What to be and hoW to be it?- a Guideline for US Public Companies to Comply

with Sarbanes oxley act Section 404

RISK ADVISORY SERVICE SOX Self Assessment AssistanceInternal Control ReviewInternal Audit Outsouricing and Co-sourcingComplete Risk Management

Part One General Introduction第一部分 简介

Currently, more and more US listed China based enterprises are concerned and challenged by shareholders, investors and regulators on accuracy of their financial information and integrity of company operation. As one of final systematic protection, it is so urgent and important for those US listed China based companies to fully compliance with the requirements of SOX act section 404.

目前，越来越多的在美国资本市场上市的中国企业，其会计信息的准确性和企业的诚信度受到了股民，投资机构及其他相关中介机构的高度关注。作为投资者与股东的最后保护屏障之一，赴美上市的中国公司对于萨班斯法案第 404 条款的遵循变得越来越为重要与迫切。

However, compliance to SOX is still a brand new topic for most China accelerated and non-accelerated filers that have been listed in US stock market for several years. The guideline is aiming at assisting the filers to understand the time schedule of compliance, what the independent consultant could help and what the audit will conclude in the compliance process.

然而，对于很多中国赴美上市的公司的管理层而言，萨班斯的遵循仍是一个崭新的话题，此外，高额的遵循成本也成为这些公司对萨班斯的遵循望而却步的重要考虑之一。作为专长服务于美国上市的中国公司的翰华咨询，我们希望通过我们为中小企业量身定做的服务计划，我们在该领域的丰富经验，以及我们富有竞争力的价格，可以辅助这些非加速申报人顺利通过审计师的检测，达到萨班斯法案要求的遵循标准。这份指南，旨在帮助这些在美上市公司的管理层对于法案的遵循时间，翰华咨询有可能提供的服务及外部审计师有可能完成的工作有所理解。

Below chart is a general summary for the relationship between company goal, risk, control, self-assessment process and auditor’s work.

以下章节乃是一个概览，旨在说明公司的运营目标，运营风险，相关控制，基于法案要求的管理层自我评估以及审计师的工作流程。

Part Two Definition of Non-accelerated File and Their Compliance Time Table第二部分 法案遵循时间表

The Compliance Time Table法案遵循时间表

We prepared a compliance time table of the listed company based on the assumption that the financial year of the Company is ended at 31 December 2011. Additionally, auditor will issue audit opinion on the effectiveness of internal control over financial statements combined with the audit opinion on 2011 financial statements. We also assumed that the Company has commenced the management self-assessment from January 2011.

我们准备了一份法案遵循时间表供公司管理层参考使用，我们下面的这份时间表，乃是基于该公司 2011 财年的结束日为 2011 年 12月 31日的假设。此外，审计师对于该公司有关财务报告的内部控制的有效性的评价意见也将连同本年度财务报表的审计意见一并出具。我们还假设该公司于 2011 年 1月即开始着手对萨班斯法案第 404 条款遵循的准备工作。

Brook & Partners A

ssistance and Review

Scoping, risk identification, control design effectiveness

evaluation

Jan 2011 to Feb 2011

Remediation

March to M

ay 2011

1st round testing

July 2011

2nd round testing

October 2011

3rd round testing

January 2012

Mgm

t Report

February 2012

Part III What We Can Help?第三部分 我们可以做什么？

According to the SEC and PCAOB rule, the filer has the responsibility to present a self-assessment report based on it’s own efforts or an independent consultant. In order to assist the clients to complete the self-assessment package efficiently, we developed an assessment methodology to support client’s assessment, the methodology includes below six key steps:

根据美国证交会以及上市公司会计监督委员会的规定，在美上市公司有责任在自我评估或者延请独立顾问的基础上，出具管理层自我评估报告，对本公司与财务报表相关的内部控制的有效性发表意见。为了协助我们的客户顺利通过法案的遵循，我们设计了一套切实符合中小企业的工作方法论，该方法论共分为六步 ：

