Comprehensive Guide to Internal Control and Fraud Prevention in China

With some notable unethical business practices a few years ago, China has witnessed a growing emphasis on the importance of internal control and audit processes within organizations. This article explores into the significance of internal control in the Chinese business environment.

Contributing Advisor

Daisy Huang

Manager, Audit

Defining internal control and audit

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

The COSO model encompasses several fundamental principles that shape the essence of internal control:

Every organization has its distinct mission, structure, and operations; therefore, internal control systems will vary. While the COSO model provides the foundational principles, each entity must design and structure its internal control system to align with its objectives and operating environment.

Internal audits complement internal control by systematically evaluating the effectiveness of risk management, control, and governance processes. These audits play a vital role in identifying and preventing fraudulent activities. It's worth noting that an internal audit ordered directly by a company's headquarters offers the best protection against fraud in a China-based entity.

Generally speaking, while an annual audit mainly focuses on maintaining reliable financial reporting, the internal control review (ICR) cares more about the specific management process.

Whenever businesses want to figure out whether internal control exists and are sufficient in their Chinese subsidiaries, an ICR might be the best and very first step to achieve that. To put it simply, ICR is an overall assessment of the internal control system across various functions in a company.

It tests whether the implemented internal control system works as designed, to evaluate whether it’s enough to manage the risks that the company may face in its day-to-day business and to identify deficiencies in the internal control structure that could be strengthened to maximize efficiency. Generally, an ICR would generate the following benefits:

• Encourage adherence to prescribed internal control policies and procedures;
• Improve effectiveness and efficiency of operations;
• Guarantee reliability of the companies’ financial reporting;
• Ensure compliance with applicable laws and regulations;
• Detect and prevent errors and irregularities in a timely manner; and
• Help overseas headquarters and senior management to have a thorough understanding of their company’s internal control mechanisms.

When is ICR needed?

While ICR may not be mandatory for smaller companies, it can be a valuable tool for improving your business operations and mitigating risks. 

When to Consider an ICR:

• Fundamental management changes: When your company undergoes significant changes in leadership or management, conducting an ICR is advisable to ensure a smooth transition and maintain control over your operations.
• Internal red flags: If you receive internal reports or indications of potential fraud or corruption within your organization, it's a clear signal that an ICR is needed to identify and address these issues promptly.
• Mergers and acquisitions: In mergers and acquisitions (M&A) cases, especially when the acquiring company lacks knowledge about the acquired company's management situation, an ICR can help bridge the gap and establish a common understanding of internal control mechanisms.
• Language or cultural barriers: When your company faces challenges in aligning internal control practices between a parent overseas company and its Chinese subsidiary due to language or cultural differences, an ICR can facilitate communication and alignment.
• Performance issues: If your business experiences irregularities, high operational costs, or low organizational performance, an ICR can help pinpoint the root causes and improve overall efficiency.

Internal or external team for ICR?

One of the critical decisions you'll face is whether to conduct the ICR internally or engage third-party professional services. Here's a breakdown of the pros and cons:

Internal ICR:

• Cost-saving option.
• Requires in-house expertise.
• It may lack objectivity.

External ICR:

• Bring external expertise to the process.
• Ensures objectivity.
• Customized to address unique risks in China.

When opting for an external ICR, it's crucial to do your due diligence:

• Ensure the service provider can communicate in English to facilitate headquarters or senior management oversight.
• Verify that the service provider has qualified professionals with a strong understanding of ICR and relevant certifications like CPA certificates.
• Check if the service provider has experience conducting ICR for companies with similar business operations and scope.

ICR process

For both internal ICR and external ICR, companies can always get more from the ICR process by knowing how it works. Though the methodology and procedure of each ICR vary case by case, depending on the objectives and actual situation of the company, the full set of ICR process is summarized as follows:

Internal control review process-full set

 Step 1: Identify the company’s business objectives

Since internal control is essentially designed to provide reasonable assurance for the achievement of the company objectives, identifying all objectives that are key to the success of the company is the starting point for improving a company’s internal control system.

In the case of using a third-party service to conduct an ICR, the company and the service provider need to figure out the objectives even before the service agreement is signed. By expressly identifying the business objectives, the service provider can better allocate their resources to the most relevant business process and reduce the likelihood of overlooking key business risks.

Step 2: Walk-through tests to learn the key business processes and controls

The walk-through test is a method commonly used to learn the key business processes and existing internal controls in an ICR. A walk-through test traces how the company authorizes, records, processes, and reports a sample transaction.

For example, in a walk-through test for the purchase cycle of a manufacturing company, the auditor would go through the whole process—including order placing, good shipment, invoicing, good receipt and quality checking, monthly reconciliation and payment settlement, and quality dispute management—step by step. During the test, auditors will use the email chains between the staff in charge and the suppliers, the invoices, and the paper records to demonstrate the process. By studying a single transaction, the auditor gets a sense of how the company handles other similar transactions.

Step 3: Document key processes and control narratives

After the walk-through test, the auditors would document the key processes and control narratives they observed, not only for the purpose of presenting the company’s current management situation to the headquarters or the acquiring company but also to streamline their own thoughts to facilitate the follow-up ICR processes.

Internal control documentation can take various forms, such as flowcharts, policy and procedure manuals, and narrative descriptions. But whatever form it takes, the documentation should be of sufficient clarity to ensure that a reader will understand the detailed process.

Step 4: Identify key control points for further review

Since it’s impossible to test and analyze all control points considering the time and cost, auditors must decide which control points they would conduct further review. Here, the “materiality principle” must be followed, i.e., only those points – which could go wrong, and would thus impede the achievement of the company’s key objectives – are subject to further test and review.

