What China SOX Means for You
The Basic Standard for Enterprise Internal Control (“China SOX” or “C-SOX”) is sponsored by the Ministry of Finance, China Securities Regulatory Commission, the National Audit Office, China Banking Regulatory Commission and China Insurance Regulatory Commission. The purpose of the new regulation is to increase the effectiveness of internal controls in listed Chinese companies, thus reducing risks for companies and their stakeholders.
China SOX requires listed and state-owned companies to implement internal control strategies, conduct self-evaluations of their internal controls, publish an annual evaluation report of their controls and hire third party auditors to validate the effectiveness of their internal controls.
The backbone of the Basic Standard for Enterprise Internal Control is the COSO risk framework, which establishes a broad definition of internal control extending to all parts of an organization.
There are five control elements in the COSO risk framework:
1. Internal environment - the foundation for all other components of internal control
2. Risk assessment - identification and analysis of risks related to the achievement of company objectives
3. Control activities - the policies and procedures that help ensure that directives are executed
4. Information and communication tools - systems to store and exchange information in support of business objectives
5. Internal monitoring - process of assessing the quality of internal controls
The purpose of assessing the internal controls and corporate governance is to obtain sufficient knowledge of the control environment to understand the management’s attitudes, awareness and actions concerning the factors of the control environment.
Specifically, the Basic Standard for Enterprise Internal Control requires that companies in China do the following:
- Build their internal control strategies around the five COSO control elements
- Establish and implement internal control policies
- Implement IT systems to support and automate their controls
- Link management and executive compensation with proper implementation of internal control; effectiveness of internal control implementation should be treated as a key element of performance appraisals for department and staff levels
- Perform self-assessment of the effectiveness of its internal control on a periodic basis and issue control self-assessment reports
This regulation is important and extremely relevant to thousands of companies in China, many of which lack in-depth experience with internal control and risk management implementation.