Internal control

The Directors are responsible for internal control in HSBC and for reviewing its effectiveness. Procedures have been designed for safeguarding assets against unauthorised use or disposition; for maintaining proper accounting records; and for the reliability of financial information used within the business or for publication. Such procedures are designed to manage rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement, errors, losses or fraud. The procedures also enable HSBC Holdings to discharge its obligations under the Handbook of Rules and Guidance issued by the Financial Services Authority, HSBC's lead regulator.

The key procedures that the Directors have established are designed to provide effective internal control within HSBC and accord with the Internal Control: Revised Guidance for Directors on the Combined Code issued by the Financial Reporting Council. Such procedures for the ongoing identification, evaluation and management of the significant risks faced by HSBC have been in place throughout the year and up to 3 March 2008, the date of approval of the Annual Report and Accounts 2007. In the case of companies acquired during the year the internal controls in place are being reviewed against HSBC's benchmarks and integrated into HSBC's processes.

HSBC's key internal control procedures include the following:

• Authority to operate the various subsidiaries and responsibilities for financial performance against plans and for capital expenditure is delegated to their respective chief executive officers within limits set by the Board of Directors of HSBC Holdings. Sub-delegation of authority from the Board to individuals requires these individuals, within their respective delegation, to maintain a clear and appropriate apportionment of significant responsibilities and to oversee the establishment and maintenance of systems of controls appropriate to the business. The appointment of executives to the most senior positions within HSBC requires the approval of the Board of Directors of HSBC Holdings.
• Functional, operating, financial reporting and certain management reporting standards are established by Group Head Office management committees for application across the whole of HSBC. These are supplemented by operating standards set by functional and local management as required for the type of business and geographical location of each subsidiary.
• Systems and procedures are in place in HSBC to identify, control and report on the major risks including credit, changes in the market prices of financial instruments, liquidity, operational error, breaches of law or regulations, unauthorised activities and fraud. Exposure to these risks is monitored by risk management committees, asset and liability committees and executive committees in subsidiaries and by the Group Management Board for HSBC as a whole. A risk management meeting of the Group Management Board, chaired by the Group Finance Director, is held monthly. These risk management meetings address asset, liability and management issues. Minutes of the risk management meetings of the Group Management Board are submitted to the  Group Audit Committee and to the Board of Directors.
• A Disclosure committee has been established to review material disclosures made by HSBC Holdings for any errors, misstatements or omissions. The membership of the Disclosure Committee, which is chaired by the Group Company Secretary, includes the heads of the Finance, Legal, Risk, Compliance, Corporate Communications, Investor Relations and Internal Audit functions and representatives from the principal regions, customer groups and global businesses.
• Processes are in place to identify new risks from changes in market practices or customer behaviours which could expose HSBC to heightened risk of loss or reputational damage. During 2007 attention continued to be directed towards evolving best practice in the areas of internet banking, counterparty risk management policy following the publication of the Corrigan report in July 2005; best practice guidance emerging on liquidity management from the Institute of International Finance; the implications of a slowing housing market in the US coupled with rising payment obligations under ARMs; Group exposure to monolines and money market funds; the impact on the Group of the market illiquidity situation; and the implications of changed customer behaviour in the UK regarding seeking protection from credit obligations.
• Periodic strategic plans are prepared for key customer groups, global product groups, support functions and certain geographies within the framework of the Group Strategic Roadmap. Rolling operating plans are prepared and adopted by all major HSBC operating companies, and set out the key business initiatives and the likely financial effects of those initiatives.
• Centralised functional control is exercised over all computer system developments and operations. Common systems are employed for similar business processes wherever practicable. Credit and market risks are measured and reported on in subsidiaries and aggregated for review of risk concentrations on a Group-wide basis.
• Authorities to enter into credit exposures and market risk exposures are delegated with limits to line management in the subsidiaries. In addition, functional management in Group Head Office is responsible for setting policies, procedures and standards in the following areas of risk: credit risk; market risk; liquidity risk; operational risk; IT risk; insurance risk; accounting risk; tax risk; legal and regulatory compliance risk; human resources risk; reputational risk; and purchasing risk.
• Policies to guide subsidiary companies and management at all levels in the conduct of business to safeguard the Group's reputation are established by the Board of HSBC Holdings and the Group Management Board, subsidiary company Boards, Board committees or senior management. Reputational risks can arise from environmental, social or governance issues, or as a consequence of operational risk events. As a banking group, HSBC's good reputation depends upon the way in which it conducts its business but it can also be affected by the way in which clients, to which it provides financial services, conduct their business.
• The internal audit function, which is centrally controlled, monitors the effectiveness of internal control structures across the whole of HSBC. The work of the internal audit function is focused on areas of greatest risk to HSBC as determined by a risk-based approach. The head of this function reports to the Group Chairman and the Group Audit Committee.
• Management is responsible for ensuring that recommendations made by the internal audit function are implemented within an appropriate and agreed timetable. Confirmation to this effect must be provided to internal audit. Management must also confirm annually to internal audit that offices under their control have taken or are in the process of taking the appropriate actions to deal with all significant recommendations made by external auditors in management letters or by regulators following regulatory inspections.

The Group Audit Committee has kept under review the effectiveness of this system of internal control and has reported regularly to the Board of Directors. The key processes used by the Committee in carrying out its reviews include: regular business and operational risk assessments; regular reports from the heads of key risk functions including Internal Audit and Compliance; the production annually of reviews of the internal control framework applied at Group Head Office and major operating subsidiary level measured against HSBC benchmarks, which cover all internal controls, both financial and non-financial; semi-annual confirmations from chief executives of principal subsidiary companies that there have been any material losses, contingencies or uncertainties caused by weaknesses in internal controls; internal audit reports; external audit reports; prudential reviews; and regulatory reports. In addition, where unexpected losses have arisen or where incidents have occurred which indicate gaps in the control framework or in adherence to Group policies, the Group Audit Committee has reviewed special reports, prepared at the instigation of management, which analyse the cause of the issue, the lessons learned and the actions proposed by  management to address the issue.

The Directors, through the Group Audit Committee, have conducted an annual review of the effectiveness of HSBC's system of internal control covering all material controls, including financial, operational and compliance controls and risk management systems. The Group Audit Committee has received confirmation that management has taken or is taking the necessary action to remedy any failings or weaknesses identified through the operation of HSBC's framework of controls.