15. Internal Controls and Internal Audit

The Audit Committee is a specialist committee that operates under Huawei’s Board of Directors. Within the scope of authority set forth by the Board of Directors, the Audit Committee oversees internal controls, covering the entire internal control system, internal and external audits, corporate processes, as well as the company’s legal, regulatory, and BCG compliance. The Audit Committee is made up of members of the Supervisory Board, the Board of Directors, and relevant experts. Audit Committee membership must be approved by the Board of Directors. Internal audit organizations and our external auditor report to both the Audit Committee and the Board of Directors. (Source: Audit Committee Charter (Provisional), Board of Directors Doc. No. [2012] 008)

As the company develops more rapidly, our management may not cover all aspects, and we will find increasing numbers of temporary loopholes. This is why we have established three lines of defense within our internal control system.

The first line of defense, which is the most important, controls risks during business operations. We should put over 90% of our effort into developing an effective first line of defense, which should be standardized but flexible. We need to flexibly respond to the service needs of different customers. The ultimate goal is to have business managers take responsibility for internal controls. For example, the manager of a certain business will also be responsible for the internal controls of that business. This approach should be extended all the way up to the top levels of the company. We must never waver in our determination to strengthen our first line of defense, and move towards the process ownership system one step at a time. This means we will gradually delegate authority to process owners. Country representatives will eventually become general managers who need to meet the basic requirements for overall business operations. The company’s processes must be simple and effective. The majority of our oversight must be based on processes. Processes themselves are a line of defense, so if we develop our processes properly, we will already have a strong defense system. Streamlining processes is a goal we will pursue with resolve.

The second line of defense ensures consistent management of major risks across processes and domains. Functional departments for internal controls and risk monitoring must promote the application of methodologies. A large number of managers should be trained on internal controls before going to work in the field. The second line of defense must provide many methodologies and also add, rotate, and develop numerous managers for the first line of defense. We have to define what responsibilities process owners should have. The Semi-Annual Control Assessment (SACA) is an assessment of process owners, and we should help them launch some pilots, establish process control systems, define jobs and roles, and get the whole system working correctly. At the same time, we should plan and deploy a Golden Seeds program country by country to roll out iSales, streamline configuration, and manage delivery in the Enterprise Resource Planning (ERP) system. Once the program succeeds, the golden seeds can be divided into two teams, and transferred to other countries. If they succeed again, a new group of golden seeds will emerge. This acts like an upward spiral that constantly produces new golden seeds. A new cohort of these will be promoted into managers. If they all have successful track records, then why not let them take over representative offices? Why not let them take over HQ? They will be welcomed back to HQ in high spirits. Who says they can’t be leaders in their twenties?

We need to further define the responsibilities of owners for the three lines of defense.

The first line of defense is comprised of business managers and process owners, who are also the primary owners of internal controls. We must build internal controls, awareness, and capabilities amongst our employees, and ensure process compliance at checkpoints and during real practices. Process compliance ensures the quality of authority exercises. We need to implement a process ownership system that ensures process owners and business managers are truly accountable for internal controls and risk monitoring. This should eliminate 95% of risks during process-based operations. Business managers must be able to do two things: create value and effectively implement internal controls.

The second line of defense is comprised of functional departments that are responsible for internal controls and risk monitoring. These departments should streamline the management of major risks across processes and domains. They should also develop methodologies, promote their application, and ensure employees at all levels have the required capabilities. The inspection team should focus on real-time events and serve as a helping hand to business managers. The inspection team must not overstep its authority though, and should remember that business managers are the primary owners of management. The inspection team needs to help business managers manage their business in a mature manner, identify problems, make improvements, and effectively resolve problems. The inspection and internal controls teams are to exercise the authority of oversight while helping business departments work according to processes. One thing is clear: Neither the Inspection Department nor the Internal Controls Department is accountable for internal controls.

We will rework our Internal Control System document by strictly following IBM’s internal control practices. This document will serve as our guidelines for improving our internal control system and does not need to be confined to the content in our approved documents. (Source: Resolution on the Plan for Improving Huawei’s Internal Controls, EMT Resolution No. [2007] 045)

During its meeting on April 29, 2015, the EMT defined Huawei’s internal control targets over the next three years as follows:

To achieve a “Basically Satisfactory” internal control maturity rating, a department must have:

Layer 1: the Control Environment. This serves as the base of the internal control pyramid. The global end-to-end processes and ownership system act as the foundation for Huawei’s internal control system and must be fully understood and implemented to ensure internal controls are successful. Global process owners have the primary responsibility for internal controls within their processes.

Layer 2: Control Tools and Indicators. This includes the compliance testing of KCPs, internal and external audit results, and other control tools and indicators that have been defined as essential inputs for the internal control assessment.

