Internal Control Review: Audit and Evaluation in China
Whenever foreign investors want to figure out whether internal control exists and is sufficient in their Chinese subsidiaries, an internal control review (ICR) might be the best first step toward that.
In contrast to an annual statutory audit, which mainly focuses on maintaining reliable financial reporting, the ICR cares more about the specific management process.
To put it simply, ICR is an overall assessment of the internal control system across various functions in a company.
It tests whether the implemented internal control system works as designed, evaluates whether it’s enough to manage the risks that the company may face in its day-to-day business, and identifies deficiencies in the internal control structure that could be strengthened to maximize efficiency.
Generally, an ICR would generate the following benefits:
- Encourage adherence to prescribed internal control policies and procedures;
- Improve effectiveness and efficiency of operations;
- Guarantee reliability of the company’s financial reporting;
- Ensure compliance with applicable laws and regulations;
- Detect and prevent errors and irregularities in a timely manner; and,
- Help overseas headquarters and senior management to have a thorough understanding of their company’s internal control mechanisms.
When is ICR needed?
Unlike listed companies that are required by law to conduct separate internal control audit and evaluation regularly, ICR is generally not mandatory for smaller companies. The ICR is often seen as a “plus”, rather than a “must”, for those whose business models are comparatively simple.
More often than not, these businesses may just combine the ICR into the annual statutory audit process. However, even SMEs should consider an ICR under certain circumstances, including:
- When the key management of the company is changing;
- When there is internal reporting indicating fraud or corruption within the organization;
- When an acquiring company in an M&A knows nothing about the management situation of the acquired company;
- When a parent overseas company and its Chinese subsidiary have difficulties in reaching a mutual understanding on internal control mechanisms due to language or cultural barriers; or,
- When a company tries to figure out why irregularities, high costs, or low performance have occurred within its organization.
ICR by internal or external team?
Many companies may also wonder whether they should do the review internally or use third party professional services. While the former might be preferred for cost-saving purposes, an ICR conducted by third party professionals can actually add more value to the process in the business context of China.
This is not only because they have the expertise needed to identify the unique risks and deficiencies in China, but also because they are usually in a more independent position to ensure the objectivity of the ICR process, and thus better serve to improve the internal control operations.
Nevertheless, the advantages of external ICR can only be achieved when the third party professionals are reliable and qualified. Companies are advised to do at least basic due diligence into a potential third party to ensure it has compatible resources and experience to conduct an ICR that is customized to their needs.
For example, the qualified service provider should handle the ICR process in English, allowing headquarters or senior management to monitor the process; the service provider should have adequate professionals with a good understanding of ICR and the necessary qualifications, such as a CPA certificate or other certificates; the service provider should have experience in conducting ICRs for companies that have similar business operations and scope.
For both internal ICR and external ICR, companies can always get more from the ICR process by knowing how it works. Though the methodology and procedure of each ICR vary case by case, depending on the objectives and actual situation of the company, we summarize the full ICR process as follows:
Step 1: Identify the company’s business objectives
Since internal control is essentially designed to provide reasonable assurance for the achievement of the company objectives, identifying all objectives that are key to the success of the company is the starting point to improve a company’s internal control system.
In the case of using a third party service to conduct an ICR, the company and the service provider need to figure out the objectives even before the service agreement is signed. By expressly identifying the business objectives, the service provider can better allocate their resources to the most relevant business process and reduce the likelihood of overlooking key business risks.
Step 2: Walk-through tests to learn the key business processes and controls
The walk-through test is a method commonly used to learn the key business processes and existing internal control in an ICR. A walk-through test traces how the company authorizes, records, processes, and reports a sample transaction.
For example, in a walk-through test for the purchase cycle of a manufacturing company, the auditor would go through the whole process (including order placing, goods shipment, invoicing, goods receipt and quality checking, monthly reconciliation and payment settlement, and quality dispute management) step by step. During the test, auditors will use the email chains between the staff in charge and the suppliers, the invoices, and the paper records to demonstrate the process. By studying a single transaction, the auditor gets a sense of how the company handles other similar transactions.
Step 3: Document key processes and controls narratives
After the walk-through test, the auditors would document the key processes and controls narratives they observed, not only for the purpose of presenting the company’s current management situation to the headquarters or the acquiring company, but also to streamline their own thoughts to facilitate the follow-up ICR processes.
Internal control documentation can take various forms, such as flowcharts, policy and procedure manuals, and narrative descriptions. But whatever form it takes, the documentation should be of sufficient clarity to ensure that a reader will understand the detailed process.
Step 4: Identify key control points for further review
Since it’s impossible to test and analyze all control points considering the time and cost, auditors must decide which control points to review further. Here, the “materiality principle” must be followed, i.e. only those points that could go wrong, and would thus impede the achievement of the company’s key objectives, are subject to further testing and review. During this preliminary assessment, the auditor’s professional judgement is essential to assessing these key points.
Only key controls with low or moderate risk are worth an effectiveness test. If an internal control is deemed very likely to be ineffective or non-existent, and there are no alternative controls, the auditor may directly report it as a significant deficiency or weakness in the later ICR report.
Step 5: Test the effectiveness of key control points
Auditors will then comprehensively apply different methods, such as interviewing, observing, inspecting, and re-performance, to test the effectiveness of the controls. Different methods suit different controls. For example, observation is appropriate when the control is a process and produces no product for inspection, such as when access to an area is restricted to authorized personnel only, and inspection is suitable when documentation is available to check, such as authorization or contract compliance.
To get sufficient appropriate evidence for evaluating the effectiveness of the controls, the size of the tested sample is a key factor. Both the American Institute of Certified Public Accountants (AICPA) and the Chinese Institute of Certified Public Accountants (CICPA) have standards on the minimum sample size; however, the auditors may still need to use their expertise to determine whether a larger sample size is needed.
Step 6: Analyze control deficiencies and assess corresponding risks
Based on the materials acquired in the former steps, the auditors can analyze the deficiencies of the key control points and assess the corresponding effects on the company’s business.
Generally, if a control is not implemented by personnel with proper authority and expertise as designed, then the control has deficiencies in operation; if a control performed as designed could not achieve the intended objectives, then the control has deficiencies in design.
One thing the auditors should bear in mind is that ICR is subject to cost-benefit constraints. No internal control system can absolutely prevent undesirable conditions from occurring. The control will be regarded as effective as long as it can give reasonable assurance of the success of the business.
Another thing is that when assessing the effects of the control deficiencies, it should be noted that significant risks include not only those that threaten the survival of the group, or could seriously weaken it, but also the risk of failing to identify significant opportunities.
Step 7: Generate ICR report
Finally, auditors would generate a complete report that will include at least:
- The description of the key controls;
- The findings of the control deficiencies;
- The assessment of the possible risks resulting from the control weaknesses; and,
- Specific and feasible solutions to fix or improve the company’s control system.
Step 8: Follow-up monitoring and review
Unlike companies regulated by Article 404 of the SOX, it’s not mandatory for most companies to conduct follow-up monitoring and review to see whether the deficient controls have actually improved.
For those who just want to learn the control environment of their Chinese subsidiaries, or their newly acquired companies, the ICR report is sufficient to mark the end of the ICR process.
However, if the company wants reasonable assurance in the long term, it should continuously monitor and regularly review its internal control system for maximum benefit.