Are you ready for
C-SOX?
C-SOC (China SOX) and the new control
framework in China
The name: Basic Standard for Enterprise Internal
Control... or C-SOX
China is one of the countries
that has issued regulations specifying
comprehensive requirements over a company's internal
control framework. The C-SOX together with its
three guidance documents will be effective from 1 July 2009 for
listed companies in China.
The legislation was launched by the
Chinese Ministry of Finance, the National Audit
Office, the China Securities Regulatory Commission,
the China Banking Regulatory Commission, and the China
Insurance Regulatory Commission.
The usual SOX
related elements are all present: Companies listed on
the Shanghai or Shenzhen exchanges must conduct
self-evaluations of their internal controls, must
publish an evaluation report on an annual basis and must
hire external auditors to audit the effectiveness
of their internal controls. Policies, procedures, risk
assessment, self assessments, testing, documentation...
C-SOX affects over 900 companies
listed on the Shanghai Stock Exchange and 800
companies listed on the Shenzhen Stock
Exchange.
The challenge:
Many Chinese companies have never gone through
this type of compliance process before.
Some Chinese companies understand SOX
very well!
There are only about 50 Hong Kong or Chinese
companies that are SEC registrants because of US
debt or equity (so they understand the US
SOX)
There are many companies
in China that are subsidiaries
or joint ventures of overseas SEC
registrants.
There are some companies in China that
comply with Sarbanes-Oxley as an indication of best
practice in corporate governance.
Main Challenges and Opportunities in
China:
1. The lack of IT control
documentation and testing in many firms
2. The lack of an enterprice-wide,
processed based approach in many firms
3. The shortage of
qualified and experienced risk management
professionals to work in internal control design,
operation, testing, documentation and compliance
management.
THE NEW AUDITING
STANDARDS AND THE EUROPEAN POINT OF VIEW
The Public Company Accounting
Oversight Board (the "Board" or
"PCAOB") has
proposed changes to its auditing standards related to
the auditor's assessment of and response to
risk.
The Board is proposing seven auditing standards that
would, collectively, update the requirements for
assessing and responding to risk during an audit.
The existingauditing standards
regarding risk assessment were adopted, for the most
part, during the 1980s. These proposals have been
informed by a number of factors and developments since
that time.
These include improvements that many
firms have made in their audit methodologies;
recommendations to the profession on ways in
which
auditors could improve risk assessment; advice from the
Board's Standing Advisory Group
("SAG"); the adoption of Auditing Standard No. 5,
An Audit of Internal Control Over Financial Reporting
That Is Integrated with An Audit of
Financial
Statements; and observations from the
Board's oversight activities.
The proposals build upon and attempt
to improve the framework established by the existing
standards, rather than replacing that framework
altogether.
It is interesting to
learn more about the European point of
view.
The Fédération des
Experts Comptables Européens (FEE) is the
representative organisation for the accountancy
profession in Europe. FEE's membership consists of 43
professional institutes of accountants from 32
countries. FEE member bodies are present in all 27
member states of the European Union and three member
countries of EFTA. FEE member bodies represent more than
500,000 accountants in Europe.
Letter from the
FEE:
Re: FEE Comments on PCAOB Release No.
2008-006: Proposed Auditing Standards Related to the
Auditor's Assessment of and Response to Risk and
Conforming Amendments to PCAOB Standards
"FEE is pleased to provide you
below with its comments on the Public Company Accounting
Oversight Board (PCAOB) Proposed Auditing Standards
Related to the Auditor's Assessment of and Response to
Risk and Conforming Amendments to PCAOB Standards
of
21 October 2008 (the Proposed Auditing
Standards)."
"The benchmark auditing standards are the
clarified International
Standards on Auditing
(ISAs)
For over ten years, FEE has been
advocating for the use of the (clarified) ISAs in the
European Union (EU).
In the meantime, the worldwide use of
the ISAs has steadily expanded over the last few years,
making them the global benchmark auditing
standards.
We therefore welcome the PCAOB's
initiative to align its standards with the clarified
ISAs as a step towards the ultimate worldwide
application of one set of auditing standards for capital
market entities and also other entities.
We also welcome the update of the
PCAOB's risk standards, reflecting the importance the
PCAOB attaches, and is right to attach, to the new risk
approach (i.e. risk assessment and responses to risk) to
the audit which was introduced into
the ISAs a few years ago.
We also support the clarified
ISAs, have commented on each of them, and support
further convergence. These Proposed Auditing Standards
from the PCAOB are therefore very welcome.
In an environment of convergence of
accounting standards, the globalisation of auditing
standards will facilitate consistency in the auditing of
financial statements.
