- Email: [email protected]
Information systems assurance practices in China: Where they are and where are they going?
International Journal of Accounting Information Systems 13 (2012) 185–198
Contents lists available at SciVerse ScienceDirect
International Journal of Accounting Information Systems
Discussion
Information systems assurance practices in China: Where they are and where are they going? Philip Yang PricewaterhouseCoopers, Beijing, China
a r t i c l e
i n f o
Article history: Received 20 October 2011 Accepted 11 June 2012
1. Introduction The formal part of Philip Yang's presentation was in the form of a series of questions that he had agreed to address in advance of the symposium. This was supplemented by questions from the audience.
2. Key players in information systems assurance in China Efrim Boritz: Who are the key players in Information Systems Assurance in China? Philip Yang: First, a disclaimer: Anything I say here does not represent the opinion of the firm. Any specific examples I presented are not real cases. Instead, they are composites for use as examples. So please, don't relate them to any specific company. Now to answer the question. There are in fact four main types of key players in China. The first one is the National Audit office (China National Audit office). They are in fact the first ones who seriously started performing audits and IT audits in China. Twenty or thirty years ago, the majority of Chinese companies were state owned and the NAO was doing the audits of those entities, although they were primarily focused on detecting frauds, finding irregularities, etc. They are a large organization with literally thousands of auditors all over China; including many IT auditors many of whom have the CISA designation. The National Audit Office claims that the first person in mainland China that obtained a CISA was one of their auditors. They also provide thought leadership that I think is really valuable for auditors. I also think they are the most advanced in terms of using CAATS to carry out their audits. E-mail address: [email protected]. 1467-0895/$ – see front matter © 2012 Elsevier Inc. All rights reserved. doi:10.1016/j.accinf.2012.06.004
186
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
The big four accounting firms are the biggest players in this area in China, but the smaller local firms are quickly catching up. The government does not like the fact that the big four are the dominant firms in China. Even for the state owned enterprises, if you look at all the large Chinese corporations — almost all of them are audited by the big four firms, not local firms. So the government is giving the local firms a lot of support. Plus, you may not know that a lot of professors from North America come to China every year. For example, Professor Boritz mentioned went there eight years ago and prepared a very comprehensive training course on behalf of the China National Accounting Institute which provides continuous professional training. They are using that course to train hundreds of people every year. And most of those people getting trained are from local firms. I did that for two years and then I stopped, because I did not want to train my competitors. (Just joking, I will resume my training efforts this year and I would like to train as many professionals as I can.). The third key group is the industry regulators, and some of them are really good, especially the China Banking Regulatory Commission and the China Insurance Regulatory Commission. I will discuss some of the regulatory requirements later, but they are doing a lot of work in this area because of the fact that the banks and insurance companies are relying on IT so heavily. The fourth key player group is the internal audit departments. This depends on the nature of the business of the company. If they are big banks they have a lot of internal auditors (and some of them are specialized in IT audit). One of the big four banks, which I've been working with, has 4000 internal auditors and reports that it has over 100 auditors with a CISA. They're doing quite a lot of amazing things. Most of them are developing internal tools and programs. So that's the key players in the China Market. If you have questions, please ask. Audience Question: Are the external auditors independent? Is independence as important in China as it is here? Or are the audit departments (both internal and external) captives of the organizations and of government regulation? Philip Yang: External auditors, such as the firm where I work (PWC) are similar to accounting firms elsewhere. We are a non-government agency. We are an accounting firm. We do have to comply with exchange regulations and laws and the CICPA (China Institute of Certified Public Accountants) — the professional CPA association in China, which governs professional ethics and auditing standards. So yes, there are all kinds of requirements on independence. There are also independence requirements on financial audits and internal control audits. In fact, it's a daily struggle for us as auditors. There are many service opportunities that we may spot in our audit clients. But the majority of them we cannot perform. The Ministry of Finance and the industry regulators as well as the supervisory commissions for state-owned enterprises are always monitoring what the auditors are doing for the firms and companies they're auditing. For internal auditors independence is a struggle. The internal auditors are supposed to be independent, but a lot of them are really managed by their management. To address this issue, various government agencies are promoting rules to require that the Chief Internal Auditor report to the audit committee directly; for banks and insurance companies this is a requirement and for listed companies it is recommended in China as well. 3. Regulatory authorities, professional organizations, and audit standards Efrim Boritz: What are the main regulations that govern the practice of auditing, especially of the various engagement types, and what are professional organizations doing in response? 3.1. Regulatory authorities Philip Yang: The regulatory authorities' role is really to oversee assurance engagements. There are three key elements. One of them is measurement criteria. The regulatory authorities are the bodies that set up the measurement criteria for our assurance engagements. Of course, they are the single most important driver of our business because of all those regulatory requirements. The Ministry of Finance is the government agency that sets up the accounting rules and it also sets internal control standards.
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
187
Regulators like the China Banking Regulatory Commission (CBRC), the China Insurance Regulatory Commission (CIRC) and China Security Regulatory Commission (CSRC) set the requirements that include reporting, disclosure, security, IT risk management, internal controls, etc. I will discuss examples later of some of those regulatory requirements. There is also a Standardization Administration of the People's Republic of China (SAPRC) which works with ISOs. They set standards for security, technical standards, China standards, XBRL standards, and others. 3.2. Professional organizations Professional organizations include the China Institute of Certified Public Accountants (CICPA), China Institute of Internal Auditors (CIIA), ISACA China Chapter and the China Information Systems Auditor Union. The CICPA issues China CPA Audit Standards, CPA ethics etc. They also accredit China CPA exams and certifications. The CIIA is not a subsidiary of the IIA; but rather, is an independent organization in China. It was started by a group of people within the National Audit Office a few years ago. The NAO started the CIIA not as an independent organization, but independent in form. The CIIA issues China internal audit standards; for example, internal audit standard number 28 deals with the information systems audit. A lot of those standards are in fact, similar to the IIA's internal audit standards. CIIA also functions as an agent of the IIA in China, to help with the exams, training, and related activities. We have an ISACA China Chapter that operates out of Hong Kong. I stopped renewing my membership with them last year, because they are too far away from Beijing and I can't participate in any of their activities. I tried to join the ISACA chapter at large but they wouldn't accept me. The CISAU is also sponsored by the China National Audit Office. It has money, people and other resources that enable them to choose their initiatives. It's growing in size and it has a lot of activities. So that's a brief summary of relevant professional organizations in China. 3.3. Audit Standards Let's move on to Standards. The CICPA sets the audit standards. I'll just discuss some examples of standards that are related to Information Systems. • • • • • • •
AS1211 — Understanding of client and its environments AS1212 — Considerations on use of service organizations AS1231 — Audit procedures to address significant risks AS1314 — Sampling and other means of substantive tests AS1421 — Use of specialists AS1611 — Audit of commercial banks AS1633 — Impacts of e-commerce to F/S audit
These standards are similar to International Audit Standards, at least in our opinion. First, AS1211 requires that financial auditors consider the client's environment. That includes the client's IT systems and applications. It requires us as auditors to do a walkthrough of all the information systems, making sure that we understand the information going through the system. It also requires that we identify the risks that may cause major errors in financial statements. AS1212 asks us to consider the use of service organizations, similar to elsewhere in the world. In China, it is not common yet for companies to use a service organization for activities that may impact their financial statements, but we see this as a growing trend. Eventually, this will be big for sure because our labor costs are rising so quickly. Ten years ago we only needed to pay $500 for a Nanny. Now, ten years later, we have to pay six times as much. In fact, most companies are experiencing similar increases — a six fold increase in salaries over the past 10 years and still increasing. Part of the reason is inflation. AS 1231 requires us to assess significant risks — we have to understand risk and understand the information system. If information systems can cause misstatements, then we have to design procedures to address those risks. There are circumstances where it is not possible to solely rely on a substantive approach for audit comfort. So we have to understand, document and test the client's controls. That
188
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
includes information systems and IT controls. We may also use CAATS that are required for testing journal entries. This is similar to a U.S. audit standard requirements. AS1421 This standard covers the use of specialists that includes information systems auditors. AS1611 is an audit standard that applies to the audit of commercial banks. They cannot live without information systems and the standard is important to the depositors and the investors. So we have an audit standard just for commercial banks and a large portion of it talks about how we develop an understanding of their system, how we audit their IT controls, and how we use CAATS to audit commercial banks. AS 1633 The last auditing standard that I'd like to mention is one that addresses the impact of e-commerce in the financial statement audit. As auditors we are officially required to consider IT, consider e-commerce and how it impacts our financial audit. To give you some background information, last year the central bank's statistics show that the money going through the e-banking systems is over 600 trillion RMB. That's a few times the size of our GDP. That is understandable because all of my clients are using e-banking now. In fact, everybody I know is using e-banking now. 3.4. Information Systems Assurance Standards Now I'd like to mention some information systems assurance standards. AS3101 is a standard that covers assurance of information other than historical financial information (CICPA). A lot of auditors in China use this as a standard when we are required to just audit IT. Although it doesn't specifically say just for the purpose of IT, that's probably the standard we could use in China if we are just auditing information systems. We also have an Internal Control Audit Guide, that's also by CICPA. This is a standard that addresses the audit and issue of an audit opinion on internal controls, which also, of course, covers information systems, because that's a very significant part of internal controls. The CIIA has a standard I mentioned earlier (Internal Audit Standard No. 28) that covers information systems audit. The China Enterprise Internal Control Standards Framework is summarized in Fig. 1. What you call SOX some people call C-SOX in China, but the government doesn't like it because it is really different. Now what is the difference? The foundation is provided by the Basic Standard for Enterprise Internal Controls promulgated by the Ministry of Finance. The first draft came out in 2005, but was finalized in 2008. The People's Bank of China, that was the central bank before we had a banking regulator, had issued an internal control guide to all the banks that is, in fact, very similar to the COSO framework in the late 1990s. This was followed by the insurance regulator who also issued a guide for the insurance companies using COSO. Around 2003, right after the Sarbanes-Oxley-Act in the U.S., the Shanghai Stock Exchange and the Shenzhen Stock Exchange (these are the two exchanges we have in China), each separately issued internal control guidance, also based on the COSO framework that requires listed companies to assess their internal controls and disclose the results of the audit of internal controls. In addition, for the very large state-owned companies, we have a separate government agency that's called the China State-Owned Asset Management Commission who also issued Internal Control Guidelines for companies that belong to the state or have the state as a large shareholder. After that, it issued an Enterprise Risk Management Guideline for all those companies. The intentions behind all of these regulatory initiatives were good but the companies are confused. Imagine if you're a bank and you're listed in China and your largest stock-holder is the state. You have to, in fact, comply with five or six sets of standards. It didn't work because we, as auditors, first of all did not know how to issue audit reports on Internal Controls. So year after year we were forced to tell our clients and the regulators that we cannot do this because to perform such an engagement we have to have the three basic elements: measurement criteria, subject matter, and audit standards. We (the big four) ended up not issuing any reports. There are however some smaller firms that are issuing reports. So a few of those regulators got together and started developing the new standards in 2006 and the first version came out in 2008. The first version was very aggressive. In fact, it's a mixture of the COSO Internal Control Framework and the COSO ERM framework. The basic standard applies to all medium and large companies that are incorporated in China, even if they are foreign owned. As long as they are incorporated in China, they have to comply with it. Internal control, in fact, covers everything, as you can
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
189
Fig. 1. China Enterprise Internal Control Standards Framework.
