China’s Basic Standard for Enterprise Internal Control (C-SOX) is coming into effect soon, and while some of the implementation guidelines have not been specified, the core of the regulation is in place.
The main purpose of C-SOX is to increase the effectiveness of internal controls in listed Chinese companies, thus reducing risks for companies and their stakeholders. Companies must evaluate their internal controls, publish an evaluation report on an annual basis and audit the effectiveness of their internal controls. These are new concepts to many organizations in China, and as a result there is some resistance and confusion to deal with. Below is a list of ten questions to address before starting your C-SOX implementation process.
1) Do we have an organization map? This document is the backbone of your C-SOX implementation because it shows the roles and responsibilities for the departments and employees. It will be used to assign areas of responsibility and internal control approval levels. If your organization does not have a recent map, work with your human resources department to put one together.
2) Who “owns” C-SOX? The answer should be the CEO and Board of Directors. If top management doesn’t own the C-SOX process, it means that the company is not putting in the right amount of resources needed to make the implementation work. Companies that delegate C-SOX implementation to a specific department risk failure due to lack of support.
3) What is our current risk management framework? An existing risk management framework is a great starting point for C-SOX. It could be based on COSO, ERM or ISO 31000 – the point of departure is less important that the discipline that comes with a risk management process. If you do not have an existing risk management framework, you should hire an outside consultant or expert to help you.
4) How will IT help us? IT will play a key role in your C-SOX process, so it helps to get the IT team involved early. Part of the implementation will be buying new software (in fact, the Basic Standard for Enterprise Internal Control mandates the use of IT systems with in-built controls) and the IT department can help to draft a strategy and execute it.
5) What is our training plan? Your compliance initiative will not succeed if you don’t train your staff. The training plan should include at least the following elements: why internal control is important, key internal controls, company policies and procedures, and who to go to with questions. Use e-learning to get the training out quickly and with maximum consistency.
6) Where is the expertise? If you don’t have experts on internal control and risk management within your company, you should hire externally to jump start your project. There are many specialist consultants who can help you develop and execute your strategy and who will train your staff (this will reduce your costs in the long term).
7) What constitutes success? Make sure the CEO and top management have a shared vision of what C-SOX success looks like. This is a long process and there will be many steps along the way. Your implementation plan should detail key milestones and metrics for your business.
8) How do we evaluate staff performance? Several elements of C-SOX are related to human resources. Managers have to perform self-evaluations against internal control metrics, meaning that department managers will have to disclose information about their goals and objectives, and rate themselves on their performance. Furthermore, the Basic Standard for Enterprise Internal Control requires that compensation of executives be linked to internal control. These are new concepts for many companies, and setting up a performance management process is the best way to implement these requirements.
9) What’s in it for me? Unless managers understand the benefits of C-SOX compliance, they are not likely to want to invest time and money in the process. Make sure you have an education campaign so staff understand where they fit in the process and the benefits to them.
10) What’s next? C-SOX compliance is an on-going process, not a one-time event. There are always next steps and future plans and strategies that need to be implemented. You need a team that is able to implement existing requirements and plan ahead for what comes next.
The Basic Standard for Enterprise Internal Control is a wide-ranging rule which will impact every area of a company’s business. You need to take care to address these fundamental questions before starting your implementation process.
Alex Raymond is the Founder and CEO of Vast Talent, a specialized provider of compliance and performance management systems in China.
Vast Talent was founded in 2008 and has offices in Hong Kong and Beijing.