MEMBERS' HANDBOOK

| Contents | Paragraphs |
| PART I - GENERAL | |
| Introduction | 1 - 7 |
| Definitions | 8 |
| Legislation and regulatory requirements | 9 - 27 |
| PART II - THE AUDIT OF FINANCIAL STATEMENTS | |
| Introduction | 28 |
| SASs | 29 - 71 |
| PART III - AUDITORS' REPORTS UNDER THE SECURITIES AND FUTURES (ACCOUNTS AND AUDIT) RULES | |
| Introduction | 72 |
| The auditors' reporting responsibilities | 73 - 78 |
| Other considerations | 79 - 82 |
| The auditors' reports | 83 - 84 |
| The Compliance Report | 85 - 114 |
| PART IV - OTHER REPORTING CONSIDERATIONS | |
| Audit Questionnaire | 115 - 118 |
| PART V - COMMUNICATIONS BETWEEN AUDITORS AND THE SECURITIES AND FUTURES COMMISSION | |
| Introduction | 119 - 123 |
| Auditors to lodge report with the SFC in certain cases | 124 - 133 |
| Other communications by the auditors | 134 - 156 |
| Auditors' duty of secrecy | 157 - 162 |
| Communications by the SFC to auditors under section 378(3)(h) of the SFO | 163 - 165 |
| APPENDIX 1 - EXAMPLES OF AUDITORS' REPORTS | |
| APPENDIX 2 - CLIENT ASSETS | |

This Practice Note supersedes the following:

The purpose of Practice Notes issued by the Hong Kong Institute of Certified Public Accountants is to assist auditors in applying Statements of Auditing Standards (SASs) and Standards on Assurance Engagements (SAEs) of general application to particular circumstances and industries. They are persuasive rather than prescriptive. However they are indicative of good practice and have similar status to the explanatory material in SASs and SAEs, even though they may be developed without the full process of consultation and exposure used for SASs and SAEs. Auditors should be prepared to explain departures when called upon to do so.

PART I - GENERAL
| Introduction | |||
| 1. | The purpose of this Practice Note is to assist auditors to develop an approach to the audit of the financial statements of licensed corporations and associated entities of intermediaries. This is dealt with in Part II. | ||
| 2. | This Practice Note also provides guidance on the auditors' other reporting responsibilities under the Securities and Futures Ordinance (SFO) which are set out in the Securities and Futures (Accounts and Audit) Rules. This is dealt with in Part III. | ||
| 3. | Guidance on the completion of the Securities and Futures Commission's (SFC) Audit Questionnaire by the auditors is set out in Part IV. | ||
| 4. | Auditors are entitled under the SFO to report directly to the SFC in exceptional circumstances and, in some cases, have a duty to do so. Guidance on such ad hoc reporting is set out in Part V. | ||
| 5. | This Practice Note has been prepared in consultation with the SFC. | ||
| 6. | This Practice Note is based on the SFO in effect as at 1 April 2003, and the subsidiary legislation, codes and guidelines issued by the SFC up to 30 April 2003. Every care has been taken in its preparation. However, the legislation itself is the sole authority of the law and this Practice Note should be used in conjunction with the legislation. | ||
| 7. | It should be borne in mind that certain expressions used in the SFO may be matters for legal interpretation. There may, therefore, be circumstances in which, notwithstanding the guidance given in this Practice Note, auditors will wish to seek legal advice. | ||
| Definitions | |||
| 8. | The definitions used in this Practice Note are: | ||
| a. | Associated entity | A company that is in a controlling entity relationship with an intermediary and receives or holds in Hong Kong client assets of the intermediary. |
| b. | Client asset rules | Securities and Futures (Client Money) Rules and Securities and Futures (Client Securities) Rules. |
| c. | Codes and guidelines | Codes and guidelines issued by the SFC under the SFO. |
| d. | FRR | Securities and Futures (Financial Resources) Rules. |
| e. | Intermediary | A licensed corporation or a registered institution. |
| f. | Internal Control Guidelines | "Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission" issued by the SFC. |
| g. | Licensed corporation | A corporation which is granted a licence by the SFC under Part V of the SFO for a regulated activity. |
| h. | Liquid assets | Such assets as are prescribed in Division 3 of Part 4 of the FRR. |
| i. | Liquid capital | The amount by which liquid assets exceeds ranking liabilities. |
| j. | Ranking liabilities | The amounts required under Division 4 of Part 4 of the FRR. |
| k. | Registered institution | An authorized financial institution registered under Part V of the SFO. |
| l. | Regulated activities | Dealing in securities, dealing in futures contracts, leveraged foreign exchange trading, advising on securities, advising on futures contracts, advising on corporate finance, providing automated trading services, securities margin financing and asset management. |
| m. | Regulated entity | A licensed corporation or an associated entity of an intermediary. |
| n. | Segregated account | A segregated account established and maintained under section 4(1) and (2) of the Securities and Futures (Client Money) Rules or under section 5(1) and (2) of the Securities and Futures (Client Securities) Rules. |
| o. | SFC | Securities and Futures Commission. |
| p. | SFO | Securities and Futures Ordinance. |
| q. | Suggested Control Techniques | "Suggested Control Techniques and Procedures for Enhancing a Firm's Ability to Comply with the Securities and Futures (Client Securities) Rules and the Securities and Futures (Client Money) Rules" issued by the SFC. |
| r. | Systems of control | The internal controls over trading, accounting, settlement and stock holding systems that a licensed corporation or an associated entity has implemented to ensure its compliance with the SFO and any rules made under the SFO. |
| Legislation and regulatory requirements | |||
| The SFO | |||
| 9. | Under the licensing and registration regime of the SFO, any business entity which carries on or holds itself out as carrying on a business in a regulated activity in Hong Kong is required to be licensed by or registered with the SFC. It is a serious offence to act as an intermediary in Hong Kong without the appropriate licence or registration. | ||
| 10. | The SFC administers the regulation of the regulated activities and assumes the duties of front-line regulator of licensed corporations. It also applies certain requirements to associated entities of intermediaries in relation to their receipt and holding of client assets. The SFC is also responsible for all investigations and disciplinary matters under the SFO, subsidiary legislation, codes and guidelines. | ||
| 11. | Regulated entities must observe at all times all the provisions of the SFO, subsidiary legislation, codes and guidelines. In association with these requirements, regulated entities must file audited annual financial statements with the SFC within four months of the financial year end. | ||
| 12. | The SFO is designed to protect investors and, therefore, is concerned with ensuring that regulated activities in Hong Kong are conducted in accordance with the relevant regulations and rules by persons who are fit and proper and are licensed or registered to conduct such business. | ||
| 13. | The regulatory powers of the SFC are primarily vested in the SFO. | ||
| 14. | Section 5 of the SFO details the functions of the SFC. The functions pertinent to this Practice Note are as follows: | ||
| a. | to take steps to maintain and promote the fairness, efficiency, competitiveness, transparency and orderliness of the securities and futures industry; | ||
| b. | to supervise, monitor and regulate activities carried on by regulated entities; | ||
| c. | to promote, encourage and enforce the proper conduct, competence and integrity of persons carrying on regulated activities; | ||
| d. | to promote and develop an appropriate degree of self-regulation; | ||
| e. | to take steps it considers appropriate to ensure relevant provisions are complied with; | ||
| f. | to secure an appropriate degree of protection for members of the investing public investing in or holding financial products; | ||
| g. | to promote, encourage and enforce the adoption of appropriate internal controls and risk management systems; and | ||
| h. | to suppress illegal, dishonourable and improper practices in the industry. | ||
