Internal audit of Hong Kong branches of foreign banks

Roles and expectations of local and head office internal audit functions?

August 2023

As indicated in the Supervisory Policy Manual (“SPM”) IC-2 issued by the Hong Kong Monetary Authority (“HKMA”), banks are required to establish a robust Internal Audit (“IA”) function to give assurance to the Board and senior management on the effectiveness and efficiency of each core function of the bank. The IA function is expected to be able to perform a structural risk assessment, observe external events and perform targeted audits using a risk-based approach.

Based on our knowledge of the market, IA functions in Hong Kong face certain common challenges and constraints in meeting the HKMA regulatory requirements. This situation is even more prominent for Hong Kong bank branches of foreign banks, where they rely on their Group IA function to audit the Hong Kong operations.

Where Hong Kong branches (of foreign banks) follow the Group's framework, policies and procedures, one of the common observations is that there is a lack of assessment to ensure that the Group’s policies suit the Hong Kong operations. Whilst the HKMA allows a Group’s framework to be applied, it expects the Group’s policies and parameters to be assessed and justified by the local management, and to be customised to align with local regulatory requirements, taking into account the size and operations of the Hong Kong business, where appropriate.