imagine. Internal control may affect strategy. Internal control may affect operations, compliance, of course, financial statements, and other objectives. The standard requires companies to assess and disclose. It also requires an audit opinion. So once again we said, “No. We cannot do it because you only have Internal Control Standards but we need auditing standards too. We cannot do it because we don't know how.” So although initially the regulator had said that the standard would come into effect as of January 1st 2008, nobody could do it, so they postponed it. The final version came out in late 2008 and became effective January 1st 2009 for the basic standards. This gave time for the companies to adapt to the requirements and improve their practices. The principles didn't change much. They use a COSO framework. The standard defines the board's responsibilities for internal control, similar to elsewhere. Also, it requires an assessment, and disclosure, but does not mention an audit. It only says that you could use an audit and leaves that to other regulators like the Stock Exchanges or the China Security Regulatory Commission and Industry Regulators. The companies are saying that this basic standard is too principles based — they have to assess risk; they have to monitor risk; they have to measure risk; they have to have a risk response, internal control procedures, information systems, information communication, and monitoring. But how to they implement these? In response, the Ministry of Finance invited experts, academics and professionals from all the accounting firms, including the big four, to form an advisory committee on Internal Control Standards. Also, before they did anything else, they set up a rule on the working procedures of the task force. And with that, they moved on, step by step. They issued the Internal Control Application Guidelines. Right now there are eighteen guidelines. In response, the banks and insurance companies are saying, “Those [standards] are good, but we are really different from other companies.” So the industry regulators came in, and based on the Basic Standards and Application Guidelines, they issued Internal Control Requirements for specific industries, like banks and insurance companies, to compliment the Basic Standards. The Security Regulatory Commission and the Stock Exchanges also issued disclosure requirements so that the companies would know when and how and what they should assess and what they should disclose. Also, effective 2011 they require audits. This is the first year required that all companies listed on the China Mainboard and on overseas stock exchanges, such as Hong Kong or the U.S., must assess, disclose and be audited on their Internal Controls. The Internal Control Audit Guidelines are issued by the CICPA — we are, in fact, happy that they listened to us. They understand now that we, as auditors, cannot audit Internal Controls for strategic objectives. We cannot audit Internal Controls and express an opinion on operational objectives. We're just doing the audit to address internal controls over financial reporting. We, as auditors, have to use that standard and the companies have to use the Internal Control Assessment Guide. I think it's a nice system. Everyone knows what to do, how to do, and where to do it. Companies are required to assess all the internal controls and disclose,
190
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
and we, as auditors, if we notice any material weakness in other controls during our audit, we still need to disclose this in our audit report. 3.5. Internal Control Application Guidelines Let's move on to the Internal Control Application Guidelines, the second row from the bottom in the framework in Fig. 2, consisting of 18 processes identified by the Ministry of Finance; for example, information systems. The structure of every detailed guideline is to first define the process — what is information systems, what is procurement, etc. — that is the first section. Then, they move on to key risks of those processes — key risks of procurement: you have risks that you may buy things that you really don't need; you may buy things that you're paying too much for; and there might be fraud, etc. After they discuss the key risks, they move on to good control practices. You have to have separation of duties. The person who initiated the request for procurement should not be the person who approves it. The person who receives the goods should not be the person who does the procurement. There are quite detailed best practices listed under control activities. That's the structure of every one of these 18 detailed guidelines. And then there are other things you might find interesting, like social responsibility. We may not have time to discuss this but that's a requirement. It's actually a requirement by the stock exchanges. All listed companies now have to disclose, provide, and file a social responsibility report every year, and it's recommended that this report be audited. Our firm is doing some audits of social responsibility reports. 3.6. IT Risk Management Guide for Commercial Banks I talked about regulatory requirements earlier, so I will give another example of regulatory requirements — IT Risk Management Guidelines for Commercial Banks. These guidelines cover the following topics: • • • • • • • • • • •
Chapter 1, General Guidelines Chapter 2, IT Governance Chapter 3, IT Risk Management Framework Chapter 4, Information Security Chapter 5, IT Application Development, Test and Maintenance Chapter 6, IT Operation Chapter 7, Business Continuity Management Chapter 8, Outsourcing Chapter 9, Internal Audit Chapter 10, External Audit Chapter 11, Other Matters
Fig. 2. Internal Control Application Guidelines.
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
191
As you can see there is a very comprehensive guideline. For internal audit, it says that the internal audit department should have auditors that have relevant IT knowledge and experience. Internal auditors should do the audit based on their situation, but at least once every three years, they should do a comprehensive audit of their IT risk management. For external audit, it says banks may engage external auditors to audit IT. Of course, it doesn't talk about what standards we should use as external auditors. I've not done any yet, but I've done some consulting projects for the banks on IT risk management; it's quite interesting. 3.7. E-Banking Security Assessment Guidelines for financial institutions 3.7.1. General requirements I'll discuss another example that is also from the bank regulator. The banking alliance, not just the banks, but in fact all the financial institutions, have to assess their e-banking activity. This covers security strategy, control policies, risk response, system security, and client protection and privacy. This last requirement may surprise some of you. But in fact we have a law effective April 2nd 2009 that makes it a criminal offense if you obtain significant personal information illegally. The first conviction was a guy who was a private investigator. We call them consulting firms. He got a phone bill of a person on behalf of his client. The phone bill showed all the contacts that person had, and he provided it to his client. His client used that phone bill to blackmail people. The consultant was convicted and sentenced to one and half years in prison. The charge was illegally obtaining personal information. That's why the Chinese constitution was revised. It's a formal crime to illegally obtain personal information. It doesn't matter whether or not you use it for profit, so long as you do it illegally. Financial institutions providing e-banking services should have an overall assessment at least once every two years. 3.7.2. Assessment agent In terms of an assessment agent, you can use an internal independent department so long as it has the expertise to do the assessment. You may also hire external organizations to do the assessment. For external organization you can use an organization that's certified by the CBRC. For example, they're certifying consulting firms who can do the assessment. You may also use those that are not certified by the CBRC. For example, the big four are not certified by the regulators, but we can still do an assessment. 3.7.3. Execution of Security Assessment For the Security Assessment, the scope of the assessment includes security strategy, internal control policy, risk management status, system security, E-banking business continuity planning, contingency plans, risk monitoring and alert(early warning) system I won't get into the details of the scope, but I will talk about the report here — the report should include at least: 1) time, scope and other key terms in the assessment contracts, 2) assessment framework, procedures, approach; bios of the assessors, 3) definition and standard for risk weights, risk classification, and risk calculation, 4) description of assessment subjects and assessment activities, 5) conclusions, 6) recommendations to the institution on e-banking security, 7) any other matters worth mentioning, 8) terminologies and international or domestic standards used, 9) assessment work program as attachments, 10) name list of assessors — that's quite complicated. I've done some assessments, but the report I did wasn't really what they asked of me because what they're asking, essentially is to have a quantitative measurement of the risks and controls and residual risks, conclusions, recommendations on e-banking security, etc. 3.7.4. Timing and filing requirement An assessment needs to be done before the roll out of e-business by a financial institution. An assessment also needs to be done when the following events occur: 1) system taken down by attacks, 2) prolonged downtime after system changes, 3) major hardware failures causing prolonged service interruptions, 4) any other events that an assessment is deemed necessary. Branches of foreign financial institutions in China do not need to do a separate assessment if their e-banking systems are located overseas and assessments are done by their parents. However, they still need to file reports with CBRC on those assessments.
