Internal Audit Transformation for State-owned Enterprises (SOEs) —— Employ world-class benchmarks to shape the future business and adapt to a changing and disruptive market

Company: Large Stated owned enterprise
Sector: Infrastructure and public utility investment

The internal audit is an important supervisory mechanism for enterprise business activities. It functions as the third line of defense of enterprise risk management, and plays an irreplaceable role in regulating management of financial revenues and expenditures, clarifying economic responsibility, and strengthening internal control. Internal audits can bring value to situations involving dynamic risk management processes and help clarify complex cross-regional business environments, featuring diversified and multi-leveled management structures. Additionally, they can add reliability to industrial transformation layout optimisation and innovative operation, as well as benefit diversified talent team orchestration. Further, ongoing updates to management technology ensure that internal audits remain relevant to the depth of enterprise operations and management.

  • Typical challenges faced by internal audits of state-owned enterprises (SOE)

From PwC’s observations, the traditional internal audit functions of SOEs are facing various challenges arising from the increasingly complex business environment and the requirement from the State-Owned Assets Supervision and Administration Commission, (SASAC) to 'benchmark with world-class management and create value'.

  • Gap in the positioning of internal audit functions in the new era

The internal audit function is traditionally far removed from the core value chain of a company. Previously, the main purpose would be to meet the requirement of supervisory audit, external audit, regulatory compliance, and merely to perform the minimum required procedures around financial income and expenditure audit, economic responsibility audit, internal control evaluation and other prescribed work. In this form, the capacity for risk prevention in risk management and the role of independent expert consultation in enterprise operation and management are relatively limited. Additionally, the alignment of the three lines of defense during risk prevention is therefore inherently challenging, while mobilisation, the willingness and proactiveness of internal audits on enterprise value protection and creation are severely impaired.

  • The starting point and the scope of work for the traditional internal audit will be expanded

The traditional focus of internal audits would be on areas such as treasury, expenditure, and compliance of approval process. The internal audit would have limited reach into certain aspects of core business and operations, such as financing and guarantee, investment activities and project operation. In addition, due to the commonly perceived concept of 'error detection and fraud prevention', problems found by internal audit are still more relevant to compliance with an emphasis on short-term rectification. Consequently, in the traditional capacity, it has been difficult for internal audits to touch the root causes of business operation issues and barriers to development.

  • Development space to make full use of the internal audit results

The internal audit has typically been viewed as a barrier hindering business development and adding extra procedures and costs. It has instead been understood to ensure accordance with internal and external compliance requirements and to complete the "required" audit tasks, making the internal audit work a formality. As a result, there has been a tendency to consider internal audits as being "disconnected from business", providing "no insight", and being "only superficial" and useful on a case-by-case basis rather than as a remedy for root cause issues. 

  • Limited coverage of internal audit work

For a large state-owned capital investment and operation platform with numerous affiliates in the group, it is difficult to ensure full coverage of internal audit work with high efficiency and quality with the limited resources in the internal audit function. The bottleneck stemming from limited resources of internal audit teams, coincides with increasingly strict external regulatory requirements in recent years. For the internal audit departments of SOEs, not adapting is no longer an option.

PwC’s Internal Audit Transformation Service for SOEs 

As one of the largest local SOE groups, the Company has diversified business segments, numerous domestic and overseas subsidiaries, and a comprehensive corporate hierarchy. The Company also faces strict supervision from domestic regulator SASAC, with increasing requirements such as robust compliance management with an emphasis on improvements in quality and efficiency. While all departments of the enterprise actively tackle the challenges, the Company started to think about how to leverage the internal audit to improve the enterprise risk management ability and overall business management. When brought in to help, PwC customised a series of internal audit services for the Company, each tailored to the specific background and management improvement needs.

Start with an investigative audit -- to enable the enterprises to conduct a comprehensive navigation of their overseas companies and quickly identify high-risk areas.

The Company comprises many business units (more than one thousand) and overseas companies (hundreds), located over a wide range of markets and commanded through a long management chain. To better control the risks, the management needs to continuously optimise the Company's management and control and explore the corporate governance and business models most suitable for the overseas subsidiaries. As an objective and independent third line of defense, the internal audit department is helping the board of directors to conduct comprehensive risk navigation and is assisting the management to identify points of change.

PwC designed the investigative audit for the internal audit department and implemented risk exploration. First, focusing on "investigation", through a designed questionnaire, followed by open resource research, financial data analysis and other methods, we collected comprehensive information about each entity, including development history, equity structure, corporate governance, policies and procedures, assets, treasury, investment, financing, guarantee, borrowing, licenses, KPIs, key persons and other current situations. We combined the qualitative and quantitative analysis, and employed data collaboration, with cross comparison, holistic analysis, external benchmarking, and other methods to ensure the integrity and accuracy of the information before undertaking the audit. Through the investigation in the first step, we targeted the weak links and high-risk areas in the Company. Having mobilised the resources of PwC’s global network, we provided dynamic insights into the planning and direction for the following audit.

