China Accounting Vision
Title of the document: Notice on the issuance of the "Basic Standards for Enterprise Internal Control"
Document number: Cai Kuai [2008] No. 7
Issuing department: Audit Office of the Ministry of Finance, China Insurance Regulatory Commission, China Banking Regulatory Commission, China Securities Regulatory Commission
Issue time: 2008-5-22
Implementation time: 2009-7-1
Expiration date:
Regulation type: Internal accounting control system
Industry: all industries
Region: Nationwide
Content of the article:
The Central Administration Bureau, the Ministry of Railways, the State Administration of Management, the General Logistics Department, the Armed Police Headquarters, the finance departments (bureaus) and audit offices (bureaus) of all provinces, autonomous regions, municipalities directly under the Central Government, and cities under separate state planning, the Finance Bureau and Audit Bureau of the Xinjiang Production and Construction Corps, the regulatory bureaus of all provinces, autonomous regions, municipalities, and cities under separate state planning of the China Securities Regulatory Commission, the Shanghai and Shenzhen Commissioner’s Offices of the China Securities Regulatory Commission, all insurance regulatory bureaus, insurance companies, all banking regulatory bureaus, and policy banks, state-owned commercial banks, joint-stock commercial banks, Postal Savings Bank, asset management companies, provincial-level rural credit unions, trust companies, finance companies, leasing companies directly managed by the China Banking Regulatory Commission, and relevant centrally managed enterprises:
In order to strengthen and standardize the internal control of enterprises, improve the level of enterprise management and risk prevention capabilities, promote the sustainable development of enterprises, and safeguard the socialist market economic order and public interests, in accordance with relevant national laws and regulations, the Ministry of Finance, together with the China Securities Regulatory Commission, the Audit Office, the China Banking Regulatory Commission and the China Insurance Regulatory Commission, has formulated the "Basic Standards for Enterprise Internal Control", which are hereby issued and will be implemented within the scope of listed companies from July 1, 2009. Non-listed large and medium-sized enterprises are encouraged to implement them. Listed companies that implement these standards shall self-evaluate the effectiveness of the company's internal controls, disclose an annual self-evaluation report, and may hire an accounting firm with securities and futures business qualifications to audit the effectiveness of internal controls.
If you encounter any problems during implementation, please provide feedback to us in a timely manner.
Attachment: Basic Standards for Enterprise Internal Control
Chapter 1 General Provisions
Article 1 In order to strengthen and standardize the internal control of enterprises, improve the level of enterprise management and risk prevention capabilities, promote the sustainable development of enterprises, and safeguard the socialist market economic order and public interests, this specification is formulated in accordance with the Company Law of the People's Republic of China, the Securities Law of the People's Republic of China, the Accounting Law of the People's Republic of China, and State Council and other relevant laws and regulations.
Article 2: These regulations apply to large and medium-sized enterprises established within the territory of the People's Republic of China.
Small businesses and other units can refer to this specification to establish and implement internal controls.
The classification standards for large and medium-sized enterprises and small enterprises shall be implemented in accordance with relevant national regulations.
Article 3 The internal control referred to in this specification is a process implemented by the company's board of directors, board of supervisors, managers and all employees to achieve control objectives.
The goal of internal control is to reasonably ensure the legal compliance of corporate operations and management, asset security, authenticity and completeness of financial reports and related information, improve operational efficiency and effectiveness, and promote the realization of corporate development strategies.
Article 4 When establishing and implementing internal controls, enterprises should follow the following principles:
(1) Principle of comprehensiveness. Internal control should run through the entire process of decision-making, implementation and supervision, covering various businesses and matters of the enterprise and its affiliated units.
(2) Principle of importance. Internal control should be based on comprehensive control and focus on important business matters and high-risk areas.
(3) Principle of checks and balances. Internal control should form mutual constraints and mutual supervision in terms of governance structure, institutional setup, distribution of rights and responsibilities, business processes, etc., while taking into account operational efficiency.
(4) Principle of adaptability. Internal control should be adapted to the enterprise's operating scale, business scope, competition status, risk level, etc., and should be adjusted in a timely manner as the situation changes.
(5) Cost-benefit principle. Internal control should weigh implementation costs and expected benefits to achieve effective control at an appropriate cost.
