The China Basic Standard for Corporate Internal Control (“C-SOX”) will come into force soon, and therefore many companies are beginning to implement this regulation. While the prospect of adopting a new corporate governance and risk management standard may seem daunting, there are some simple steps companies can take to get started on the project. Companies that start implementing C-SOX early will gain a competitive advantage and save significant money and resources in the long run. The keys to a successful implementation are gaining support from across the organization and establishing a reasonable project strategy and schedule.
To get the most out of a C-SOX project, it is critical to understand that compliance is an ongoing process, not a one-time initiative. This article will show you how you can get started with the C-SOX process to ensure success.
The Basic Standard for Corporate Internal Control was announced in 2008 and is sponsored by the Ministry of Finance, the China Securities Regulatory Commission, the National Audit Bureau, the China Banking Regulatory Commission, and the China Insurance Regulatory Commission. The purpose of the new regulation is to increase the effectiveness of internal controls in listed Chinese companies, thereby reducing risks to companies and their stakeholders.
The new rule requires companies listed on the Shanghai or Shenzhen stock exchanges to conduct self-assessments of their internal controls, publish an assessment report annually, and hire qualified agencies to audit the effectiveness of their internal controls. The Basic Standard will apply to more than 900 companies listed on the Shanghai Stock Exchange and about 800 companies listed on the Shenzhen Stock Exchange.
The backbone of the Basic Standard for Enterprise Internal Control is the COSO Risk Framework, which establishes a broad definition of internal control that extends to all parts of an organization. It lists five key elements of control:
one. internal environment – the basis for all other components of internal control
two. Risks evaluation – identification and analysis of risks for the achievement of the company’s objectives
3. control activities – the policies and procedures that help ensure that directives are carried out
Four. Information and communication tools – systems for storing and exchanging information in support of business objectives
5. internal monitoring – internal control quality assessment process
The purpose of evaluating internal controls and corporate governance is to gain sufficient knowledge of the control environment to understand management’s attitudes, awareness, and actions regarding control environment factors.
The Basic Norm of Corporate Internal Control requires that listed companies:
o Include the five elements of control when establishing and implementing effective internal control
o Establish and implement internal control policies
o Establish an adequate information technology system for business management with built-in controls
o Establish clear policies on rewards and disciplines related to the correct implementation of internal control. The effectiveness of internal control implementation should be treated as a key element of performance appraisals for department and staff levels.
o Carry out self-assessment of the effectiveness of its internal control on a regular basis and issue control self-assessment reports
The implementation of C-SOX is a change management initiative that can have a significant positive impact on the company. However, to do so, companies need to take certain steps and make sure they have a clear strategy.
Starting the C-SOX compliance process doesn’t have to be difficult. A high level of visibility and support from the executive team will provide the urgency needed to quickly begin implementing training programs and marshalling internal resources. Putting this foundation in place early takes the time pressure out of the compliance project and will give the company a solid foundation in risk management and internal controls well into the future. In particular, making the effort to develop a risk-aware culture will pay off through better existing processes, reduced errors, and increased employee engagement. Businesses starting now will see margin improvements, efficiency gains, and a growing respect for the market.
The Core Standard for Corporate Internal Control is still evolving and final implementation guidelines are not yet available. However, companies should take advantage of this time to seek the benefits of improving risk management and internal control systems.