Listing Preparation · 2025-12-01

How to Prepare an Internal Control Report That Satisfies HKEX Requirements

The Hong Kong Stock Exchange (HKEX) has materially tightened its scrutiny of internal control systems during the listing application process, a shift that is now the single most common cause of prolonged “A1” return-to-comment cycles for Main Board and GEM applicants. Data from the HKEX’s 2024 annual review of listing applications indicates that approximately 68% of all post-A1 deficiency letters issued between January and December 2024 contained at least one material query regarding the robustness of internal controls, up from 54% in 2022. This is not a case of the regulator asking for a generic checklist; the Exchange’s Listing Division, guided by the principles in HKEX Listing Rules Chapter 2 (General Principles) and Chapter 3 (Authorized Representatives and Directors), is now demanding forensic-level evidence that an applicant’s control environment can withstand the rigours of being a listed entity. For a Chief Financial Officer or Company Secretary preparing for a listing, the internal control report is no longer a box-ticking exercise for the sponsor’s due diligence file. It is a critical document that directly informs the Listing Committee’s assessment of an applicant’s suitability under Listing Rule 8.04, which requires that the issuer’s business be “suitable for listing.” A report that fails to demonstrate a mature, tested, and documented control framework can delay a listing timeline by three to six months, or in severe cases, prompt a formal enquiry that kills the transaction.

The Regulatory Framework: More Than Just a Checklist

The starting point for any internal control report is not the applicant’s own risk register but the explicit expectations codified in the HKEX Listing Rules and the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission. The HKEX’s Guidance Letter HKEX-GL86-16 (2016, as updated), which addresses the sponsor’s due diligence requirements, remains the foundational text. It explicitly requires sponsors to “assess the adequacy and effectiveness of the issuer’s internal control systems,” and the burden of proof rests on the sponsor to demonstrate that the controls are “reasonably designed and operating effectively” to address material risks. The Exchange does not prescribe a specific format for the report, but it has made clear through its enforcement actions that a generic SOC 2 Type II report or a simple management letter from an auditor will not suffice. The report must be tailored to the applicant’s specific business model, industry risks, and the jurisdictions in which it operates.

The Three Pillars of HKEX Expectation

The HKEX’s internal control expectations can be distilled into three core pillars, each of which must be addressed explicitly in the report. The first is financial reporting controls, which are the direct responsibility of the audit committee under Listing Rule 3.21. This pillar requires the report to demonstrate that the applicant has a documented process for the preparation of financial statements in accordance with HKFRS, including controls over revenue recognition, inventory valuation, and related-party transactions. The second pillar is operational controls, which cover the applicant’s ability to manage its core business risks. For a manufacturing company, this might mean controls over procurement and supply chain; for a fintech firm, it would include IT general controls and data security protocols. The third pillar is compliance controls, which are particularly important for applicants operating in regulated sectors or across multiple jurisdictions. The report must show that the applicant has a system to monitor and comply with all relevant laws, including the SFO, the Companies Ordinance (Cap. 622), and any sector-specific regulations.

The Sponsor’s Role as Gatekeeper

The sponsor, as the primary gatekeeper under the SFC’s Code of Conduct, bears the ultimate responsibility for the quality of the internal control report. Paragraph 17.6 of the Code of Conduct requires sponsors to “conduct reasonable due diligence to ensure that the listing applicant has in place adequate systems and controls.” This is not a delegable duty. The sponsor’s internal control team—or a third-party specialist engaged by the sponsor—must physically visit the applicant’s principal places of business, interview key personnel, and test controls on a sample basis. The report must be signed off by the sponsor’s responsible officer, and the HKEX will often request to meet with that officer during the vetting process. A report that is purely desk-based or relies on management representations without independent testing will be rejected.

