Table: Components of risk management and internal control systems
Components
Principles

Component 1
Corporate Culture / Control environment

This refers to the issuer’s overall culture of internal controls, i.e. the issuer’s control environment.

It is important that throughout the various levels of the issuer’s operation and staff, there is a commitment to integrity, compliance and ethical behaviour. This commitment starts at the board level as the right “tone from the top” is required to achieve buy-in across the organization.

1. Integrity and Ethical Values – There is a firm commitment to ethical standards and a culture of integrity, including through appropriate policies and procedures (whistleblowing policy, code of conduct, etc.).
2. Independent Board Oversight – The board maintains independence from management and exercises appropriate oversight of the internal control system’s implementation (among others, through the audit committee).
3. Organizational Structure – There is a defined structure of authority and responsibility to implement operational, reporting, compliance, and business objectives.
4. Human Resources – Staff recruitment, development and retention is focused on alignment with the issuer’s objectives, in particular in terms of culture, integrity and compliance.
5. Accountability – There is a system of responsibility and accountability in place that includes regular reviews of staff performance, including on compliance metrics related to the internal control systems.

Component 2
Risk Assessment

This refers to ongoing risk assessment across all aspects of the issuer’s business. An issuer needs to operate with clear objectives which allow for an ongoing analysis of risks (including fraud risk) to such objectives – this includes identifying and analysing significant change to (among other things) ensure internal controls remain effective.

6. Identification of Objectives – Establish strategic, operational, reporting, and compliance objectives to allow for the identification of potential risks and the impact of such risks on the objectives.
7. Identification of Risks – Conduct an assessment of risks to the issuer’s objectives, and adopt plans for risk management.
8. Fraud Risks – Consider fraud risks and adopt appropriate steps to manage such risks.
9. Impact on Internal Controls – Consider the impact of the risk assessment on the internal control systems and make any changes as required.

Component 3
Internal Controls

This describes the internal control systems / control activities put in place to respond to the risk assessment and mitigate the identified risks. This includes activities, processes, policies and communications required to establish a strong framework of internal controls and respond adequately to risks.

10. Internal Controls – The issuer adopts and implements a system of internal controls (or control activities) to manage and mitigate risks.
11. Technology – The internal control systems include appropriate controls over technology / IT infrastructure.
12. Policies / Procedures – The internal control system is supported by appropriate policies and procedures.

Component 4
Information and Communication

This requires an issuer to put in place procedures to ensure that the internal control systems are supported by appropriate and up-to-date information and data, and that such information is adequately communicated internally and externally (as applicable).

13. Information and Data – To ensure proper operation of the risk assessment and internal control systems, the issuer deploys accurate, timely, and sufficiently detailed information and/or data (issuers should also critically assess the impact of the use of AI on such processes).
14. Internal Communication – Relevant information is communicated in a timely and thorough manner to support the effective operation of the internal control systems.
15. External Communication – Communication designed to support the effective operation of internal control systems should also involve external stakeholders (as required).

Component 5
Monitoring

This requires an issuer to continuously monitor the internal control systems and ensure that they remain fit for purpose, and that potential deficiencies are communicated in a timely manner so that appropriate actions can be taken.

16. Ongoing Monitoring – Conduct ongoing monitoring and periodic reviews of the internal control systems’ effectiveness. The monitoring should involve internal and external resources (as appropriate).
17. Reporting – Results of the ongoing monitoring and review should be reported to management and the board (and other relevant stakeholders) in a timely manner, in particular if deficiencies have been identified and/or changes to the existing systems are required.

Source: The Internal Control—Integrated Framework (ICIF-2013) published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), formed by five global accountancy and auditing organizations. See also the Hong Kong Institute of Certified Public Accountants, Technical Bulletin, Assistance Options to New Applicants and Sponsors in connection with Due Diligence Obligations, including Internal Controls over Financial Reporting (AATB1).

Table: Scope for annual reviews of the risk management and internal control systems
Components
Scope for Annual Review

Component 1
Corporate Culture / Control environment

Assessment of integrity and ethical values across the organization, including:

What are the relevant policies and procedures (including on code of conduct, conflict of interest, whistleblowing, handling of complaints); what is the approach to legal and regulatory compliance (including compliance with the Listing Rules and the Corporate Governance Code); how is staff / management remuneration assessed.
Assessment of board independence and performance, including:

What is the level of independence, experience and respective roles and responsibilities of board members; is there a process for the declaration of interest; what is the composition of the board committees; whether the terms of reference of the board committees remain appropriate and what is the level of communication between the board and its committees; are directors’ interests being declared.
Assessment of management performance and commitment to internal controls, including:

What is the quality of financial reporting (including but not limited to relevance, reliability, comparability and timeliness); what are the operational goals and policies & procedures in pursuit of such goals; is there sufficient attention to and frequency of discussions on governance, risk and internal control related topics.
Assessment of organizational structure, including:

What are the relevant legal entities, business units, etc. and their responsibilities; how do the reporting lines (in particular between management and business units) work.
Assessment of financial reporting competencies, including:

What is the level of staffing and are the experience and qualifications of staff members adequate, in particular in relation to governance / financial reporting; what is the level of training.
Assessment of responsibilities and delegation, including:

What are the relevant roles and responsibilities, level of authority, assignment of authority and delegation, relevant policies and procedures (including on override of authority).
Assessment of human resources performance, including:

What policies and procedures are in place, what is their practical implementation in relation to recruitment, training, performance evaluation, promotion, compensation, termination.
Assessment of legal / regulatory compliance, including:

What is the level of compliance with (i) (financial) reporting requirements, (ii) laws and regulations (including Listing Rule compliance), and what are the internal control systems in place to procure such compliance, and monitor and report potential deficiencies.