Article 5: An enterprise’s establishment and implementation of effective internal controls should include the following elements:
(1) Internal environment. The internal environment is the basis for an enterprise to implement internal control, and generally includes governance structure, institutional setup and distribution of rights and responsibilities, internal auditing, human resources policies, corporate culture, etc.
(2) Risk assessment. Risk assessment is for an enterprise to promptly identify and systematically analyze risks related to the achievement of internal control objectives in business activities, and to reasonably determine risk response strategies.
(3) Control activities. Control activities are when an enterprise adopts corresponding control measures based on the risk assessment results to control risks within an acceptable level.
(4) Information and communication. Information and communication means that an enterprise collects and transmits information related to internal control in a timely and accurate manner to ensure effective communication of information within the enterprise and between the enterprise and the outside world.
(5) Internal supervision. Internal supervision is the company's supervision and inspection of the establishment and implementation of internal control, evaluation of the effectiveness of internal control, and the discovery of internal control deficiencies, which should be improved in a timely manner.
Article 6 An enterprise shall formulate its own internal control system and organize its implementation in accordance with relevant laws and regulations, this specification and its supporting measures.
Article 7 Enterprises should use information technology to strengthen internal control, establish an information system suitable for business management, promote the organic combination of internal control processes and information systems, realize automatic control of business and matters, and reduce or eliminate the element of human manipulation.
Article 8 Enterprises should establish an incentive and restraint mechanism for the implementation of internal control, incorporate the implementation of internal control by each responsible unit and all employees into the performance evaluation system, and promote the effective implementation of internal control.
Article 9 The relevant departments of the State Council may, in accordance with laws and regulations, this Code and its supporting measures, clarify the specific requirements for the implementation of this Code, and supervise and inspect the establishment and implementation of internal controls by enterprises.
Article 10 Accounting firms that are entrusted by enterprises to engage in internal control audits shall audit the effectiveness of the enterprise's internal controls and issue audit reports in accordance with these norms, supporting measures and relevant practice standards. The accounting firm and its signing practitioners shall be responsible for the internal control audit opinions issued.
Accounting firms that provide consulting services for enterprise internal control shall not provide internal control audit services for the same enterprise at the same time.
Chapter 2 Internal Environment
Article 11 Enterprises shall establish standardized corporate governance structures and rules of procedure in accordance with relevant national laws and regulations and corporate articles of association, and clarify responsibilities and authorities in decision-making, implementation, supervision and other aspects, forming a scientific and effective division of responsibilities and checks and balances.
The shareholders' (general) meeting enjoys the legal rights stipulated in laws, regulations and corporate articles of association, and exercises voting rights on major matters such as corporate operating policies, financing, investment, and profit distribution in accordance with the law.
The board of directors is responsible to the general meeting of shareholders and exercises the business decision-making power of the enterprise in accordance with the law.
The board of supervisors is responsible to the general meeting of shareholders and supervises the company’s directors, managers and other senior managers to perform their duties in accordance with the law.
The managers are responsible for organizing and implementing the resolutions of the general meeting of shareholders and the board of directors, and presiding over the production, operation and management of the enterprise.
Article 12 The Board of Directors is responsible for the establishment, improvement and effective implementation of internal controls. The Board of Supervisors supervises the establishment and implementation of internal controls by the Board of Directors. Managers are responsible for organizing and leading the daily operation of the enterprise's internal controls.
Enterprises should establish a special agency or designate an appropriate agency to be responsible for organizing and coordinating the establishment, implementation and daily work of internal controls.
Article 13 An enterprise shall establish an audit committee under the board of directors. The Audit Committee is responsible for reviewing the company's internal controls, supervising the effective implementation of internal controls and internal control self-evaluation, and coordinating internal control audits and other related matters.
The person in charge of the audit committee should have corresponding independence, good professional ethics and professional competence.
Article 14 Enterprises should set up internal organizations based on business characteristics and internal control requirements, clarify responsibilities and authorities, and assign rights and responsibilities to each responsible unit.
Enterprises should prepare internal management manuals to enable all employees to understand the internal organizational structure, job responsibilities, business processes, etc., clarify the distribution of rights and responsibilities, and correctly exercise their powers.
Article 15 Enterprises should strengthen internal audit work and ensure the independence of the internal audit agency setup, staffing and work.