| Regulated activities | |||
| 15. | The SFO covers nine types of regulated activities: | ||
| Type 1: | dealing in securities; | ||
| Type 2: | dealing in futures contracts; | ||
| Type 3: | leveraged foreign exchange trading; | ||
| Type 4: | advising on securities; | ||
| Type 5: | advising on futures contracts; | ||
| Type 6: | advising on corporate finance; | ||
| Type 7: | providing automated trading services; | ||
| Type 8: | securities margin financing; and | ||
| Type 9: | asset management. | ||
| Auditors' statutory rights and duties | |||
| 16. | Guidance on the auditors' statutory rights and duties under the SFO is given in Parts III and V below. | ||
| Regulatory requirements | |||
| 17. | The SFO provides a framework for the regulation of regulated entities in Hong Kong and the detailed requirements are set out in subsidiary legislation, codes or guidelines issued by the SFC. Each regulated entity is bound by all these requirements, where applicable, to remain fit and proper. The main provisions of the SFO, subsidiary legislation, codes or guidelines are set out in the following paragraphs but they are not a substitute for the legislation and rules themselves. In addition, the SFC has posted a series of "Frequently Asked Questions" on its website which provide a useful source of reference on how to interpret specific circumstances which may arise. | ||
| Licensing and registration | |||
| 18. | Persons carrying on business in a regulated activity in Hong Kong are required to apply for a licence, or a registration in the case of an authorized financial institution. In addition, they must remain fit and proper at all times. | ||
| Business conduct | |||
| 19. | This is the ongoing requirement expected of regulated entities in conducting their business and is designed to ensure that adequate standards are maintained in dealings with clients. | ||
| 20. | The requirements for business conduct are set out either in subsidiary legislation or in non-statutory codes of conduct. Breach of legislation is subject to criminal sanctions and breach of any codes of conduct may be taken into account in determining fitness and properness. Auditors have no requirement to express an opinion on the business conduct of a regulated entity but need to be aware of the requirements. | ||
| 21. | The nine basic principles for business conduct cover the following areas: | ||
| a. | honesty and fairness; | ||
| b. | diligence; | ||
| c. | capabilities; | ||
| d. | information about clients; | ||
| e. | information for clients; | ||
| f. | conflicts of interests; | ||
| g. | compliance; | ||
| h. | client assets; and | ||
| i. | responsibility of senior management. | ||
| Client assets | |||
| 22. | The client asset rules apply to regulated entities that control or are otherwise responsible for client assets and they cover the proper protection of these assets. There are two sets of rules: | ||
| a. | one dealing with client securities; and | ||
| b. | the other dealing with client money (not applicable to an associated entity of a registered institution or an associated entity of a licensed corporation where the associated entity is an authorized financial institution). | ||
| 23. | The Securities and Futures (Client Securities) Rules require client securities and securities collateral received or held in Hong Kong to be treated by regulated entities in a prescribed manner, such as depositing the securities in the safe custody of a segregated account. There are no prescribed rules for client securities received or held overseas. | ||
| 24. | The Securities and Futures (Client Money) Rules require segregation of client money received or held in Hong Kong by licensed corporations and their associated entities (unless they are authorized financial institutions) within the specified time limit. There are no prescribed rules for client money received or held overseas. | ||
| Record keeping | |||
| 25. | The Securities and Futures (Keeping of Records) Rules are rules for the keeping of accounts and records by regulated entities. Such records are required to contain sufficient details to explain business activities and operations and account for their client assets, and to be retained for a specified period of time. | ||
| Financial resources requirements | |||
| 26. | The FRR are made to ensure that licensed corporations are financially sound and have the resources to provide adequate services to investors. | ||
| 27. | Subject to exceptions, licensed corporations are subject to the paid-up capital and liquid capital requirements. The requirements are different for different regulated activities. However, where a corporation is licensed for more than one regulated activity, the highest of the paid-up share capital and liquid capital requirements which are applicable to the different regulated activities will apply. | ||
PART II - THE AUDIT OF FINANCIAL STATEMENTS
| Introduction | |||
| 28. | Statements of Auditing Standards (SASs) apply to the audit of the financial statements of any entity, irrespective of the size of the entity, its legal form, or the nature of its activities. The commentary which follows identifies the special considerations arising from the application of certain individual SASs to the audit of the financial statements of regulated entities, and suggests ways in which these can be addressed. Where no special considerations arise in relation to a particular SAS, no material is included. For the specific requirements of a SAS, auditors should refer to the SAS concerned. | ||
| SAS 110: THE AUDITORS' RESPONSIBILITY TO CONSIDER FRAUD AND ERROR IN AN AUDIT OF FINANCIAL STATEMENTS | |||
| Background note: When planning and performing audit procedures and evaluating and reporting the results thereof, the auditors should consider the risk of material misstatements in the financial statements resulting from fraud or errors. (SAS 110.1) |
| 29. | In addition to the conditions or events specified in SAS 110 as increasing the risk of fraud or error, the following factors may be especially relevant for regulated entities (this list is not exhaustive): | ||
| a. | backlogs in key reconciliations, particularly those with brokers and exchanges and for bank accounts and safe custody accounts - both the regulated entity's own and those relating to its clients; | ||
| b. | inadequate segregation of duties between the front, middle and back office staff (i.e. "incompatible functions"); | ||
| c. | complex products and transactions inadequately understood by management; | ||
| d. | inadequate definition of management responsibilities and supervision of staff; | ||
| e. | elements of the remuneration package (particularly bonuses) for certain staff which are highly geared in relation to reported profits or revenues; | ||
| f. | volatility in the market place; and | ||
| g. | no established compliance culture or inadequate internal controls. | ||
| 30. | Regulated entities are specifically required by the SFC to have adequate systems of internal control over client assets, which include appropriate systems to minimize the risk of losses to the business from irregularities, fraud or error. Auditors need to bear in mind their responsibilities to report to the SFC in accordance with guidance set out in Part V below. | ||
| SAS 120: CONSIDERATION OF LAWS AND REGULATIONS IN AN AUDIT OF FINANCIAL STATEMENTS | |||
| Background note: When planning and performing audit procedures and in evaluating and reporting the results thereof, the auditors should recognize that noncompliance by the entity with laws and regulations may materially affect the financial statements. (SAS 120.1) |
| 31. | The auditors need to recognize particularly that some laws and regulations are central to the regulated entity's ability to conduct its business as compliance is a prerequisite of obtaining a licence to operate. Non-compliance may reasonably be expected to result in the regulated entity ceasing operations, or call into question the regulated entity's status as a going concern. | ||
| 32. | Auditors of regulated entities will normally: | ||
| a. | discuss with the regulated entity's general counsel, compliance officer, internal auditor and other personnel responsible for compliance, and review any work on compliance matters carried out by them; | ||
