Chapter 13

Due Diligence Guidelines –

Internal Controls

Code of Conduct Paragraphs

17.3(a)(i)

17.6(d)(ii)

17.3(b)(ii) and (iii)

17.6(g)

17.4(c)(ii) and (iii)

Key Stock Exchange Guidance Letters

Exchange Guidance Letter GL63-13

Exchange Guidance Letter GL60-13

Key Stock Exchange Listing Decisions

Exchange Listing Decision LD75-2013

Exchange Listing Decision LD48-2013

Other Key References

Technical Bulletin AATB 1 (Revised) – Assistance Options to New Applicants and Sponsors in connection with Due Diligence Obligations, including Internal Controls over Financial Reporting, published by the Hong Kong Institute of Certified Public Accountants (July 2015)

Practice Note 21 to the Listing Rules

1. Understanding a Listing Applicant’s Procedures and Systems

1.1 Standards

1.1.1 Based on reasonable due diligence, a sponsor should have a sound understanding of: … a listing applicant, including its history and background, business and performance, financial condition and prospects, operations and structure, procedures and systems. [Paragraph 17.3(a)(i) of the Code of Conduct]

1.1.2 Regarding the preparation of the listing document, a sponsor should perform, without limitation, each of the following: …

(ii) Achieve a thorough understanding of the listing applicant, including its business, history, background, structure and systems. [Paragraph 17.6(d)(ii) of the Code of Conduct]

1.2 Guidance

1.2.1 Pursuant to the sponsor’s declaration in Appendix 19 to the Listing Rules, sponsors are required to confirm, based on their reasonable due diligence enquiries, that they have reasonable grounds to believe and do believe that:

“(v) the [listing applicant] has established procedures, systems and controls (including accounting and management systems) which are adequate having regard to the obligations of the [listing applicant] and its directors under the Exchange Listing Rules and other relevant legal and regulatory requirements (in particular rules 13.09, 13.10, 13.46, 13.48 and 13.49, Chapters 14 and 14A and Appendix 16, and Part XIVA of the Securities and Futures Ordinance) and which provide a reasonable basis to enable the [listing applicant’s] directors to make a proper assessment of the financial position and prospects of the [listing applicant] and its subsidiaries, both immediately before and after listing”.

1.2.2 A sponsor’s role in advising and assisting the listing applicant to prepare itself for an IPO and to operate as a listed entity includes conducting reasonable due diligence to obtain a sound understanding of the listing applicant’s internal controls procedures and systems and providing adequate advice and recommendations to assist the listing applicant to remedy any material deficiencies identified in its internal controls so that, upon listing, the listing applicant has in place adequate systems and controls to enable it to comply with its obligations as a listed company.

1.2.3 It is commonly the case that many of the internal controls required for a listed company may only be introduced shortly before listing. Reasons for this include that higher-level corporate and management controls will be required for a listed company to enable management to plan the business and monitor progress. Additionally, any pre-listing reorganisation may create a new control environment necessitating new or revised internal controls systems.

1.2.4 As noted below, internal controls due diligence and the rectification of any deficiencies identified is time consuming. It is therefore imperative that the sponsor and the listing applicant consider the approach to internal controls due diligence at the outset of the listing process. The listing applicant should be made aware of, and should agree to provide, the necessary commitment of time and resources to enable the internal controls review to be conducted efficiently and in a timely manner. Sufficient time must be allowed to ensure any material deficiencies in the internal controls identified can, where possible, be remedied prior to the filing of the A1 listing application. Where material deficiencies cannot be remedied prior to the A1 listing application, such matters should be disclosed in the listing application submission. Where an internal controls consultant is appointed, the process (assuming that a long form report on internal controls over financial reporting is used) will typically take at least eight weeks to complete, including initial review work and preparing the initial report, addressing any material deficiencies and producing a follow up report. The actual time required will depend on factors including the size, industry and complexity of the listing applicant and the findings and remedial action required. Please see section 5 below for further details on timing.

1.2.5 There is no simple definition of “internal controls” for these purposes. The Committee of Sponsoring Organisations of the Treadway Commission (“COSO”) report “Internal Control – Integrated Framework”1 issued in 2013 contains a definition of internal controls and a conceptual framework which are relevant. The COSO report defines internal controls as including processes designed to provide reasonable assurance regarding the achievement of objectives in relation to the following:

(a) Effectiveness and efficiency of operations;

(b) Reliability of financial reporting; and

(c) Compliance with applicable laws and regulations.

