Listing Rules

1. Understanding a Listing Applicant’s Procedures and Systems

1.1 Standards

1.1.1 Based on reasonable due diligence, a sponsor should have a sound understanding of: … a listing applicant, including its history and background, business and performance, financial condition and prospects, operations and structure, procedures and systems. [Paragraph 17.3(a)(i) of the Code of Conduct]

1.1.2 Regarding the preparation of the listing document, a sponsor should perform, without limitation, each of the following: …

(ii) Achieve a thorough understanding of the listing applicant, including its business, history, background, structure and systems. [Paragraph 17.6(d)(ii) of the Code of Conduct]

1.2 Guidance

1.2.1 Pursuant to the sponsor’s declaration in Appendix 19 to the Listing Rules, sponsors are required to confirm, based on their reasonable due diligence enquiries, that they have reasonable grounds to believe and do believe that:

“(v) the [listing applicant] has established procedures, systems and controls (including accounting and management systems) which are adequate having regard to the obligations of the [listing applicant] and its directors under the Exchange Listing Rules and other relevant legal and regulatory requirements (in particular rules 13.09, 13.10, 13.46, 13.48 and 13.49, Chapters 14 and 14A and Appendix 16, and Part XIVA of the Securities and Futures Ordinance) and which provide a reasonable basis to enable the [listing applicant’s] directors to make a proper assessment of the financial position and prospects of the [listing applicant] and its subsidiaries, both immediately before and after listing”.

1.2.2 A sponsor’s role in advising and assisting the listing applicant to prepare itself for an IPO and to operate as a listed entity includes conducting reasonable due diligence to obtain a sound understanding of the listing applicant’s internal controls procedures and systems and providing adequate advice and recommendations to assist the listing applicant to remedy any material deficiencies identified in its internal controls so that, upon listing, the listing applicant has in place adequate systems and controls to enable it to comply with its obligations as a listed company.

1.2.3 It is commonly the case that many of the internal controls required for a listed company may only be introduced shortly before listing. Reasons for this include that higher-level corporate and management controls will be required for a listed company to enable management to plan the business and monitor progress. Additionally, any pre-listing reorganisation may create a new control environment necessitating new or revised internal controls systems.

1.2.4 As noted below, internal controls due diligence and the rectification of any deficiencies identified is time consuming. It is therefore imperative that the sponsor and the listing applicant consider the approach to internal controls due diligence at the outset of the listing process. The listing applicant should be made aware of, and should agree to provide, the necessary commitment of time and resources to enable the internal controls review to be conducted efficiently and in a timely manner. Sufficient time must be allowed to ensure any material deficiencies in the internal controls identified can, where possible, be remedied prior to the filing of the A1 listing application. Where material deficiencies cannot be remedied prior to the A1 listing application, such matters should be disclosed in the listing application submission. Where an internal controls consultant is appointed, the process (assuming that a long form report on internal controls over financial reporting is used) will typically take at least eight weeks to complete, including initial review work and preparing the initial report, addressing any material deficiencies and producing a follow up report. The actual time required will depend on factors including the size, industry and complexity of the listing applicant and the findings and remedial action required. Please see section 5 below for further details on timing.

1.2.5 There is no simple definition of “internal controls” for these purposes. The Committee of Sponsoring Organisations of the Treadway Commission (“COSO”) report “Internal Control – Integrated Framework”1 issued in 2013 contains a definition of internal controls and a conceptual framework which are relevant. The COSO report defines internal controls as including processes designed to provide reasonable assurance regarding the achievement of objectives in relation to the following:

(a) Effectiveness and efficiency of operations;

(b) Reliability of financial reporting; and

(c) Compliance with applicable laws and regulations.

1.2.6 Sponsors’ due diligence on internal controls of a listing applicant should include an assessment of:

(a) Design – The design of the internal controls systems and procedures;

(b) Implementation – An assessment of whether the control activities have been implemented as designed. This will typically involve, among other things, the carrying out of walkthrough tests on the procedures and systems in place; and

(c) (where appropriate) Operating effectiveness – The operating effectiveness of the control activities, which involves an assessment of whether the control activities are operated as designed for a period of time.2 This involves testing over a period of time and contrasts with the testing of implementation, which involves testing at a specific point in time.