| b. | read the SFC's press releases on its website for any known enforcement action of a particular regulated entity; | ||
| c. | review correspondence between the regulated entity and the SFC; and | ||
| d. | assess the actual or contingent consequences arising from non-compliance and consider the impact on the financial statements. | ||
| Money Laundering | |||
| 33. | Laws and regulations relating to money laundering are integral to the legal and regulatory framework within which regulated entities operate. By the nature of their business, regulated entities may be ready targets of those engaged in money laundering activities. | ||
| 34. | The primary bodies of law in Hong Kong concerned with the subject of money laundering are the Drug Trafficking (Recovery of Proceeds) Ordinance, the Organized and Serious Crimes Ordinance and the United Nations (Anti-Terrorism Measures) Ordinance. Details on the matters are set out in the related guidance notes and circulars issued by the SFC. | ||
| 35. | The SFC expects regulated entities to establish policies and controls to combat money laundering and terrorist financing which cover the following areas: | ||
| a. | the establishment and maintenance of policies, procedures and controls to deter and to recognize suspicious transactions; | ||
| b. | the establishment of a procedure to report suspicious transactions; | ||
| c. | evidence of client identification; | ||
| d. | retention of client identification and transaction records for use as evidence in future investigations; and | ||
| e. | education and training of staff. | ||
| Codes and guidelines issued by the SFC | |||
| 36. | Auditors have no direct reporting responsibility in respect of the codes and guidelines issued by the SFC. Nevertheless, breaches of such codes and guidelines may: | ||
| a. | give rise to claims by investors against the regulated entity; and | ||
| b. | cause the regulated entity to have its business restricted or, in extreme cases, have its licence revoked, so threatening its viability as a going concern. | ||
| 37. | Auditors will also be aware that breaches of the codes and guidelines could have consequences for other matters which are the subject of the auditors' reporting responsibilities to the SFC - for example, financial resources, accounting records and the handling of client assets. | ||
| 38. | Auditors would ensure that members of the audit team have a general understanding of the applicable codes and guidelines, sufficient to enable them to be alert to possible non-compliances which come to their attention. | ||
| 39. | As part of the normal procedures undertaken for the purposes of the audit of the financial statements and reporting under the Securities and Futures (Accounts and Audit) Rules, auditors would gain an understanding of the regulated entity's operations, including the nature of the business carried out. They would also obtain an understanding of the control environment that exists, including the regulated entity's higher level procedures for complying with the applicable codes and guidelines. | ||
| 40. | Such an understanding will provide an indication of the extent to which the general atmosphere and controls in the regulated entities are conducive to compliance, for example through consideration of: | ||
| a. | the adequacy of procedures and training to inform staff of the requirements of the applicable codes and guidelines to ensure that they meet those requirements; | ||
| b. | adequacy of authority and supervision; | ||
| c. | the review of compliance by senior management; | ||
| d. | procedures to ensure that possible non-compliances are investigated by an appropriate person and are brought to the attention of senior management; and | ||
| e. | the authority of, and resources available to, the compliance officer, internal auditor and those in charge of compliance functions. | ||
| 41. | Auditors need to be alert to any indication that a regulated entity is conducting business outside the scope of its licence as this may amount to an offence under the SFO. | ||
| 42. | Where an apparent non-compliance with the codes and guidelines comes to the auditors' attention, they would ensure that the implications for their reporting responsibilities are correctly identified. | ||
| 43. | Auditors would enquire of management and staff whether any non-compliances have occurred and obtain appropriate representations from management, preferably in writing, addressing any possible non-compliances which have come to their attention. | ||
| SAS 130: GOING CONCERN | |||
| Background note: When planning and performing audit procedures and in evaluating the results thereof, the auditors should consider the appropriateness of management's use of the going concern assumption underlying the preparation of the financial statements. (SAS 130.1) |
| 44. | In reviewing going concern, the auditors of a regulated entity would consider the following areas in addition to those set out in Appendix 1 of SAS 130, since the possible regulatory action of the SFC on the regulated entity is particularly relevant to the going concern assumption: | ||
| a. | regulatory censure or fines; | ||
| b. | regulatory capital shortages; | ||
| c. | visits from the SFC; | ||
| d. | reputation and other indicators (including client complaints); | ||
| e. | general non-compliance with the law, codes and guidelines; and | ||
| f. | unusual movements in the financial market. | ||
| 45. | If the auditors have any doubts as to the ability of a regulated entity to continue as a going concern, they may be required to make a report to the SFC under their statutory duties on which guidance is set out in Part V below. | ||
| SAS 140: ENGAGEMENT LETTERS | |||
| Background note: The auditors and the client should agree on the terms of the engagement, which should be recorded in an audit engagement letter or other suitable form of written contract. (SAS 140.1) |
| 46. | In addition to those principal contents set out in SAS 140, the auditors' engagement letter would also cover reporting requirements under the Securities and Futures (Accounts and Audit) Rules and in particular, the auditors' rights and duties to report directly to the SFC. The engagement letter makes it clear that the statutory duty to report places an obligation on auditors to report matters if found and does not involve undertaking additional work to identify them. It also clarifies that auditors may sometimes consider it necessary to report directly to the SFC without the client's prior knowledge or consent. | ||
| SAS 150: SUBSEQUENT EVENTS | |||
| Background note: The auditors should consider the effect of subsequent events on the financial statements and on the auditors' report. (SAS 150.1) |
| 47. | In addition to the specific procedures to identify subsequent events which may require amendment to, or disclosure in the financial statements outlined in paragraphs 9 and 10 of SAS 150, for the regulated entity, the auditors would review correspondence with the SFC since the period end and make enquiries of management to determine whether any breaches of the law, codes and guidelines or other regulatory concerns have come to light since the period end. | ||
| SAS 160: OTHER INFORMATION IN DOCUMENTS CONTAINING AUDITED FINANCIAL STATEMENTS | |||
| Background note: Auditors should read the other information. If as a result the auditors identify any material inconsistencies between the financial statements and the other information, or become aware of any material misstatements of fact in the other information, they should seek to resolve them. (SAS 160.1) |
| 48. | The SFC has issued an Account Disclosure Document for Licensed Corporation setting out additional financial information to be disclosed. Auditors would comply with the requirements in SAS 160 in respect of the additional financial information which would be disclosed as part of the accompanying information to the financial statements. Auditors are requested by the SFC to report any material inconsistencies between the additional financial information and the audited financial statements in the Audit Questionnaire. Details are set out in Part IV below. | ||
| SAS 200: PLANNING | |||
| SAS 210: KNOWLEDGE OF THE BUSINESS | |||
| Background note: Auditors should plan the audit work so that the audit will be performed in an effective manner. (SAS 200.1) |