192
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
Upon completion of an assessment report, the financial institution should file the report with CBRC within one month. Audience Question: In terms of the e-commerce and e-banking, is there anything going on in the area of digital cash like bitcoins? Are there regulations for that? Is it being tolerated? Is it being encouraged? Philip Yang: Before this year it was not really regulated. There are a lot of companies arguing that e-payments are equivalent to PayPal and those types of companies. You may have heard of the Yahoo case. That's a joint venture — they owned some shares of Ali-baba, they do B2B and B2C, which is very big in China. They have a subsidiary that's doing e-cash, equivalent to PayPal. They are the largest player in China. But a regulation came out this year that requires compliance with technical standards, controls, etc. You have to obtain the central bank's approval to be in that business and I think they only gave out five or six licenses so far. My firm is doing some consulting work in this area, although not as much as we would expect. Audience Question: One of the questions I had about this internal control assurance being required and provided is that when the external auditors provide the assurance are they providing assurance at a point in time like we're required to in the U.S., or does it actually cover the full period? What type of assurance is being offered? Philip Yang: The opinion is point in time. Right now, we only have the Internal Control Audit Standard but they are drafting a detailed set of guidelines and explanation for the draft. It probably won't be effective until next year. We are using our judgment at this moment but in the draft guidelines, they require a certain period of testing. I think it is three months, at the minimum. So you would not be able to only test controls immediately before the year end, and then conclude that they're fine. Audience Question: You mention that now in China you're having sustainability reporting. And you're also doing audit. Just wondering, first, do you have some kind of regulatory guidelines to watch what is being reported? And, what is driving the assurance, if it is not required? Is there still some form of requirements for how those audit reports are being done and is there again, some sort of standard guidelines that you follow? Philip Yang: I have done a sustainability report for a client. In fact it's a corporate responsibility report. Why would people want to be audited if it's not a requirement? In this year's campus recruiting, one of the slogans for our firm is, “We are green.” Why? Because we see that the younger generations are no longer attracted by telling them that in ten years they can become a partner. That's not their whole concern. They may not be concerned at all. But, a lot of them are aware of global warming. They want to join a firm that is socially responsible. The most important purpose for our firm, really, is to attract talent, to make people feel they are working with an organization that is a good corporate citizen. It is similar for other companies. The banks want to show their investors that they are good business partners. The report I have on China Development Bank is public. We did not assess the bank yet, but they asked us to do the audit of their social responsibility report. The social responsibility report covers efficient use of energy, efficient use of resources, being a good corporate citizen, taking care of their community, environmental protection, and other topics. If the company is not listed, the framework we use is GRI (the Global Reporting Initiative). If the company is listed then we use the Stock Exchange disclosure requirements. They have very detailed disclosure requirements for social responsibility reports. The Internal Control Guidelines also talk about social responsibility and have a very detailed guideline on what you are recommended to do in regards to social responsibility. For some other companies, sustainability reporting is a very important cost-cutting method. If you are an IT-related company, you have a lot of servers. Electricity consumption is a huge portion of your operating costs. Cutting your electricity consumption not only helps society but it also helps you in terms of improving profitability. So, there are quite a few factors that companies would
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
193
consider in choosing to do report on social responsibility, and some of them would like to be audited as well. For such engagements we use International Audit Standard 3000. International standards are accepted by the Chinese authorities. Some other firms use the other standard I just mentioned, the CICPA standard. It is called Assurance Standard on Assurance of Non-historical Financial Information — so we may use that for the audit as well. Audience Question: You've spoken highly of COSO as one of the development points of some of the control structures in China. You can't do a SOX IT audit in the U.S. without using COBIT, because the AICPA and others have pretty much adopted it informally as the standard. You had a slide, a few slides back, that looked like it was kind of a COBIT approach with the three columns. You're looking at the same kind of step-by-step issues but you haven't mentioned COBIT. Philip Yang: We use a COSO framework, but the framework is really just a structure and thinking process. The detailed Application Guidelines does address COBIT-like principles. So yes, those are good reference frameworks and systems that the standards and detail guidelines incorporate. I did not mention COBIT because we use China specific standards. Audience Question: How can you get 400 ISACA grads without them adopting COBIT. What are you doing in your exams? What I'm saying is that here we use that framework so extensively that it's inconceivable to omit it when we make our exams and when we go through all of our other training courses. You have so many students in China I would have thought they would have been closer to adopting that mainstream IT approach. Philip Yang: Precisely. That's what we use when we do our work. If you recall the IT Risk Management Guidelines by CBRC; in the report they also ask you to disclose what tools and references you used. That may include international standards such as ISO 27OO1 or COBIT. Those frameworks are in fact discussed by the government bodies. They say that they are very good frameworks for us to use. There is no point for us to reinvent the wheel, or reinvent COBIT and make a Chinese COBIT. In practice, it's kind of a challenge. China does not have very good accepted standards. That's why our accounting firms are lagging behind although the economy is pushing forward. E-commerce is developing so fast. We, as auditors, are not doing much and one reason is because we're lagging behind in terms of reference frameworks, measurement standards and audit standards. So, in practice, we do try to use, whenever necessary, whatever we can get such as ISACA research. 4. Information systems related services and opportunities Efrim Boritz: We'll move on to talking about services and opportunities. What are the key types of engagements that are being performed and what are the opportunities in the information systems assurance area? Philip Yang: OK. In answering your question, I will cover the following: • Audit of IT for the purpose of F/S audit • Audit of IT as part of internal control audit • Compliance driven IT assurance work, especially for financial institutions such as banks and insurance companies • Audit report on internal controls of service organizations (ISAE3402) • Consulting projects: IT strategy, IT governance, IT risk, IT security, Data integrity, IT projects
4.1. Audit of IT for the purpose of financial statement audit This area involves the single largest portion of IT auditors in accounting firms. The companies we're serving like the banks and insurance companies, fund management companies and IT companies, companies
194
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
offering online games, B2B, C2C, B2C, etc. These are the ones that really need us. When we do audits, we need to audit their IT. 4.2. Audit of IT as part of internal control audit From this year, the very big challenge is we are not receiving the amount of fees we would expect to get, because all of a sudden, in addition to auditing financial statements we have to, I guess similar to North America with SEC registrants, do an audit of IT as a part of the internal control audit. That's the second largest part of our work. 4.3. Compliance driven IT assurance work The third type of service we are doing is compliance driven IT assurance work, especially for financial institutions. I showed you our bank regulator's requirement on IT risk security assessment. There are also similar requirements for the insurance companies, for fund management companies, for investment banking companies, and they have to assess and file the report. The difficulty is that they have no clear audit standards. There are also no clear measurement criteria. Some of these regulatory requirements you may view as measurement criteria, but they are not good enough or usable enough for an assurance engagement. So what we do is we try to package our service and reports so that they are not assurance reports. 4.4. Audit reports on internal controls of service organizations The next service we have is audit reports on internal control of service organizations. We use ISAE 3402 now because we don't have an equivalent China standard. We previously used SAS 70. However, whereas here that report is for the service organizations and their auditors, most of our clients use the report for their marketing and sales purposes. Most reports we do are for public fund management companies, asset management companies, and banks. They use the report to show their customers that their money is in good hands. This is not a big service, it is not profitable, and there are only two main players. One is the firm I work with. The other firm is Ernst & Young. We are competing very hard against each other, so we're keeping the price very low. 4.5. Consulting projects Consulting projects may not be called assurance projects, but we do a lot of them: IT strategy review, IT planning, IT governance consulting, IT risk, IT security, data integrity, and IT implementation. We have a lot of proposals going on about this throughout the IT life cycle. Audience Question: When you do your IT consulting, can you this for your audit clients or are there restrictions like in the U.S.? Philip Yang: There are restrictions. Audience: So it's pretty much for other people's audit clients. Philip Yang: Yes, but if it's assurance it's okay. Audience: Yes, but I was thinking IT risk, would that be assurance? Philip Yang: IT risk, as a consulting project, we could do as long as we can prove that it is not directly related to the generation of financial statement information. Audience Question: In the environment that you have described in China, its changing so fast, maybe leading in some areas, but I cannot believe that you or we can go into most operations in China and not find significant control weaknesses as we understand them, like an IT environment or
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
195
application control weakness. What about accountability? What happens when people have weaknesses? What do they have to do? Who holds them accountable? Philip Yang: It is a struggle. Yes, we did find material weaknesses in some of our clients that included IT. But IT is a different issue because we, as auditors, only issue an opinion on the internal control over financial reporting. So one thing we could try to do is to look at remediation of those controls — making sure that before they disclose the report, even though there are breakdowns during the process, what else they can do so they at least disclose their financial statements correctly. But, on the operational side, we need to have some reports that say that they may have, or do have, material weaknesses. The ultimate responsibility for internal control lies with the board. I believe in the U.S. it's the CEO and CFO. But, it's the Board in China. They are the ones that are responsible for establishing, assessing and disclosure of internal controls. Audience Question: The whole point with SOX in the U.S. is that you have to disclose and your auditors have to disclose material weaknesses and that includes IT environment processes like systems development. So if you happen to introduce the newest version of SAP just before your year end, the likelihood is poor that it's up and running acceptably well and can be attested to then all of those implementation and development controls, etc. are financial statement oriented as well as core IT processes and therefore there are whole regions of IT control that can't be kept outside of the finance end. So I think if you're looking for those things like the new SAP introduction, you've got a very strong likelihood of serious control questions that would spill over into the credibility of the financial statements that they produce. Philip Yang: In fact, that's a selling point for us, as an accounting firm, to be involved in a major system implementation. What we tell them precisely what you said. In the past they just hired consultants, system implementers such as IBM, etc. Now, a lot of them do hire us as an assurer. So up front we ask them when they do the new implementation, have you done the chart of accounts right? Have you done the forms right? Is the mapping between your business system and your ERP system and to the disclosure system correct? So we did find a lot of issues with how the IT companies implemented the systems. I just did one for a major insurance company two years ago and the report is pretty thick. It contains recommendations for improvement of a process of SAP implementation. That is really valuable, and if they didn't do it, for sure they would have had material weaknesses. Audience Question: I work for a bank. In North America and especially in Europe there's been a huge increase in bank regulations. How is that in China and how does that impact the audit? Philip Yang: We also have a lot of regulations by the bank regulators. Banks normally feel at a loss as to whether or not they should act for business or for compliance. Are they in the compliance business? Some of the regulations are good and at least make the banks feel comfortable in China, for example, regulations on interest on deposits and regulations on interest on your loans. That keeps a very good margin for the banks. And that's why we as consultants have an opportunity to come in to do the work. We have done some research. Once every two years, we talk to the banks about the challenges they are facing. The number one challenge to them, especially for the foreign banks in China, is regulatory complications. Audience Question: There's been a lot of activity related to the health care industry and health care providers and security over their systems and also privacy. Have you seen an increase in that activity in China related to health care and the protection of personal information and medical information? Philip Yang: I would like to say yes, but no, not for health care. That industry is in fact primarily run by the government and it needs improvement. Audience Question: Is there a trend in terms of TPAs (Third Party Assurance)?