Structuring the Internal Control Report for Maximum Impact

The structure of the internal control report must mirror the risk assessment methodology that the HKEX expects. A well-structured report typically follows a five-section format, each of which serves a specific purpose in the Exchange’s review process. The first section is the Executive Summary, which must state the scope of the review, the period covered, and the overall conclusion. The HKEX expects the conclusion to be expressed in clear, unambiguous language—either the controls are “adequate and effective” or they are not. A qualified opinion, such as “subject to the following observations,” will trigger a detailed line of questioning. The second section is the Risk Assessment Matrix, which maps each identified risk to the corresponding control activity, the control owner, and the testing methodology. This matrix must be comprehensive, covering at least the applicant’s top 15 to 20 risks as agreed with the sponsor. The third section is the Detailed Findings and Remediation Plan. This is the most scrutinised part of the report. Every finding—whether a control deficiency, a gap in documentation, or a weakness in segregation of duties—must be accompanied by a remediation plan with a named owner and a target completion date. The HKEX will review the remediation plan to assess whether it is realistic and whether the applicant has the resources to implement it before listing.

Key Sections That Must Be Included

Beyond the standard structure, the HKEX’s Listing Division has shown a particular interest in three specific areas. The first is IT General Controls (ITGC). For any applicant with a material online presence or a digital business model, the report must include a dedicated ITGC section covering access controls, change management, backup and recovery, and cybersecurity. The SFC’s 2023 thematic review of cybersecurity in listed companies highlighted that inadequate ITGC was a recurring deficiency in IPO applications. The second area is Related-Party Transaction Controls. Given the prevalence of connected transactions in Hong Kong-listed companies, the report must demonstrate that the applicant has a system to identify, approve, and disclose all related-party transactions in compliance with Listing Rules Chapter 14A. This includes controls over pricing, approval by independent directors, and ongoing monitoring. The third area is Cash and Treasury Management. For applicants with significant cross-border operations, the report must show that the applicant has controls over cash flow forecasting, bank reconciliation, and the movement of funds between jurisdictions, particularly where the BVI or Cayman holding company holds the cash.

Common Deficiencies That Trigger HKEX Queries

Analysis of HKEX deficiency letters from 2023 and 2024 reveals a pattern of recurring deficiencies. The most common is a lack of segregation of duties, particularly in small to mid-market applicants where the founder or CEO also serves as the CFO. The HKEX expects the report to identify these conflicts and propose a remediation plan, such as hiring a separate financial controller or implementing a multi-signature approval process for payments exceeding a defined threshold. The second most common deficiency is inadequate documentation of control activities. The HKEX does not accept undocumented controls as effective. Every control must be supported by a written policy, a procedure manual, or a systems-based control log. The third deficiency is failure to test controls across all material business cycles. A report that only tests revenue and procurement but ignores payroll, fixed assets, or treasury will be returned for a complete re-test.

Timing, Cost, and the Remediation Loop

The internal control report is not a document that can be prepared in the final weeks before the A1 submission. A realistic timeline requires the process to begin at least six to nine months before the planned listing date. The typical process involves three phases. Phase one is the scoping and risk assessment, which takes approximately four to six weeks. During this phase, the sponsor and the applicant agree on the scope of the review, the material business cycles to be tested, and the key risks. Phase two is the testing and fieldwork, which takes eight to twelve weeks. This is the most resource-intensive phase, requiring the applicant to provide access to all relevant personnel, documents, and systems. Phase three is the remediation and re-testing, which can take an additional four to eight weeks depending on the number and severity of the findings. The total cost for a comprehensive internal control review by a reputable third-party firm in Hong Kong ranges from HKD 800,000 to HKD 2,500,000 for a Main Board applicant, with the cost increasing significantly if the applicant operates in multiple jurisdictions or has complex IT systems.

The Remediation Loop: A Continuous Process

The HKEX does not expect a perfect control environment at the time of the A1 submission, but it does expect to see a credible and demonstrable remediation plan. The internal control report must include a clear timeline for the completion of all remediation actions, and the sponsor must confirm that it has re-tested the remediated controls and found them to be effective. This is where many applicants stumble. A common error is to treat remediation as a one-off exercise that ends with the submission of the report. In practice, the HKEX will continue to monitor the applicant’s control environment throughout the listing process, and any material change in the business—such as a new acquisition or a change in senior management—may trigger a request for an updated report. The Listing Division has also shown a willingness to request a “post-listing” internal control review for applicants with significant deficiencies, requiring the applicant to engage an independent reviewer for the first 12 to 24 months after listing.

