China follows the global trend and development of good corporate governance (Part II)

 

By Chris Tam - Business Risk Services

 

 

   
In Part I (see Insight Spring 2007), we introduced the Securities Law and the Company Law of the PRC and described their implications for corporate governance. Now, we are going to look into the internal control guidelines recently released by the two stock exchanges in mainland China.

Guidelines for the Internal Control of Listed Companies
The Shanghai Stock Exchange (Shanghai Exchange) and the Shenzhen Stock Exchange (Shenzhen Exchange) launched their sets of internal control guidelines for listed companies in June 2006 and September 2006, effective from 1 July 2006 and 1 July 2007 respectively.

In order to guide listed companies to set up sound internal control systems, enhance their risk management capabilities and protect the rights and interests of investors, the Guidelines for the Internal Control of Listed Companies were formulated by the two Stock Exchanges (namely the "Shanghai Guidelines" and "Shenzhen Guidelines") according to the following: the Two Laws 2005; Circular of the State Council concerning Approving and Forwarding the Opinions of the China Securities Regulatory Commission (CSRC) and Promoting the Quality of Listed Companies; other laws, regulations and regulatory documents; and the rules of the two Stock Exchanges concerning the listing of securities.

Mirroring the principles within the COSO framework, the two sets of guidelines require any listed company in mainland China to set up and maintain a sound internal control system. Companies must ensure that the system is comprehensive, reasonable and effective. The system must ensure that information disclosure is reliable and that all relevant laws and regulations are complied with.

The guidelines place a heavy onus on the directors, who are accountable to shareholders for maintaining a sound internal control system. The guidelines also impose a strict requirement on CPA firms, which may not be the existing external auditors, to attest to management's evaluation of the effectiveness of the internal control system. The CPA firm and the signing partners (i.e. two individual qualified China CPAs) will be personally accountable for their attestations.

The Shanghai Guidelines
The Shanghai Guidelines were released on 5 June 2006. The guidelines are applicable on three levels: (1) company level; (2) departments and subsidiaries level; (3) business processes level. At company level, the guidelines basically mirror the US COSO framework (Internal Control over Financial Reporting) with local customisation based on China's legal and economic environment.

1.  Company level
A company shall consider the following components at company level when establishing its internal control system (Article 6):
Strategic goal setting: determination of strategic goals according to risk appetite;
Internal environment: organisational structure, corporate culture, ethical values, and directions from the board;
Risk identification: identification of external and internal risks affecting the company;
Risk assessment: assessment of the significance and likelihood of risks identified;
Risk response: determination of risk management policies according to risk tolerance and risk appetite;
Control activities: policies and procedures in place to ensure that risk management policies are carried out effectively;
Information and communication: the information flow and communication platform for the design, execution and monitoring of control activities;
Monitoring: monitoring control to ensure the control activities are taking place; and
Self-evaluation of the internal control system.
 
The requirements at company level set out the foundation and framework of corporate governance.

 
2.  Departments and subsidiaries level
At departments and subsidiaries level, internal control systems shall be consistently applied across departments or subsidiaries (Article 7), subject to minor changes based on different operating environments. Article 14 spells out the following items, which should be consistently applied to all subsidiaries:
Lawful disclosure of ownership control;
Appointment of directors, supervisors, managers and financial controllers;
Application of the corporate strategy and risk management policies;
Performance appraisal and incentive plan;
Non-competing restrictions within the group and related-party transactions policies;
Management reporting system for significant issues including development plans, annual budgets, acquisitions or disposal of material assets, provision of financial assistance or guarantees, securities and futures transactions, material contracts, and currency risk exposure of overseas operating units; and
Timely submission of monthly financial and management reports and the external audit of financial reports.
 
The guidelines allow variations in the internal control systems at different departments or subsidiaries; however, it is intended that the core principles and basic elements of the internal control systems shall be consistently applied within the group.

 
3.  Business process level
Article 8 focuses on the business process level. It highlights some of the major sub-processes that should be covered by internal control systems (by reference to a typical trading or manufacturing business):
Sales and receipt - sales ordering, credit assessment, goods delivery, invoicing, recording and receipt, etc;
Purchases and payment - purchase requisition, purchase ordering, goods receipt, quality control and goods return, recording and payment, etc;
Production and conversion - production planning, material requisitions, material warehousing, materials issues, production costing, cost of sales calculation, quality control on production, etc;
Fixed assets - construction-in-progress, acquisition and disposal, maintenance and safeguarding of equipment, transactions recording etc;
Cash management - cash receipt and payment, recording and reporting, authorisation of cashier, etc;
Related party transactions - definition of related parties, pricing/authorisation/execution/recording of related parties transactions;
Treasury and guarantee - authorisation and recording of bank borrowings, corporate guarantees, financial leases, discounting bills, shares allotment, debentures, etc;
Investment - decision making, execution, custody and recording of investments in listed/unlisted securities, properties, other assets, trust funds, and financial derivatives;
Research and development - documentation of product design, technology development, product testing, and safeguarding of intellectual property;
Human resources - recruitment, employee contracting, training, termination, payroll calculation, salary tax, performance appraisal, recording and payment etc.

Article 10 requires an IT management department to be organised with proper control procedures over information access, archives, security, and system development. Article 11 requires proper accounting and financial control policies and procedures to be in place in accordance with the relevant rules and regulations pronounced by the State Ministry of Finance.

Evaluation of internal control systems
Companies shall evaluate their internal control systems on a periodic and ad-hoc basis. Any control deficiencies shall be promptly reported and rectified to ensure that the internal control system operates effectively (Article 22). The evaluation shall be carried out by a dedicated functional department, which is accountable directly to the Board of Directors (BOD) or its sub-committee (i.e. audit committee) (Article 23).

The results of the evaluation shall be reported, together with the progress of follow-up work on any control deficiencies previously identified, in the interim and annual reports (Articles 26 and 28). Documentation and working papers prepared in conjunction with the evaluation shall be retained for at least 10 years subject to regulatory inspection, if necessary (Article 29).

The audit committee is responsible for the reporting of the evaluation of the internal control system to the BOD. The report shall cover: (1) the design of the system; (2) the effective operation of the system; (3) progress and issues identified during the evaluation; (4) planned or executed remediation plans; and (5) the action plan for the following year.

Conclusion
The Shanghai Guidelines clearly lay out the internal control requirements for companies listed on the Shanghai Exchange. The Shenzhen Guidelines have basically adopted similar principles and provisions, which apply to the other stock market. In Part III, we will look into the Code on Corporate Governance for Listed Companies in China 2001 issued by the China Securities Regulatory Commission.

chris.tam@gthk.com.hk