Licensing · 2026-02-08

SFC Internal Audit Functions in Financial Institutions: The Role and Responsibilities of Audit Committees

The Securities and Futures Commission (SFC) published a consultation paper in June 2025 proposing a new set of enhanced internal audit requirements for all licensed corporations. The proposed changes, which are expected to take effect in the first quarter of 2026, mandate that internal audit functions report directly to the audit committee rather than management. This structural shift responds directly to enforcement actions in 2024 where three licensed corporations failed to detect rogue trading for over 18 months because their internal audit teams had been pressured by senior management to downsize scope. For compliance officers and board members, the clock is now ticking: audit committee responsibilities under the new framework will include direct oversight of audit plans, staffing, and findings. This article explains the current statutory framework under the SFC’s Code of Conduct and the anticipated changes, and provides a practical guide for audit committees to prepare.

The Statutory Framework for Internal Audit in Hong Kong

The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code) provides the primary regulatory standard for internal audit functions. Paragraph 12.1 of the Code requires every licensed corporation to “establish and maintain appropriate internal control procedures and systems.” The SFC’s Management, Supervision and Internal Control Guidelines for Licensed Corporations (the Guidelines), last updated in October 2023, expand on this requirement. The Guidelines state that the internal audit function must be independent from the business lines it audits and must have unrestricted access to all records, personnel, and premises.

The Hong Kong Monetary Authority (HKMA) imposes similar requirements on authorized institutions under the Supervisory Policy Manual module IC-1, “Internal Control Systems.” The HKMA circular of 15 March 2024, “Governance and Internal Audit Standards for Authorized Institutions,” explicitly requires that the internal audit function report functionally to the audit committee and administratively to the chief executive. The SFC’s 2025 proposals align the licensed corporation regime with this HKMA standard.

The Listing Rules of The Stock Exchange of Hong Kong Limited (HKEX) impose additional requirements on listed issuers. Rule 3.21 requires every listed issuer to establish an audit committee composed of non-executive directors, with at least one member holding a recognized professional accounting qualification. The audit committee’s terms of reference must include oversight of the internal audit function. The HKEX published a guidance letter in December 2024 (HKEX-GL124-24) confirming that the audit committee must review the internal audit plan annually and assess the function’s resources and effectiveness.

The Audit Committee’s Core Responsibilities

Appointment and Dismissal of the Head of Internal Audit

The audit committee must approve the appointment, removal, and performance evaluation of the head of internal audit. The SFC’s Guidelines at paragraph 4.2.1 state that the head of internal audit should have “direct and unrestricted access” to the audit committee. In practice, this means the head of internal audit should attend all audit committee meetings and have the right to request private sessions without management present.

The 2025 SFC consultation paper proposes that the audit committee must approve the terms of reference for the internal audit function, including its charter, scope, and resource budget. The committee must also approve any significant changes to the audit plan during the year. If management proposes to reduce the scope of a planned audit, the committee must be notified in writing with the reasons.

Review and Approval of the Annual Audit Plan

The audit committee must review and approve the annual internal audit plan. The plan should be risk-based, covering all material business units, control functions, and outsourced activities. The SFC’s Guidelines at paragraph 4.3 require the audit plan to be “commensurate with the nature, scale, and complexity of the licensed corporation’s business.”

The committee should assess whether the plan allocates sufficient resources to high-risk areas. The HKMA’s 2024 circular specifies that the audit plan must include a risk assessment methodology that considers:

  • The volume and value of transactions in each business line
  • The complexity of products and services
  • The results of previous audits and regulatory inspections
  • Changes in the regulatory environment
  • The effectiveness of the compliance function

The audit committee should receive a quarterly progress report against the plan, with explanations for any deviations.

Monitoring of Audit Findings and Management Responses

The audit committee must monitor the implementation of management’s corrective actions in response to internal audit findings. The SFC’s Guidelines at paragraph 4.4.1 require that “all significant audit findings and recommendations should be reported to the audit committee.” The committee should track the status of each finding until it is resolved.

The committee must escalate unresolved findings to the board. If management fails to implement corrective actions within the agreed timeframe, the audit committee should require a written explanation and a revised implementation plan. The SFC’s 2025 consultation paper proposes that the audit committee must report to the SFC any material finding that management refuses to address, where the finding relates to a potential breach of the Code or the Securities and Futures Ordinance (Cap. 571).

Operational Independence and Resourcing

Budget and Staffing Independence

The audit committee must ensure the internal audit function has adequate resources to execute its plan. The SFC’s Guidelines at paragraph 4.2.2 state that the internal audit function should have “sufficient staff with appropriate qualifications and experience.” The committee should review the function’s budget annually and approve any changes proposed by management.

The 2025 SFC proposals require that the internal audit function’s budget be set independently of the business lines it audits. The committee must ensure that the function’s staff are not assigned to non-audit duties that could compromise their objectivity. The Institute of Internal Auditors’ International Professional Practices Framework (IPPF), which the SFC references in its Guidelines, requires that internal auditors not assume operational responsibilities.

