| China’s Basic Standard for Enterprise Internal | | | | risk management and internal controls |
| Control (C-SOX) is coming into effect soon, and while | | | | - Have executives visibly |
| some of the implementation guidelines are not yet | | | | “own” the C-SOX implementation |
| clear, the core of the regulation is in place. | | | | - Establish a “whistleblower” |
| The purpose of C-SOX is to increase the | | | | mechanism and fraud reporting hotline to alter the |
| effectiveness of internal controls in listed Chinese | | | | company to potential problems |
| companies, thus reducing risks for companies and | | | | Management will need to be visible in its support for |
| their stakeholders. Companies must evaluate their | | | | C-SOX and ensure that a sense of urgency is felt |
| internal controls, publish an evaluation report on an | | | | across all offices and regions. This means creating a |
| annual basis and audit the effectiveness of their | | | | project team with adequate representation from the |
| internal controls. These are new concepts to many | | | | entire business, and one with the political clout |
| organizations in China, and as a result there is some | | | | required to overcome institutional resistance to |
| resistance and confusion to deal with. Many Chinese | | | | change. |
| companies have poor risk management systems, | | | | Although responsibility for risk management and |
| inadequate business data and patchy IT | | | | compliance ultimately sits with the CEO and Board of |
| infrastructures. However, these are not the biggest | | | | Directors, forward-thinking companies will move to |
| challenges facing companies that will be required to | | | | push responsibility to various parts of the |
| comply with C-SOX. | | | | organization. C-SOX projects require participation |
| The biggest challenge for China SOX (and hence, the | | | | from many levels of an organization, and for |
| top criteria for success) is company culture. No | | | | compliance projects to succeed, companies must |
| amount of money, software or consultants can | | | | make their staff an active participant on the |
| compare with the beneficial effects of enlightened | | | | integrated project team. |
| and committed management. For C-SOX to really | | | | Industry leaders involve much of the organization in |
| succeed, companies have to embrace risk | | | | their C-SOX implementation process and go beyond |
| management as a concept, adopt internal control | | | | the minimum requirements imposed by the Basic |
| frameworks and change their corporate culture. | | | | Standard for Enterprise Internal Control to improve |
| What does that mean? For organizations to get the | | | | operating results while introducing business |
| most benefits of C-SOX compliance, they must: | | | | improvements throughout the organization. |
| - Foster openness and transparency in | | | | Many companies in China do not currently have this |
| the company | | | | kind of culture, and that is going to mean extra time |
| - Be open to self-evaluation and | | | | and effort and required for proper implementation of |
| self-criticism (of the management team and all | | | | the Basic Standard for Enterprise Internal Control. |
| employees) | | | | Companies that see this as an opportunity to refresh |
| - Report on perceived risks in a timely | | | | and improve their corporate culture will be rewarded |
| fashion | | | | with a quicker process and more tangible business |
| - Provide training on the benefits of | | | | benefits. |