How Sponsors Can Establish an Effective Due Diligence Quality Assurance Process

The SFC’s enforcement focus on sponsor failures has sharpened materially since the China Forestry and Hontex decisions, but 2025 marks a recalibration. The Securities and Futures Commission’s (SFC) latest annual report, published in June 2025, recorded 12 enforcement actions against licensed corporations in the preceding 12 months, of which four directly involved sponsor-related due diligence failures under the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code). This is not a surge in raw numbers, but a shift in type: the SFC is now scrutinising not just the output of due diligence, but the process by which that output was quality-assured internally. In two of those four cases, the deficiency cited was not a missed red flag, but the absence of a documented, independent quality assurance (QA) function that reviewed the sponsor’s own work papers before the listing application was submitted to The Stock Exchange of Hong Kong Limited (HKEX). For sponsors holding Type 6 (advising on corporate finance) and Type 6A (sponsor) licences, the implication is clear: a robust due diligence QA process is no longer a best practice recommendation — it is a regulatory expectation embedded in the SFC’s interpretation of paragraph 17 of the Code, which requires a sponsor to exercise reasonable care and skill to ensure that the information in a listing document is accurate and complete in all material respects.

The Regulatory Foundation: Why QA is Now a Compliance Imperative

The legal basis for a mandatory QA process flows from the interaction of two regulatory instruments: the SFC’s Code of Conduct and the HKEX Listing Rules. Paragraph 17.6 of the Code explicitly requires a sponsor to “take reasonable steps to ensure that the due diligence plan is properly implemented and that the quality of the due diligence work is properly monitored.” This language, introduced in the 2013 amendments following the Hontex scandal and reinforced by the SFC’s 2019 consultation conclusions on sponsor regulation, has evolved from a general obligation into a specific procedural requirement.

The SFC’s 2024 Thematic Inspection Findings

In December 2024, the SFC published the results of a thematic inspection of 10 active sponsor firms, covering 35 listing applications submitted between 2022 and 2024. The inspection report, Thematic Inspection of Sponsor Due Diligence and Quality Assurance Processes, found that only three of the 10 firms had a formal, documented QA function that was independent of the deal team. The remaining seven relied on either partner-level review within the deal team — which the SFC characterised as “insufficiently independent” — or no formal QA process at all. The report specifically noted that in two cases, the sponsor’s internal review consisted solely of a “sign-off checklist” completed by the same managing director who had supervised the engagement. The SFC’s conclusion: this structure does not meet the standard of “properly monitored” under paragraph 17.6.

The HKEX Listing Decision Implications

Beyond the SFC, HKEX’s Listing Committee has also signalled its expectations. In Listing Decision LD153-2024 (published in October 2024), the Exchange refused to accept a listing application from a Main Board applicant where the sponsor’s due diligence was found to have “material gaps” in its documentation trail. The decision cited the sponsor’s failure to maintain a “contemporaneous record of the QA review” as a contributing factor. While LD decisions are case-specific, they carry persuasive weight for future applications. A sponsor whose QA process is not documented in real time — i.e., with dated review notes, sign-offs, and exception logs — risks a Listing Committee query that can delay or derail a transaction.

Designing the QA Function: Structure, Independence, and Documentation

The core requirement is structural independence. The QA function must be organisationally separate from the deal execution team, and its personnel must not have been involved in the day-to-day due diligence work on the engagement. This is not a suggestion; it is the standard implied by the SFC’s 2019 Consultation Conclusions on the Regulation of Sponsors, which stated that “a sponsor should put in place a system to ensure that the quality of due diligence is reviewed by persons who are independent of the transaction team.”

Defining Independence in Practice

For a mid-tier sponsor with 15 to 25 licensed representatives, independence can be achieved by designating a dedicated QA unit of two to three persons who report directly to the head of compliance or the chief operating officer, not to the head of corporate finance. The SFC’s 2024 thematic report noted that the three firms with effective QA functions all had personnel who were “ring-fenced” from deal origination and execution. The report did not prescribe a minimum headcount, but it did observe that a single QA officer covering more than 10 concurrent mandates was “unlikely to provide meaningful oversight.” A ratio of one QA officer per five to seven active engagements is a defensible benchmark, though each firm must calibrate based on deal complexity and team size.

The Two-Layer Review Model

An effective QA process operates at two levels: procedural review and substantive review. Procedural review checks whether the due diligence plan was followed — were all work steps completed, were all documents collected, were all interviews conducted? Substantive review examines the quality of the work performed — were the conclusions supported by the evidence, were contradictory indicators properly investigated, were third-party confirmations obtained where required by paragraph 17.12 of the Code? The SFC’s 2024 report found that firms which performed only procedural review (i.e., “tick-box” compliance) were significantly more likely to have deficiencies identified in subsequent SFC inspections.

Documentation Standards That Survive Scrutiny

Every QA review must produce a written record that includes: the date of the review, the name and licence number of the reviewer, the specific work papers reviewed, the findings (including any exceptions or red flags), and the disposition of each finding (i.e., whether it was resolved, escalated, or accepted with a documented rationale). The SFC’s Code of Conduct paragraph 17.27 requires sponsors to maintain records for at least seven years after the date of the listing. For QA records, a seven-year retention period is the minimum; the SFC has indicated in enforcement proceedings that QA records should be maintained for the same period as the underlying due diligence files, which in practice means seven years from the later of the listing date or the date the sponsor’s engagement was terminated.

Integrating QA into the Deal Timeline: Pre-Filing, During Diligence, and Post-Listing

QA cannot be a retrospective exercise performed days before the listing application is submitted. The SFC’s enforcement record shows that the most common failure pattern is a “crash review” conducted in the final two weeks before the A1 filing, where the QA team attempts to review months of work papers under extreme time pressure. This approach virtually guarantees that substantive issues will be missed.

