China’s Basic Standard for Enterprise Internal Control (“C-SOX”) comes into effect soon and many companies are therefore starting to implement this regulation. While the prospect of adopting new corporate governance and risk management standard may seem daunting, there are some simple steps that companies can take to get a head start on the project. Companies that start implementing C-SOX early will gain competitive advantage and save significant money and resources over the long run. The keys to a successful implementation are to enlist the support of the entire organization, and to set out a reasonable strategy and timeframe for the project.
To get the most from a C-SOX project, it is critical to understand that compliance is a continual process, not a one-time initiative. This article will show how you can get started with the C-SOX process to ensure success.
The Basic Standard for Enterprise Internal Control was announced in 2008 and is sponsored by the Ministry of Finance, China Securities Regulatory Commission, the National Audit Office, China Banking Regulatory Commission and China Insurance Regulatory Commission. The purpose of the new regulation is to increase the effectiveness of internal controls in listed Chinese companies, thus reducing risks for companies and their stakeholders.
The new rule requires companies listed on the Shanghai or Shenzhen exchanges to conduct self-evaluations of their internal controls, publish an evaluation report on an annual basis and hire qualified agencies to audit the effectiveness of their internal controls. The Basic Standard will apply to over 900 companies listed on the Shanghai Stock Exchange and about 800 companies listed on the Shenzhen Stock Exchange.
The backbone of Basic Standard for Enterprise Internal Control is the COSO risk framework, which establishes a broad definition of internal control extending to all parts of an organization. It lists five key control elements:
1. Internal environment – the foundation for all other components of internal control
2. Risk assessment – identification and analysis of risks to the achievement of company objectives
3. Control activities – the policies and procedures that help ensure that directives are executed
4. Information and communication tools – systems to store and exchange information in support of business objectives
5. Internal monitoring – process of assessing the quality of internal controls
The purpose of assessing the internal controls and corporate governance is to obtain sufficient knowledge of the control environment to understand the management’s attitudes, awareness and actions concerning the factors of the control environment.
The Basic Standard for Enterprise Internal Control requires that listed companies:
• Include the five control elements when establishing and implementing effective internal control
• Establish and implement internal control policies
• Establish a suitable business management information technology system with embedded controls
• Set clear policies on the rewards and disciplines related to the proper implementation of internal control. Effectiveness of internal control implementation should be treated as a key element of performance appraisals for department and staff levels
• Perform self-assessment of the effectiveness of its internal control on a periodic basis and issue control self-assessment reports
Implementing C-SOX is a change management initiative that can have a significant positive impact on the company. However, in order to do so, companies must take certain steps and make sure they have a clear strategy.
Starting the C-SOX compliance process does not have to be difficult. A high level of visibility and support from the executive team will provide the urgency needed to quick start rolling out training programs and gathering internal resources. Putting these foundations in place early removes time pressure from the compliance project and will give the company a strong basis in risk management and internal controls going forward. In particular, making the effort to develop a culture of risk awareness will pay off through better existing processes, reduction of errors, and increased employee engagement. Companies that begin now will see improving margins, increases in efficiency and growing market respect.
The Basic Standard for Enterprise Internal Control is still evolving and final implementation guidelines are not yet available. However, companies should take advantage of this time to seek the benefits to improved risk management and internal control systems.