(Source: Appendix 1 to Technical Bulletin AATB 1 (Revised) – Assistance Options to New Applicants and Sponsors in connection with Due Diligence Obligations, including Internal Controls over Financial Reporting, published by the Hong Kong Institute of Certified Public Accountants in July 2015 (the “Technical Bulletin”)3

1.2.7 The internal controls processes for each listing applicant will vary, depending on the industry, size, organisational structure, culture and management philosophy of, and the different risks faced by, the relevant listing applicant. There are however certain key principles relevant to achieving the objective of reliability of financial reporting set out in guidance issued by COSO, drawn from the five key components identified in the COSO framework of:

• Control environment – the foundation for the other components of internal control, which also provides discipline and structure. Factors include ethical values and competence (quality) of personnel, direction provided by the board and effectiveness of management;

• Risk assessment – identification and analysis of risks underlying the achievement of objectives, including risks relating to the changing regulatory and operating environment, as a basis for determining how such risks should be mitigated and managed;

• Control activities – a diverse range of policies and procedures that help to ensure management directives are carried out and any actions that may be needed to address risks to achieving company objectives are taken;

• Information and communication – effective processes and systems that identify, capture and report operational, financial and compliance-related information in a form and timeframe that enable people to carry out their responsibilities; and

• Monitoring – a process that assesses the adequacy and quality of the internal control system’s performance over time. Deficiencies in internal controls should be reported to the appropriate level upstream.

(Source: Internal Control and Risk Management – A Basic Framework, published by the Hong Kong Institute of Certified Public Accountants)

1.2.8 When considering the internal controls systems in place at the listing applicant, and to be implemented on or prior to listing, the sponsor should have regard to applicable regulatory requirements for listed companies, including the requirements of the Listing Rules (in particular those identified in the sponsor’s declaration referred to in paragraph 1.2.1 above), the Corporate Governance Code set out in Appendix 14 to the Listing Rules, the SFC’s Guidelines on Disclosure of Inside Information and the seventeen basic principles in achieving effective internal controls over financial reporting set out in the “Internal Control – Integrated Framework” published by COSO as set out in Appendix 2 to the Technical Bulletin.

1.2.9 In forming a view as to the general suitability for listing of the listing applicant, the sponsor should have regard to the adequacy of the listing applicant’s internal controls. The sponsor should consider whether any internal controls deficiencies are so material that they should be resolved prior to listing. Where this is not possible, the sponsor should consider whether the matter may be appropriately dealt with by disclosure in the listing application. Other control deficiencies that are identified that are not material (either alone or when taken in aggregate) may be resolved after the filing of the listing application or after listing. Please see further section 4 below.

1.2.10 The Stock Exchange has taken into account the internal controls of a listing applicant and any past breaches when considering its suitability for listing in various listing decisions, including the remedial actions taken to rectify inadequate controls and enhanced measures adopted where non-compliance incidents had been identified.4

1.2.11 The Stock Exchange considers that a systematic failure of a listing applicant’s internal controls which is of serious nature and material may translate into an issue of suitability for listing. Where it is determined that such matters may be resolved by way of disclosure, the Stock Exchange expects specific disclosure in the listing document.5 Where there have been non-compliance incidents relating to the listing applicant, depending on the categorisation of the non-compliances, the Stock Exchange expects the listing document to contain specific disclosure of the non-compliance incidents, how and when rectification actions were taken or will be taken and the internal controls or enhanced internal controls to prevent their recurrence (including the identity, position, qualification and experience of personnel responsible for ensuring compliance). In the event an independent internal control expert has been separately engaged to review the internal controls, the identity of and salient terms of the engagement of an internal controls expert and its findings and recommendations, the timing of implementation of such recommendations and any follow-up review should also be disclosed. Additionally, the listing document should disclose the views of the listing applicant’s directors and the sponsor, with basis, on whether the listing applicant’s internal control measures or enhanced internal control measures are adequate and effective, the suitability of the directors under Listing Rules 3.08 and 3.09 and the applicant’s suitability for listing under Listing Rule 8.04.6