1.2.6 Sponsors’ due diligence on internal controls of a listing applicant should include an assessment of:

(a) Design – The design of the internal controls systems and procedures;

(b) Implementation – An assessment of whether the control activities have been implemented as designed. This will typically involve, among other things, the carrying out of walkthrough tests on the procedures and systems in place; and

(c) (where appropriate) Operating effectiveness – The operating effectiveness of the control activities, which involves an assessment of whether the control activities are operated as designed for a period of time.2 This involves testing over a period of time and contrasts with the testing of implementation, which involves testing at a specific point in time.

(Source: Appendix 1 to Technical Bulletin AATB 1 (Revised) – Assistance Options to New Applicants and Sponsors in connection with Due Diligence Obligations, including Internal Controls over Financial Reporting, published by the Hong Kong Institute of Certified Public Accountants in July 2015 (the “Technical Bulletin”)3

1.2.7 The internal controls processes for each listing applicant will vary, depending on the industry, size, organisational structure, culture and management philosophy of, and the different risks faced by, the relevant listing applicant. There are however certain key principles relevant to achieving the objective of reliability of financial reporting set out in guidance issued by COSO, drawn from the five key components identified in the COSO framework of:

• Control environment – the foundation for the other components of internal control, which also provides discipline and structure. Factors include ethical values and competence (quality) of personnel, direction provided by the board and effectiveness of management;

• Risk assessment – identification and analysis of risks underlying the achievement of objectives, including risks relating to the changing regulatory and operating environment, as a basis for determining how such risks should be mitigated and managed;

• Control activities – a diverse range of policies and procedures that help to ensure management directives are carried out and any actions that may be needed to address risks to achieving company objectives are taken;

• Information and communication – effective processes and systems that identify, capture and report operational, financial and compliance-related information in a form and timeframe that enable people to carry out their responsibilities; and

• Monitoring – a process that assesses the adequacy and quality of the internal control system’s performance over time. Deficiencies in internal controls should be reported to the appropriate level upstream.

(Source: Internal Control and Risk Management – A Basic Framework, published by the Hong Kong Institute of Certified Public Accountants)

1.2.8 When considering the internal controls systems in place at the listing applicant, and to be implemented on or prior to listing, the sponsor should have regard to applicable regulatory requirements for listed companies, including the requirements of the Listing Rules (in particular those identified in the sponsor’s declaration referred to in paragraph 1.2.1 above), the Corporate Governance Code set out in Appendix 14 to the Listing Rules, the SFC’s Guidelines on Disclosure of Inside Information and the seventeen basic principles in achieving effective internal controls over financial reporting set out in the “Internal Control – Integrated Framework” published by COSO as set out in Appendix 2 to the Technical Bulletin.

1.2.9 In forming a view as to the general suitability for listing of the listing applicant, the sponsor should have regard to the adequacy of the listing applicant’s internal controls. The sponsor should consider whether any internal controls deficiencies are so material that they should be resolved prior to listing. Where this is not possible, the sponsor should consider whether the matter may be appropriately dealt with by disclosure in the listing application. Other control deficiencies that are identified that are not material (either alone or when taken in aggregate) may be resolved after the filing of the listing application or after listing. Please see further section 4 below.

1.2.10 The Stock Exchange takes into account the internal controls of a listing applicant and any past breaches when considering its suitability for listing, including the remedial actions taken to rectify inadequate controls and enhanced measures adopted where non-compliance incidents have been identified.4

1.2.11 The Stock Exchange considers that non-compliance incidents may translate into an issue of suitability for listing. Where it is determined that such matters may be resolved by way of disclosure, the Stock Exchange expects specific disclosure in the listing document.5 Where there have been non-compliance incidents relating to the listing applicant, depending on the categorisation of the non-compliances, the Stock Exchange expects the listing document to contain specific disclosure of the non-compliance incidents, what and when rectification actions were taken or will be taken and the internal controls or enhanced internal controls to prevent their recurrence (including when they were implemented and the identity, position, qualification and experience of personnel responsible for ensuring compliance, and the directors’ and sponsor’s view on the adequacy and effectiveness of the enhanced internal control measures and the basis thereof). If an independent internal control expert has been separately engaged to review the internal controls, the identity, scope of review of the internal controls expert, its major findings and recommendations, the timing of implementation of such recommendations and any follow-up review should also be disclosed. Additionally, the listing document should disclose (i) the views of the listing applicant’s directors and the sponsor, with basis, on the adequacy and effectiveness of the listing applicant’s enhanced internal control measures; and (ii) why the directors and sponsor believe the directors are suitable to act as the listing applicant’s directors under Listing Rules 3.08 and 3.09 and why the applicant is suitable for listing under Listing Rule 8.04.6