The alternative is cumbersome
questionnaires covering differences in auditing
standards that detract from an efficient and effective
audit.
We recognise that at this stage,
the PCAOB issues standards
separately and with differences from those of the
IAASB because the PCAOB standards need to take into
account U.S. securities law and U.S. Securities and
Exchange Commission (SEC) and
other PCAOB rulemaking
on these laws.
Additionally, seen the PCAOB has
chosen for an integrated audit
approach on both the financial statements and the
internal controls of an entity, we understand
that there are differences between the PCAOB auditing
standards and the (clarified) ISAs.
However, we believe that it is
not conducive to international
convergence of auditing standards for the PCAOB to write
auditing standards that differ from the (clarified)
ISAs at a technical level for other reasons: the
(clarified) ISAs reflect the product of an
intensively
overseen and thorough due process
involving considerable consultation at an international
level.
We noted a wide range of
differences not identified by the PCAOB of which we note
just a few below:
· The distinction between audit
procedures on a financial statements level and on an
assertion level is not always drawn systematically in
the Proposed Auditing Standards like it is done in the
clarified ISAs;
· The distinction between requirements
pertaining to management as opposed to those charged
with governance or the board of directors is not always
pronounced clearly in the Proposed Auditing Standards
like it is included in the clarified ISAs;
· The introduction in the Proposed
Auditing Standards of far reaching requirements to
compensate for the lack of an auditing standard on group
audits like ISA 6001 makes the Proposed Auditing
Standards to be less comprehensive and unduly
burdensome;
· There are requirements for
substantive procedures on all significant risks, with
little scope for the combination of work on controls and
analytical procedures as required by clarified ISAs;
this may be onerous.
Detailed substantive
testing for significant risks
is flawed logically;
detailed checking is not the right response to
significant risks;
· There is a great number of
presumptively mandatory
'shoulds' in the Proposal Auditing Standards (a
construction rejected by the IAASB).
The differences we have noted in
the bullet points above are significant. We believe that
if they were addressed this would be helpful in
eliminating unnecessary differences between
PCAOB
Standards and Clarified ISAs.
A number of European Union (EU)
Member States have successfully adopted a
standardsetting model whereby the basis of the auditing
standards are the full (clarified) ISAs with additions
that address specific national requirements.
The PCAOB should consider this model
particularly as we believe it would facilitate reliance
upon other regulators in the PCAOB's inspection process.
The PCAOB has recently proposed
amendments to its rules in order to help fulfil its
inspection mandate.
The fraud risk
auditing standard should be more
balanced
FEE is in favour of the
introduction of a fraud risk auditing standard but the
clarified ISAs have a great deal more on this in the
application material than is included in the Proposed
Auditing Standard.
Application material is not just about
the extent and effectiveness of
work on fraud, but
also about efficiency and ensuring that auditors do not
do too much.
With the lack of application
material, there is also a danger that the public expectations in respect of the
auditor's ability to detect fraud may exceed the actual
ability given the nature of the inherent
limitations relating to fraud.
The PCAOB needs to mention these
limitations in its various pronouncements so as to
ensure the "expectation" gap is not
widened.
The objectives in the Proposed
Auditing Standards should be aligned to the objectives
in the clarified ISAs
We support the inclusion of an
objective in each standard to clarify the objective of
the requirements and act as a guide to the auditor in
considering whether this has indeed been achieved by the
audit work performed.
It is however not clear why the PCAOB
has chosen to deviate from the objectives included in
the comparable clarified ISAs."
"Standards of such international
significance require a transparent due process
throughout their development.
Open public hearings should be
considered given the need for a degree of openness with
these particularly important standards.
We regret that no implementation date is suggested
in the Proposed Auditing Standards.
The implementation date of new
standards needs to be announced as early as possible to
allow ample time for the standards to be embedded in the
audit methodology, audit training and education, etc of
audit firms and professional accountancy
bodies."
And what the big 4
believe about the new standards?
From Deloitte
& Touche
Re: Request for Public Comment on
Proposed Auditing Standards Related to the Auditor's
Assessment of and Response to Risk and Conforming
Amendments to PCAOB Standards
"We believe the PCAOB should further
enhance its consideration of the
ISAs in its standard-setting process, both
specifically as it pertains to the Proposed Standards
and on a goingforward basis.
We recognize the efforts of the Board
and its staff to reach a "degree of
commonality" with
the ISAs in the development of the Proposed
Standards.
We strongly support the Board's
expressed intention to "eliminate
unnecessary differences between the Board's risk
assessment standards and other risk assessment
standards."