196
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
Philip Yang: TPA audits of service organizations is one area we want, we hope that will increase. We're doing banks and fund managements companies primarily now, and in that sector we see huge growth. The new money they get this year is ten times the money they've gotten in the past ten years. So you see the trend. We do see the growth. Just for this sector, the fund management and asset management sectors. We are expecting to see outsourcing activities increase for efficiency, for specialization and we will do TPAs for those companies. I was just talking about an opportunity last night. They were talking about a charity fund. They get donations from corporate and personal funds and then spend the money for good purposes. There were some bad cases in the past so people stopped donating money to these organizations. So [the Charity Funds] are worried — no money coming in. No money to donate to Africa or remote Chinese villages like where I was living. So yesterday they called and said, “Can you do a TPA for us? I am considering it.” Audience Question: In your view when do you see the projected timeline that TPA regulations will be established in China, because they're currently using the international standard? Philip Yang: People are too busy to do other things so in fact it's us, as professionals, to blame. We're not spending time to carefully think through the market trends, what the market may need, and what we, as accounting firms, can do. So we don't have a planned timeline. Maybe the CICPA does, but I haven't seen it. Audience Comment: That's going to be a huge market. Philip Yang: Yes, but then other areas are already big. People are too busy making easy money. Audience: Earlier, you had said something about the recommendations or requirements for internal audit to report to the audit committee. What about the head of IT security? Is there any best practices, recommendations or even regulations about to whom should that person report in China? Philip Yang: Yes, there are security requirements. The governance requirements talk about IT security but unfortunately I haven't met even one case where we have a head of IT security or Chief Information Security Officer. Security is normally under the IT department, and if they're good then they have a separate department managing security. If they're not as good then there are just some operations people taking care of security or some other people taking care of security. Technically, yes, we're doing it, but in terms of a good governance structure I think people are not doing much, or it's not on the agenda yet. Audience Question: I'd like to know who's training all your people. I'm an educator, so what's the typical stream for where your professionals are coming from? Philip Yang: Some academics visit China every year to teach for free or half-price. The big four firms have our own internal training systems. In my firm, for example, we share our training methodology, tools, etc., globally. Every year in the Beijing office we hire around 50 new graduates. We have around 300 people doing IT audit and internal control related work. It's increasing very fast. When I first joined the firm in Beijing in 1996 we didn't have any IT auditors. Not until the year 2000 did we establish a new department with a few people and now we have 300. We trained them internally and also the universities and continuous professional education firms, they do the training for the general public. The National Accounting Institute has a course developed by Professor Boritz on IT audit for the purpose of financial statements. So they're using that to train hundreds of people every year. Also, through ISACA, a lot of people study and take the exam. I don't know the exact number, perhaps in the thousands, because we can take the exams locally in Beijing, Shanghai, Guangzhou — all of the large cities.
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
197
5. Key challenges and trends Efrim Boritz: So in the last few minutes that we have left I asked Phillip to talk about the key challenges and trends that he sees developing now and I think some already have been mentioned — the issue of talent and so forth — but, maybe you can just take us through some of these points? Philip Yang: Talent is our single most important worry. Last year I took on a new account. The budget for just the IT audit is over 20,000 hours. It started with just me, so for a long time I couldn't fall asleep at night thinking, “Oh my God, 20,000 hours or more!” Then I had an idea: Just me with 24 hours a day times 365 days, I have 9000 hours to start with! That gave me hope, but still I couldn't do it. I recruited some experienced hires. I also got a few fresh graduates. So now, eight months later, I have a pretty good team together. But it's also challenging. I have to train them. Some of them don't have enough experience. They don't have enough knowledge. So it's a lot of challenges in terms of talent. There are a lot of people taking the CISA exam but the number is not enough. In terms of numbers, it's not enough. In terms of knowledge and experience, it's definitely not enough. It might be too shallow for what our clients our really expecting. So talent is an issue. Another issue I that I have talked about is standards. As CPA firms, we should be the ones that give people comfort because e-business and e-banking are growing so fast. But we're not doing enough. We're doing very little. The reason is really because first of all, we ourselves don't have enough clear standards — no measurement criteria, no audit standards. You can borrow, but then people may think that it's an international standard and may not be China specific. So that's an area we need to work on. I think that's really important for the development of the profession. Comfort about the security of e-commerce is mainly provided by the technological firms, not us as auditors. As we all know, management, not technology, is the single most important factor that impacts security, reliance, and trust. IT strategy and planning and IT investment management represent a key trend. Last year, the government's investment in IT systems was about 17 billion RMB. That's roughly four times the cost of the Olympic facilities. If you want to figure out how much that is in U.S. dollars, just divide by 6.3. Five years ago, you divided it by 8.3. In the newspaper a few days ago, it was reported that somewhere in northern China a government agent purchased an iPod. For what? His basic IT needs because he defined it as a USB flash drive. In another case reported in the newspapers the police in southern China were equipped with state-of-the-art Mac Computers that cost 10 times as much as basic laptops. Their explanation was that they need good equipment to serve the public because they want to get good pictures of traffic violators so they can catch the bad guys very quickly. So you see the difference. You can spend 1000 RMB on a basic computer. You can also spend 20,000 RMB for a very good computer, but how do you justify it? So that's the thinking of the China National Audit Office. They want to figure out a framework to audit the investment in IT, the benefits realized from investments in IT. One client was asking me if I could help them find out the IT budget of another similar company. So I asked the company, “Are you okay to share your budget?” He said, “Okay, it's 2 billion RMB.” A big number. So I told the other company. They said, “Then ours should probably be 1.5 billion RMB.” I said, “Why?” They said, “Their company is bigger than ours so our budget can be a bit less.” Obviously, that is not a satisfactory answer. And that's the regulators' concern as well (bank regulators, the insurance regulators). The companies should instead be asking, “How much do we need to invest to have effective security? What is a reasonable amount?” In one case, four years ago, I helped a client's IT department to design and implement real-time monitoring, or what you call a continuous audit system. Since then, they have had very good findings. They went to the compliance department and told them, “Look, these are funny activities. Have you found them?” They went to the front desk management department and said, “Look, these are odd activities. Do you know about them?” They were at a loss. But then they figured out that this was a very good monitoring system. So last year the compliance department went through the approval process to get a budget of 5 million to handle compliance issues quickly in real time. Management approved formally and the next day the front desk operations department went through the approval process. They got a budget of 8 million for a front desk monitoring system. But both of
198
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
them are unnecessary duplications of investment in a monitoring system that already exists. The executive in charge of IT noticed this and called us in. We helped them to design an integrated platform for real-time monitoring, that can be shared, but also properly segregated. You share most of the processes and functions, but then for your internal audit there are things you don't want other people to know you are monitoring. So you may define your own role, define your own level of alerts and do your own procedures. If you are the front desk management department, you can use the same system and your activities can be shared or they can be hidden. To do that, we charge 1.5 million, representing a huge savings for the company. So why was I talking about this? As IT auditors we can contribute to companies realizing huge benefits from huge investments. And that I think requires academics and practitioners to sit down together and figure out measurement criteria, a standard, that we as practitioners can use. The National Audit Office is doing a lot of good things. But they are not willing to share everything they do with us. So we need to develop our own approaches. And that can benefit the companies that we audit. Audience Question: My question is an overarching question: You've been talking about IT audit and audit in China for over an hour now and I'm wondering about culture. I'm wondering how people perceive auditors. Whether it's, “Hi, I'm here the auditor your friend.” Or, “I'm the police.” Or, “I'm an agent of the state.” Is it cooperative, confrontational or if it depends on the circumstances? Philip Yang: As I said it's becoming a global village. So we know that April 1st is not a good time to implement a new law but, April 2nd is fine. As auditors, it depends on the type of engagement we do. Sometimes we are hired by the regulators to do the audit for them, so that's not a friendly environment. But if we come in as consultants, that's a good cooperative environment. For other assurance projects, they know we're not a government agency. Even if we find problems, we're not government. We don't have any power. The only thing we want to do is to help them improve their processes. I always try to let our clients know that although we are auditors, we are trying to help. We let them know what they can do to be good — if you do this, along the way, it will benefit you and it will benefit us. If it's nasty and difficult we all suffer. It's probably similar to what you experience as auditors over here. It also depends on the attitude and communication skills of the auditors, of course. Some auditors don't know their roles. They may be arrogant and they may act as if they were government officers. And some may be unconsciously incompetent. So in those cases there can be not-so-harmonious moments. Audience Question: We see a lot of Chinese graduate students down in the U.S. and our graduate students will have one course in IT audit as well as several background graduate systems courses. So in terms of talents, what are the opportunities for a student educated that way when they return to China? Philip Yang: Plenty. We have a program called the China Sourcing Program. We have people from China located in the U.S. and they are involved in full-time recruiting. We visit several campuses. We also open our website for people to send their applications to us so that we can interview them here in North America. Efrim Boritz: This has been a most fascinating and informative presentation. I'm sure all of you agree. Phillip has a wealth of knowledge and on an impromptu basis can address questions that are as far ranging as opportunities for students to the cultural aspects of how auditors are viewed. So once again I would like to thank Phillip for making the long trip from China to Canada and for sharing his wealth of information with us. Phillip will be here for the rest of the conference so please take an opportunity to introduce yourself and ask him about his work or any other things you may be interested in. Please join me in thanking Phillip for this wonderful presentation. Philip Yang: Thank you all for giving me the opportunity.