1.2.12 Depending on the facts and circumstances of each listing applicant and the seriousness of the non-compliance incidents, the Stock Exchange may require rectification before listing. The Stock Exchange normally expects Material Non-compliances to be fully rectified before listing unless this is not applicable or possible. Material Non-compliances that involve bill financing from banks and interest rate/loan arbitrage that are not criminal in nature may be addressed by disclosure. The listing applicant will be required to cease all non-compliant bill financing and for a period of at least 12 months demonstrate that its business is sustainable when it is in compliance.7 The Stock Exchange has also taken into account non-compliance incidents and lack of sufficient disclosure of rectification measures in the listing document when rejecting a listing application.8

1.2.13 It should be noted that there are limitations to internal controls, even where the listing applicant has in place a sound and well-managed system. Human factors such as poor judgment, error or mistake, or deliberate circumvention or overriding of the systems, together with unforeseen factors, will impact the effectiveness of the internal controls systems. An internal controls system cannot provide protection with certainty against the listing applicant failing to meet its business objectives or complying with its regulatory obligations or against all material errors, losses, fraud or breaches of laws or regulations. The sponsor’s due diligence on internal controls is not, therefore, expected, or able, to provide an absolute assurance as to the effectiveness of the internal controls in place at listing.

Endnotes

1. The report is available at https://www.coso.org/Pages/default.aspx.

2. In particular, sponsors should ensure that the internal controls are not susceptible to undue influence from any one director (Exchange Guidance Letter GL68-13 notes that the Stock Exchange will take into account a person’s influence on the listing applicant’s internal controls in determining whether Integrity Non-compliances would render a listing applicant unsuitable for listing).

3. The Technical Bulletin is available at: https://duediligenceguidelines.com/wp-content/uploads/local/aatb1july.pdf.

4. The Stock Exchange considers the internal controls of a listing applicant in considering its suitability for listing. In Exchange Guidance Letter GL68-13, the Stock Exchange provides guidance on suitability for listing of listing applicants where there have been non-compliance incidents. In assessing suitability for listing, one of the factors that the Stock Exchange will take into account is whether any effective internal control measures have been implemented (and for how long) to avoid re-occurrence of similar non-compliances.

In addition, in Exchange Listing Decision LD75-2013, the Stock Exchange cited, among other factors, failures of internal control measures and deficiencies in disclosures of internal controls and rectification measures as reasons for returning listing applications.

5. Exchange Guidance Letter GL63-13 sets out the expected disclosure depending on the categorisation of the non-compliances. Paragraph 3.1 of the guidance letter sets outs three categories of non-compliance incidents:

(a) “Material Non-compliances”: non-compliance incidents which, individually or in aggregate, have had or are reasonably likely to have in the future, a material financial or operational impact on the listing applicant. For example, non-compliances giving rise to significant financial penalties or which may result in the closure of material operating facilities.

(b) “Systemic Non-compliances”: non-compliance incidents which are not Material Non-compliances, but their recurring nature may reflect negatively on the listing applicant’s or its directors’/ senior management’s ability or tendency to operate in a compliant manner.

(c) “Immaterial Non-compliances”: Non-compliance incidents which are neither Material Non-compliances nor Systemic Non-compliances.

Paragraph 3.4 sets out the disclosure for Material Non-compliances and paragraph 3.7 sets out the requirements for Material Non-compliances that involve bill financing from banks and interest rate/loan arbitrage that are not criminal in nature and may be addressed by disclosure. Paragraph 3.8 specifies that for Systemic Non-compliances, the Stock Exchange expects the listing applicant to include the same information as for Material Non-compliances, save that no rectification is required. Immaterial Non-compliances do not need to be disclosed (see paragraph 3.10).

6. By paragraph 3.4 of Exchange Guidance Letter GL63-13, the Stock Exchange requires for Material Non-compliances, details on matters such as:

(i) reasons for, nature and extent of the non-compliance incidents, corresponding risk factors, and the identity and position of the directors/senior management involved in the non-compliance incidents (if any);

(ii) whether the listing applicant has been penalised for the non-compliance incidents during the trading record period and up to the latest practicable date or is likely to be penalised in the future, with confirmation from the competent authorities (and a legal opinion confirming the competence of the relevant authorities). If applicable, disclose the actual or maximum penalty (including the amounts), any provisions made (if not, reasons therefor), and the potential operational and financial impact on the listing applicant (if material);