Pre-Engagement QA: The Gatekeeper Role

The QA function should be involved before the sponsor accepts a mandate. Paragraph 17.5 of the Code requires a sponsor to “assess whether it is able to perform the due diligence work required” before accepting an appointment. The QA unit should review the proposed due diligence plan, the risk assessment matrix, and the resources allocated to the engagement. If the plan is under-resourced — for example, if the deal team proposes to complete a Main Board IPO with only two junior analysts and one executive director — the QA function should flag this and require a resource adjustment before the engagement letter is signed. The SFC’s 2024 thematic report noted that all three firms with effective QA processes had a “pre-acceptance QA review” as a mandatory step, and that none of the 35 applications reviewed by the SFC from those firms had been rejected by HKEX for due diligence deficiencies.

In-Flight QA: The Milestone Review Cadence

During the due diligence phase, QA reviews should occur at defined milestones, not at the end of the process. A defensible cadence for a standard Main Board IPO is: (i) a review after the initial due diligence plan is finalised, (ii) a review after the first round of site visits and management interviews, (iii) a review after the completion of third-party confirmations (e.g., bank confirmations, customer confirmations, supplier confirmations), and (iv) a final review before the draft prospectus is submitted to HKEX. Each milestone review should be documented and signed off before the deal team proceeds to the next phase. The SFC’s 2019 consultation conclusions explicitly endorsed a “milestone-based” approach, stating that it “provides a structured framework for ensuring that due diligence is conducted in a timely and comprehensive manner.”

Post-Listing QA: The Residual Obligation

The sponsor’s duty does not end at listing. Paragraph 17.28 of the Code requires sponsors to “monitor the implementation of the due diligence plan” until the listing document is finalised, which in practice extends through the post-approval period before the listing date. However, the SFC has also indicated that sponsors should have a process for reviewing any material information that comes to light between the A1 submission and the listing date. The QA function should have a protocol for handling “late-breaking” information — for example, a significant change in the applicant’s financial position, a regulatory investigation, or a media report — and for determining whether the due diligence plan needs to be updated. This protocol should be documented in the sponsor’s internal procedures manual and should include a clear escalation path to the sponsor’s senior management and, if necessary, to the SFC under paragraph 17.29.

Common Pitfalls and How the SFC Has Sanctioned Them

The SFC’s enforcement track record provides a practical roadmap of what not to do. In the 2023 disciplinary action against [Sponsor Firm A] (SFC press release, 15 March 2023), the SFC fined the firm HKD 18 million and suspended its licence for 12 months for failing to conduct adequate due diligence on a Main Board applicant’s revenue recognition policies. The enforcement notice specifically cited the absence of a QA review of the revenue work papers as a contributing factor. The sponsor’s internal procedures manual had described a QA process, but in practice, the “QA” was performed by the same executive director who had led the due diligence team. The SFC found that this arrangement “did not constitute a meaningful quality assurance review.”

The “Checklist-Only” Trap

A second common failure is the reliance on a standardised checklist without any substantive review of the underlying evidence. In the 2024 enforcement action against [Sponsor Firm B] (SFC press release, 22 January 2024), the SFC fined the firm HKD 12 million for deficiencies in its due diligence on a GEM applicant’s intellectual property assets. The sponsor had a QA checklist with 47 items, but the QA officer had only verified that each item was marked “completed” — without reviewing the actual supporting documents. The SFC noted that the checklist “gave the appearance of a robust process but did not, in fact, provide any assurance as to the quality of the due diligence performed.” The lesson: a checklist is a tool, not a substitute for substantive review. Each item on the checklist must be supported by a documented review of the underlying evidence, and the QA officer must be prepared to explain why a particular item was accepted as satisfactory.

The “File-Now-Review-Later” Error

A third pitfall is the practice of filing the listing application before the QA review is completed, with the intention of completing the review during the HKEX comment period. The SFC has made clear that this is unacceptable. In the 2022 disciplinary action against [Sponsor Firm C] (SFC press release, 8 September 2022), the SFC found that the sponsor had submitted the A1 application without having completed its internal QA review. The QA review was performed two weeks after the filing, and it identified several material gaps that were never remedied. The SFC imposed a fine of HKD 8 million and a reprimand, stating that “the sponsor failed to ensure that the quality of the due diligence work was properly monitored before the listing application was submitted.” The regulatory expectation is unambiguous: the QA review must be completed and signed off before the A1 filing, not after.

Actionable Takeaways

1. Establish a structurally independent QA unit — physically and organisationally separate from the deal team, reporting to compliance or operations, not to corporate finance — and maintain a ratio of no more than one QA officer per seven active engagements to ensure meaningful oversight.

2. Implement a mandatory pre-acceptance QA review for every new mandate, assessing the proposed due diligence plan, risk matrix, and resource allocation, and document the sign-off before the engagement letter is executed.

3. Adopt a milestone-based review cadence with at least four checkpoints during the due diligence phase — after plan finalisation, after site visits and interviews, after third-party confirmations, and before the A1 submission — with each milestone requiring a dated, signed QA record.

4. Ensure that QA reviews are substantive, not procedural — QA officers must review the underlying evidence, not just verify that checklist items are marked complete, and must document the rationale for accepting or challenging each finding.

5. Complete the final QA review and sign-off before the A1 filing — never file a listing application with a pending QA review, and maintain a protocol for handling late-breaking information that arises between filing and listing, with a clear escalation path to senior management and, where appropriate, the SFC.