Cross-referenced from Listing Rules 610(5) and 1207(10)
1. Introduction
1.1 This Practice Note provides guidance on the application of Rules 610(5) and 1207(10).
1.2 In its prospectus and annual reports, the issuer's board must comment on the adequacy and effectiveness of the internal controls (including financial, operational, compliance and information technology controls) and risk management systems. A statement on whether the audit committee concurs with the board's comments must also be provided.
Rule 610(5) requires the disclosure to be made in the prospectus whereas Rule 1207(10) requires the disclosure to be in the annual reports.
2. Intent of Rules 610(5) and 1207(10)
2.1 Internal controls (including financial, operational, compliance and information technology controls) and risk management systems serve to safeguard shareholders' investments and company's assets. Internal controls also safeguard the quality of internal and external reports, such as the issuer’s financial reports. Risk management systems include business continuity arrangements.
2.2 A board committee, for example, the audit committee is usually responsible for overseeing internal controls and risk management. The board, which includes executive directors, is also responsible for assessing the adequacy and effectiveness of these internal controls and risk management systems.
2.3 The objective of Rules 610(5) and 1207(10) is to increase transparency and accountability. In providing this comment, the board and the audit committee are required to demonstrate that they have rigorously assessed the (i) internal controls (including financial, operational, compliance and information technology controls) and (ii) risk management systems.
3. Compliance with Rules 610(5) and 1207(10)
3.1 In satisfying Rules 610(5) and 1207(10), the board and the audit committee may ask for an independent audit on internal controls or risk management systems to assure themselves on the adequacy and effectiveness of the systems of internal controls and risk management, or if they are not satisfied with the systems of internal controls or risk management.
3.2 The issuer should maintain proper record of the discussions and decisions of the board and the audit committee.
3.3 Compliance with Rules 610(5) and 1207(10) involves the following disclosures:-
(i) Where the board and the audit committee are satisfied that the issuer has adequate and effective systems of internal controls and risk management, the disclosure must include the basis for such comment.
To avoid doubt, under Rule 246(9), all issuers are required to provide the auditor's report to management on the internal controls and accounting systems. Where material weaknesses exist in a potential issuer's internal controls and accounting systems, there must be adequate disclosure of such weaknesses and the steps to address them in the prospectus, offering memorandum or introductory document. This is in addition to Rule 610(5) which requires the board and audit committee to disclose the basis for their comments on the adequacy and effectiveness of the issuer's systems of internal controls and risk management.
(ii) In relation to Rule 1207(10), where the board and/or the audit committee has commented that internal controls or risk management systems need to be strengthened, or has concerns that internal controls or risk management systems are inadequate, the board must disclose the issues and how it seeks to address and monitor the areas of concerns.
3.4 It is the board and the audit committee’s responsibility to evaluate the adequacy and effectiveness of the issuer’s internal controls and risk management systems. The board and audit committee must ensure that the issuer has internal frameworks to provide for timely escalation of material information from management to the board and audit committee and to enable issuers to fulfil their disclosure obligations under the listing rules. In forming its view on the adequacy and effectiveness of the internal controls, the board should not passively rely on information volunteered by management and should make further inquiries to management if the circumstances require.
3.5 In forming its views, the board and the audit committee should assess if the relevant functions responsible for implementing, operating and monitoring the issuer’s internal controls and policies are competent and adequately resourced. In relation to financial controls, the board and audit committee should assess if the finance function is adequately staffed and if the key personnel (e.g. finance controllers, finance directors, chief accountants, chief financial officers) responsible for preparing or overseeing the preparation of financial statements are experienced, competent and appropriately qualified (such as having relevant professional or other qualifications).
3.6 In circumstances where key positions for the relevant functions are vacant due to staff turnover or if existing personnel lack the required competency, the board and audit committee should disclose this and put in place measures to address the skills shortage expeditiously. This includes implementing interim measures where necessary, such as appointing independent technical professionals with the relevant expertise and appropriate qualifications for assistance as a short-term measure. In addition, where there is uncertainty on the accounting treatment of certain transactions due to changes to accounting policies or occurrence of significant events, the board and the audit committee should seek advice from accounting experts with the appropriate qualifications and technical knowledge of the accounting standards for the financial statements.
4. Format of Disclosure
4.1 There is no prescribed format of disclosure.
4.2 As the board and audit committee are obliged by Rules 610(5) and 1207(10) to provide the specific disclosures in Paragraph 3.3 above, the Exchange recommends the comment be provided in the following ways:-
(i) Disclosure to be made in the section on "Audit Committee", "Internal Controls" or "Risk Management" of the prospectus for compliance with Rule 610(5).
(ii) Disclosure to be made in the Directors' Report or Corporate Governance section of the annual report for compliance with Rule 1207(10).
5. General Principle
5.1 Good disclosures which comply with Rules 610(5) and 1207(10) comprise the following:
(i) The board's comment on the Group's internal controls (including financial, operational, compliance and information technology controls) and risk management systems. A statement on whether the audit committee concurs with the board's comment must also be provided; and
(ii) The basis for the board's comment and if the audit committee does not concur with the board, the basis for the audit committee's comment.
5.2 Should the board or the audit committee comment that the Group's internal controls or risk management systems have material weaknesses, then clear disclosure of these weaknesses and the steps to address them is necessary for investors to make an informed decision about the issuer.
Added on 2 April 2013, amended on 1 January 2019 and 29 October 2025.