Attitudes to internal control from around the world: China
Author: James Chang, Risk Consulting Partner, Beijing
The updated COSO framework recognises today’s more diverse and globalised economy, and the need for common standards across cultures and borders. It does this by articulating 17 principles to provide a common language. Nonetheless, any framework will be challenged by different business cultures and management styles. Here in China, internal control leaders have to balance the recommendations of the framework with the nuances of our unique cultural traditions, our business customs and the demands of our fast-evolving economy.
- Traditional management culture: According to traditional Chinese management culture, authority rests with those at the top of the management chain. Demands or decisions from top management are usually seen as orders of the highest priority from people with significant experience, which can supersede existing internal control measures.
In this environment, those departments responsible for compliance are not given the mandate to query management decisions. This can be a challenge for the internal control framework if there is a shift in management objectives or misalignment with stated internal control objectives.
- Perception of internal control within the business: Internal control is often deemed to be most effective when the ‘three lines of defence’ are activated — front-line employees, risk and compliance functions and then audit. However, in China, internal control is largely viewed by the business as being solely the responsibility of the second and third lines of defence, allowing front-line employees to focus on their core responsibilities. There is a significant opportunity for internal control leaders to work together with business unit leaders to understand how to effectively orient the entire organisation towards achieving its internal control objectives.
- Rapidly changing business environment: With China being one of the fastest-developing economies in the world, Chinese businesses are in a constant state of change in their quest to be competitive. As new processes, new systems and new products are developed, the internal control framework needs to adapt to dynamically keep on top of increased risk exposure. This has been a significant challenge for China’s internal control functions.
- Control fatigue: In recent times, there has been a growing sentiment from within the business that internal control processes have become too onerous compared to the value they bring. This is especially seen as an issue where control processes impede the client experience or decrease business efficiency, or where control checks fail to differentiate between or monitor risk-critical information — such as client credit applications.
Business units are increasingly voicing concerns about the amount of control-, risk- or audit-related tasks they are being asked to perform, stating that it is having a negative impact on business capacity. Streamlining across internal control, risk management and internal audit demands is high on the agenda for internal control managers in China.