| In performing an audit of financial statements, auditors should have or obtain a knowledge of the business sufficient to enable them to identify and understand the events, transactions and practices that, in the auditors' judgement, may have a significant effect on the financial statements or on the audit or the auditors' report. (SAS 210.1) |
| 49. | Regulated entities can be complex and auditors would seek to understand the business and the regulatory regime in which they operate. A fundamental principle embodied in the HKICPA Professional Ethics Statements is that auditors do not accept or perform work which they are not competent to undertake. The auditors may also consider the use of technical specialists, for example where the business is trading in complex products or is heavily reliant on e-commerce. Generally, there is a close relationship between planning and knowledge of the business and an understanding of the high level control environment. | ||
| 50. | To avoid potential duplication of audit effort, the audit approach to a regulated entity normally addresses the audit of the financial statements and the work required for reporting under the Securities and Futures (Accounts and Audit) Rules together. Auditors plan so as to ensure that their audit work on the financial statements and the regulatory reporting is completed within timescales imposed by the SFC. The audit plan for a regulated entity typically explains the legal and regulatory background and, in order to reduce audit risk, discusses those areas where the auditors' responsibilities are different from those for other types of entity. | ||
| Direct communication from the SFC | |||
| 51. | As explained in paragraph 163 below, the SFC is able to disclose information directly to auditors. Where such a matter has been brought to the attention of auditors, they consider its implications for their work and may amend their approach accordingly. However, the fact that they may have been informed of such a matter by the SFC does not, of itself, require auditors to change the scope of their work, nor does it require them actively to search for evidence in relation to the matter communicated by the SFC. | ||
| 52. | The auditors have no obligation to seek out breaches of the law, codes and guidelines. However, auditors would include procedures within their planning process to ensure that members of the audit team are able to recognize reportable matters which are likely to be encountered in their audit work and that such matters are reported to the audit partner without delay. | ||
| SAS 300: AUDIT RISK ASSESSMENTS AND ACCOUNTING AND INTERNAL CONTROL SYSTEMS | |||
| Background note: The auditors should obtain an understanding of the accounting and internal control systems sufficient to plan the audit and develop an effective audit approach. The auditors should use their professional judgement to assess audit risk and to design audit procedures to ensure it is reduced to an acceptably low level. (SAS 300.1) |
| 53. | There is a wide variation between different regulated entities in terms of size, activity and organization, so that there can be no standard approach to internal controls and risk. Auditors assess the adequacy of controls in relation to the circumstances of each entity. In addition to the factors set out in paragraph 12 of SAS 300, the following factors would be considered by the auditors in assessing whether there may be an increased level of inherent risk of material misstatement: | ||
| a. | the nature and status of the regulated entities and any changes in their status which may affect the application of protection of clients' assets requirements; | ||
| b. | a change in the market environment (for example, high volatility); | ||
| c. | the introduction of new clients or products or marketing and distribution methods (for example e-commerce); | ||
| d. | claims made in promotional literature (for example in relation to risks and performance); | ||
| e. | the risk profile of business undertaken; | ||
| f. | the complexity of products; | ||
| g. | the consistency of products, methods and operations in different departments or locations; | ||
| h. | the legal and operational structure of the regulated entities; | ||
| i. | where a group structure exists, the financial and managerial support provided to and by other group companies; | ||
| j. | the number of branches or sales offices (see paragraph 56 below); | ||
| k. | the use of licensed representatives; | ||
| l. | management's attitude towards regulation, compliance and control and its appreciation of the importance of investor protection; | ||
| m. | the respective roles and responsibilities attributed to the finance, internal audit and compliance functions; | ||
| n. | the recruitment, competence, training and supervision of personnel; and | ||
| o. | the integrity, competence and experience of management. | ||
| 54. | Regulated entities vary greatly in the complexity of their operations and hence in the reliance which auditors place on their detailed internal controls. These are particularly important in cases where the accounting system is at risk of failing to capture transactions which do not involve the immediate movement of funds - such as trading in certain derivative instruments or underwriting. A sound understanding of the process is required in order to guard against the risk of unrecorded or mis-recorded transactions. These may or may not be unauthorized but will also expose the regulated entity to possible loss, through failure to appreciate the risks which are actually being run. | ||
| 55. | Client assets is one area where detailed internal controls are particularly relevant. While such assets are in principle not part of the audited financial statements, any material deficiency in the adequacy of internal controls over client assets will need to be reported in the Compliance Report (see paragraph 105 below). Auditors can refer to the Suggested Control Techniques. | ||
| 56. | Some regulated entities operate a network of branches. In such instances, the auditors determine the degree of head office control over the business and accounting functions at the branch office and the scope and effectiveness of the regulated entity's inspection and/or internal audit visits. Where branches maintain separate accounting records, the extent of audit visits and work on each branch is also dependent on the materiality of, and risks associated with, the operations of each branch and the extent to which controls over branches are exercised centrally. In the case of smaller branches, the degree to which exceptions to the regulated entity's normal control procedures may be caused by minimal staffing levels (the greater difficulty of ensuring adequate segregation of duties, for example) and the consequent need for an increased level of control from outside the branch are relevant to audit planning. | ||
| SAS 310: AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT | |||
| Background note The auditors should consider how a computer information systems (CIS) environment affects the audit. (SAS 310.1) |
|||
| 57. | CIS is integral to the business of a regulated entity due to the high volume of transactions and the linkages to various third party systems. Many regulated entities also use their CIS to prepare regulatory reports to the SFC. It is therefore common for auditors to require a detailed knowledge of the regulated entity's CIS. | ||
| 58. | As new CIS technologies emerge, they are frequently employed by regulated entities to build increasingly complex computer systems that may include micro-to-mainframe links, distributed data bases, end user processing, and business management systems that feed information directly into the accounting systems. Such systems increase the overall sophistication of CIS and the complexity of the specific applications that they affect. As a result, they may increase risk and require further consideration. | ||
| SAS 402: EXTERNAL CONFIRMATIONS | |||
| Background note The auditors should determine whether the use of external confirmations is necessary to obtain sufficient appropriate audit evidence to support certain financial statement assertions. In making this determination, the auditors should consider materiality, the assessed level of inherent and control risk, and how the evidence from other planned audit procedures will reduce audit risk to an acceptably low level for the applicable financial statement assertions. (SAS 402.1) |