Contents lists available at SciVerse ScienceDirect
International Journal of Accounting Information Systems
Discussion
Information systems assurance practices in China: Where they are and where are they going? Philip Yang PricewaterhouseCoopers, Beijing, China
a r t i c l e
i n f o
Article history: Received 20 October 2011 Accepted 11 June 2012
1. Introduction The formal part of Philip Yang's presentation was in the form of a series of questions that he had agreed to address in advance of the symposium. This was supplemented by questions from the audience.
2. Key players in information systems assurance in China Efrim Boritz: Who are the key players in Information Systems Assurance in China? Philip Yang: First, a disclaimer: Anything I say here does not represent the opinion of the firm. Any specific examples I presented are not real cases. Instead, they are composites for use as examples. So please, don't relate them to any specific company. Now to answer the question. There are in fact four main types of key players in China. The first one is the National Audit office (China National Audit office). They are in fact the first ones who seriously started performing audits and IT audits in China. Twenty or thirty years ago, the majority of Chinese companies were state owned and the NAO was doing the audits of those entities, although they were primarily focused on detecting frauds, finding irregularities, etc. They are a large organization with literally thousands of auditors all over China; including many IT auditors many of whom have the CISA designation. The National Audit Office claims that the first person in mainland China that obtained a CISA was one of their auditors. They also provide thought leadership that I think is really valuable for auditors. I also think they are the most advanced in terms of using CAATS to carry out their audits. E-mail address: [email protected]. 1467-0895/$ – see front matter © 2012 Elsevier Inc. All rights reserved. doi:10.1016/j.accinf.2012.06.004
186
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
The big four accounting firms are the biggest players in this area in China, but the smaller local firms are quickly catching up. The government does not like the fact that the big four are the dominant firms in China. Even for the state owned enterprises, if you look at all the large Chinese corporations — almost all of them are audited by the big four firms, not local firms. So the government is giving the local firms a lot of support. Plus, you may not know that a lot of professors from North America come to China every year. For example, Professor Boritz mentioned went there eight years ago and prepared a very comprehensive training course on behalf of the China National Accounting Institute which provides continuous professional training. They are using that course to train hundreds of people every year. And most of those people getting trained are from local firms. I did that for two years and then I stopped, because I did not want to train my competitors. (Just joking, I will resume my training efforts this year and I would like to train as many professionals as I can.). The third key group is the industry regulators, and some of them are really good, especially the China Banking Regulatory Commission and the China Insurance Regulatory Commission. I will discuss some of the regulatory requirements later, but they are doing a lot of work in this area because of the fact that the banks and insurance companies are relying on IT so heavily. The fourth key player group is the internal audit departments. This depends on the nature of the business of the company. If they are big banks they have a lot of internal auditors (and some of them are specialized in IT audit). One of the big four banks, which I've been working with, has 4000 internal auditors and reports that it has over 100 auditors with a CISA. They're doing quite a lot of amazing things. Most of them are developing internal tools and programs. So that's the key players in the China Market. If you have questions, please ask. Audience Question: Are the external auditors independent? Is independence as important in China as it is here? Or are the audit departments (both internal and external) captives of the organizations and of government regulation? Philip Yang: External auditors, such as the firm where I work (PWC) are similar to accounting firms elsewhere. We are a non-government agency. We are an accounting firm. We do have to comply with exchange regulations and laws and the CICPA (China Institute of Certified Public Accountants) — the professional CPA association in China, which governs professional ethics and auditing standards. So yes, there are all kinds of requirements on independence. There are also independence requirements on financial audits and internal control audits. In fact, it's a daily struggle for us as auditors. There are many service opportunities that we may spot in our audit clients. But the majority of them we cannot perform. The Ministry of Finance and the industry regulators as well as the supervisory commissions for state-owned enterprises are always monitoring what the auditors are doing for the firms and companies they're auditing. For internal auditors independence is a struggle. The internal auditors are supposed to be independent, but a lot of them are really managed by their management. To address this issue, various government agencies are promoting rules to require that the Chief Internal Auditor report to the audit committee directly; for banks and insurance companies this is a requirement and for listed companies it is recommended in China as well. 3. Regulatory authorities, professional organizations, and audit standards Efrim Boritz: What are the main regulations that govern the practice of auditing, especially of the various engagement types, and what are professional organizations doing in response? 3.1. Regulatory authorities Philip Yang: The regulatory authorities' role is really to oversee assurance engagements. There are three key elements. One of them is measurement criteria. The regulatory authorities are the bodies that set up the measurement criteria for our assurance engagements. Of course, they are the single most important driver of our business because of all those regulatory requirements. The Ministry of Finance is the government agency that sets up the accounting rules and it also sets internal control standards.
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
187
Regulators like the China Banking Regulatory Commission (CBRC), the China Insurance Regulatory Commission (CIRC) and China Security Regulatory Commission (CSRC) set the requirements that include reporting, disclosure, security, IT risk management, internal controls, etc. I will discuss examples later of some of those regulatory requirements. There is also a Standardization Administration of the People's Republic of China (SAPRC) which works with ISOs. They set standards for security, technical standards, China standards, XBRL standards, and others. 3.2. Professional organizations Professional organizations include the China Institute of Certified Public Accountants (CICPA), China Institute of Internal Auditors (CIIA), ISACA China Chapter and the China Information Systems Auditor Union. The CICPA issues China CPA Audit Standards, CPA ethics etc. They also accredit China CPA exams and certifications. The CIIA is not a subsidiary of the IIA; but rather, is an independent organization in China. It was started by a group of people within the National Audit Office a few years ago. The NAO started the CIIA not as an independent organization, but independent in form. The CIIA issues China internal audit standards; for example, internal audit standard number 28 deals with the information systems audit. A lot of those standards are in fact, similar to the IIA's internal audit standards. CIIA also functions as an agent of the IIA in China, to help with the exams, training, and related activities. We have an ISACA China Chapter that operates out of Hong Kong. I stopped renewing my membership with them last year, because they are too far away from Beijing and I can't participate in any of their activities. I tried to join the ISACA chapter at large but they wouldn't accept me. The CISAU is also sponsored by the China National Audit Office. It has money, people and other resources that enable them to choose their initiatives. It's growing in size and it has a lot of activities. So that's a brief summary of relevant professional organizations in China. 3.3. Audit Standards Let's move on to Standards. The CICPA sets the audit standards. I'll just discuss some examples of standards that are related to Information Systems. • • • • • • •
AS1211 — Understanding of client and its environments AS1212 — Considerations on use of service organizations AS1231 — Audit procedures to address significant risks AS1314 — Sampling and other means of substantive tests AS1421 — Use of specialists AS1611 — Audit of commercial banks AS1633 — Impacts of e-commerce to F/S audit
These standards are similar to International Audit Standards, at least in our opinion. First, AS1211 requires that financial auditors consider the client's environment. That includes the client's IT systems and applications. It requires us as auditors to do a walkthrough of all the information systems, making sure that we understand the information going through the system. It also requires that we identify the risks that may cause major errors in financial statements. AS1212 asks us to consider the use of service organizations, similar to elsewhere in the world. In China, it is not common yet for companies to use a service organization for activities that may impact their financial statements, but we see this as a growing trend. Eventually, this will be big for sure because our labor costs are rising so quickly. Ten years ago we only needed to pay $500 for a Nanny. Now, ten years later, we have to pay six times as much. In fact, most companies are experiencing similar increases — a six fold increase in salaries over the past 10 years and still increasing. Part of the reason is inflation. AS 1231 requires us to assess significant risks — we have to understand risk and understand the information system. If information systems can cause misstatements, then we have to design procedures to address those risks. There are circumstances where it is not possible to solely rely on a substantive approach for audit comfort. So we have to understand, document and test the client's controls. That
188
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
includes information systems and IT controls. We may also use CAATS that are required for testing journal entries. This is similar to a U.S. audit standard requirements. AS1421 This standard covers the use of specialists that includes information systems auditors. AS1611 is an audit standard that applies to the audit of commercial banks. They cannot live without information systems and the standard is important to the depositors and the investors. So we have an audit standard just for commercial banks and a large portion of it talks about how we develop an understanding of their system, how we audit their IT controls, and how we use CAATS to audit commercial banks. AS 1633 The last auditing standard that I'd like to mention is one that addresses the impact of e-commerce in the financial statement audit. As auditors we are officially required to consider IT, consider e-commerce and how it impacts our financial audit. To give you some background information, last year the central bank's statistics show that the money going through the e-banking systems is over 600 trillion RMB. That's a few times the size of our GDP. That is understandable because all of my clients are using e-banking now. In fact, everybody I know is using e-banking now. 3.4. Information Systems Assurance Standards Now I'd like to mention some information systems assurance standards. AS3101 is a standard that covers assurance of information other than historical financial information (CICPA). A lot of auditors in China use this as a standard when we are required to just audit IT. Although it doesn't specifically say just for the purpose of IT, that's probably the standard we could use in China if we are just auditing information systems. We also have an Internal Control Audit Guide, that's also by CICPA. This is a standard that addresses the audit and issue of an audit opinion on internal controls, which also, of course, covers information systems, because that's a very significant part of internal controls. The CIIA has a standard I mentioned earlier (Internal Audit Standard No. 28) that covers information systems audit. The China Enterprise Internal Control Standards Framework is summarized in Fig. 1. What you call SOX some people call C-SOX in China, but the government doesn't like it because it is really different. Now what is the difference? The foundation is provided by the Basic Standard for Enterprise Internal Controls promulgated by the Ministry of Finance. The first draft came out in 2005, but was finalized in 2008. The People's Bank of China, that was the central bank before we had a banking regulator, had issued an internal control guide to all the banks that is, in fact, very similar to the COSO framework in the late 1990s. This was followed by the insurance regulator who also issued a guide for the insurance companies using COSO. Around 2003, right after the Sarbanes-Oxley-Act in the U.S., the Shanghai Stock Exchange and the Shenzhen Stock Exchange (these are the two exchanges we have in China), each separately issued internal control guidance, also based on the COSO framework that requires listed companies to assess their internal controls and disclose the results of the audit of internal controls. In addition, for the very large state-owned companies, we have a separate government agency that's called the China State-Owned Asset Management Commission who also issued Internal Control Guidelines for companies that belong to the state or have the state as a large shareholder. After that, it issued an Enterprise Risk Management Guideline for all those companies. The intentions behind all of these regulatory initiatives were good but the companies are confused. Imagine if you're a bank and you're listed in China and your largest stock-holder is the state. You have to, in fact, comply with five or six sets of standards. It didn't work because we, as auditors, first of all did not know how to issue audit reports on Internal Controls. So year after year we were forced to tell our clients and the regulators that we cannot do this because to perform such an engagement we have to have the three basic elements: measurement criteria, subject matter, and audit standards. We (the big four) ended up not issuing any reports. There are however some smaller firms that are issuing reports. So a few of those regulators got together and started developing the new standards in 2006 and the first version came out in 2008. The first version was very aggressive. In fact, it's a mixture of the COSO Internal Control Framework and the COSO ERM framework. The basic standard applies to all medium and large companies that are incorporated in China, even if they are foreign owned. As long as they are incorporated in China, they have to comply with it. Internal control, in fact, covers everything, as you can
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
189
Fig. 1. China Enterprise Internal Control Standards Framework.
