China's Basic Standard for Enterprise Internal Control


By alexraymond

What is the Basic Standard for Enterprise Internal Control?

Also known as "China SOX" or "C-SOX", the Basic Standard for Enterprise Internal Control is a regulation adopted in China designed to improve risk management and prevent AIG, Enron and Worldcom-style disasters in China.

The Basic Standard for Enterprise Internal Control was announced in June 2008 and will be phased in over the next couple of years. Like Sarbanes-Oxley (SOX) in the US, it will place different requirements on companies based on their size, ownership structure, etc.

At present, the government has not yet specified the implementation guides for China SOX, other than to release the general draft guidelines. As a result, companies in China have asked for implementation to be delayed pending more clarity.

The first companies that are required to adopt China SOX are the state-owned enterprises under the State-Owned Asset Supervisory and Administration Commission (SASAC). These are many of the largest companies in China and include industrial giants such as Sinopec, Sinochem, CNOOC, Baosteel, Air China and more.

Also included in the first round will be foreign-listed Chinese companies, i.e. firms whose shares are traded in Hong Kong, NYSE, NASDAQ, etc. In general, these companies will find it easier to implement the C-SOX requirements because they have already had to improve internal control to meet listing requirements of foreign exchanges.

There are lots of people paying attention to this rule, so expect it to be enforced. After all, the Basic Standard for Enterprise Internal Control is sponsored by the Ministry of Finance, China Securities Regulatory Commission, the National Audit Office, China Banking Regulatory Commission and China Insurance Regulatory Commission. These are influential organizations who will want to make sure that risk management best practices are well adopted in China.

What is COSO?

The COSO framework is the underlying risk management structure for China SOX.  COSO is a well-established framework that has been developing since it was launched in 1985.  In terms of enterprise risk management, the COSO framework lists the key considerations, functions and metrics for sound enterprise risk management.

COSO is made up of 5 control elements:

1. Internal environment - the foundation for all other components of internal control

2. Risk assessment - identification and analysis of risks to the achievement of company objectives

3. Control activities - the policies and procedures that help ensure that directives are executed

4. Information and communication tools - systems to store and exchange information in support of business objectives

5. Internal monitoring - process of assessing the quality of internal controls

What are the main parts of China SOX?

There are five main requirements to the Basic Standard for Enterprise Internal Control and several smaller requirements.

The main requirements are that companies adopting China SOX must:

  1. Include the five control elements in internal controls (Chapter 1 Article 5). This means that they must study and implement COSO and similar frameworks and use them as the foundation for their on-going risk management. It will be important to train all staff on relevant areas of risk management.
  2. Define and implement internal control policies (Chapter 1 Article 6). This is a long process of documenting existing internal controls, evaluating them, and making any changes. Here, Chinese companies would do well to learn from the experiences of public companies in the US who implemented Section 404 of Sarbanes-Oxley. That wound up being the most difficult and time-consuming part. On the good side, companies that paid attention to their internal controls wound up with considerable business benefits.
  3. Establish a suitable IT system with embedded controls (Chapter 1 Article 7). IT will automate many of the internal control processes in all areas of the business (for example, supply chain, customer service or financial reporting). This means that companies who comply with China SOX will be buying new ERP systems, email tools, databases, training systems, HR systems and lots more.
  4. Set policies on the compensation and disciplines related to the proper implementation of internal control. Effectiveness of internal control implementation should be treated as a key element of performance appraisals for department and staff levels (Chapter 1 Article 8). As I have mentioned in other forums, this is potentially the most sensitive part of China SOX. The meaning here is that managers will be personally accountable for the success or failure of their internal controls. Expect this one to get lots of attention and debate going forward.
  5. Perform self-assessment of the effectiveness of internal controls on a periodic basis and issue control self-assessment reports (Chapter 6 Article 46). The company must conduct its own evaluation of the control framework, and share its findings with qualified external auditors. The auditors then propose changes and vouch for the validity of the internal controls in an annual report.


Getting the Whistleblower Mechanism Right

Hidden in the C-SOX regulation is the requirement that companies in China must set up whistleblower mechanisms for fraud alert.