|||
| 59. | External confirmation of client account balances can provide strong evidence regarding the existence of the account at a certain date. It can also provide strong audit evidence regarding the operation of cut-off procedures. | ||
| 60. | For efficiency purposes, the auditors may circularize external confirmations of client account balances together with client assets held for custody so as to obtain audit evidence to support the financial statement assertions and regulatory reporting items at the same time. Further details on circularization are set out in paragraph 27 of Appendix 2 to this Practice Note. | ||
| SAS 420: AUDIT OF ACCOUNTING ESTIMATES | |||
| Background note Auditors should obtain sufficient appropriate audit evidence regarding accounting estimates. (SAS 420.1) |
|||
| 61. | Accounting estimates are used for valuation purposes in some cases, for example, for over-the-counter derivatives and illiquid trading positions. | ||
| 62. | For various derivative instruments auditors may not be able to readily substantiate an independent fair market valuation. In these instances the regulated entity may arrange for some form of mathematical modelling to be undertaken to provide a valuation for review and testing by the auditors. The auditors would review the process for developing and testing the model which has been used by the regulated entity, and in particular the performance of the model in various conditions when compared with prices actually obtained in the market. This involves obtaining an understanding of the assumptions and a review of the estimates involved for reasonableness, consistency and conformity with generally accepted practices. Given the special complexities involved with these types of products it is common practice for a specialist in this area to be involved in the work. | ||
| 63. | If the use of such a specialist is planned, the auditors would obtain sufficient appropriate audit evidence that such work is adequate for the purpose of the audit in accordance with SAS 520 "Using the work of an expert". | ||
| SAS 440: REPRESENTATIONS BY MANAGEMENT | |||
| Background note The auditors should obtain evidence that the directors acknowledge their collective responsibility for preparation of the financial statements which give a true and fair view and are in accordance with the relevant financial reporting framework, and have approved the financial statements. (SAS 440.1) |
|||
| 64. | In addition to the examples of representations given in SAS 440, the auditors of a regulated entity would also consider obtaining additional confirmations. The letter could cover inter alia the following representations: | ||
| a. | acknowledging management's responsibility for establishing and maintaining accounting records and systems of control in accordance with the law, codes and guidelines; | ||
| b. | confirming that management has made available to the auditors all correspondence and notes of meetings with the SFC relevant to the auditors' examination; | ||
| c. | that all complaints have been drawn to the attention of the auditors; | ||
| d. | where applicable, representation that no client money or client securities were administered or held by the regulated entity; and | ||
| e. | that the requirements under the Securities and Futures (Keeping of Records) Rules, the client asset rules and the FRR have been complied with. | ||
| SAS 480: AUDIT CONSIDERATIONS RELATING TO ENTITIES USING SERVICE ORGANIZATIONS | |||
| Background note The client auditors should consider how a service organization affects the client's accounting and internal control systems so as to plan the audit and develop an effective audit approach. (SAS 480.1) |
|||
| 65. | Some regulated entities outsource a variety of activities. Specific examples include: | ||
| a. | safe custody of client assets by a custodian; | ||
| b. | settlement or clearing of trades (this may or may not include the third party taking on the settlement risk, maintaining accounting records, reconciling client assets, sending client statements directly); | ||
| c. | maintenance of accounting records; | ||
| d. | product administration (such as unit trusts or savings schemes); | ||
| e. | investment management; and | ||
| f. | valuation of investments. | ||
| 66. | A regulated entity would ensure compliance with the law, codes and guidelines whether or not activities are outsourced. In addition, a regulated entity using a service organization would comply with the following requirements in respect of the outsourced activities: | ||
| a. | ongoing assessment and monitoring of the competence and independence of the third party; | ||
| b. | responsibility for keeping records; and | ||
| c. | responsibility for acts or omissions by the third party. | ||
| SAS 500A: CONSIDERING THE WORK OF INTERNAL AUDITING | |||
| Background note The external auditors should consider the activities of internal auditing and their effect, if any, on external audit procedures. (SAS 500A.1) |
|||
| 67. | The Internal Control Guidelines requires an intermediary (where practicable) to establish an internal audit function. Therefore in the majority of cases, auditors would be considering the activities of this function. | ||
| SAS 520: USING THE WORK OF AN EXPERT | |||
| Background note When using the work performed by an expert, the auditors should obtain sufficient appropriate audit evidence that such work is adequate for the purposes of the audit. (SAS 520.1) |
|||
| 68. | For regulated entities carrying out complex transactions, it may be necessary to rely on experts to review valuation models. In such cases, the auditors will need to determine the need to use the work of an expert in accordance with SAS 520. | ||
| SAS 610: COMMUNICATIONS OF AUDIT MATTERS WITH THOSE CHARGED WITH GOVERNANCE | |||
| Background note The auditors should communicate audit matters of governance interest arising from the audit of financial statements with those charged with governance of an entity. (SAS 610.1) |
|||
| 69. | The SFC may request copies of auditors' management letters from regulated entities. Against this background, auditors may consider it prudent to include in their report to directors or management, as a matter of course, a statement that: | ||
| a. | the management letter has been prepared for the sole use of the regulated entities; | ||
| b. | it must not be disclosed to a third party, or quoted or referred to, without the written consent of the auditors; and | ||
| c. | no responsibility is assumed by the auditors to any other person. | ||
| Breach of laws and rules issued by the SFC | |||
| 70. | Unless there are reasons for supposing a report should be made directly to the SFC (see Part V below), auditors would discuss promptly with appropriate management of the regulated entity (including the compliance officer) apparent breaches of the law, codes and guidelines, or instances where a regulated entity may be carrying on activities outside the scope of its authorization, which come to their attention in the course of the audit. This will both enable auditors to determine the impact of the matter on their reporting obligations, and permit appropriate corrective action to be taken by management. | ||
| 71. | Breaches or possible breaches of the law, codes and guidelines which come to the auditors' attention and which neither require the auditors to make a report to the SFC under the statutory duty provisions of the SFO, nor require their auditors' report to be qualified, will be considered for inclusion in the auditors' management letter. | ||
PART III - AUDITORS' REPORTS UNDER THE SECURITIES AND FUTURES (ACCOUNTS AND AUDIT) RULES |
|||
| Introduction | |||
| 72. | This Part of the Practice Note is intended to provide a common approach to reporting by auditors on regulated entities and to establish clear unequivocal wording of auditors' reports such that a standard form of wording may be used by auditors when reporting. One benefit of establishing a standard form of report is that it removes any ambiguity as to the assurance obtained from auditors about compliance with the requirements of the SFO. Example auditors' reports are set out in Appendix 1 to this Practice Note. | ||