Component 2
Risk Assessment

Assessment of objectives, including:

Are there clear objectives in terms of the issuer’s operations / business, financial reporting and regulatory / legal compliance.
Assessment of risk assessment and management procedures, including:

What are the processes in place for risk assessment and management; regulatory and legal compliance; fraud identification and prevention; is there an ongoing monitoring of the operating environment and potential risks; are there (business) contingency plans; are financial reporting risks assessed.

Component 3
Internal Controls

Detailed assessment of internal controls in place, including:

Analysis of policies and procedures, relevant roles and responsibilities, segregation of duties, record keeping and an assessment of compliance with laws / regulations across all aspects of the issuer’s operation, such as:
  • Sales, accounts receivable and collection;
  • Procurement, accounts payable and payment;
  • Inventory management, including logistics;
  • Production and costing;
  • Human resources and payroll;
  • Fixed assets;
  • Cash and treasury management;
  • Insurance;
  • Financial reporting and disclosure controls;
  • Taxes; and
  • IT system (general and application) controls.

Component 4
Information and Communication

Assessment of use of information and existing level of communication in relation to:
  • Corporate planning, budgeting, forecasting;
  • Reporting from and to management (including without limitation monthly updates to the board as required by the CG Code);
  • Internal communication, including policies / procedures for monitoring and detecting confidential / sensitive information, possible conflicts, notifiable / connected transactions (Chapters 14 and 14A of Listing Rules), other legal or regulatory exposure;
  • External communication, including policies / procedures on communication with external parties, distribution of annual / interim reports and publication of results announcements (including pursuant to Listing Rules 13.46, 13.48 and 13.49), handling of inside information and leakage of sensitive information (including pursuant to Listing Rule 13.09 and Part XIVA of the Securities and Futures Ordinance (Cap. 571 of the Laws of Hong Kong)), regulatory enquiries (including pursuant to Listing Rule 13.10);
  • Level of confidentiality applied to communication and dissemination of (sensitive) information;
  • Level of data protection across the organization, including against cyber threats and data theft, and compliance with applicable personal data laws.

Component 5
Monitoring

Assessment of monitoring functions, policies and procedures, including:
  • Board / management level monitoring;
  • Internal audit (or other function) monitoring, including:
    • Role / responsibility of monitoring function;
    • Interaction with external auditor / providers;
    • Evaluation and mitigation of deficiencies;
    • Escalation / reporting to management / board;
    • Implementation of internal controls / policies.
  • Channels for reporting / whistleblowing;
  • Management letter and internal control findings communicated by external auditor and/or service providers;
  • Level of monitoring of legal / regulatory compliance.

Source: The Internal Control—Integrated Framework (ICIF-2013) published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), formed by five global accountancy and auditing organizations. See also the Hong Kong Institute of Certified Public Accountants, Technical Bulletin, Assistance Options to New Applicants and Sponsors in connection with Due Diligence Obligations, including Internal Controls over Financial Reporting (AATB1).

Practical considerations for disclosure on risk management and internal controls

An issuer needs to make detailed disclosure in the corporate governance report on its risk management and internal control systems and the (at least) annual reviews of these systems (MDR paragraph H). An issuer should consider the following questions when preparing disclosures:

Disclosure on risk management and internal control systems’ scope

  • Are there sufficient details on how the issuer identifies and manages significant risks (including ESG, fraud and cyber risks)?
  • Is there disclosure on whether the issuer has an internal audit function (and if not, how the relevant functions have otherwise been delegated)?
  • Is there a description of the relevant aspects of its risk management and internal control systems and of any significant changes made to the systems during the last reporting period? There should be an explanation of what prompted the changes made to the systems (e.g. a change in risk profile, discovery of potential deficiencies).

Disclosure on reviews of risk management and internal controls systems

  • Is disclosure sufficiently detailed on the scope (e.g. which group entities are being included), process and frequency of the review(s) of the risk management and internal control systems conducted during the relevant reporting period?
  • Is there a description of the roles of all stakeholders involved in the reviews (including confirmation of whether external providers have been involved)?
  • Have the findings and results of the review been disclosed in sufficient detail – including information on any significant control failings or weaknesses identified during the reporting period and remedial steps taken?

Board confirmation of risk management and internal controls systems’ effectiveness

  • Has the board obtained sufficient information and assurances to come to a finding that the issuer’s risk management and internal control systems remain effective, including from management, internal departments (e.g. internal audit) or any external provider (e.g. the auditor)?
  • Has the board confirmed in the corporate governance report that (i) it is responsible for the issuer’s risk management and internal control systems; and (ii) based on the board’s review and assurances received, these systems continue to be appropriate and effective?

Internal Controls

  • While there is no “one-size-fits-all” approach to designing an effective and appropriate system of risk management and internal controls, international bodies have developed a framework setting out components that should be covered by an issuer’s internal controls. When designing their risk management and internal control systems, issuers can consider and apply these components in accordance with their unique risk profile and circumstances.