The Directors are responsible for internal control in HSBC and for reviewing its effectiveness. Procedures have been designed for safeguarding assets against unauthorised use or disposition; for maintaining proper accounting records; and for the reliability of financial information used within the business or for publication. Such procedures are designed to manage rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement, errors, losses or fraud. The procedures also enable HSBC Holdings to discharge its obligations under the Handbook of Rules and Guidance issued by the Financial Services Authority, HSBC’s lead regulator.
The key procedures that the Directors have established are designed to provide effective internal control within HSBC and accord with the Internal Control: Revised Guidance for Directors on the Combined Code issued by the Financial Reporting Council. Such procedures for the ongoing identification, evaluation and management of the significant risks faced by HSBC have been in place throughout the year and up to 6 March 2006, the date of approval of the Annual Report and Accounts 2005. In the case of companies acquired during the year, including Metris Companies Inc., the internal controls in place are being reviewed against HSBC’s benchmarks and integrated into HSBC’s systems.
HSBC’s key internal control procedures include the following:
- Authority to operate the various subsidiaries is delegated to their respective chief executive officers within limits set by the Board of Directors of HSBC Holdings or by the Group Management Board under powers delegated by the Board. Sub-delegation of authority from the Group Management Board to individuals requires these individuals, within their respective delegation, to maintain a clear and appropriate apportionment of significant responsibilities and to oversee the establishment and maintenance of systems of controls appropriate to the business. The appointment of executives to the most senior positions within HSBC requires the approval of the Board of Directors of HSBC Holdings.
- Functional, operating, financial reporting and certain management reporting standards are established by Group Head Office management for application across the whole of HSBC. These are supplemented by operating standards set by functional and local management as required for the type of business and geographical location of each subsidiary.
- Systems and procedures are in place in HSBC to identify, control and report on the major risks including credit, changes in the market prices of financial instruments, liquidity, operational error, breaches of law or regulations, unauthorised activities and fraud. Exposure to these risks is monitored by asset and liability committees and executive committees in subsidiaries and by the Group Management Board for HSBC as a whole. A Risk Management meeting, chaired by the Group Finance Director, is held each month. The Risk Management meeting addresses asset and liability management issues. Minutes of the Risk Management meeting are submitted to the Group Management Board and the Group Audit Committee.
- Processes are in place to identify new risks from changes in market practices or customer behaviours which could expose HSBC to heightened risk of loss or reputational damage. During 2005 additional attention was directed towards evolving best practice in the areas of internet fraud; counterparty risk management policy, following the publication of the Corrigan report in July 2005; and responding to new public policy initiatives governing sales practices.
- Periodic strategic plans are prepared for customer groups, global product groups, key support functions and certain geographies within the framework of the Group Strategic Plan. Operating plans are prepared and adopted by all HSBC companies annually, setting out the key business initiatives and the likely financial effects of those initiatives.
- Centralised functional control is exercised over all computer system developments and operations. Common systems are employed for similar business processes where practicable. Credit and market risks are measured and reported on in subsidiaries and aggregated for review of risk concentrations on a Group-wide basis.
- Responsibilities for financial performance against plans and for capital expenditure, credit exposures and market risk exposures are delegated with limits to line management in the subsidiaries. In addition, functional management in Group Head Office is responsible for setting policies, procedures and standards in the following areas of risk: credit risk; market risk; liquidity risk; operational risk; IT risk; insurance risk; accounting risk; tax risk; legal and regulatory compliance risk; human resources risk; reputational risk and purchasing risk; and for certain global product lines.
- Policies to guide subsidiary companies and management at all levels in the conduct of business to safeguard the Group’s reputation are established by the Board of HSBC Holdings and the Group Management Board, subsidiary company boards, board committees or senior management. Reputational risks can arise from social, ethical or environmental issues, or as a consequence of operational risk events. As a banking group, HSBC’s good reputation depends upon the way in which it conducts its business but it can also be affected by the way in which clients, to which it provides financial services, conduct their business.
- The internal audit function, which is centrally controlled, monitors the effectiveness of internal control structures across the whole of HSBC. The work of the internal audit function is focused on areas of greatest risk to HSBC as determined by a risk-based approach. The head of this function reports to the Group Chairman and the Group Audit Committee.
- Management is responsible for ensuring that recommendations made by the internal audit function are implemented within an appropriate and agreed timetable. Confirmation to this effect must be provided to internal audit. Management must also confirm annually to internal audit that offices under their control have taken or are in the process of taking the appropriate actions to deal with all significant recommendations made by external auditors in management letters or by regulators following regulatory inspections.
The Group Audit Committee has kept under review the effectiveness of this system of internal control and has reported regularly to the Board of Directors. The key processes used by the Committee in carrying out its reviews include: regular reports from the heads of key risk functions; the production annually of reviews of the internal control framework applied at Group Head Office and major operating subsidiary level measured against HSBC benchmarks, which cover all internal controls, both financial and non-financial; semi-annual confirmations from chief executives of principal subsidiary companies that there have been no material losses, contingencies or uncertainties caused by weaknesses in internal controls; internal audit reports; external audit reports; prudential reviews; and regulatory reports.
The Directors, through the Group Audit Committee, have conducted an annual review of the effectiveness of HSBC’s system of internal control covering all material controls, including financial, operational and compliance controls and risk management systems. The Group Audit Committee has received confirmation that management has taken or is taking the necessary action to remedy any failings or weaknesses identified through the operation of HSBC’s framework of controls.