Layer 3: Assessments. Company management can view and use the assessment reports regularly. Through the use of the control tools at Layer 2 and associated reviews, the control indicators are converted into useful information with which Huawei’s control posture can be assessed regularly.

Layer 4: Appraisal and Accountability. Guided by business controllers, business owners and managers complete performance appraisals and accountability assessments, applying the assessment results from Layer 3 and considering the process for fulfilling their oversight responsibilities. These responsibilities include reviews, discussions, business risk assessments, operations monitoring, communication, information sharing, and professional assessments. Internal audit personnel and business controls departments also combine these outputs with their own professional analysis. This allows them to produce reports on audit findings and the company’s internal controls. These reports are delivered to the Audit Committee and the EMT who then implement appropriate rewards, or disciplinary or corrective actions.

The Business Controls Department’s mission, authority, and responsibilities are to:

Engineering inspection is the end-to-end inspection of any engineering delivery business. It is supposed to create corrective action plans for identified problems in collaboration with business departments. If any evidence of BCG violations is found during the inspection process, these violations are reported to the Investigation Department of the Internal Audit Department. The Internal Audit Department must focus on establishing deterrence, while the priority of engineering inspections is to promptly identify problems and push for improvements in different business departments. (Source: Minutes of the Report on Organizational Building of the Engineering Inspection Department, EMT Meeting Minutes No. [2011] 010)

ICFR represents all of Finance’s requirements for business. In other words, Finance has but one requirement for business – to manage ICFR based on the three types of financial reports.

Following the Enron scandal in 2002, the US Congress passed the Sarbanes-Oxley Act. The Act states that CEOs and CFOs of listed companies are responsible for making sure their company has an effective ICFR system that promptly and accurately discloses financial reports and information. The Act also made fraudulent disclosure and commitment subject to legal sanctions. Of the last 10 lawsuits that were filed in the US involving between US$2 billion and US$7 billion, seven involved false accounting or fraudulent disclosure. (Meng Wanzhou: Ensuring the Consistency of Business and Accounts and the Accuracy of Financial Reports—On Signing the ICFR Commitment Letter, Improvement Issue No. 479, 2015)

Now that we have achieved the CIAG, the EMT has agreed to add one more corporate-level work priority – improving financial report quality to a “Very Satisfactory” rating. Efforts surrounding this goal will be made to drive representative office-oriented integration and achieve the Five Ones¹ and consistency of business and accounts. (Source: Minutes of the Report on the Progress of Driving Representative Office-oriented Integration Forward and Achieving Five Ones and CIAG, EMT Meeting Minutes No. [2017] 003)

The ICFR Regulations must clearly state the ICFR responsibilities of managers at all levels. The responsibilities of CEOs/CFOs and process owners for ensuring the data quality of their respective domains must be clearly defined. Also, in this document, the responsibilities related to managing different types of financial data must be clarified. The document must also contain information about a layered commitment mechanism for fulfilling ICFR responsibilities. Responsibility fulfillment needs the support of tools and methodologies. Key control over financial reporting (KCFR) is a key tool for supporting ICFR. What is KCFR? KCFR is a tool used to identify key control elements that impact financial report quality throughout processes. Internal control methods, such as compliance testing and SACA, are then used to regularly monitor KCFR compliance during day-to-day work. This way, we can determine whether key data and information from business domains are accurate and reliable. There is no way to completely ensure that financial reports will always be of high quality, even if we clarify ICFR responsibilities, identify KCFR throughout processes, and regularly perform compliance testing and SACAs. This is because even if we keep each KCFR under control, there may be manual account adjustments to stock data and provisions for project losses. Manually adjusted financial data must also be managed. Data management coupled with KCFR assessments makes the ICFR mechanism complete. (Meng Wanzhou: ICFR Is a Means, and Consistency of Business and Accounts Is an End, Improvement Issue No. 460, 2014)

All employees must act with integrity, diligently fulfill their duties, and comply with all applicable laws and regulations, as well as Huawei’s own BCGs. Huawei prohibits all business fraud, including but not limited to:

At every key decision point of an investigation, decisions must be made according to the majority rule.

First, you must stick to the principle of collective decision making through votes by majority rule at every stage of an investigation, from launching the investigation, communication, and approval, to deciding on legal involvement. Business decisions can be left in the hands of the manager, but investigations into people cannot be the responsibility of only one person. No individual has the authority to approve or reject investigations into people. We stick to the majority rule, but the department head can chair meetings. We must avoid anyone abusing their authority to form cliques. No single manager has the authority to directly order an investigation into someone. Investigations must not become a tool for making people with different ideas suffer; otherwise, we will start to get cliques within the company. On this issue, we’d better be a bit conservative. We are all in favor of proactive auditing, but there have to be checks on authority, and the majority rule creates checks and balances.