Scoping--Top-down Approach

Understanding Processes

Identifying key controls

Evaluating effectiveness

Evaluating identified deficiencies

Remediation

We will explain the methodology in details in below section:我们将在下面的部分详细介绍该方法论 ：

I Top-down approach in scopingI划定项目范围上的自顶向下原则

PCAOB Audit standard 5 suggests auditors to use a top-down approach to the audit of internal control over financial reporting. Accordingly, self-assessment of management on the internal control can also follow the direction of AS 5. Under this approach, the internal control assessment should start with entity-level control and go down to significant accounts and disclosures and their relevant assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. Major steps include:

上市公司会计监督委员会审计准则第五号建议审计师运用在审计与财务报告相关的内部控制的时候采用自顶向下的原则。与此相对应，管理层所作的关于内部控制的自我评估亦应遵循第五号准则的要求。在这种方法论的指导下，对于内部控制的评估应该从公司层面的控制入手，逐步向下延伸到关键账户，披露以及对应的会计假定。主要工作步骤包括 ：

Identifying entity-level controlsIdentifying significant accounts and disclosures and their relevant assertionsIdentifying transactions which generate the preponderance of the account balance to determine key processes and map them to each in-scope account.

辨别公司层级的控制辨别重大账户，披露及对应的会计认定辨别关键流程，并将其映射至项目范围内的账户

Means to end: Risk Assessment工作成果 ：风险评估文档 / 风险矩阵

The risk-based top-down approach enables management or their third-party consultants to focus their assessment on relevant controls and reduces cost in complying with 404 section.

以风险为基础的自顶向下的方法可以使得管理层或其聘请的第三方顾问将他们的评估集中于相关控制，并在节省成本的基础上得以完成遵循。

II Understanding processesII了解流程

To identify mitigating controls, testing performers need to obtain an understanding of the operation of key processes by inquiring of process owner, observing the operation, inspecting relevant documents or re-performing certain actions. They should document the process combined with their understanding in forms of process flow chart or narratives.

不论是作为管理层还是其聘请的第三方顾问，均应对关键流程有所了解和认知，其对流程了解的方法包括，对流程负责人的访谈，观察运营程序，检查相关文档或者对某些程序进行重新执行。他们（管理层或其管理顾问）需要以流程图或直接描述的方式记载他们所理解的流程。

Means to end: Flowcharting工作成果 ：流程图

III Identifying key controlsIII辨别核心控制

In documenting processes, process-level controls could be identified. Among identified process-level and entity-level controls, key controls used to mitigate misstatement risks should be determined.

在归档流程的过程中，流程层次的控制可以被识别。在已经识别的公司层级的控制和流程层级的控制中，管理层或者他们所聘请的第三方应该决定那些可以减轻错报风险的关键控制。

Means to end: Risk Assessment工作成果 ：风险评估文档 / 风险矩阵

Evaluating effectivenessIV评估控制的有效性

Effectiveness evaluation of a control could go in two steps, firstly assessing design effectiveness and secondly testing operating effectiveness. Walkthroughs could be an effective way of achieving dual purposes of identifying key risks & controls and assessing the design effectiveness of a certain control.

对于控制有效性的评估一般分为两个步骤，第一，评估控制设计的有效性 ；第二，测试控制执行的有效性。穿行测试可以有效的满足识别关键风险和控制以及评估控制设计有效性的目标。

Means to end: Walkthroughs工作成果 ：穿行测试文档

V Evaluating identified deficienciesV评估识别的缺陷

Testing result of each control could be categorized as adequate, design deficiency, operating deficiency. To illustrate the severity, identified deficiencies should be labeled as deficiency, significant deficiency, or material weakness. Action plans should be made to remedy identified deficiency. Retesting should be performed, if possible, to evaluate the effect of improvement.