The internal audit institution shall supervise and inspect the effectiveness of internal controls in conjunction with internal audit supervision. The internal audit institution shall report the internal control deficiencies discovered during supervisory inspections in accordance with the enterprise's internal audit working procedures; it shall have the right to report directly to the board of directors, its audit committee, and the board of supervisors for major internal control deficiencies discovered during supervisory inspections.
Article 16 Enterprises shall formulate and implement human resources policies that are conducive to the sustainable development of the enterprise. Human resources policies should include the following contents:
(1) Recruitment, training, dismissal and resignation of employees.
(2) Employees’ salary, assessment, promotion, rewards and punishments.
(3) Compulsory leave system and regular job rotation system for employees in key positions.
(4) Restrictive regulations for employees who possess state secrets or important business secrets to leave their posts.
(5) Other policies related to human resources management.
Article 17 Enterprises should regard professional ethics and professional competence as important criteria for selecting and hiring employees, effectively strengthen employee training and continuing education, and continuously improve the quality of employees.
Article 18 Enterprises should strengthen cultural construction, cultivate positive values and social responsibility, advocate honesty and trustworthiness, dedication, pioneering innovation and teamwork spirit, establish modern management concepts, and strengthen risk awareness.
Directors, supervisors, managers and other senior managers should play a leading role in the construction of corporate culture.
Enterprise employees should abide by the employee code of conduct and conscientiously perform their job responsibilities.
Article 19 Enterprises should strengthen legal education, enhance the legal awareness of directors, supervisors, managers and other senior managers and employees, strictly make decisions, act and supervise in accordance with the law, and establish and improve the legal advisory system and the recording system for major legal dispute cases.
Chapter 3 Risk Assessment
Article 20 Enterprises should comprehensively, systematically and continuously collect relevant information based on the set control objectives, and conduct risk assessments in a timely manner based on the actual situation.
Article 21 When conducting risk assessment, an enterprise shall accurately identify internal risks and external risks related to the achievement of control objectives, and determine the corresponding risk tolerance.
Risk tolerance is the risk limit that an enterprise can bear, including the overall risk tolerance and the acceptable risk level at the business level.
Article 22 When identifying internal risks, enterprises shall pay attention to the following factors:
(1) Professional ethics of directors, supervisors, managers and other senior management personnel, and employee professional competencies and other human resource factors.
(2) Management factors such as organizational structure, operating methods, asset management, and business processes.
(3) Independent innovation factors such as research and development, technological investment, and application of information technology.
(4) Financial conditions, operating results, cash flow and other financial factors.
(5) Safety and environmental factors such as operational safety, employee health, and environmental protection.
(6) Other relevant internal risk factors.
Article 23 When identifying external risks, enterprises should pay attention to the following factors:
(1) Economic factors such as economic situation, industrial policy, financing environment, market competition, and resource supply.
(2) Legal factors such as laws, regulations, and regulatory requirements.
(3) Social factors such as safety and stability, cultural traditions, social credit, education level, and consumer behavior.
(4) Scientific and technological factors such as technological progress and process improvement.
(5) Natural disasters, environmental conditions and other natural environmental factors.
(6) Other relevant external risk factors.
Article 24 Enterprises should use a combination of qualitative and quantitative methods to analyze and rank the identified risks according to the likelihood of risk occurrence and degree of impact, and determine the risks to focus on and to control with priority.
When conducting risk analysis, enterprises should fully recruit professionals, form a risk analysis team, and carry out work in accordance with strict and standardized procedures to ensure the accuracy of risk analysis results.
Article 25 Enterprises should weigh risks and benefits based on the results of risk analysis and risk tolerance, and determine risk response strategies.
Enterprises should reasonably analyze and accurately understand the risk preferences of directors, managers, other senior managers, and employees in key positions, and adopt appropriate control measures to avoid significant losses to corporate operations due to personal risk preferences.
Article 26 Enterprises shall comprehensively use risk response strategies such as risk avoidance, risk reduction, risk sharing and risk tolerance to achieve effective control of risks.
Risk avoidance is a strategy for enterprises to avoid and mitigate losses by giving up or stopping business activities related to the risk for risks that exceed their risk tolerance.