(iii) details of the enhanced internal control measures implemented to prevent recurrence, including when they were implemented and the identity, position, qualification and experience of the personnel who are responsible for ensuring compliance, the directors’ and sponsor’s view of the adequacy and effectiveness of the enhanced internal control measures and the basis thereof. If an independent internal control expert has been separately engaged to review the internal controls, the listing document should disclose the identity and scope of review of the internal control expert, its major findings and recommendations and the listing applicant’s timing of implementation of such recommendations (and any follow up review);

(iv) what and when the rectification actions were or will be taken. The Stock Exchange normally expects all “Material Non-compliances” to be fully rectified before listing unless the rectification is not applicable or possible. Where applicable, the listing applicant should disclose (1) detailed explanations on why rectification is not applicable or possible; and (2) where the listing applicant is able to demonstrate that Material Non-compliance incidents can only be rectified shortly after listing, a legal adviser’s confirmation that there is no impediment to the rectification of the Material Non-compliances and a statement that the listing applicant will disclose the progress of the rectification in the interim/annual reports and detailed explanation for any delay in the rectification;

(v) why the directors and the sponsor(s) believe the directors are suitable to act as the listing applicant’s directors under Listing Rules 3.08 and 3.09 and why the listing applicant is suitable for listing under Listing Rule 8.04; and

(vi) a brief summary of the non-compliance incidents in the “Summary and Highlights” section of the listing document with appropriate cross reference.

Footnote 2 to the guidance letter provides that, if the internal control expert is the reporting accountants or another accounting firm, the relevant guidelines and practices of the accounting profession position an internal controls review as private advice to the directors of the applicant (and if they are party to the engagement, the sponsors). Accordingly, in such circumstances the name of the reporting accountants or other accounting firm and details of their work and findings may be prevented from being quoted or referenced in the listing document. One circumstance in which internal controls work may be referenced in the listing document is where it is practicable for the applicant and the sponsor to additionally and separately engage the reporting accountants or other accounting firm to also perform an assurance engagement in relation to internal controls.

For Material Non-compliances that involve bill financing from banks and interest rate/loan arbitrage that are not criminal in nature and can be addressed by disclosure, the listing document should include, as well as the information set out above, (i) the amount of gains from the non-compliant bill financing; (ii) unqualified audited financial results covering at least one complete 12-month period after the cessation of the non-compliant bill financing, and (iii) the independent internal control expert’s review and conclusions at the end of a 12-month audited period on the listing applicant’s enhanced internal control measures indicating that there are no other negative findings on the listing applicant’s internal control system during such 12-month audited period.

For Systemic Non-compliances, the Stock Exchange expects the listing applicant to include the same information as for Material Non-compliances, save that no rectification is required.

Additionally sponsors should refer to Exchange Guidance Letter GL86-16, Appendix 1, Section E which sets out expected disclosures in the business section relating to risk management and internal control systems and non-compliance incidents by reference to Exchange Guidance Letter GL63-13, together with other areas of controls affecting the business, such as with regard to hedging activities.

7. Paragraphs 3.4(d) and 3.7 of Exchange Guidance Letter GL63-13.

8. Exchange Listing Decisions LD92-2015 and LD107-2017 contain examples where the Stock Exchange has rejected listing applications due to non-compliances.

In paragraph 22(iii) of Exchange Listing Decision LD48-2013, the Stock Exchange cited a failure by a listing applicant to include sufficient disclosure in the listing document of rectification measures and internal controls which were aligned to the non-compliance incidents as a reason for returning a listing application.

Disclaimer

HKCFEF Limited and the contributing law firms, accountants and sponsors are not offering these due diligence guidelines as legal, financial or professional advice or services and they should not be relied upon as such. These due diligence guidelines should not be used as a sole basis for any decision, action or inaction and are not meant to serve as a substitute for the advice of qualified professionals. See here for the full terms and conditions.

Internal Controls Due Diligence

Procedures Systems and Controls Including Accounting and Management Systems

Pre-Listing Reorganisation May Create a New Control Environment Necessitating New or Revised Internal Controls Systems

Understanding a Listing Applicants Procedures and Systems

Listing Applicant Internal Controls

Appendix 9 to the Hong Kong Stock Exchange Listing Rules

Adequate Systems and Controls to Comply With Obligations as a Listed Company

The Committee of Sponsoring Organisations of the Treadway Commission (COSO)

COSO Internal Control Integrated Framework report

Risk Management Basic Framework
Systematic Failure of a Listing Applicant’s Internal Controls

Table of contents