
Tuesday, March 31, 2009

Creating a Culture of Risk Awareness

One of the biggest challenges in implementing C-SOX control effectively is making sure that risk awareness is taken seriously by the entire organization, not just top management or the finance department. This can be especially problematic in organizations that have poor lines of control or do not have the business systems (IT and otherwise) needed to get a clear picture of their operations.

The Basic Standard for Enterprise Internal Control will require a mindset change for many companies in China because they do not currently take a systematic view of operational risk and they may not have the human resources needed to properly implement desired controls. Companies can therefore invest in training and education to increase the level of risk awareness.

This training has several components:

1) Broad training covering topics such as risk management, risk identification, corporate governance, etc.
2) Industry-specific training such as anti-money laundering or fraud awareness, health and safety, or data privacy.
3) Training on specific company policies, processes and procedures related to lines of business.

To effectively create a corporate culture where risks are identified and properly managed, all three types of training have to take place, and management has to be willing to sponsor and fund the training. This means not only holding training classes, but also assessing knowledge and skills of the participants, reinforcing key messages and behaviors and keeping risk as a top priority for the business.

Proper implementation of internal controls is a multi-year process that will require efforts throughout the company. Management teams need to make sure they have all the resources needed to finish the process.