Sponsor · 2025-12-17
A Sponsor's Framework for Assessing the Internal Control Systems of a Listing Applicant
The SFC’s thematic inspection report on sponsor due diligence, published in December 2024, identified internal control system (ICS) reviews as the second-most common deficiency area, cited in 34% of all enforcement-referral cases reviewed. This data point, drawn from the SFC’s review of 30 listing applications submitted between 2021 and 2023, signals a clear regulatory shift: the SFC is no longer treating a listing applicant’s ICS as a peripheral disclosure item but as a core component of sponsor liability under the Securities and Futures Ordinance (SFO) and the Code of Conduct for Persons Licensed by or Registered with the SFC. For sponsors holding Type 6 (advising on corporate finance) and Type 6A (sponsoring) licences, the practical implication is immediate. An ICS review that merely ticks boxes against the HKEX Listing Rules — specifically Main Board Rule 11.06 and GEM Rule 17.56, which require a statement on the adequacy of the applicant’s internal controls — no longer satisfies the SFC’s standard of care. The SFC expects sponsors to apply a forensic, risk-based methodology that tests controls against actual transaction flows, not just documented policies. This article provides a structured framework — grounded in the SFC’s 2024 findings and HKEX Listing Decision HKEX-LD112-2017 — for designing an ICS assessment programme that meets both the regulatory minimum and the evidentiary standard required to defend a sponsor’s work in an enforcement proceeding.
The Regulatory Foundation for ICS Assessments
The SFC’s Stated Expectation: From Procedural to Substantive
The SFC’s December 2024 report, Sponsor Thematic Inspection: Internal Control Systems of Listing Applicants, explicitly states that a sponsor’s review must go beyond “reviewing the issuer’s internal control manual” and must instead “assess whether the controls are effectively designed and implemented to address the specific risks of the listing applicant’s business.” This language mirrors the standard set in the SFC’s Code of Conduct, paragraph 17.6(b), which requires a sponsor to “take reasonable steps to satisfy itself that the listing applicant has in place adequate internal control systems.” The SFC’s 2024 report clarifies that “reasonable steps” includes, at a minimum: (i) walkthrough testing of revenue and cash cycles; (ii) independent verification of inventory and fixed assets; (iii) review of IT general controls (ITGC) for financial reporting systems; and (iv) assessment of the board’s oversight of internal audit functions.
The HKEX Listing Rule Requirements
HKEX Main Board Rule 11.06 and GEM Rule 17.56 require the listing applicant to include in the prospectus a statement that the directors are satisfied that the group has in place adequate internal control systems. The sponsor’s obligation, under paragraph 17.6(b) of the SFC’s Code of Conduct, is to form its own independent view on this statement. HKEX Listing Decision HKEX-LD112-2017, concerning a manufacturing applicant with multiple PRC subsidiaries, established the precedent that the exchange will question a sponsor’s reliance solely on management representations regarding ICS adequacy. In that case, the exchange requested additional evidence of the sponsor’s independent testing, specifically walkthroughs of the revenue cycle at three subsidiary-level entities. The decision underscores that the sponsor’s work must be documented and verifiable, not merely accepted from the applicant.
Structuring the ICS Assessment Programme
Phase One: Scoping and Risk Profiling
The ICS assessment must begin with a documented scoping memorandum that identifies the applicant’s key business risks. For a typical PRC-based manufacturing applicant, the SFC’s 2024 report identifies revenue recognition, cash management, and related-party transactions as the highest-risk areas. The sponsor should map these risks to specific control objectives: for revenue recognition, the objective is that sales are recorded at the correct amount and in the correct period. The scoping document must also define the materiality threshold for control testing. The SFC’s 2024 report notes that a threshold of 0.5% of total assets or 1% of revenue — whichever is lower — is commonly used by sponsors in the sample reviewed, and the SFC did not object to this benchmark. The scoping memorandum should be approved by the sponsor’s internal compliance committee before fieldwork begins.
Phase Two: Walkthrough Testing and Control Design Assessment
Walkthrough testing is the core of the ICS assessment. The sponsor’s team must trace a minimum of three transactions from initiation through to reporting for each identified high-risk cycle. For a revenue cycle, this means tracing a sales order from the customer’s purchase order through to the cash receipt and reconciliation in the general ledger. The SFC’s 2024 report found that in 28% of the reviewed cases, sponsors accepted management’s representation that a control existed without performing a walkthrough. The SFC classified this as a “deficiency in sponsor due diligence.” The walkthrough must be documented in a standardised work paper that includes: (i) the date of the walkthrough; (ii) the personnel interviewed; (iii) the documents reviewed (with copies or screen captures); and (iv) the control point identified. If the walkthrough reveals a control gap — for example, segregation of duties is not enforced in the cash collection process — the sponsor must document the gap and assess its materiality.