imagine. Internal control may affect strategy. Internal control may affect operations, compliance, of course, financial statements, and other objectives. The standard requires companies to assess and disclose. It also requires an audit opinion. So once again we said, “No. We cannot do it because you only have Internal Control Standards but we need auditing standards too. We cannot do it because we don't know how.” So although initially the regulator had said that the standard would come into effect as of January 1st 2008, nobody could do it, so they postponed it. The final version came out in late 2008 and became effective January 1st 2009 for the basic standards. This gave time for the companies to adapt to the requirements and improve their practices. The principles didn't change much. They use a COSO framework. The standard defines the board's responsibilities for internal control, similar to elsewhere. Also, it requires an assessment, and disclosure, but does not mention an audit. It only says that you could use an audit and leaves that to other regulators like the Stock Exchanges or the China Security Regulatory Commission and Industry Regulators. The companies are saying that this basic standard is too principles based — they have to assess risk; they have to monitor risk; they have to measure risk; they have to have a risk response, internal control procedures, information systems, information communication, and monitoring. But how to they implement these? In response, the Ministry of Finance invited experts, academics and professionals from all the accounting firms, including the big four, to form an advisory committee on Internal Control Standards. Also, before they did anything else, they set up a rule on the working procedures of the task force. And with that, they moved on, step by step. They issued the Internal Control Application Guidelines. Right now there are eighteen guidelines. In response, the banks and insurance companies are saying, “Those [standards] are good, but we are really different from other companies.” So the industry regulators came in, and based on the Basic Standards and Application Guidelines, they issued Internal Control Requirements for specific industries, like banks and insurance companies, to compliment the Basic Standards. The Security Regulatory Commission and the Stock Exchanges also issued disclosure requirements so that the companies would know when and how and what they should assess and what they should disclose. Also, effective 2011 they require audits. This is the first year required that all companies listed on the China Mainboard and on overseas stock exchanges, such as Hong Kong or the U.S., must assess, disclose and be audited on their Internal Controls. The Internal Control Audit Guidelines are issued by the CICPA — we are, in fact, happy that they listened to us. They understand now that we, as auditors, cannot audit Internal Controls for strategic objectives. We cannot audit Internal Controls and express an opinion on operational objectives. We're just doing the audit to address internal controls over financial reporting. We, as auditors, have to use that standard and the companies have to use the Internal Control Assessment Guide. I think it's a nice system. Everyone knows what to do, how to do, and where to do it. Companies are required to assess all the internal controls and disclose,
190
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
and we, as auditors, if we notice any material weakness in other controls during our audit, we still need to disclose this in our audit report. 3.5. Internal Control Application Guidelines Let's move on to the Internal Control Application Guidelines, the second row from the bottom in the framework in Fig. 2, consisting of 18 processes identified by the Ministry of Finance; for example, information systems. The structure of every detailed guideline is to first define the process — what is information systems, what is procurement, etc. — that is the first section. Then, they move on to key risks of those processes — key risks of procurement: you have risks that you may buy things that you really don't need; you may buy things that you're paying too much for; and there might be fraud, etc. After they discuss the key risks, they move on to good control practices. You have to have separation of duties. The person who initiated the request for procurement should not be the person who approves it. The person who receives the goods should not be the person who does the procurement. There are quite detailed best practices listed under control activities. That's the structure of every one of these 18 detailed guidelines. And then there are other things you might find interesting, like social responsibility. We may not have time to discuss this but that's a requirement. It's actually a requirement by the stock exchanges. All listed companies now have to disclose, provide, and file a social responsibility report every year, and it's recommended that this report be audited. Our firm is doing some audits of social responsibility reports. 3.6. IT Risk Management Guide for Commercial Banks I talked about regulatory requirements earlier, so I will give another example of regulatory requirements — IT Risk Management Guidelines for Commercial Banks. These guidelines cover the following topics: • • • • • • • • • • •
Chapter 1, General Guidelines Chapter 2, IT Governance Chapter 3, IT Risk Management Framework Chapter 4, Information Security Chapter 5, IT Application Development, Test and Maintenance Chapter 6, IT Operation Chapter 7, Business Continuity Management Chapter 8, Outsourcing Chapter 9, Internal Audit Chapter 10, External Audit Chapter 11, Other Matters
Fig. 2. Internal Control Application Guidelines.
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
191
As you can see there is a very comprehensive guideline. For internal audit, it says that the internal audit department should have auditors that have relevant IT knowledge and experience. Internal auditors should do the audit based on their situation, but at least once every three years, they should do a comprehensive audit of their IT risk management. For external audit, it says banks may engage external auditors to audit IT. Of course, it doesn't talk about what standards we should use as external auditors. I've not done any yet, but I've done some consulting projects for the banks on IT risk management; it's quite interesting. 3.7. E-Banking Security Assessment Guidelines for financial institutions 3.7.1. General requirements I'll discuss another example that is also from the bank regulator. The banking alliance, not just the banks, but in fact all the financial institutions, have to assess their e-banking activity. This covers security strategy, control policies, risk response, system security, and client protection and privacy. This last requirement may surprise some of you. But in fact we have a law effective April 2nd 2009 that makes it a criminal offense if you obtain significant personal information illegally. The first conviction was a guy who was a private investigator. We call them consulting firms. He got a phone bill of a person on behalf of his client. The phone bill showed all the contacts that person had, and he provided it to his client. His client used that phone bill to blackmail people. The consultant was convicted and sentenced to one and half years in prison. The charge was illegally obtaining personal information. That's why the Chinese constitution was revised. It's a formal crime to illegally obtain personal information. It doesn't matter whether or not you use it for profit, so long as you do it illegally. Financial institutions providing e-banking services should have an overall assessment at least once every two years. 3.7.2. Assessment agent In terms of an assessment agent, you can use an internal independent department so long as it has the expertise to do the assessment. You may also hire external organizations to do the assessment. For external organization you can use an organization that's certified by the CBRC. For example, they're certifying consulting firms who can do the assessment. You may also use those that are not certified by the CBRC. For example, the big four are not certified by the regulators, but we can still do an assessment. 3.7.3. Execution of Security Assessment For the Security Assessment, the scope of the assessment includes security strategy, internal control policy, risk management status, system security, E-banking business continuity planning, contingency plans, risk monitoring and alert(early warning) system I won't get into the details of the scope, but I will talk about the report here — the report should include at least: 1) time, scope and other key terms in the assessment contracts, 2) assessment framework, procedures, approach; bios of the assessors, 3) definition and standard for risk weights, risk classification, and risk calculation, 4) description of assessment subjects and assessment activities, 5) conclusions, 6) recommendations to the institution on e-banking security, 7) any other matters worth mentioning, 8) terminologies and international or domestic standards used, 9) assessment work program as attachments, 10) name list of assessors — that's quite complicated. I've done some assessments, but the report I did wasn't really what they asked of me because what they're asking, essentially is to have a quantitative measurement of the risks and controls and residual risks, conclusions, recommendations on e-banking security, etc. 3.7.4. Timing and filing requirement An assessment needs to be done before the roll out of e-business by a financial institution. An assessment also needs to be done when the following events occur: 1) system taken down by attacks, 2) prolonged downtime after system changes, 3) major hardware failures causing prolonged service interruptions, 4) any other events that an assessment is deemed necessary. Branches of foreign financial institutions in China do not need to do a separate assessment if their e-banking systems are located overseas and assessments are done by their parents. However, they still need to file reports with CBRC on those assessments.