Risk reduction is a strategy for enterprises to take appropriate control measures to reduce risks or mitigate losses after weighing costs and benefits, and to control risks within risk tolerance.
Risk sharing is a strategy in which an enterprise prepares to rely on the strength of others to control risks within its risk tolerance by adopting business subcontracting, purchasing insurance, etc. and taking appropriate control measures.
Risk tolerance means that an enterprise is not prepared to take control measures to reduce risks or mitigate losses after weighing the costs and benefits.
Article 27 Enterprises should continue to collect information related to risk changes based on different development stages and business expansion situations, conduct risk identification and risk analysis, and timely adjust risk response strategies.
Chapter 4 Control Activities
Article 28 Enterprises should, based on risk assessment results, combine manual control with automatic control and preventive control with discovery control, and use appropriate control measures to control risks within tolerance.
Control measures generally include: incompatible job separation control, authorization approval control, accounting system control, property protection control, budget control, operational analysis control and performance evaluation control, etc.
Article 29: Separation control of incompatible positions requires enterprises to comprehensively and systematically analyze and sort out the incompatible positions involved in business processes, and implement corresponding separation measures to form a working mechanism in which each position performs its own duties, bears its own responsibilities, and is mutually restrictive.
Article 30 Authorization approval control requires enterprises to clarify the scope of authority, approval procedures and corresponding responsibilities of each position to handle business and matters in accordance with the provisions of regular authorization and special authorization.
Enterprises should prepare authority guidelines for regular authorization, standardize the scope, authority, procedures and responsibilities of special authorization, and strictly control special authorization. Regular authorization refers to the authorization carried out by an enterprise in accordance with established responsibilities and procedures in daily operation and management activities. Special authorization refers to authorization granted by an enterprise under special circumstances and specific conditions.
Managers at all levels of the enterprise should exercise their powers and assume responsibilities within the scope of authorization.
Enterprises should implement a collective decision-making approval or joint signature system for major businesses and matters. No individual may make decisions alone or change collective decisions without authorization.
Article 31 Accounting system control requires enterprises to strictly implement the national unified accounting standards system, strengthen basic accounting work, clarify the processing procedures of accounting vouchers, accounting books and financial accounting reports, and ensure the authenticity and completeness of accounting information.
Enterprises should set up accounting institutions in accordance with the law and staff them with accounting practitioners. Personnel engaged in accounting work must obtain an accounting qualification certificate. The person in charge of the accounting institution shall have professional and technical qualifications of accountant or above.
Large and medium-sized enterprises should set up a chief accountant. An enterprise that has a chief accountant shall not have a deputy with overlapping powers.
Article 32 Property protection and control requires enterprises to establish a daily property management system and a regular inventory system, and take measures such as property records, physical storage, regular inventory, and account verification to ensure the safety of property.
Businesses should strictly limit access to and disposal of property by unauthorized personnel.
Article 33 Budget control requires enterprises to implement a comprehensive budget management system, clarify the responsibilities and authority of each responsible unit in budget management, standardize the preparation, approval, release and execution procedures of the budget, and strengthen budget constraints.
Article 34 Operation analysis and control requires enterprises to establish an operation analysis system. Managers should comprehensively use information on production, purchase and sales, investment, financing, finance, etc., and conduct regular operation analysis through factor analysis, comparative analysis, trend analysis and other methods, to identify existing problems, identify the causes in a timely manner and make improvements.
Article 35 Performance appraisal control requires enterprises to establish and implement a performance appraisal system, scientifically set up an appraisal indicator system, conduct regular appraisals and objective evaluations of the performance of all responsible units and all employees within the enterprise, and use the appraisal results as the basis for determining employee salary and job promotion, evaluation, demotion, transfer, dismissal, etc.
Article 36 Enterprises should comprehensively apply control measures based on internal control objectives and risk response strategies to implement effective control over various businesses and matters.
Article 37 Enterprises should establish a major risk early warning mechanism and an emergency response mechanism for emergencies, clarify risk early warning standards, formulate emergency plans and identify responsible personnel for major risks or emergencies that may occur, and standardize handling procedures to ensure that emergencies are handled promptly and properly.
Chapter 5 Information and Communication
Article 38 Enterprises should establish an information and communication system, clarify the collection, processing and transmission procedures of internal control-related information, ensure timely communication of information, and promote the effective operation of internal control.
