
3 minute read 7 Mar 2022

Internal controls in Hong Kong listed companies

By LI Fai

Partner

Direct: +852 2629 1722 | Mobile: +852 6036 8593 | fai.li@eylaw.com.hk


The Hong Kong Stock Exchange (the “Exchange”) published an Enforcement Bulletin (the “Bulletin”) in February 2022 focusing on the internal controls and risk management framework in Hong Kong listed companies[1].

This article summarises (a) directors’ common misconceptions, (b) typical enforcement cases as well as (c) the Exchange’s expectations on internal control regimes, as highlighted in the Bulletin.

Clarifications for common misconceptions

The Exchange found that some directors of listed companies had misconceptions on internal controls (as listed below). Such mistakenly-held beliefs might be genuine but the Exchange has provided useful clarifications.

 

1. Common misconception: Engaging an external auditor is sufficient to discharge a listed issuer’s duty to review its internal controls.

   Clarification: Unless an external auditor is specifically engaged to conduct a formal review on a listed issuer’s internal controls to meet the relevant requirements under the Corporate Governance Code (the “Corporate Governance Code”) as set out in Appendix 14 of the Rules Governing the Listing of Securities on The Stock Exchange of Hong Kong Limited (the “Listing Rules”), directors should not assume that the duty to conduct ongoing review of internal controls is discharged merely on the basis that the auditor has not brought any issues or red flags to their attention.

2. Common misconception: It is sufficient to review part of the listed issuer’s internal controls every year.

   Clarification: While a more in-depth review may be conducted for specific internal controls of a listed issuer on an ad hoc or rotation basis, the Corporate Governance Code requires all material internal controls to be reviewed annually. Even if a professional adviser is engaged to conduct the review, the board of directors must maintain oversight and ensure that the review is adequate.

3. Common misconception: Only the audit committee is responsible for the internal controls.

   Clarification: While the Corporate Governance Code stipulates a particular role for the audit committee to play in respect of internal controls, the directors of a listed issuer remain collectively and individually responsible for ensuring that internal controls are appropriate and effective. Directors are expected to understand, support and oversee the audit committee’s work, take an active interest in potential deficiencies and assist in implementing any necessary enhancements even if the audit committee is to take a lead role in internal controls.

4. Common misconception: A listed issuer may take a passive approach and assume that its internal controls are sound if major issues and/or red flags do not emerge.

   Clarification: It is insufficient for a listed issuer to take a passive approach in reviewing and monitoring its internal controls. Internal controls should be considered on an ongoing basis to ensure they remain fit for purpose by design and are fully implemented and working effectively.

5. Common misconception: There will be no disciplinary sanctions if internal control deficiencies do not lead to any loss being suffered.

   Clarification: An internal control deficiency may, in itself, constitute a breach of duty and result in disciplinary action and public sanction. Disciplinary action and sanction are neither contingent on loss being suffered nor contingent on a separate breach or misconduct being found.

Enforcement cases and trends

From the summary of sanctions published by the Exchange during the second half of 2021, most enforcement cases involved:

  • Directors failing to act honestly and in good faith in the interests of the listed companies
  • Conflicts of interest on the part of directors
  • Directors’ dealing in shares of the listed companies during the blackout periods
  • Companies failing to publish financial results in a timely manner
  • Companies’ inaccurate, incomplete and misleading disclosures
  • Failing to cooperate with the Exchange’s investigation

These are results of internal control deficiencies and breaches of Listing Rules (sometimes persistent breaches). The Bulletin reported that, out of the 14 disciplinary sanctions published by the Exchange during the second half of 2021, 7 involved failure in relation to internal controls and 8 involved directors’ failure to cooperate with the Exchange in its investigations. This demonstrates that both internal controls and cooperation in investigations are key enforcement focuses of the Exchange.

It is worth noting that in one of the disciplinary sanctions listed[2], a listed issuer was sanctioned for failure to have adequate internal controls and oversight in respect of the operation and affairs of its subsidiaries. Therefore, a listed issuer’s duty to put in place a comprehensive and effective internal control and risk management framework and its directors’ duty to ensure that such controls are appropriate and effective apply not only to the operation and affairs of the listed issuer but extend also to those of its subsidiaries.

The Exchange’s expectations on the internal control regimes of listed issuers

Listed issuers are reminded that they are expected to have a comprehensive and effective internal control and risk management framework in place and their directors are collectively and individually responsible for ensuring that such controls are appropriate and effective.

In the event of a potential breach, the Exchange will not only investigate the relevant event, but also the listed issuer’s internal controls in place, its culture and general attitude towards risk, internal controls, compliance and corporate governance, and whether the directors have taken sufficient and proactive steps to discharge their duties in respect of internal controls. Where there is an internal control deficiency, the Exchange may impose disciplinary sanctions on the listed issuer and/or its directors regardless of whether a breach or misconduct is found.

While the Exchange acknowledges that there is no “one-size-fits-all” approach to internal controls, it expects listed issuers to allocate sufficient time and resources to review the effectiveness of internal controls on an ongoing basis and to maintain detailed documentary evidence demonstrating the internal controls in place and their review and enhancement work. Listed issuers are, therefore, urged to keep an “audit trail”.

The Exchange points to the Corporate Governance Code, which contains principles and provisions in relation to internal controls, including but not limited to:

  • Principle D.2 which states that the board of directors of a listed issuer should oversee the management in the design, implementation and monitoring of its risk management and internal control systems and the management should provide the board of directors a confirmation as to the effectiveness of such systems;
  • Provision D.2.1 which states that the board of directors of a listed issuer should oversee its risk management and internal control systems on an ongoing basis, ensure that the effectiveness of such systems, including all material controls, is reviewed at least annually and report to shareholders that it has done so; and
  • Provision D.3.7(a) which states that the audit committee of a listed issuer should review the arrangements for employees to raise concerns about possible improprieties of its internal controls in confidence.

The Exchange encourages listed issuers to refer to the following materials:

  • materials published by the Exchange in respect of corporate governance practices on its website[3], such as the “Corporate Governance Guide for Boards and Directors”[4]; and
  • materials published by The Hong Kong Institute of Certified Public Accountants in respect of corporate governance, such as the “Internal Control and Risk Management – A Basic Framework”[5] and “AATB 1 Assistance Options to New Applicants and Sponsors in connection with Internal Controls over Financial Reporting”[6] (the “AATB 1”). The Exchange specifically refers to Appendix 3 of AATB 1 which identifies control categories at both entity level and process level, and provides illustrative areas of focus for the review of internal controls.

Directors who are unsure as to whether a robust and effective internal control and risk management framework is in place are urged to consider obtaining professional advice.