对于单个控制的测试结果，可以为适当的，设计缺陷以及执行缺陷这样几种结果。为了严格的区分和展示不同的结果，被识别出的缺陷可以分为缺陷，实质性缺陷和重大漏洞几个不同的层次。相关的修补计划应当依次制定，并且以重新测试作为手段和基础，再次评估改善之后的控制情况。

Means to end: Risk & Control Matrix, Issue Log工作成果 ：风险 / 控制矩阵，缺陷汇总

Part IV What the Auditor Will Do?第四部分 审计师可以做什么？

The client’s auditor is required to issue an attestation report on internal control over financial reporting. The opinion (Whether the internal control over financial reporting is effective.) of the auditor will be presented based on below factors:

公司的审计师需要对该公司与财务报告相关的内部控制进行评价，出具鉴证报告。审计师的审计意见（该公司和财务报告相关的内部控制是否有效）应该基于以下因素予以表达 ：

The self-assessment package prepared by the management or it’s independent consultant;Auditor’s audit procedure and samples selected.

管理层或者管理层聘请的顾问出具的自我评估报告 ；审计师执行的审计程序与选择的样本。

The auditor has to perform the integrated audit based on the instruction of PCAOB audit standards.

审计师应当给予上市公司会计监督委员会出具的审计准则执行审计。

Part V About Risk Advisory Service of Brook & Partners第五部分 关于翰华咨询风险管理服务

Risk Advisory Service (“RAS”) mainly focuses on risk advisory related services such as Internal Control Review (“IAR”), Complete Risk Assessment (“CRA”) and SOX assistance service under the compliance requirement from section 404.

风险管理服务主要专注于风险建议相关的服务，如内部控制审阅，全面风险管理以及萨班斯法案 404 条款约束下的法案遵循的支持性工作。

SOX Act Section 404 Compliance Assistance Service

Currently more and more security markets establish strict monitoring regulations and laws, Brook & Partners could assist the clients with its rich experiences and complete methodology.

Our approach:bAssist the management to be familiar with the requirements of the law/

regulations;bProvide training of methodologies and knowledge of the law requirements;bAssist the management to assess the control environment and risk;bAssist the management to establish the project team;bHelp to assess the risks and draft risk matrix;bAssist the project team/be in-charge of the control identification and

control activity designing;bDesign the control activities and audit program;bAssist the Company to conduct the walkthrough and compliance testing;bAssist the Company to evaluate the testing result and design the action plan

and monitor the remediation works.

美国萨班斯法案第 404 条款遵循项目支持性服务 ；

越来越多的资本市场开始制定苛刻的条例和法律制约和监督上市公司的内部控制。翰华咨询将携其服务多年的宝贵经验，助力广大客户顺利达标。

我们的方法 ：b协助管理层熟悉法规要求 ；b根据法规要求，为管理层提供必要的信息和方法论的培训 ；b助力管理层评价控制环境 ；b助力管理层建立项目团队 ；b协助评估风险，草拟风险矩阵 ；b协助或者主持控制的辨别和控制行为的设计 ；b设计控制行为及审计程序 ；b协助客户完成穿行测试及遵循性测试 ；b协助客户评估测试结果，设计跟进程序。

Outsourcing & Co-sourcing of Internal Audit, Risk Assessment and Corporate Governance Service

Currently more and more foreign invested enterprises (“FIEs”) would like to select a professional service provider to outsource/co-source its internal audit function (“IA”) as below considerations:bCost saving to maintain a cost consuming full time staff team;bProfessional body could provide the internal audit service/risk management

service from an independent eye;bStrong/complete networks/resources/people supporting;bFresh and variance background and experience to internal operation and

management.

Our approaches:Our approaching to internal audit outsourcing and co-sourcing services:bPerform risk assessment before conducting the field works;bAssess the control environment of the Company;bEvaluate/review/create processes and controls according to the result of

risk assessment;

bNote any significant deficiencies/material weakness/issues to management through the delivering of a comprehensive report;

bCommunicate the internal audit result with management;bProvide our professional suggestions/improving recommendations;bAny requested following-up works from management.