Phase Three: Testing of Control Effectiveness
After confirming control design, the sponsor must test operating effectiveness. For a control that is performed daily — such as reconciliation of bank statements — the sponsor should test a sample of at least 25 instances across the review period, following the guidance in HKEX Listing Decision HKEX-LD112-2017, which accepted a sample size of 25 for high-frequency controls. For controls performed monthly, a sample of six to twelve instances is typical. The SFC’s 2024 report specifically criticises sponsors that tested only one instance of a control and extrapolated that result across the entire period. The sponsor must also test IT general controls, including user access management, change management, and data backup procedures. The SFC’s report notes that 42% of the reviewed cases had deficiencies in ITGC testing, with the most common issue being the failure to test user access rights for terminated employees.
Addressing Common Deficiencies Identified by the SFC
Deficiency One: Reliance on Third-Party ICS Reports Without Independent Verification
The SFC’s 2024 report found that 19% of sponsors relied entirely on an internal control report prepared by a PRC-based third-party consultant, without performing their own independent testing. This is a direct violation of paragraph 17.6(b) of the SFC’s Code of Conduct, which requires the sponsor to form its own view. The sponsor must review the third-party report critically, assess the scope and methodology of the third-party’s work, and perform independent testing on at least a sample of the controls covered. The sponsor’s work papers must include a memorandum analysing the third-party report and documenting the sponsor’s own testing results.
Deficiency Two: Inadequate Documentation of Remediation
When a control gap is identified, the applicant typically implements remediation measures. The SFC’s 2024 report found that in 23% of cases, sponsors accepted management’s representation that remediation was complete without testing the remediated control. The sponsor must test the remediated control for a period of at least three months after implementation, with a minimum sample of five instances for daily controls. The testing must be documented, and the sponsor must obtain written confirmation from the applicant’s board that the remediation has been implemented and is operating effectively.
Deficiency Three: Failure to Assess Group-Wide Controls for Multi-Entity Structures
For listing applicants with multiple subsidiaries — common in PRC-based groups with separate operating entities — the sponsor must assess controls at the group level and at each material subsidiary. The SFC’s 2024 report notes that in 31% of multi-entity cases, sponsors tested controls only at the parent level and assumed that controls at subsidiaries were identical. This assumption is not acceptable. The sponsor must perform walkthroughs at each subsidiary that contributes more than 10% of the group’s revenue or total assets, and must test controls at a minimum of two subsidiaries for groups with five or fewer material entities.
Documentation Standards and Work Paper Retention
The Work Paper File Structure
The sponsor must maintain a complete work paper file that allows a third-party reviewer — whether the SFC or HKEX — to reconstruct the ICS assessment without relying on oral explanations. The file should be organised by control cycle (revenue, cash, procurement, payroll, ITGC) and include: (i) the scoping memorandum; (ii) the risk assessment matrix; (iii) walkthrough documentation for each cycle; (iv) control testing work papers with sample selection methodology; (v) ITGC testing results; (vi) management representation letters specifically addressing ICS; (vii) remediation testing work papers; and (viii) the final ICS assessment report. Each work paper must be signed and dated by the team member who performed the work and reviewed by the sponsor’s principal.
Retention Period Under SFO Requirements
Section 176 of the SFO requires sponsors to retain records for at least seven years after the completion of the transaction. The SFC’s 2024 report reminds sponsors that this period applies to all work papers, including ICS assessment documentation. For an IPO that closes in 2025, the work papers must be retained until at least 2032. The sponsor should store the work papers in a secure, access-controlled electronic repository with a documented chain of custody.
Actionable Takeaways for Sponsor Compliance Teams
- Design the ICS scoping memorandum to explicitly reference the SFC’s December 2024 thematic inspection findings and the specific risk areas identified for the applicant’s industry sector.
- Perform independent walkthrough testing for each high-risk control cycle, with a minimum of three transaction instances per cycle, and document the walkthrough in a standardised work paper format that includes evidence of document review.
- Test IT general controls — specifically user access management and change management — for all material financial reporting systems, with a sample of at least 25 instances for high-frequency controls.
- For any control gap identified, test the remediated control for a minimum three-month period with at least five test instances before concluding that the remediation is effective.
- Maintain a complete work paper file organised by control cycle, with all work papers signed and dated, and retain the file for seven years from the date of the transaction’s completion.