Lessons from Lockdown - Company Record Keeping
Hong Kong law requires companies to keep copies of certain documentation and sufficient records of all business transactions. Documents must also be made available for inspection, including to shareholders and auditors.
These requirements have proved a challenge for some companies during lockdown, when many offices are closed and people's movements restricted.
In this article, we set out an overview of:
- some practical tips for companies on keeping records and ensuring their ready accessibility;
- what records are required to be maintained by a company in Hong Kong; and
- record keeping for audit in Hong Kong.
During the recent Covid-19 pandemic, businesses have sought to continue to operate whilst people work both flexibly and remotely and this has highlighted the importance of enabling remote access to documents. This is particularly important where the documents are needed in relation to statutory filings given the potential penalties, all of which we look at in further detail in this article.
A key consideration for companies now is to allow for continued access to documents in order to ensure compliance with these obligations, and at the same time maintain adequate security whilst people continue to work from home. The measures set out here should help companies to comply going forwards.
- Keep electronic copies of all records in a shared drive/file (adequately secured), so that they can be easily accessed as required (as permitted under section 655(2)(a) of the CO).
- Routinely scan receipts into a shared location (where folders are themed), ensuring adequate control and security – this also guards against the risk that the ink may fade away.
- Consider using online or cloud-based book-keeping software.
- Discuss with your Company Secretary whether it holds your company records electronically, to allow faster and easier access for auditors.
- Ensure maintenance of adequate risk management and internal controls.
- Ensure anyone with access to shared files receives IT/cybersecurity training and keep logs of training records.
- Have in place procedures for proper and adequate reporting of the company’s affairs and operations, which should be reviewed periodically – listed companies are required to have such procedures in place, but it is also recommended for non-listed companies.