内部审计服务，风险评估及公司治理评价的外包及分包服务 ；

越来越多的企业选择将自己的内部审计职能外包或者分包给一个专业团体，内部审计职能的外包与分包服务有如下优点 ：b可以以较低的成本建立维护一个专业的审计团队 ；b外部的专业团体可以提供相对独立的咨询服务 ；b来自于专业团体的强大网络 / 人员 / 资源 ；b对于管理层而言，专业团体还可提供新鲜的视角，不同的背景及丰

富的经验。

我们的方法 ：对于内部审计分包和外包服务，翰华咨询的方法论为 ：b在现场工作前开展风险评估工作 ：b根据风险评估的结果，评估 / 审阅 / 创建关键的流程文档 ；b撰写项目报告，向管理层披露关注到的重大控制缺陷和显著缺失 ；b与管理层就审计结果进行交流 ；b针对关注到的控制缺陷，提供我们的专业建议和改善措施 ；b根据管理层的要求，实施必要的跟进工作。

Part VI Service Team of RAS第六部分 RAS服务团队

Mark Ma, Partner

马津先生

马津先生是翰华咨询北京办公室合伙人。他主要负责公司的市场推广与拓展，他亦为公司风险控制与服务质量评估小组的核心成员。

大学毕业以后，马津先生加入德勤会计师事务所税务部。作为一名税务顾问，马先生专注于为外商投资企业及外国企业提供个人所得税，企业所得税和流转税的咨询与筹划服务。在这一期间，马先生逐步建立了对中国税收框架的深刻理解。2003 年，马先生加入摩托罗拉中国，作为内部审计团队的一员，马先生全程参与了摩托罗拉萨班斯法案第404 条款的遵循项目，马先生是中国大陆最早接触及参与萨班斯法案遵循项目的专业人士之一。他亦因在项目中的杰出表现，获颁 2003年度摩托罗拉中国 Bravo 奖。

在此之后，马先生加入毕马威北京办公室风险管理服务，作为审计师及高级审计师，马先生主要专注于为大型跨国公司提供风险管理，内部控制及萨班斯法案遵循等专业服务。在此期间，马先生系统的学习了毕马威的方法论，建立了对风险管理，内部控制的优化与提升，以及流程再造的深刻认知。在此期间马先生服务过的代表客户包括 ：塔奥中国，朗讯中国，思科以及康明斯。

加入翰华咨询之前，马先生还曾服务于一家英国的管理咨询公司，担任高级经理及部门主管职务，主要负责项目的接洽，新客户的开拓与发展以及项目的全程管理。

马先生是翰华咨询的联合创始合伙人及翰华管理团队的核心成员。他主要负责新市场的拓展，新客户关系的搭建，以及项目管理。他亦是翰华风险管理服务的主管合伙人之一。他的代表客户包括维萨拉中国，宾堡中国，唯益食品，保富铁路以及 Valence 能源。

马先生是英国 BPP 专业教育的兼职讲师，主讲公司治理，萨班斯法案的遵循，全面风险管理及流程再造。马先生在 2009 年及 2010 年亦撰写出版了两本会计方面的书籍。

马先生拥有管理学学士学位，是英国特许公认会计师。

马先生的工作语言为中文及英语。

Mark Ma

Mark Ma is a partner in the Brook & Partners Beijing office. He is responsible for the company’s overall marketing and is also a core member of the risk control & service quality assessment team.

After graduating from university, Mark Ma started his professional career at Deloitte and Touche. At Deloitte, Mark worked as a tax consultant, providing advisory and planning services relating to expatriate individual income tax, corporate income tax and turnover taxes. He established a solid understanding of the China tax regime and China accounting standards. In 2003, Mark joined Motorola China to be an internal auditor, focus on Sarbanes Oxley Act section 404 compliance projects. At the time Mark was one of the first professionals in mainland China to be actively involved in SOX act compliance issues. He also won a Bravo Award at Motorola China in 2003.

Mark subsequently joined KPMG’s Beijing office in the Risk Advisory department as an associate and senior accountant. He was engaged in SOX compliance services, internal audit services and internal control review services. During this period, Mark learnt KPMG’s methodologies, establishing a sound understanding of risk management, internal control, process restructuring and SOX Act compliance requirements. The clients he served in this period included Tower, Lucent China, Cisco and Cummins China.