| The auditors' reporting responsibilities | |||
| 73. | The auditors' reporting responsibility under the Securities and Futures (Accounts and Audit) Rules is primarily to provide assurance to the SFC on the financial information provided by the regulated entity and on the systems of control operated by the regulated entity during the financial year covered by the report in relation to the regulated entity's stewardship of client assets. | ||
| 74. | The auditors' reporting responsibility under the Securities and Futures (Accounts and Audit) Rules addresses matters for which the primary responsibility lies with the management of the regulated entity. The relevant responsibilities of management are, broadly: | ||
| a. | to prepare annual financial statements in accordance with generally accepted accounting principles; | ||
| b. | to prepare applicable returns as detailed in section 3(1)(b) of the Securities and Futures (Accounts and Audit) Rules; | ||
| c. | to ensure that the client asset rules and the Securities and Futures (Keeping of Records) Rules are observed; and | ||
| d. | to prepare the business and risk management questionnaire. | ||
| Details are set out in section 3 of the Securities and Futures (Accounts and Audit) Rules. | |||
| 75. | The precise matters on which auditors are required to report vary according to the nature of the regulated entity's activities. Under section 4(1) of the Securities and Futures (Accounts and Audit) Rules, the auditors' report is required to cover the following matters: | ||
| a. | whether the financial statements give a true and fair view; | ||
| b. | whether the financial statements are in accordance with the records kept by the regulated entity under the Securities and Futures (Keeping of Records) Rules and satisfy the requirements of the Securities and Futures (Accounts and Audit) Rules; | ||
| c. | in the case of a licensed corporation, whether the required returns made up to the last day of the financial year as detailed in section 3(1)(b) of the Securities and Futures (Accounts and Audit) Rules have been correctly compiled from the records of the licensed corporation or, if not correctly compiled, the nature and extent of the incorrectness; | ||
| d. | in so far as applicable, whether the regulated entity had systems of control in place that were adequate to ensure compliance with the SFC's requirements with regard to client assets during the financial year in question; | ||
| e. | in so far as applicable, whether the regulated entity complied with the Securities and Futures (Keeping of Records) Rules and the client asset rules during the financial year in question; and | ||
| f. | in the case of a licensed corporation, whether there appears to have been any contravention of the FRR by the licensed corporation during the financial year in question. | ||
| 76. | The objective of accounting systems and controls is to provide a reasonable level of assurance that assets are safeguarded against loss from unauthorized use or disposition, that risks are properly monitored and evaluated and that transactions are executed in accordance with established procedures and are recorded properly. Accounting systems and controls also assist management in conducting the business in a prudent manner. | ||
| 77. | In considering the adequacy of systems of control required by the client asset rules and the Securities and Futures (Keeping of Records) Rules, auditors must recognize the inherent limitations of such systems. These limitations mean that, despite the existence of controls, errors or irregularities may occur and may not be detected. Also, projection of any evaluation of the systems to future periods is subject to the risk that management information and control procedures may become inadequate because of changes in conditions or the risk that the degree of compliance with those procedures may deteriorate. | ||
| 78. | In discharging their reporting responsibilities regarding a regulated entity, auditors must have particular regard to any changes in the SFO and its subsidiary legislation and any other requirements of the SFC in force during the financial year to which the report relates. | ||
| Other considerations | |||
| Planning | |||
| 79. | The nature of the business undertaken by a regulated entity, its size and its particular circumstances will affect the nature and extent of the auditors' work. When planning their work, the auditors assess the risks associated with the nature of the particular regulated entity. Certain risks will not be applicable to all regulated entities. | ||
| 80. | Other factors that will be considered are: | ||
| a. | the scope of licensing in relation to the holding of client assets; | ||
| b. | the extent of investment management discretion permitted; | ||
| c. | the introduction of new requirements; | ||
| d. | changes to existing requirements; and | ||
| e. | modifications or waivers granted or special conditions imposed by the SFC. | ||
| 81. | In making an assessment of various risk factors, auditors would normally meet senior management and the Compliance Officer as part of their planning process. They would also consider the following: | ||
| a. | operational manuals; | ||
| b. | documentation of systems and controls; | ||
| c. | compliance monitoring programmes and results; | ||
| d. | the records maintained by the regulated entity of any non-compliances and notifications to the SFC that may have occurred during the period under review; | ||
| e. | correspondence with the SFC, relating to financial returns and any other matters; | ||
| f. | the results of inspection visits made by the SFC; | ||
| g. | the register of complaints received from clients during the period under review; and | ||
| h. | any relevant internal audit reports. | ||
| Audit evidence | |||
| 82. | As with the audit of the financial statements, the auditors plan and perform their work so that they obtain sufficient evidence for their opinion. When doing so, they consider what is material, recognizing the nature and scale of the regulated entity concerned. It is not feasible, nor necessary, for the auditors to examine every transaction reflected in the records, nor to achieve complete satisfaction that the systems of control operate totally effectively. | ||
| The auditors' reports | |||
| 83. | Two separate auditors' reports are prepared in respect of the period under review. They are required to be submitted by the regulated entities to the SFC within four months of their year end. Auditors would take all reasonable steps for their reports to be issued in order for the regulated entities to submit them to the SFC by the specified date. | ||
| a. | The auditors' report on the financial statements | ||
| i. | For a regulated entity which is a Hong Kong incorporated company, the auditors' report contains an audit opinion expressed in true and fair terms pursuant to the Companies Ordinance requirements. It also states whether the financial statements are in accordance with the records kept under the Securities and Futures (Keeping of Records) Rules and satisfy the requirements of the Securities and Futures (Accounts and Audit) Rules. An example auditors' report is given in Example 1 of Appendix 1 to this Practice Note. | ||
| ii. | For a licensed corporation which was previously a securities dealer regulated under the Securities Ordinance, an example auditors' report on financial statements with the accounting period which straddles 1 April 2003 (the effective date of the SFO) is given in Example 1A of Appendix 1 to this Practice Note. | ||
| b. | The Compliance Report setting out the auditors' conclusions on matters set out in paragraphs 75(c) to 75(f) above | ||
| i. | For a licensed corporation, an example Compliance Report is given in Example 2 of Appendix 1 to this Practice Note. | ||
| ii. | For a licensed corporation which was previously a securities dealer regulated under the Securities Ordinance, an example Compliance Report for the accounting period which straddles 1 April 2003 is given in Example 2A of Appendix 1 to this Practice Note. | ||
| iii. | For an associated entity of an intermediary, an example Compliance Report is given in Example 3 of Appendix 1 to this Practice Note. | ||