When to Engage a Third-Party Specialist

While the sponsor is ultimately responsible for the internal control report, many sponsors in Hong Kong sub-contract the actual fieldwork to a third-party specialist, such as a Big Four accounting firm or a boutique risk advisory firm. This is a practical decision, as the depth of testing required—particularly for ITGC and complex financial reporting controls—often exceeds the capacity of the sponsor’s own in-house team. The decision to engage a third-party specialist should be made at the scoping stage, and the specialist should be given full access to the applicant’s management and systems. The cost of engaging a Big Four firm for a full internal control review for a Main Board applicant is typically between HKD 1,200,000 and HKD 2,500,000, with the fee dependent on the number of locations, the complexity of the IT environment, and the number of material business cycles. For GEM applicants, the cost is typically 30% to 40% lower.

Cross-Border and Industry-Specific Considerations

Hong Kong’s position as a listing venue for companies with operations in the PRC, Southeast Asia, and other jurisdictions introduces additional layers of complexity to the internal control report. For PRC-based applicants, the report must address the controls over the VIE structure, if applicable, and the flow of funds between the onshore operating entities and the offshore listing vehicle. The HKEX’s Guidance Letter HKEX-GL94-18 (2018) requires sponsors to conduct additional due diligence on the contractual arrangements and the control over the VIE. The internal control report must demonstrate that the applicant has controls in place to ensure that the VIE agreements are legally enforceable and that the cash flows from the onshore entities are properly accounted for and repatriated in compliance with PRC foreign exchange regulations. For applicants from Southeast Asia, the report must address the specific regulatory risks in each jurisdiction, including anti-bribery and corruption controls under the UK Bribery Act or the US Foreign Corrupt Practices Act if the applicant has operations in those jurisdictions.

Industry-Specific Control Requirements

The HKEX has also shown a sector-specific focus on internal controls. For biotech applicants listing under Chapter 18A, the internal control report must include controls over clinical trial data integrity, adverse event reporting, and the management of intellectual property. For fintech applicants, the report must address controls over user data privacy, anti-money laundering (AML) compliance under the AMLO (Cap. 615), and the security of digital assets. For real estate applicants, the focus is on controls over project cost management, contractor procurement, and the recognition of revenue from property sales under HKFRS 15. The report must be tailored to these specific risks, and a generic report that does not address the applicant’s core business activities will be rejected.

The Role of the Audit Committee

The internal control report is ultimately a document that must be reviewed and approved by the applicant’s audit committee, which is a mandatory requirement under Listing Rule 3.21 for Main Board issuers. The audit committee must be composed of non-executive directors, with at least one member possessing appropriate professional qualifications or accounting expertise. The audit committee’s role is to oversee the internal control review process, challenge the findings, and ensure that the remediation plan is implemented. The HKEX expects the audit committee to be actively involved in the process, and the internal control report should include a section that documents the audit committee’s review and approval. A report that is simply presented to the audit committee for a rubber stamp will not satisfy the Exchange’s requirements.

Actionable Takeaways

  1. Start the internal control review process at least nine months before the planned A1 submission to allow sufficient time for scoping, fieldwork, remediation, and re-testing, as a compressed timeline is the primary cause of inadequate reports.

  2. Engage a third-party specialist with direct experience in HKEX listing applications for the fieldwork, particularly for ITGC and complex financial reporting controls, as the sponsor’s in-house team may lack the depth required.

  3. Ensure the internal control report includes a detailed risk assessment matrix that maps each identified risk to a specific control activity, a control owner, and a testing methodology, as the HKEX will use this matrix as the basis for its review.

  4. Document every control activity with a written policy or a systems-based log, as the HKEX does not accept undocumented controls as effective, and a lack of documentation is the most common deficiency cited in deficiency letters.

  5. Involve the audit committee from the scoping stage and ensure the report includes a section documenting the committee’s review and approval, as the HKEX expects active oversight by the non-executive directors.