There is considerable attention in the Chinese business community to the newly announced Basic Standard for Enterprise Internal Control (C-SOX), which goes into effect in July 2009. Compliance with this regulation will be a considerable effort for many firms.
The Basic Standard for Enterprise Internal Control was announced in the summer of 2008 by the Ministry of Finance, China Securities Regulatory Commission (CSRC), China Banking Regulatory Commission (CBRC), the National Audit Office, and China Insurance Regulatory Commission (CIRC). The new regulation intends to increase the effectiveness of internal controls in listed Chinese companies, thus reducing risks for companies and their stakeholders.
Companies listed on either of the two major Chinese stock exchanges (Shanghai and Shenzhen) must conduct self-evaluations of their internal controls, report on an annual basis and hire qualified auditors to review the effectiveness of their internal controls. C-SOX will apply to over 2000 companies in China.
Many companies have hired consultants and advisers to document, test and upgrade internal controls to prepare their C-SOX compliance. However, without a cultural change and appropriate investments in technology that automates the documentation, assessment and remediation of internal controls, you would need to allocate the same amount of resources year after year to be compliant with C-SOX. In order to reduce their cost of long term compliance, companies have to make the focus on internal controls a part of their company culture.
Below are 6 checkpoints for how seriously your company is taking internal control:
1) Internal controls are owned by senior management
2) Executives clearly assign responsibilities for training and for monitoring of internal controls
3) Evaluations of control systems are done periodically and are thoroughly documented and are conducted by trained staff
4) Comprehensive and business-appropriate criteria are used to evaluate controls
5) Control deficiencies are reported to management and corrected on a timely basis
6) Controls built in as new processes and procedures are implemented
This checklist was designed to encourage your organization to make a culture shift toward risk awareness and responsibility. Your performance against this checklist will give you a good picture of how seriously your company is able to deal with the challenges of C-SOX.
The most important criterion for success in a C-SOX implementation is to ensure the support of the entire organization. Although responsibility for risk management and compliance ultimately sits with the CEO and Board of Directors, forward-thinking companies will move to push responsibility to various parts of the organization. C-SOX projects require participation from many levels of an organization, and for compliance projects to succeed, companies must make their staff an active participant on the integrated project team. People need to prepare for compliance consultants or auditors, and companies must commit staff and resources to make efficient use of outside consultants.