While making our anti-corruption policies stricter, we will continue the policy of allowing employees to declare their own wrongdoing. This is a principle of being both strict and lenient, aiming to cure the disease and save the patient. Don’t suppose that we will not hold people accountable for past wrongdoings. Without accountability, we won’t establish cold deterrence. We need to establish cold deterrence so that our employees will not violate the BCG rules in the first place. Therefore, if you have already done something wrong, please report this voluntarily as soon as you can. Get them off your chest. Senior managers should take the lead in doing this to set an example. We should publicize it so that people know, through the offices of ethics and compliance (OECs), to send the message of a harder crackdown on BCG violations across the company. Cases which have been passed on to the legal authorities can be published on the company’s bulletin board as well. (Ren Zhengfei: Speech at a Briefing on the Progress of Large-scale Elimination of Corruption, Huawei Executive Office Speech No. [2014] 010)

When it comes to overseeing managers, we need to be both strict and lenient.

The right way to go about this work is to be responsible for the people under investigation. You need to help them understand their mistakes and get issues off their chest. Second, you have to select the right investigators based on the seniority of the people involved and the severity of the incident. You need the right strategy for the investigation. To be explicit about it, when the subjects of your investigation are senior and older members of staff, you have to send experienced investigators, even including their department heads in your investigation team. Where an issue does not involve any illegal activity (for example, claiming private expenses from the company), you should apply huidu. Not everything has to be dealt in absolute black and white. You should let the person involved retain a bit of dignity, and believe that Huawei employees are prepared to correct their mistakes once they are aware of their wrongdoings. (Ren Zhengfei: Speech on the Audit Committee’s 2014 Annual Work Report at the January Board of Directors Meeting, Huawei Executive Office Speech No. [2015] 017)

The requirements of the company regarding auditing and audit personnel are outlined as follows: Audit must implement organizational controls and create rules for their work. These rules should cover the selection of a subject, the content and scope of auditing, ways to obtain evidence, ways to assign someone to talk with the subject, the content and scope of communication, and so on. All these things must be approved by the organization. Approval levels will vary by grade, depending on the seniority of the subject and the content of the audit. An audit of the president of a level-1 department or a more senior position must be approved by the Huawei Executive Office. An audit of the director of a level-2 department or a more senior managerial position must be approved by the HRC. Audits of other employees must be approved by level-1 management teams. As for financial BCG violations, audit personnel cannot speak with the subject unless they have irrefutable evidence. Such communication must also stay within the scope of their authority. When you perform an audit, be careful not to go beyond the scope set forth by the organization. There must be an end to every audit; otherwise, employees would just live in fear. The subject of an audit is not our enemy. If new clues outside the approved work scope are found during the audit, you must ask an appropriate manager to decide whether to continue or adjust the audit. The audit scope must not be extended at will. Audit must operate within the scope of authority of the Internal Audit Department. Currently, Audit manages problems related to violations of the law, and company rules and regulations. Other issues are still in the hands of management teams at all levels. Audit must not go beyond the scope of their own authority. (Source: Requirements of Audit Work, EMT Resolution No. [2010] 019)

We must delegate appropriate authority to lower levels, align their authority with their responsibilities, and build an environment in which everyone is taking on greater responsibilities. Managers at all levels must fulfill their job responsibilities. On top of this, the company needs to delegate appropriate authority to them. When it comes to accountability, we must distinguish between BCG violations and mistakes at work. The company has a very clear accountability framework in place for BCG violations. If a mistake is made during work, we must analyze it in detail and take appropriate disciplinary actions. (Ren Zhengfei: Unite as Many People as Possible—Speech at the Self-reflection Session of the Board of Directors Executive Committee, Huawei Executive Office Speech No. [2013] 143)

In the reporting outline, there should be a section explaining things from the perspective of the person under audit. We must fully understand their circumstances and their responses. At the same time, we have to stick to the facts. Sticking to the facts may just be four words, but it is not an easy thing to do, not easy at all! Whatever you do, don’t turn the process into a battle against the person under audit. We still need to motivate more people to fight on our side. It’s easy to impose penalties; but it’s hard to help a person with a checkered past get back onto their feet. Many heroes from our history books had huge flaws, and there is no such thing as a perfect person. The reason Wang Anshi² failed was that he insisted drawing a clear line between black and white. With our managers, we must assume they are innocent until proven guilty. China is a country that places great emphasis on the rule of law, and we have to respect human rights. It is better to leave some things unclear than to harm our own people. You must not walk into someone’s home and start insulting them. Above all, don’t let the children of the person under investigation know the investigation is going on. This can be emotionally damaging. (Ren Zhengfei: Speech on the Audit Committee’s 2014 Annual Work Report at the January Board of Directors Meeting, Huawei Executive Office Speech No. [2015] 017)