During this preliminary assessment, the auditor’s professional judgment is essential to assessing these key points. Only key controls with low or moderate risk are worth an effectiveness test. If internal control is deemed very likely to be ineffective or non-existent, and there are no alternative controls existing, the auditor may directly report it as a significant deficiency or weakness in the later ICR report.

Step 5: Test the effectiveness of key control points

Auditors will then comprehensively apply different methods, such as interviewing, observing, inspecting, and re-performance, to test the effectiveness of the controls. Different methods suit different controls.

For example, observation is appropriate when the control is a process and produces no product for inspection, such as when access to an area is restricted to authorized personnel only, and inspection is suitable when documentation is available to check, such as authorization or contract compliance. To get sufficient appropriate evidence for evaluating the effectiveness of the controls, the size of the tested sample is a key factor. Both the American Institute of Certified Public Accountants (AICPA) and the Chinese Institute of Certified Public Accountants (CICPA) have standards on the minimum sample size; however, the auditors may still need to use their expertise to determine if a larger sample size is needed.

Step 6: Analyze control deficiencies and assess corresponding risks

Based on the materials acquired in the former steps, the auditors could analyze the deficiencies of the key control points and assess the corresponding effects on the companies’ businesses. Generally, if a control is not implemented by personnel with proper authority and expertise as designed, then the control has deficiencies in operation; if a control performed as designed could not achieve the intended objectives, then the control has deficiencies in the design.

One thing the auditors should bear in mind is that ICR is subject to cost-benefit constraints. No internal control system can absolutely prevent undesirable conditions from occurring. The control will be regarded as effective as long as it can give reasonable assurance of the success of the business. Another thing is that when assessing the effects of the control deficiencies, it should be noted significant risks include not only those that threaten the survival of the group or could seriously weaken it, but also the risk of failing to identify significant opportunities.

Step 7: Generate the ICR report

Finally, auditors would generate a complete report that will include at least the following:

• The description of the key controls;
• The findings of the control deficiencies;
• The assessment of the possible risks resulted from the control weaknesses; and
• Specific and feasible solutions to fix or improve the company’s control system.

Step 8: Follow-up monitor and review

Unlike companies regulated by Article 404 of the SOX, it’s not mandatory for most companies to do a follow-up monitor and review to see if the deficient controls are actually improved. For those who just want to learn about the control environment of their Chinese subsidiaries or their newly acquired companies, the ICR report is decent enough to signify the end of the ICR process.

However, if the company wants reasonable assurance in the long term, they should continuously monitor and regularly review their internal control system for maximum benefit.

Fraud risk in China

When it comes to fraud risk, China presents a unique set of challenges and opportunities that differ from many other locations. While fraud itself is a universal issue driven by human self-interest, China's business environment can magnify certain aspects of fraud risk.

Differences in Fraud Risk

The prevailing notion is that fraud risk in China is not fundamentally different from elsewhere, but the circumstances create unique challenges. China's business transactions often lack transparency, and the language barrier can serve as a formidable shield against detection. While attributing fraud to Chinese culture is an oversimplification, certain characteristics of Chinese business culture can influence the prevalence of fraud.

One notable distinction is the significance of contracts. In China, contracts are generally less binding than in other regions, leaving room for fraudulent activities. Additionally, the response to fraud within Chinese companies may differ from practices in other countries. Punitive actions after discovering fraud are often less severe, potentially encouraging fraudulent behavior.

Types of fraud in China

Fraud in China encompasses a wide spectrum, ranging from small-scale petty cash fraud to highly sophisticated schemes deeply embedded in an organization's operations. Protecting intellectual property (IP) has become a growing concern, especially for companies that have shifted from manufacturing-centric models to those where the true business value lies in their IP assets.

The complexity of an organization's structure can also significantly impact fraud risk. Companies engaged in extensive marketing, dealing with multiple vendors, and managing complex supply chains face higher fraud risks. Even with a simple business model, inappropriate behavior uncovered during internal audits can run deep within a company's operations.

Specific fraud risk areas in China-based enterprises

Several operational areas within China-based enterprises are particularly vulnerable to fraud:

Supply chain:

• Purchasing overpriced raw materials due to inappropriate agreements with suppliers.
• Improper disposal of scrap materials.
• Poor inventory control.

Payroll:

• Discrepancies between contract salaries and actual payroll payments.
• Deliberate over-accrual and unauthorized use of welfare benefits.
• Existence of ghost employees.
• Unauthorized or improper reimbursements.
• Non-payment of taxes and social security.

Sales:

• Selling goods at or below cost due to inappropriate agreements between sales staff and purchasers.
• Payment of unauthorized sales commissions to employees or their associates.
• Lack of a competitive bidding process.

Preventing fraud in China

For foreign-invested enterprises in China, preventing fraud entails a heightened focus on strengthening internal control systems. This effort aligns with the "fraud triangle," which addresses motivation, rationalization, and opportunity as key elements of fraud risk.

Internal control primarily targets limiting the opportunity for fraud. For instance, enhancing the physical security of inventory can prevent fraudulent activities related to misappropriation. An illustrative example is a Chinese clothing manufacturer with an employee who deliberately mislabelled good material as scrap and sold it at a lower price to a separate company, ultimately producing counterfeit products.

Recruitment practices can address the motivation aspect of fraud prevention. Pre-employment screening, particularly for sensitive positions within the "fraud potential zone," should be standard practice. This zone includes senior roles in finance, procurement, sales, supply, marketing, warehousing, and distribution.

While China's labor laws challenge pre-employment screening, discreet investigations can help uncover unethical behavior. The most challenging aspect to address is rationalization, which often involves procurement staff and suppliers. Given their thin profit margins, a closer examination can determine if they are acting in the company's best interests and adhering to contractual obligations.

Below, we provide an internal control checklist to help foreign enterprises in China limit their risk of fraud while operating in the country.