| 84. | Guidance on the detailed requirements of the Compliance Report is set out in paragraphs 85-114 below. | ||
| The Compliance Report | |||
| The addressee | |||
| 85. | The Compliance Report is addressed to the directors of the regulated entity. | ||
| The assurance standards followed | |||
| 86. | Auditors would state that they have conducted their Compliance Reporting engagement in accordance with Standards on Assurance Engagements issued by the HKICPA, and with reference to this Practice Note. They also state that they have carried out such procedures as were considered necessary for their report. | ||
| Reporting requirements | |||
| Financial resources of licensed corporations | |||
| 87. | Licensed corporations are required to submit to the SFC the following financial returns as referred to in section 3(1)(b) of the Securities and Futures (Accounts and Audit) Rules made up to the last day of the financial year: | ||
| a. | liquid capital computation; | ||
| b. | required liquid capital computation; | ||
| c. | summary of bank loans, advances and other credit facilities; | ||
| d. | analysis of margin clients; | ||
| e. | analysis of collateral received from margin clients; | ||
| f. | analysis of rolling balance cash clients; | ||
| g. | analysis of client assets; and | ||
| h. | analysis of proprietary derivative positions. | ||
| 88. | Auditors are required to give an opinion as to whether the financial returns referred to in paragraph 87 which have been submitted to the SFC have been correctly compiled from the records of the licensed corporation, or if not correctly compiled, the nature and extent of the incorrectness. This involves auditors in examining the licensed corporation's compilations by reference to the FRR, paying particular attention to those areas most susceptible to management's discretion and having regard to the concept of prudence. Particular care will be exercised in cases where the licensed corporation is operating at a level close to the minimum requirement, since any shortfall (however small) is a contravention of the FRR and results in a higher possibility of window dressing. Auditors would note that the Securities and Futures (Accounts and Audit) Rules do not provide that immaterial discrepancies or reclassifications can be disregarded. Accordingly, auditors qualify their opinion where discrepancies and reclassifications are identified in the financial returns regardless of materiality. | ||
| 89. | If auditors qualify their Compliance Report in respect of the financial returns, they either provide the reconciliations or explain the differences. The reconciliations or explained differences are attached to the Compliance Report. | ||
| 90. | In particular the auditors would check that the reconciliation agrees back to supporting documentation and that the explanations given for any reconciling items are reasonable. Reconciling items commonly relate to audit adjustments made after submission of the return. | ||
| Accounting records and systems | |||
| 91. | Auditors are required to report whether the regulated entity has satisfied the requirements of the Securities and Futures (Keeping of Records) Rules during the period under review. In order to report on whether the regulated entity has satisfied the requirements of these rules it is envisaged that consideration will be given to whether adequate systems for control of the regulated entity's accounting systems have been maintained. | ||
| 92. | The Securities and Futures (Keeping of Records) Rules set out the basic characteristics of adequate accounting records in general and include some guidance on the contents of specialized accounting records, especially those concerned with client assets. Management, in establishing and maintaining accounting records, and the auditors, in forming a view as to whether adequate records have been kept, will need to refer to the detailed rules relevant to the particular regulated activities. | ||
| 93. | The Securities and Futures (Keeping of Records) Rules require that regulated entities, in relation to the businesses which constitute any regulated activities for which they are licensed, and their associated entities, as regards the receipt or holding of client assets in relation to such regulated activities, keep, where applicable, such accounting, trading and other records as are sufficient to: | ||
| a licensed corporation | |||
| a. | explain, and reflect the financial position and operation of, such businesses; | ||
| b. | enable profit and loss accounts and balance sheets that give a true and fair view of its financial affairs to be prepared from time to time; | ||
| c. | account for all client assets that it receives or holds; | ||
| d. | enable all movements of such client assets to be traced through its accounting systems and, where applicable, stock holding systems; | ||
| e. | reconcile, on a monthly basis, any differences in its balances or positions with other persons and show how such differences were resolved; | ||
| f. | demonstrate compliance with certain sections of the client asset rules and that it has systems of control in place to ensure such compliance; | ||
| g. | enable it readily to establish whether it has complied with the FRR; and | ||
| h. | keep records specified in the Schedule to and section 5, 6, 7(2) or 8 of the Securities and Futures (Keeping of Records) Rules. | ||
| an associated entity | |||
| a. | account for the client assets; | ||
| b. | enable all movements of the client assets to be traced through its accounting systems and, where applicable, stock holding systems; | ||
| c. | show separately and account for all receipts, payments, deliveries and other uses or applications of the client assets effected by it, or on its behalf, and on whose behalf such receipts, payments, deliveries or other uses or applications of the client assets have been effected; | ||
| d. | reconcile, on a monthly basis, any differences in its balances or positions with other persons and show how such differences were resolved; | ||
| e. | demonstrate compliance with certain sections of the client asset rules and that it has systems of control in place to ensure such compliance; and | ||
| f. | keep certain specific records where applicable. | ||
| 94. | These records would be kept in such a manner as will enable an audit to be conveniently and properly carried out, and entries in these records would be made in accordance with generally accepted accounting principles where applicable. There are also particular requirements, over and above those outlined above, for licensed corporations involved in certain regulated activities. | ||
| 95. | Detailed guidance on the control objectives and audit evidence in relation to the auditors' reporting requirements with regard to client assets under the Securities and Futures (Accounts and Audit) Rules is included in Appendix 2 to this Practice Note. Auditors will need to apply their judgement in determining the extent and nature of their work which would be based on a good understanding of the regulated entity's systems of control. | ||
| 96. | Underlying any systems of control adopted by a regulated entity is the control environment. Such an environment is created by management having and showing a positive attitude towards the operation of controls and by an organizational framework which enables proper segregation and delegation of control functions and which encourages failings to be reported and corrected. Thus, where a lapse in the operation of a control is treated as a matter of concern, rather than being largely overlooked, the control environment will be stronger and will contribute to effective systems of control, whereas a weak control environment will undermine detailed controls, however well designed. | ||