Whistleblower protection and fraud early warning systems are new concepts in China's business environment (which has been rocked by too many corporate scandals in recent years to bother keeping track), so most companies don't know how to take the first step.

I will quickly outline some of the most important considerations as a road-map to getting started. The purpose of a whistleblower mechanism is to alert the company to risks, fraud or corruption, and it is an important part of an enterprise risk management framework. Employees can report misconduct, illegal activities or fraud to company management or directors.

To be effective, a whistleblower mechanism should have:

- Anonymity.  For employees to feel safe in bringing suspicious, illegal, corrupt or overly-risky information to management's attention, they must be able to make their reports anonymously.  It won't be effective if employees have to identify themselves to make a report, because they simply won't do it.

- Multiple ways to report. Employees should be able to “blow the whistle” by telephone, email or web form. Companies should outsource the telephone service to an external organization with experience in these types of operations. Emails sent by employees should also go to an external mailbox and be encrypted to remove information about the sender. Online reporting allows for anonymous and secure delivery.

- No repercussions. The company needs a strong policy of no recourse or repercussions against anyone who makes a report. This creates a culture of openness and transparency and adheres to the spirit of the law. If employees feel that their career or personal safety would be put at risk bringing information forward, they won't do so and the organization will continue to be exposed to potentially significant risks.

- Resolution. Companies adopting China SOX must investigate and deal with any reports that come into the hotline. This means a complete investigation, dealing with the issue, and making sure proper internal controls are implemented to prevent problems in the future.

Reasonable suspicion of misconduct is an OK reason for someone to use the reporting hotline. That being said, abuse of the reporting mechanism should be punished and strongly discouraged. Companies that are complying with the requirements of C-SOX must make sure everyone in the company knows the purposes and appropriate use of the whistleblower hotline. And they must be encouraged to use it if they need to.


What's New with China SOX?

While the full details of this internal control and corporate governance regulation have not yet been published, I have picked up on some of the changes to the scope and roll-out schedule.

Who will it affect?

The Basic Standard for Enterprise Internal Control was originally targeted at domestically-listed Chinese companies. There are about 900 companies listed on the Shanghai Stock Exchange and about 700 listed in Shenzhen. C-SOX was intended to impose stricter corporate governance, risk management and control standards on those listed companies. However, the government realized that many of these firms simply don't have resources to properly implement the changes required at this time.

So C-SOX was directed at an easier target: firms listed on overseas markets. These are big, well-run companies that floated their shares in New York, Hong Kong or London, and therefore are already compliant with stricter regulations (like Sarbanes-Oxley). Since these companies already have the people, processes and systems required by these external markets, the government figured it would be easier for them to deal with China SOX's requirements.

An addition to the China SOX list of affected companies are China’s state-owned enterprises (SOEs). These are huge organizations under direct state control and include many of the best known companies in China. The largest SOEs (namely the 150 controlled by China’s SASAC, or State-owned Assets Supervision and Administration Commission) are now among the first wave of companies that must comply. These are big companies with the people, skills and resources required to comply with China SOX.

What areas of business will be affected by China SOX?

Internal controls are the focus of China SOX, which means that companies must define their controls and implement systems to manage them. While the C-SOX regulation is intended to cover all areas of a Chinese company’s operations, there have been some modifications to this requirement. For example, the first priority for China SOX is the safeguarding of financial assets, so a lot of emphasis is put on financial risk management and financial controls. Corporate governance and operational risk management, while still key components of China SOX, are not priority number one.



Additional resources on China SOX

Since China SOX is still new, there hasn't been that much reporting and analysis on it yet. As more becomes available, I will post it here. I do have a China-related informational blog that tracks new data and information about the regulation. My company's website also has more analysis and best practice on how to implement C-SOX.

Many of the large international consulting and advisory firms, such as PwC, Deloitte, KPMG, Protiviti and Ernst & Young have information packets on China SOX for their clients.

My blog at vast-talent.com

Comments


echelon 8 weeks ago

Can you share a link where China SOX is available?