1.2.12 Depending on the facts and circumstances of each listing applicant and the seriousness of the non-compliance incidents, the Stock Exchange may request a demonstration period of compliance from the cessation of the non-compliance incidents to demonstrate that the rectification measures and enhanced internal control measures adopted are effective, and there is no financial impact on the listing applicant. The demonstration period would generally be required to be an audited period.7 The Stock Exchange has also taken into account non-compliance incidents and lack of sufficient disclosure of rectification measures in the listing document when rejecting a listing application.8

1.2.13 It should be noted that there are limitations to internal controls, even where the listing applicant has in place a sound and well-managed system. Human factors such as poor judgment, error or mistake, or deliberate circumvention or overriding of the systems, together with unforeseen factors, will impact the effectiveness of the internal controls systems. An internal controls system cannot provide protection with certainty against the listing applicant failing to meet its business objectives or complying with its regulatory obligations or against all material errors, losses, fraud or breaches of laws or regulations. The sponsor’s due diligence on internal controls is not, therefore, expected, or able, to provide an absolute assurance as to the effectiveness of the internal controls in place at listing.

Endnotes

1. The report is available at http://www.coso.org/IC.htm

2. In particular, sponsors should ensure that the internal controls are not susceptible to undue influence from any one director (see Exchange Listing Decision LD96-1).

3. The Technical Bulletin is available at [https://duediligenceguidelines.com/wp-content/uploads/local/aatb1july.pdf].

4. In various listing decisions, the Stock Exchange has considered the internal controls of a listing applicant in considering its suitability for listing:

In Exchange Listing Decision LD92-1, the Stock Exchange was considering the suitability for listing of a listing applicant which had a heavy reliance on transactions with the listing applicant’s directors, giving rise to the risk that the internal controls procedures may be overridden due to the conflict of interest. The Stock Exchange noted that it will examine a listing applicant’s corporate governance measures to handle conflicts of interests and may apply a higher standard of review to ensure an issuer’s eligibility. Disclosure may not be sufficient. In this case, the Stock Exchange considered that the listing applicant had not provided information on how the corporate governance measures it introduced would be able to address conflicts of interest, whether internal guidelines and policies had been adhered to and whether conflicts of interest had been avoided during the track record period.

In Exchange Listing Decision LD97-1 and Exchange Listing Decision LD19-2011, the Stock Exchange analysed regulatory non-compliance incidents in considering suitability for listing, including remedial actions and enhanced measures to avoid future non-compliance.

In addition, in Exchange Listing Decision LD75-2013, the Stock Exchange cited, among other factors, failures of internal control measures and deficiencies in disclosures of internal controls and rectification measures as reasons for returning listing applications.

5. Exchange Guidance Letter GL63-13 sets out the expected disclosure depending on the categorisation of the non-compliances. Paragraph 3.1 of the guidance letter divides non-compliance incidents into three categories:

(a) “Material Impact Non-compliances” – non-compliance incidents which, individually or in the aggregate, have had or may have in the future, a material financial or operational impact on the listing applicant. For example, non-compliances giving rise to significant financial penalties or which may result in the closure of material operating facilities.

(b) “Systemic Non-compliances”: non-compliance incidents which are not material impact non-compliances, but which reflect negatively on the listing applicant’s or its directors’/ senior management’s ability or tendency to operate in a compliant manner. For example, repeated and/ or continuous breaches of laws.

(c) “Immaterial Non-compliances”: Non-compliance incidents which are neither material impact non-compliances nor systemic non-compliances.

Paragraph 3.4 sets out the disclosure for Material Impact Non-compliances and paragraph 3.7 sets out the requirements for Systemic Non-compliances. Immaterial Non-compliances do not need to be disclosed.