192
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
Upon completion of an assessment report, the financial institution should file the report with CBRC within one month. Audience Question: In terms of the e-commerce and e-banking, is there anything going on in the area of digital cash like bitcoins? Are there regulations for that? Is it being tolerated? Is it being encouraged? Philip Yang: Before this year it was not really regulated. There are a lot of companies arguing that e-payments are equivalent to PayPal and those types of companies. You may have heard of the Yahoo case. That's a joint venture — they owned some shares of Ali-baba, they do B2B and B2C, which is very big in China. They have a subsidiary that's doing e-cash, equivalent to PayPal. They are the largest player in China. But a regulation came out this year that requires compliance with technical standards, controls, etc. You have to obtain the central bank's approval to be in that business and I think they only gave out five or six licenses so far. My firm is doing some consulting work in this area, although not as much as we would expect. Audience Question: One of the questions I had about this internal control assurance being required and provided is that when the external auditors provide the assurance are they providing assurance at a point in time like we're required to in the U.S., or does it actually cover the full period? What type of assurance is being offered? Philip Yang: The opinion is point in time. Right now, we only have the Internal Control Audit Standard but they are drafting a detailed set of guidelines and explanation for the draft. It probably won't be effective until next year. We are using our judgment at this moment but in the draft guidelines, they require a certain period of testing. I think it is three months, at the minimum. So you would not be able to only test controls immediately before the year end, and then conclude that they're fine. Audience Question: You mention that now in China you're having sustainability reporting. And you're also doing audit. Just wondering, first, do you have some kind of regulatory guidelines to watch what is being reported? And, what is driving the assurance, if it is not required? Is there still some form of requirements for how those audit reports are being done and is there again, some sort of standard guidelines that you follow? Philip Yang: I have done a sustainability report for a client. In fact it's a corporate responsibility report. Why would people want to be audited if it's not a requirement? In this year's campus recruiting, one of the slogans for our firm is, “We are green.” Why? Because we see that the younger generations are no longer attracted by telling them that in ten years they can become a partner. That's not their whole concern. They may not be concerned at all. But, a lot of them are aware of global warming. They want to join a firm that is socially responsible. The most important purpose for our firm, really, is to attract talent, to make people feel they are working with an organization that is a good corporate citizen. It is similar for other companies. The banks want to show their investors that they are good business partners. The report I have on China Development Bank is public. We did not assess the bank yet, but they asked us to do the audit of their social responsibility report. The social responsibility report covers efficient use of energy, efficient use of resources, being a good corporate citizen, taking care of their community, environmental protection, and other topics. If the company is not listed, the framework we use is GRI (the Global Reporting Initiative). If the company is listed then we use the Stock Exchange disclosure requirements. They have very detailed disclosure requirements for social responsibility reports. The Internal Control Guidelines also talk about social responsibility and have a very detailed guideline on what you are recommended to do in regards to social responsibility. For some other companies, sustainability reporting is a very important cost-cutting method. If you are an IT-related company, you have a lot of servers. Electricity consumption is a huge portion of your operating costs. Cutting your electricity consumption not only helps society but it also helps you in terms of improving profitability. So, there are quite a few factors that companies would
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
193
consider in choosing to do report on social responsibility, and some of them would like to be audited as well. For such engagements we use International Audit Standard 3000. International standards are accepted by the Chinese authorities. Some other firms use the other standard I just mentioned, the CICPA standard. It is called Assurance Standard on Assurance of Non-historical Financial Information — so we may use that for the audit as well. Audience Question: You've spoken highly of COSO as one of the development points of some of the control structures in China. You can't do a SOX IT audit in the U.S. without using COBIT, because the AICPA and others have pretty much adopted it informally as the standard. You had a slide, a few slides back, that looked like it was kind of a COBIT approach with the three columns. You're looking at the same kind of step-by-step issues but you haven't mentioned COBIT. Philip Yang: We use a COSO framework, but the framework is really just a structure and thinking process. The detailed Application Guidelines does address COBIT-like principles. So yes, those are good reference frameworks and systems that the standards and detail guidelines incorporate. I did not mention COBIT because we use China specific standards. Audience Question: How can you get 400 ISACA grads without them adopting COBIT. What are you doing in your exams? What I'm saying is that here we use that framework so extensively that it's inconceivable to omit it when we make our exams and when we go through all of our other training courses. You have so many students in China I would have thought they would have been closer to adopting that mainstream IT approach. Philip Yang: Precisely. That's what we use when we do our work. If you recall the IT Risk Management Guidelines by CBRC; in the report they also ask you to disclose what tools and references you used. That may include international standards such as ISO 27OO1 or COBIT. Those frameworks are in fact discussed by the government bodies. They say that they are very good frameworks for us to use. There is no point for us to reinvent the wheel, or reinvent COBIT and make a Chinese COBIT. In practice, it's kind of a challenge. China does not have very good accepted standards. That's why our accounting firms are lagging behind although the economy is pushing forward. E-commerce is developing so fast. We, as auditors, are not doing much and one reason is because we're lagging behind in terms of reference frameworks, measurement standards and audit standards. So, in practice, we do try to use, whenever necessary, whatever we can get such as ISACA research. 4. Information systems related services and opportunities Efrim Boritz: We'll move on to talking about services and opportunities. What are the key types of engagements that are being performed and what are the opportunities in the information systems assurance area? Philip Yang: OK. In answering your question, I will cover the following: • Audit of IT for the purpose of F/S audit • Audit of IT as part of internal control audit • Compliance driven IT assurance work, especially for financial institutions such as banks and insurance companies • Audit report on internal controls of service organizations (ISAE3402) • Consulting projects: IT strategy, IT governance, IT risk, IT security, Data integrity, IT projects
4.1. Audit of IT for the purpose of financial statement audit This area involves the single largest portion of IT auditors in accounting firms. The companies we're serving like the banks and insurance companies, fund management companies and IT companies, companies
194
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
offering online games, B2B, C2C, B2C, etc. These are the ones that really need us. When we do audits, we need to audit their IT. 4.2. Audit of IT as part of internal control audit From this year, the very big challenge is we are not receiving the amount of fees we would expect to get, because all of a sudden, in addition to auditing financial statements we have to, I guess similar to North America with SEC registrants, do an audit of IT as a part of the internal control audit. That's the second largest part of our work. 4.3. Compliance driven IT assurance work The third type of service we are doing is compliance driven IT assurance work, especially for financial institutions. I showed you our bank regulator's requirement on IT risk security assessment. There are also similar requirements for the insurance companies, for fund management companies, for investment banking companies, and they have to assess and file the report. The difficulty is that they have no clear audit standards. There are also no clear measurement criteria. Some of these regulatory requirements you may view as measurement criteria, but they are not good enough or usable enough for an assurance engagement. So what we do is we try to package our service and reports so that they are not assurance reports. 4.4. Audit reports on internal controls of service organizations The next service we have is audit reports on internal control of service organizations. We use ISAE 3402 now because we don't have an equivalent China standard. We previously used SAS 70. However, whereas here that report is for the service organizations and their auditors, most of our clients use the report for their marketing and sales purposes. Most reports we do are for public fund management companies, asset management companies, and banks. They use the report to show their customers that their money is in good hands. This is not a big service, it is not profitable, and there are only two main players. One is the firm I work with. The other firm is Ernst & Young. We are competing very hard against each other, so we're keeping the price very low. 4.5. Consulting projects Consulting projects may not be called assurance projects, but we do a lot of them: IT strategy review, IT planning, IT governance consulting, IT risk, IT security, data integrity, and IT implementation. We have a lot of proposals going on about this throughout the IT life cycle. Audience Question: When you do your IT consulting, can you this for your audit clients or are there restrictions like in the U.S.? Philip Yang: There are restrictions. Audience: So it's pretty much for other people's audit clients. Philip Yang: Yes, but if it's assurance it's okay. Audience: Yes, but I was thinking IT risk, would that be assurance? Philip Yang: IT risk, as a consulting project, we could do as long as we can prove that it is not directly related to the generation of financial statement information. Audience Question: In the environment that you have described in China, its changing so fast, maybe leading in some areas, but I cannot believe that you or we can go into most operations in China and not find significant control weaknesses as we understand them, like an IT environment or
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
195
application control weakness. What about accountability? What happens when people have weaknesses? What do they have to do? Who holds them accountable? Philip Yang: It is a struggle. Yes, we did find material weaknesses in some of our clients that included IT. But IT is a different issue because we, as auditors, only issue an opinion on the internal control over financial reporting. So one thing we could try to do is to look at remediation of those controls — making sure that before they disclose the report, even though there are breakdowns during the process, what else they can do so they at least disclose their financial statements correctly. But, on the operational side, we need to have some reports that say that they may have, or do have, material weaknesses. The ultimate responsibility for internal control lies with the board. I believe in the U.S. it's the CEO and CFO. But, it's the Board in China. They are the ones that are responsible for establishing, assessing and disclosure of internal controls. Audience Question: The whole point with SOX in the U.S. is that you have to disclose and your auditors have to disclose material weaknesses and that includes IT environment processes like systems development. So if you happen to introduce the newest version of SAP just before your year end, the likelihood is poor that it's up and running acceptably well and can be attested to then all of those implementation and development controls, etc. are financial statement oriented as well as core IT processes and therefore there are whole regions of IT control that can't be kept outside of the finance end. So I think if you're looking for those things like the new SAP introduction, you've got a very strong likelihood of serious control questions that would spill over into the credibility of the financial statements that they produce. Philip Yang: In fact, that's a selling point for us, as an accounting firm, to be involved in a major system implementation. What we tell them precisely what you said. In the past they just hired consultants, system implementers such as IBM, etc. Now, a lot of them do hire us as an assurer. So up front we ask them when they do the new implementation, have you done the chart of accounts right? Have you done the forms right? Is the mapping between your business system and your ERP system and to the disclosure system correct? So we did find a lot of issues with how the IT companies implemented the systems. I just did one for a major insurance company two years ago and the report is pretty thick. It contains recommendations for improvement of a process of SAP implementation. That is really valuable, and if they didn't do it, for sure they would have had material weaknesses. Audience Question: I work for a bank. In North America and especially in Europe there's been a huge increase in bank regulations. How is that in China and how does that impact the audit? Philip Yang: We also have a lot of regulations by the bank regulators. Banks normally feel at a loss as to whether or not they should act for business or for compliance. Are they in the compliance business? Some of the regulations are good and at least make the banks feel comfortable in China, for example, regulations on interest on deposits and regulations on interest on your loans. That keeps a very good margin for the banks. And that's why we as consultants have an opportunity to come in to do the work. We have done some research. Once every two years, we talk to the banks about the challenges they are facing. The number one challenge to them, especially for the foreign banks in China, is regulatory complications. Audience Question: There's been a lot of activity related to the health care industry and health care providers and security over their systems and also privacy. Have you seen an increase in that activity in China related to health care and the protection of personal information and medical information? Philip Yang: I would like to say yes, but no, not for health care. That industry is in fact primarily run by the government and it needs improvement. Audience Question: Is there a trend in terms of TPAs (Third Party Assurance)?