Article 39: Enterprises should reasonably screen, check, and integrate various internal and external information collected to improve the usefulness of the information.
Enterprises can obtain internal information through financial accounting information, operation and management information, research reports, special information, internal publications, office networks and other channels.
Enterprises can obtain external information through channels such as industry associations, social intermediaries, business units, market surveys, letters and visits, online media, and relevant regulatory authorities.
Article 40 An enterprise shall share internal control-related information, and communicate and provide feedback on it, among all management levels, responsible units, and business links within the enterprise, as well as between the enterprise and external investors, creditors, customers, suppliers, intermediaries, regulatory authorities and other relevant parties. Problems discovered during the information communication process should be reported in a timely manner and resolved.
Important information should be delivered to the board of directors, board of supervisors and management in a timely manner.
Article 41 Enterprises should use information technology to promote the integration and sharing of information and give full play to the role of information technology in information and communication.
Enterprises should strengthen control over information system development and maintenance, access and changes, data input and output, file storage and custody, network security, etc., to ensure the safe and stable operation of information systems.
Article 42 Enterprises should establish an anti-fraud mechanism, adhere to the principle of equal emphasis on punishment and prevention with a focus on prevention, clarify the key areas and key links of anti-fraud work and the responsibilities and authority of relevant institutions in anti-fraud work, and standardize the reporting, investigation, handling, reporting and remediation procedures for fraud cases.
Enterprises should at least focus on the following situations in anti-fraud work:
(1) Embezzling or misappropriating corporate assets without authorization or using other illegal methods to obtain improper benefits.
(2) False records, misleading statements or major omissions in financial accounting reports and information disclosure, etc.
(3) Abuse of power by directors, supervisors, managers and other senior managers.
(4) Relevant institutions or personnel collude to commit fraud.
Article 43: Enterprises should establish a reporting and complaint system and a whistleblower protection system, set up a reporting hotline, clarify the reporting and complaint handling procedures, handling time limits and settlement requirements, and ensure that reports and complaints become an important way for the enterprise to effectively obtain information.
The reporting and complaint system and whistleblower protection system should be communicated to all employees in a timely manner.
Chapter 6 Internal Supervision
Article 44 Enterprises shall, in accordance with these norms and supporting measures, formulate an internal control and supervision system, clarify the responsibilities and authorities of the internal audit institution (or other authorized supervisory agencies) and other internal agencies in internal supervision, and standardize the procedures, methods and requirements of internal supervision.
Internal supervision is divided into daily supervision and special supervision. Daily supervision refers to the company's regular and continuous supervision and inspection of the establishment and implementation of internal controls; special supervision refers to targeted supervision and inspection of one or certain aspects of internal control when major adjustments or changes occur in the company's development strategy, organizational structure, operating activities, business processes, employees in key positions, etc.
The scope and frequency of special supervision should be determined based on the results of risk assessment and the effectiveness of daily supervision.
Article 45: Enterprises shall formulate standards for identifying internal control deficiencies. For internal control deficiencies discovered during the supervision process, they shall analyze the nature and causes of the deficiencies, propose rectification plans, and report to the board of directors, supervisory board or management in an appropriate form in a timely manner.
Internal control defects include design defects and operational defects. Enterprises should track the rectification of internal control deficiencies and hold the relevant responsible units or responsible persons accountable for major deficiencies discovered during internal supervision.
Article 46: Enterprises shall regularly self-evaluate the effectiveness of internal control based on internal supervision and issue an internal control self-evaluation report.
The method, scope, procedure and frequency of internal control self-evaluation shall be determined by the enterprise based on business adjustments, changes in operating environment, business development status, actual risk levels, etc.
If the relevant national laws and regulations provide otherwise, such provisions shall prevail.
Article 47 Enterprises shall properly preserve relevant records or materials in the establishment and implementation process of internal control in writing or other appropriate forms to ensure the verifiability of the establishment and implementation process of internal control.
Chapter 7 Supplementary Provisions
Article 48 These regulations shall be interpreted by the Ministry of Finance in conjunction with other relevant departments of the State Council.
Article 49 The supporting measures for this specification shall be formulated separately by the Ministry of Finance in conjunction with other relevant departments of the State Council.
Article 50 This specification will come into effect on July 1, 2009.