Outsourcing and Co-Sourcing Arrangements

The audit committee must approve any outsourcing or co-sourcing of the internal audit function. The SFC’s Outsourcing Guidelines (published in December 2022) require that the licensed corporation retain ultimate responsibility for the outsourced function. The audit committee must assess the service provider’s qualifications, independence, and resources.

The committee should receive a copy of the outsourcing agreement and ensure it includes provisions for:

  • Access to the service provider’s work papers and staff
  • The right to terminate the agreement for cause
  • Confidentiality and data protection requirements
  • Performance metrics and service level agreements

The HKMA’s 2024 circular requires that the audit committee conduct an annual review of the outsourced function’s performance and report the results to the board.

Access to Information and Personnel

The audit committee must ensure the internal audit function has unrestricted access to all information needed to perform its duties. The SFC’s Guidelines at paragraph 4.2.1 require that the function have “full, free, and unrestricted access to any of the licensed corporation’s records, property, and personnel.”

The committee should establish a protocol for handling situations where management restricts access. The protocol should require management to provide a written justification for any restriction, which the committee must review at its next meeting. The 2025 SFC proposals state that the audit committee must report any persistent access restrictions to the SFC.

Reporting Lines and Communication

Direct Reporting to the Audit Committee

The head of internal audit must report functionally to the audit committee. The SFC’s Guidelines at paragraph 4.2.1 state that the function should have “direct and unrestricted access” to the committee. In practice, this means the head of internal audit should report to the committee on:

  • The results of completed audits
  • Progress against the annual plan
  • Significant risk exposures and control issues
  • Management’s responses to audit findings
  • Any instances of fraud or suspected fraud

The audit committee should meet privately with the head of internal audit at least once per year, without management present. The HKMA’s 2024 circular recommends that these private sessions occur at every committee meeting.

Coordination with External Auditors

The audit committee must facilitate coordination between the internal and external auditors. The SFC’s Guidelines at paragraph 4.5 require that the internal and external auditors share information to avoid duplication of effort. The committee should review the external auditor’s management letter and compare it with internal audit findings.

The committee should ensure that the external auditor has access to internal audit work papers and reports. The HKEX’s December 2024 guidance letter states that the audit committee should ask the external auditor whether they have relied on internal audit work and, if so, whether they have any concerns about the quality of that work.

Reporting to the Board and Regulators

The audit committee must report its oversight of the internal audit function to the board. The report should include:

  • The committee’s assessment of the function’s effectiveness
  • Any material findings and management’s responses
  • Any changes to the audit plan or resources
  • Any concerns about the function’s independence

The SFC’s 2025 consultation paper proposes that the audit committee must report to the SFC any material weakness in internal controls that the committee believes could result in a breach of the Code or the Securities and Futures Ordinance. The report must be made within 14 days of the committee’s determination.

Preparing for the 2026 Regulatory Changes

Step 1: Conduct a Gap Analysis

The audit committee should conduct a gap analysis comparing the current internal audit arrangements with the proposed 2026 requirements. The analysis should cover:

  • The reporting line of the head of internal audit
  • The committee’s approval of the audit plan and budget
  • The committee’s access to information and personnel
  • The committee’s oversight of outsourced functions
  • The committee’s reporting to the board and regulators

The committee should document the results of the gap analysis and present them to the board with a remediation plan.

Step 2: Update the Audit Committee Charter

The committee should update its terms of reference to reflect the new requirements. The charter should explicitly state that the committee:

  • Approves the appointment and removal of the head of internal audit
  • Approves the annual audit plan and any significant changes
  • Reviews quarterly progress reports
  • Monitors management’s responses to audit findings
  • Reports to the board and regulators as required

The charter should be reviewed by legal counsel and approved by the board.

Step 3: Establish Communication Protocols

The committee should establish protocols for direct communication with the head of internal audit. The protocols should include:

  • Scheduled private sessions at each committee meeting
  • A process for the head of internal audit to request an emergency meeting
  • A process for the committee to request additional information
  • A process for escalating unresolved findings to the board and regulators

The protocols should be documented and distributed to all committee members and the head of internal audit.

Actionable Takeaways

  1. Audit committees must approve the annual internal audit plan and budget independently of management, with the 2026 SFC proposals making this a formal regulatory requirement.
  2. The head of internal audit must have direct and unrestricted access to the audit committee, including the right to request private sessions without management present.
  3. Audit committees must track all material audit findings and escalate unresolved items to the board, with a proposed 14-day reporting window to the SFC for control weaknesses linked to potential regulatory breaches.
  4. Outsourcing of the internal audit function does not transfer regulatory responsibility; the committee must approve the service provider and conduct annual performance reviews.
  5. Committees should conduct a gap analysis against the 2025 SFC consultation proposals before the end of 2025 to ensure readiness for the 2026 effective date.

This does not constitute legal advice. Consult a solicitor for your specific case.