6. By paragraph 3.4 of Exchange Guidance Letter GL63-13, the Stock Exchange requires for Material Impact Non-compliances, details on matters such as:

(i) reasons for the non-compliance incidents, nature and extent of the breaches, corresponding risk factors, and the identity and position of the directors/senior management involved in the non-compliance incidents;

(ii) whether the listing applicant has been or will be charged or penalised for the non-compliance incidents during the track record period and up to the latest practicable date with confirmation from the competent authorities (and legal opinions confirming the competence of the relevant authorities). If so, the listing document should disclose the actual or maximum penalty (including the amounts), whether the listing applicant has made any provision (if not, reasons for not making provision), and the potential operational and financial impact on the listing applicant;

(iii) enhanced internal controls to prevent recurrence (including the identity, position, qualification and experience of the personnel who are responsible for ensuring the compliances). In the event an independent internal control expert has been separately engaged to review the internal controls, the listing document should include the identity of and the salient terms of the engagement of an internal control expert and its findings and recommendations and the listing applicant’s timing of implementation of any of the internal control expert’s recommendations (and any follow up review);

(iv) how and when the rectification actions were or will be taken. The Stock Exchange normally expects the rectification actions for all “Material Impact Non-compliances” to be completed before a listing. Where the Stock Exchange accepts that certain non-compliance incidents can only be rectified within a short period after listing, disclose a legal adviser’s view, with basis, whether there is any impediment to rectify the non-compliances, and a statement that the listing applicant will disclose the progress of the rectification in the interim/annual reports and detailed explanation for any delay in the rectification; and

(v) the views of the directors and the sponsor(s), with basis, on whether the listing applicant’s enhanced internal control measures are adequate and effective, the suitability of the directors under Listing Rules 3.08 and 3.09 and the listing applicant’s suitability for listing under Listing Rule 8.04.

Footnote 2 to the guidance letter provides that, if the internal control expert is the reporting accountants or another accounting firm, the relevant guidelines and practices of the accounting profession position an internal controls review as private advice to the directors of the applicant (and if they are party to the engagement, the sponsors). Accordingly, in such circumstances the name of the reporting accountants or other accounting firm and details of their work and findings may be prevented from being quoted or referenced in the listing document. One circumstance in which internal controls work may be referenced in the listing document is where it is practicable for the applicant and the sponsor to additionally and separately engage the reporting accountants or other accounting firm to also perform an assurance engagement in relation to internal controls.

For Systemic Non-compliances, the Stock Exchange expects the following to be disclosed in the listing document:

(a) the views of the directors and the sponsor, with bases for such views, on whether the listing applicant’s internal control measures are adequate and effective under Listing Rule 3A.15(5), the suitability of the directors under Listing Rules 3.08 and 3.09, and the listing applicant’s suitability for listing under Listing Rule 8.04; and

(b) the disclosures set out in paragraphs (i) to (iii) above, to the extent necessary to enable investors to make an informed assessment of the listing applicant.

Material Impact Non-compliances and Systemic Non-compliances should also be highlighted in the “Summary and Highlights” section of the listing document.

Additionally sponsors should refer to Exchange Guidance Letter GL86-16, Appendix 1, Section E which sets out expected disclosures in the business section relating to risk management and internal control systems and non-compliance incidents by reference to Exchange Guidance Letter GL63-13, together with other areas of controls affecting the business, such as with regard to hedging activities.

7. Paragraph 3.2 of Exchange Guidance Letter GL63-13.

8. Paragraph 3.6 of Exchange Guidance Letter GL63-13 provides that the Stock Exchange normally expects the rectification of all Material Impact Non-compliances to have been completed before listing. Paragraph 22(iii) of Exchange Listing Decision LD48-2013.

Disclaimer

HKCFEF Limited and the contributing law firms, accountants and sponsors are not offering these due diligence guidelines as legal, financial or professional advice or services and they should not be relied upon as such. These due diligence guidelines should not be used as a sole basis for any decision, action or inaction and are not meant to serve as a substitute for the advice of qualified professionals. See here for the full terms and conditions.

Internal Controls Due Diligence

Procedures Systems and Controls Including Accounting and Management Systems

Pre-Listing Reorganisation May Create a New Control Environment Necessitating New or Revised Internal Controls Systems

Understanding a Listing Applicants Procedures and Systems

Listing Applicant Internal Controls

Appendix 9 to the Hong Kong Stock Exchange Listing Rules

Adequate Systems and Controls to Comply With Obligations as a Listed Company

The Committee of Sponsoring Organisations of the Treadway Commission (COSO)

COSO Internal Control Integrated Framework report

Risk Management Basic Framework
Systematic Failure of a Listing Applicant’s Internal Controls

Table of contents