It is worth noting that in one of the disciplinary sanctions listed[2], a listed issuer was sanctioned for failure to have adequate internal controls and oversight in respect of the operation and affairs of its subsidiaries. Therefore, a listed issuer’s duty to put in place a comprehensive and effective internal control and risk management framework and its directors’ duty to ensure that such controls are appropriate and effective apply not only to the operation and affairs of the listed issuer but extend also to those of its subsidiaries.
The Exchange’s expectations on the internal control regimes of listed issuers
Listed issuers are reminded that they are expected to have a comprehensive and effective internal control and risk management framework in place and their directors are collectively and individually responsible for ensuring that such controls are appropriate and effective.
In the event of a potential breach, the Exchange will not only investigate the relevant event, but also the listed issuer’s internal controls in place, its culture and general attitude towards risk, internal controls, compliance and corporate governance, and whether the directors have taken sufficient and proactive steps to discharge their duties in respect of internal controls. Where there is an internal control deficiency, the Exchange may impose disciplinary sanctions on the listed issuer and/or its directors regardless of whether a breach or misconduct is found.
While the Exchange acknowledges that there is no “one-size-fits-all” approach to internal controls, it expects listed issuers to allocate sufficient time and resources to review the effectiveness of internal controls on an ongoing basis and to maintain detailed documentary evidence demonstrating the internal controls in place and their review and enhancement work. Listed issuers are, therefore, urged to keep an “audit trail”.
The Exchange points to the Corporate Governance Code, which contains principles and provisions in relation to internal controls, including but not limited to:
- Principle D.2 which states that the board of directors of a listed issuer should oversee the management in the design, implementation and monitoring of its risk management and internal control systems and the management should provide the board of directors with a confirmation as to the effectiveness of such systems;
- Provision D.2.1 which states that the board of directors of a listed issuer should oversee its risk management and internal control systems on an ongoing basis, ensure that the effectiveness of such systems, including all material controls, is reviewed at least annually and report to shareholders that it has done so; and
- Provision D.3.7(a) which states that the audit committee of a listed issuer should review the arrangements for employees to raise concerns about possible improprieties of its internal controls in confidence.
The Exchange encourages listed issuers to refer to the following materials:
- materials published by the Exchange in respect of corporate governance practices on its website[3], such as the “Corporate Governance Guide for Boards and Directors”[4]; and
- materials published by The Hong Kong Institute of Certified Public Accountants in respect of corporate governance, such as the “Internal Control and Risk Management – A Basic Framework”[5] and “AATB 1 Assistance Options to New Applicants and Sponsors in connection with Internal Controls over Financial Reporting”[6] (the “AATB 1”). The Exchange specifically refers to Appendix 3 of AATB 1 which identifies control categories at both entity level and process level, and provides illustrative areas of focus for the review of internal controls.
Directors who are unsure as to whether a robust and effective internal control and risk management framework is in place are urged to consider obtaining professional advice.