| 97. | Within this control environment, the control procedures needed to ensure that the business is conducted to protect investors' interests would be commensurate with the regulated entity's needs and particular circumstances, and also with the inherent risks of the business undertaken. The size of the regulated entity will have an important bearing on the design and formality of the systems and controls. The operating procedures and methods of recording and processing transactions used by small regulated entities often differ significantly from those of large regulated entities. Internal controls which would be relevant to a large regulated entity may not be practical or appropriate in a small one. Management of a small regulated entity has less need to depend on formal controls for the reliability of the records and other information, because of personal contact with, or involvement in, the operation of the business itself. Nevertheless the need for a positive attitude to the control environment is equally relevant in both small and large regulated entities. | ||
| 98. | Management would consider these factors in the design and maintenance of the systems of control. It would also recognize where appropriate the cost of a particular control, as against its purpose and expected benefit. | ||
| 99. | For the foregoing reasons, different systems and controls may be deemed adequate in different regulated entities, if they provide reasonable assurance that certain control objectives have been achieved. In designing the systems and controls, management would address inter alia the following general control objectives: | ||
| a. | the business is planned and conducted in an orderly, prudent and cost-effective manner in adherence to established and documented policies; | ||
| b. | transactions and commitments are entered into only in accordance with management's general or specific authority; | ||
| c. | client assets are safeguarded and are completely and accurately recorded; | ||
| d. | the assets are safeguarded and the liabilities controlled; | ||
| e. | the risk of loss from fraud, other irregularities and error is minimized, and any such losses are promptly and readily identified; | ||
| f. | management is able to monitor on a regular and timely basis the position of the regulated entity's business relative to its risk exposure; | ||
| g. | management is able to prepare complete and accurate returns for the SFC on a timely basis in accordance with the FRR; and | ||
| h. | issues relating to compliance with the law, codes and guidelines are resolved in a timely manner to the satisfaction of the SFC. | ||
| 100. | Regulated entities frequently have a high degree of computerization. While the control objectives described above apply in both a manual and a computerized environment, there are nevertheless certain requirements of an internal control system peculiar to a computerized environment. | ||
| 101. | In designing a control system, management needs to understand the interaction between manual and computer controls and how they contribute in aggregate to the achievement of the control objectives. | ||
| 102. | Clearly, the emphasis between the two forms of control will be dependent not only on the degree of computerization but also on the circumstances and particular risks of the regulated entity. The greater the degree of computerization, the greater the emphasis that will need to be placed on the general and application controls of the computerized function, as part of the overall systems of internal control. However, the routine processing of a computerized system is generally more reliable than that of a manual system. | ||
| 103. | Systems of control, including the assignment of responsibilities as set out in the Internal Control Guidelines, need to be clearly documented if they are to be understood, communicated and operated effectively and consistently. Regulated entities and their auditors would consider whether appropriate documentation is a prerequisite of an adequate system. | ||
| 104. | The effective operation of a control system may be enhanced by an internal audit department or by specific monitoring performed by a compliance department. The existence of such departments and their scope and objectives are matters for management. In assessing the effectiveness of such departments, the auditors will consider the terms of reference of the departments, their independence from operational personnel and management, the quality of staffing and to whom they report in the regulated entity. | ||
| Client assets | |||
| 105. | There are essentially two aspects to the auditors' reporting responsibilities for client assets: | ||
| a. | whether during the period under review, the regulated entity had systems of control in place that were adequate to enable compliance with the relevant sections of the client asset rules; and | ||
| b. | whether during the period under review, the regulated entity complied with the relevant sections of the client asset rules. | ||
| 106. | Guidance on the control objectives and audit evidence is set out in Appendix 2 to this Practice Note. Auditors apply their judgement in determining the extent and nature of their work which is based on the following general requirements: | ||
| a. | the auditors understand the business of the regulated entity and the environment in which the regulated entity operates; | ||
| b. | the auditors review the regulated entity's systems and consider whether these are adequate for control and accounting purposes, and are in accordance with the requirements set out in the Suggested Control Techniques; and | ||
| c. | the auditors test those systems and controls to establish that they are operating effectively. | ||
| 107. | When planning and carrying out their work, the auditors must always keep in mind the need for audit evidence in relation to the existence of client assets and the accuracy of the regulated entity's records. | ||
| 108. | Certain licensed corporations do not receive or hold client money or client securities either by choice or by limitation of their licensing condition. It would therefore not normally be necessary for auditors to make reference to the client asset rules in the Compliance Report. However, the auditors would ensure that such licensed corporations have procedures in place to avoid receipt or holding of client assets. If during the course of the performance of these procedures (as set out in paragraphs 67 - 69 of Appendix 2 to this Practice Note) it comes to the auditors' attention that the licensed corporation has held client assets, it would be necessary for auditors to make reference to the licensed corporation's compliance with the client asset rules in the Compliance Report. In these circumstances, auditors will need to revisit the requirements under SAS 120 and paragraphs 41 and 42 of this Practice Note. | ||
| The identity of the auditors | |||
| 109. | The Compliance Report indicates clearly the name of the auditors. | ||
| The date of the report | |||
| 110. | It is highly desirable that the Compliance Report bears the same date as the auditors' report on the financial statements. | ||
| Qualified reports | |||
| 111. | Auditors may qualify their Compliance Report on grounds other than those which arise in reporting on whether the financial statements give a true and fair view. Where the requirements of the rules upon which auditors must report have not been met, their report includes a statement specifying the relevant requirements and the respect in which they have not been met, in sufficient detail for the breach or shortcoming to be clearly understood and evaluated. In particular, where the breach relates to a specific rule, the rule number or reference will be stated in the report. | ||
| 112. | In considering any matter indicating a possible breach of the FRR, client asset rules and the Securities and Futures (Keeping of Records) Rules or inadequate systems of control over client assets, auditors analyze the circumstances in order to identify its cause, and establish the action management has taken or intends to take to correct the matter. | ||
| 113. | If the auditors propose to include any qualification or adverse statement in the Compliance Report (or their report on the financial statements), they are required under section 157(1)(b) of the SFO, as soon as reasonably practicable after they first propose the inclusion of the qualification or adverse statement, to lodge with the SFC a report. Details are set out in Part V below. | ||
| 114. | The Securities and Futures (Accounts and Audit) Rules do not provide that trivial breaches can be disregarded. Where small exceptions are discovered, the auditors will need to qualify their opinion, although references can be made to the extent of the breach. | ||