196
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
Philip Yang: TPA audits of service organizations is one area we want, we hope that will increase. We're doing banks and fund managements companies primarily now, and in that sector we see huge growth. The new money they get this year is ten times the money they've gotten in the past ten years. So you see the trend. We do see the growth. Just for this sector, the fund management and asset management sectors. We are expecting to see outsourcing activities increase for efficiency, for specialization and we will do TPAs for those companies. I was just talking about an opportunity last night. They were talking about a charity fund. They get donations from corporate and personal funds and then spend the money for good purposes. There were some bad cases in the past so people stopped donating money to these organizations. So [the Charity Funds] are worried — no money coming in. No money to donate to Africa or remote Chinese villages like where I was living. So yesterday they called and said, “Can you do a TPA for us? I am considering it.” Audience Question: In your view when do you see the projected timeline that TPA regulations will be established in China, because they're currently using the international standard? Philip Yang: People are too busy to do other things so in fact it's us, as professionals, to blame. We're not spending time to carefully think through the market trends, what the market may need, and what we, as accounting firms, can do. So we don't have a planned timeline. Maybe the CICPA does, but I haven't seen it. Audience Comment: That's going to be a huge market. Philip Yang: Yes, but then other areas are already big. People are too busy making easy money. Audience: Earlier, you had said something about the recommendations or requirements for internal audit to report to the audit committee. What about the head of IT security? Is there any best practices, recommendations or even regulations about to whom should that person report in China? Philip Yang: Yes, there are security requirements. The governance requirements talk about IT security but unfortunately I haven't met even one case where we have a head of IT security or Chief Information Security Officer. Security is normally under the IT department, and if they're good then they have a separate department managing security. If they're not as good then there are just some operations people taking care of security or some other people taking care of security. Technically, yes, we're doing it, but in terms of a good governance structure I think people are not doing much, or it's not on the agenda yet. Audience Question: I'd like to know who's training all your people. I'm an educator, so what's the typical stream for where your professionals are coming from? Philip Yang: Some academics visit China every year to teach for free or half-price. The big four firms have our own internal training systems. In my firm, for example, we share our training methodology, tools, etc., globally. Every year in the Beijing office we hire around 50 new graduates. We have around 300 people doing IT audit and internal control related work. It's increasing very fast. When I first joined the firm in Beijing in 1996 we didn't have any IT auditors. Not until the year 2000 did we establish a new department with a few people and now we have 300. We trained them internally and also the universities and continuous professional education firms, they do the training for the general public. The National Accounting Institute has a course developed by Professor Boritz on IT audit for the purpose of financial statements. So they're using that to train hundreds of people every year. Also, through ISACA, a lot of people study and take the exam. I don't know the exact number, perhaps in the thousands, because we can take the exams locally in Beijing, Shanghai, Guangzhou — all of the large cities.
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
197
5. Key challenges and trends Efrim Boritz: So in the last few minutes that we have left I asked Phillip to talk about the key challenges and trends that he sees developing now and I think some already have been mentioned — the issue of talent and so forth — but, maybe you can just take us through some of these points? Philip Yang: Talent is our single most important worry. Last year I took on a new account. The budget for just the IT audit is over 20,000 hours. It started with just me, so for a long time I couldn't fall asleep at night thinking, “Oh my God, 20,000 hours or more!” Then I had an idea: Just me with 24 hours a day times 365 days, I have 9000 hours to start with! That gave me hope, but still I couldn't do it. I recruited some experienced hires. I also got a few fresh graduates. So now, eight months later, I have a pretty good team together. But it's also challenging. I have to train them. Some of them don't have enough experience. They don't have enough knowledge. So it's a lot of challenges in terms of talent. There are a lot of people taking the CISA exam but the number is not enough. In terms of numbers, it's not enough. In terms of knowledge and experience, it's definitely not enough. It might be too shallow for what our clients our really expecting. So talent is an issue. Another issue I that I have talked about is standards. As CPA firms, we should be the ones that give people comfort because e-business and e-banking are growing so fast. But we're not doing enough. We're doing very little. The reason is really because first of all, we ourselves don't have enough clear standards — no measurement criteria, no audit standards. You can borrow, but then people may think that it's an international standard and may not be China specific. So that's an area we need to work on. I think that's really important for the development of the profession. Comfort about the security of e-commerce is mainly provided by the technological firms, not us as auditors. As we all know, management, not technology, is the single most important factor that impacts security, reliance, and trust. IT strategy and planning and IT investment management represent a key trend. Last year, the government's investment in IT systems was about 17 billion RMB. That's roughly four times the cost of the Olympic facilities. If you want to figure out how much that is in U.S. dollars, just divide by 6.3. Five years ago, you divided it by 8.3. In the newspaper a few days ago, it was reported that somewhere in northern China a government agent purchased an iPod. For what? His basic IT needs because he defined it as a USB flash drive. In another case reported in the newspapers the police in southern China were equipped with state-of-the-art Mac Computers that cost 10 times as much as basic laptops. Their explanation was that they need good equipment to serve the public because they want to get good pictures of traffic violators so they can catch the bad guys very quickly. So you see the difference. You can spend 1000 RMB on a basic computer. You can also spend 20,000 RMB for a very good computer, but how do you justify it? So that's the thinking of the China National Audit Office. They want to figure out a framework to audit the investment in IT, the benefits realized from investments in IT. One client was asking me if I could help them find out the IT budget of another similar company. So I asked the company, “Are you okay to share your budget?” He said, “Okay, it's 2 billion RMB.” A big number. So I told the other company. They said, “Then ours should probably be 1.5 billion RMB.” I said, “Why?” They said, “Their company is bigger than ours so our budget can be a bit less.” Obviously, that is not a satisfactory answer. And that's the regulators' concern as well (bank regulators, the insurance regulators). The companies should instead be asking, “How much do we need to invest to have effective security? What is a reasonable amount?” In one case, four years ago, I helped a client's IT department to design and implement real-time monitoring, or what you call a continuous audit system. Since then, they have had very good findings. They went to the compliance department and told them, “Look, these are funny activities. Have you found them?” They went to the front desk management department and said, “Look, these are odd activities. Do you know about them?” They were at a loss. But then they figured out that this was a very good monitoring system. So last year the compliance department went through the approval process to get a budget of 5 million to handle compliance issues quickly in real time. Management approved formally and the next day the front desk operations department went through the approval process. They got a budget of 8 million for a front desk monitoring system. But both of
198
P. Yang / International Journal of Accounting Information Systems 13 (2012) 185–198
them are unnecessary duplications of investment in a monitoring system that already exists. The executive in charge of IT noticed this and called us in. We helped them to design an integrated platform for real-time monitoring, that can be shared, but also properly segregated. You share most of the processes and functions, but then for your internal audit there are things you don't want other people to know you are monitoring. So you may define your own role, define your own level of alerts and do your own procedures. If you are the front desk management department, you can use the same system and your activities can be shared or they can be hidden. To do that, we charge 1.5 million, representing a huge savings for the company. So why was I talking about this? As IT auditors we can contribute to companies realizing huge benefits from huge investments. And that I think requires academics and practitioners to sit down together and figure out measurement criteria, a standard, that we as practitioners can use. The National Audit Office is doing a lot of good things. But they are not willing to share everything they do with us. So we need to develop our own approaches. And that can benefit the companies that we audit. Audience Question: My question is an overarching question: You've been talking about IT audit and audit in China for over an hour now and I'm wondering about culture. I'm wondering how people perceive auditors. Whether it's, “Hi, I'm here the auditor your friend.” Or, “I'm the police.” Or, “I'm an agent of the state.” Is it cooperative, confrontational or if it depends on the circumstances? Philip Yang: As I said it's becoming a global village. So we know that April 1st is not a good time to implement a new law but, April 2nd is fine. As auditors, it depends on the type of engagement we do. Sometimes we are hired by the regulators to do the audit for them, so that's not a friendly environment. But if we come in as consultants, that's a good cooperative environment. For other assurance projects, they know we're not a government agency. Even if we find problems, we're not government. We don't have any power. The only thing we want to do is to help them improve their processes. I always try to let our clients know that although we are auditors, we are trying to help. We let them know what they can do to be good — if you do this, along the way, it will benefit you and it will benefit us. If it's nasty and difficult we all suffer. It's probably similar to what you experience as auditors over here. It also depends on the attitude and communication skills of the auditors, of course. Some auditors don't know their roles. They may be arrogant and they may act as if they were government officers. And some may be unconsciously incompetent. So in those cases there can be not-so-harmonious moments. Audience Question: We see a lot of Chinese graduate students down in the U.S. and our graduate students will have one course in IT audit as well as several background graduate systems courses. So in terms of talents, what are the opportunities for a student educated that way when they return to China? Philip Yang: Plenty. We have a program called the China Sourcing Program. We have people from China located in the U.S. and they are involved in full-time recruiting. We visit several campuses. We also open our website for people to send their applications to us so that we can interview them here in North America. Efrim Boritz: This has been a most fascinating and informative presentation. I'm sure all of you agree. Phillip has a wealth of knowledge and on an impromptu basis can address questions that are as far ranging as opportunities for students to the cultural aspects of how auditors are viewed. So once again I would like to thank Phillip for making the long trip from China to Canada and for sharing his wealth of information with us. Phillip will be here for the rest of the conference so please take an opportunity to introduce yourself and ask him about his work or any other things you may be interested in. Please join me in thanking Phillip for this wonderful presentation. Philip Yang: Thank you all for giving me the opportunity.