Benefit to the Company

The board of directors obtained a full picture of the current status of their operations and management, with a clearer view of newly acquired and merged entities. Among hundreds of overseas companies, including newly established and acquired or merged entities, overseas holding platforms and other types of companies, the Company obtained critical inventory including management status, organisational status, business status, and financial status. It's also the first time for the Company to have a comprehensive, comparable, quantitative and visual dashboard of the management status of overseas subsidiaries, which helps reveal common risks.

After prioritising the key risk, we suggested an in-depth follow-up action and audit plan. From the perspective of internal audit, the risk was highlighted and presented to the board of governance. We also helped the Company to explore an effective and efficient corporate governance model for overseas subsidiaries.

Following this, “advisory management auditing” was undertaken to identify the root causes of the problems with potential solutions suggested for the strategy and business model.

There are many subsidiaries in the Company, with different levels of investment and shareholders. Further, a range of different investment decision-making bodies and operation bodies exist. In recent years, the Company has continuously faced pressure to generate profit, control loss, and unlock potential among the subsidiaries and projects. The management hopes that based on the audit of the business performance, the internal audit function can carry out special audit work for loss-making companies and projects to help the Company objectively evaluate the operating results and support strategic transformation.

PwC designed and implemented the special internal audit covering more than 100 loss-making subsidiaries (projects) for the internal audit department. Using in-depth sorting, the composition, nature and measurement model of revenue and cost, considering the characteristics of the subsidiaries (projects) in the region and industry, the reasonableness of revenue and cost were analysed. With a view to look back at the original plan and strategy for the establishment of these subsidiaries and projects and track losses to root causes thoroughly. In the process of the special audit, the internal audit project team clustered the subsidiaries by industries and stages, focusing on natural barriers, inherent restrictions, and development bottlenecks in the industry.

Benefit to the Company

Generally, internal audits are useful for finding compliance and procedural problems. In this instance, with these special audits of loss making, the project team introduced industry experts from PwC that covered varying investment subjects, to consider the characteristics of different industries. By utilising the internal audit, the project team was able to offer valuable advice to the Company to aid strategic transformation, business model verification and solutions in other fundamental areas.

The operation management audit - "deep dive" into the group operation and assist enterprises to improve efficiency through pilot projects.

An operation and management audit is a comprehensive audit practice. It covers the operation and management of the audited entity during the audit period, focusing on key areas, such as strategy implementation, profitability, resource allocation, quality and efficiency improvement, investment management, compensation management, financing and guarantee management, asset management, and implementation of policies and procedures. For the Company, as a holding platform, with multiple management levels and a range of strategies and financial control models, such an audit is often superficial, lacking in-depth business insights, and clear explanations of problems, leading to inaccurate recommendations.

To overturn these standard challenges, PwC assisted the internal audit department to reform the approach of the operation and management audit, which is usually "audit the next lower level only". Targeting the multi-level platform companies and especially those subsidiaries at the bottom of the command chain, PwC helped the Company to perform deep dive audits and run pilot audit projects. In doing so, PwC helped the Company evolve expectations of the internal audit.

Benefit to the Company

With the investigative audit widening the scope of internal audit work, the internal audit team revealed the management level of the audited platform company in depth, by conducting the operation audit of the subsidiaries and key projects at the bottom level, and objectively evaluated the economics, efficiency and effectiveness of the operation activities and management measures of the audited unit. At the same time, to address identified problems, weak links and risks existing in the audited unit, we provided suggestions to improve operation and management, increase economic benefits and strengthen risk prevention.

Overall benefits and Conclusions:

The internal audit function was able to radically assist the Company's operation through a series of new projects by:

Focusing on the business risks of overseas subsidiaries. Addressing the decision gap for multi-level management companies. Enhancing efficiency and effectiveness of business operation. Drawing attention to compliance risk and value management, as well as other core areas related to governance. In addition to improving the process of risk prevention and value protection.

PwC continues to set an example in the field of internal auditing to help SOEs adhere to the integrity of the internal audit process, while benefitting from expert-driven innovation and utilising top-tier benchmarks in the field to realise the full potential of internal audits with an emphasis on shifting from protection to value creation.

Contact us

Thomas Leung

Thomas Leung

Managing Partner - Markets, PwC China

Tel: +[86] (10) 6533 2838 / +[852] 2289 8288

Jennifer Ho

Jennifer Ho

Asia Pacific Risk Services Leader, Mainland China and Hong Kong Digital Trust & Risk Leader, PwC Hong Kong

Tel: +[852] 2289 2919

Jasper Xu

Jasper Xu

Mainland China and Hong Kong Digital Trust & Risk Markets Leader, China Central Digital Trust & Risk Leader, PwC China

Tel: +[86] (21) 2323 3405

Kenny Hui

Kenny Hui

Governance, Risk & Controls Services Leader, PwC China

Tel: +[86] (755) 8261 8292

Follow us