Mark was also a key management team member and department head of a UK based consulting firm. He was mainly responsible for engagement negotiation, new client development and overall project control.

Mark is a co-founder and key management team member of Brook & Partners. He is responsible for new market research and development, new client development and engagement management. He is also one of the leading members of the risk advisory service project team at Brook & Partners. His clients include Vaisala China, Bimbo China, Rich Products, Balfour Railway and Valence Energy.

Mark Ma is part-time lecturer of BPP professional, UK. His lecture topics include: Corporate Governance, SOX Act Compliance, Complete Risk Management and Process Restructuring. He is also the author of two accounting books published in 2009 and 2010. Mark earned his BA degree from Tianjin University of Finance & Economics. He is a member of ACCA and speaks both Mandarin and English.

Mark Ma PartnerTel: (86 10) 8586 5359 ext. 8002E-mail: mark.ma@brookpartner.com

刘巍女士

刘巍女士是翰华咨询的总监，主要负责中国上市公司的内部控制体系的搭建，民营企业赴境外上市前的预审计服务及财务咨询服务。刘女士还是翰华咨询深圳业务团队的主管总监，负责南中国市场的拓展及维护。

刘巍女士毕业于中国人民大学，毕业后加入中瑞岳华会计师事务所，担任审计师，高级审计师及部门经理职务，在中瑞岳华的五年间，刘女士建立了对中国企业会计制度及中国税法的深刻理解。这一期间刘女士服务的行业包括采矿业、机场服务、机械制造、房地产、酒店、高科技等。

刘女士随后加入了一家在香港上市的商业连锁企业担任财务高级经理职务。在此期间，她的主要工作包括，开发 ERP 系统与财务系统数据的对接与分析，持续提高工作效率及工作质量 ；带领团队完成公司上市前的财务规划，配合中介机构进行上市后的定期审计 ；对会计核算、税务管理、财务分析等日常工作进行监督与管理 ；；带领团队对公司重大的投资、并购活动进行尽职调查，撰写分析报告，为公司提供建议和决策支持等工作。

在加入翰华咨询前，刘女士还曾担任一家管理咨询公司咨询总监的职务，负责新客户的开发，咨询项目的客户对接，业务团队的建立与培训等工作。

刘女士拥有管理学学士学位，是中国注册会计师，国际注册内部审计师。

Ms. Kathy Liu

Ms. Kathy Liu is a director of Brook & Partners, focus on China listed company internal control system establishment service, pre-IPO financial advisory service and other financial consulting service. Kathy is also in-charge director of our Shenzhen team, covers the business development and maintenance of Southern China market.

After graduated from university, Kathy joined RSM CPA LLP as a junior auditor, senior auditor and an audit manager. During this period, Kathy establishes the deep understanding to China GAAP and China tax regime. The industries Kathy involved in this period include: Mining, Airport Service, Mechanical Manufacturing, Real Estate, Hotel and High-technology industries.

Kathy subsequently joined a HK listed commercial chain enterprise as a financial manager, her key responsibilities in this role include: assists to develop new ERP system in the group, leads the financial team to complete pre-IPO financial planning and documents preparing, assists the auditor to complete the IPO audit, assists CFO to improve existing financial management system, relevant policies and procedures; performs periodically tax compliance and filing, leads a team to finish financial due-diligence to potential Target companies, drafts due-diligence report to support the management decision.

Before joining Brook & Partners, Kathy is a director of a local management consulting firm, responsible for new clients relationship development, establishment and training of engagement team.

Ms. Liu holds a B.S in management, she is a China Certified Public Accountant and Certified Internal Auditor.

Kathy LiuDirectorTel: (86 10) 8586 5359 ext. 8007E-mail: Kathy.liu@brookpartner.com

PROFESSIONALS ASSISTING PERFORMANCEwww.brookpartner.com