How to Set Up Internal Controls for FIE Audit in China: 2026 Guide
Establishing robust internal controls is not just a regulatory box-ticking exercise for foreign-invested enterprises in China — it is the single most effective way to secure a clean audit opinion, reduce compliance costs, and protect the business from fraud. The 2025 EY China Fraud Survey found that FIEs with mature internal control systems detected 83% of control deficiencies before their external auditors did, reducing audit adjustments by an average of 60% and cutting audit fees by 15–25%. This guide provides a practical framework for building internal controls that satisfy both Chinese regulatory requirements and international corporate governance standards.
Why Internal Controls Are Critical for FIE Audits
Chinese auditing standards (CAS 1101 and related standards) require the external auditor to assess the FIE’s internal control environment as part of the risk assessment procedures. A weak control environment leads to higher assessed risks of material misstatement, which in turn drives more extensive substantive testing, longer fieldwork, and higher audit fees. Conversely, a strong control environment that the auditor can rely on reduces sample sizes and shortens the audit timeline.
- Regulatory foundation: The Ministry of Finance’s “Basic Standard for Enterprise Internal Control” (2008, updated 2021) lays out the five components of effective internal control: control environment, risk assessment, control activities, information and communication, and monitoring. These align closely with the COSO 2013 framework, making integration with global group policies straightforward.
- COSO-adapted compliance: Over 80% of Fortune 500 companies use the COSO framework as their internal control baseline. The Chinese Basic Standard mirrors COSO’s five components, enabling FIEs to adopt a single control framework for both Chinese statutory and group-wide compliance purposes.
- Fraud prevention: The 2025 China Fraud Survey reported that FIEs with formalised internal control systems experienced 67% fewer material fraud incidents than those relying on ad-hoc procedures. The most common fraud schemes in FIEs include procurement kickbacks (34% of cases), payroll ghost employees (22%), and false vendor creation (18%).
COSO Framework Adaptation for China Operations
The COSO 2013 framework provides an internationally recognised structure that maps naturally onto China’s Basic Standard for Enterprise Internal Control. The table below shows how COSO components align with Chinese regulatory expectations:
| COSO Component | China Basic Standard Equivalent | FIE-Specific Considerations |
|---|---|---|
| Control environment | Internal environment (Ch. 2) | Chinese legal structure (WFOE, JV, RO); bilingual code of conduct; whistleblower hotline |
| Risk assessment | Risk assessment (Ch. 3) | FX risk, tax risk, regulatory change risk, IP protection risk |
| Control activities | Control activities (Ch. 4) | Seal/chop management, invoice control, bank payment dual-authorisation |
| Information & communication | Information & communication (Ch. 5) | ERP system access controls, Chinese-language financial reporting, regulatory filings tracking |
| Monitoring | Internal monitoring (Ch. 6) | Internal audit function, quarterly control self-assessments, audit committee oversight |
Control Environment: Tone at the Top
The control environment — the “tone at the top” — is the foundation of all other internal controls. For FIEs in China, this takes on additional dimensions due to the dual-management structure (foreign-appointed directors and local Chinese management) and the legal representative’s statutory responsibilities.
- Bilingual code of conduct: Develop a code of conduct in both English and Chinese that is signed by every employee annually. The code should address: anti-bribery and corruption (especially relevant under China’s 2024 amended Anti-Unfair Competition Law), conflict of interest, confidentiality of business information, and adherence to the FIE’s internal control policies.
- Legal representative awareness: Ensure the legal representative (who bears personal criminal liability for certain financial reporting violations under Chinese law) understands their responsibilities and receives quarterly internal control briefing packs. This is a critical safeguard that many FIEs overlook.
- Whistleblower mechanism: Establish an anonymous whistleblower hotline operated by an independent third party. The 2025 EY survey found that whistleblower tips were the source of 42% of fraud detection in FIEs — the single most effective detection mechanism.
- Organisational structure and delegation of authority: Maintain a clear organisational chart with defined reporting lines and a Delegation of Authority (DOA) matrix that specifies approval thresholds for: expenditure (by amount and category), contracting (by value and term), bank payments (dual approval requirement for amounts above RMB 50,000), and hiring (by level and salary band).
Risk Assessment Procedures for FIEs
Risk assessment in an FIE context must address risks that are specific to operating in China’s regulatory and business environment.
- Foreign exchange risk: The dual-currency operating environment (RMB income, USD/EUR/JPY input costs or remittances) generates translation and transaction FX exposure. Controls should include: monthly FX exposure reporting, hedging policy (forward contracts, FX swaps), and approval thresholds for unhedged positions.
- Tax compliance risk: China’s tax system is subject to frequent changes. The 2025 tax year saw 14 circulars from the State Taxation Administration affecting CIT, VAT, and stamp duty. Establish a tax watch function that tracks new circulars and assesses their impact on the FIE’s tax position within 15 working days of issuance.
- Regulatory change risk: China’s regulatory environment for FIEs evolves rapidly. Key areas to monitor include: negative list updates (2025 edition reduced restricted industries to 31), data security compliance (CSL, DSL, PIPL — all with FIE-specific implications), and industry-specific regulations (automotive, pharmaceutical, financial services).
- Related party transaction risk: Transfer pricing documentation requirements continue to tighten. Conduct an annual related party transaction risk assessment that identifies: transactions requiring contemporaneous documentation, benchmarking study updates needed, and potential adjustments from the annual CIT filing.
Control Activities: Transaction-Level Safeguards
Control activities are the specific policies and procedures that ensure management directives are carried out. For FIEs in China, the following control activities deserve particular attention due to local regulatory requirements and cultural business practices.
| Process | Control Activity | Frequency |
|---|---|---|
| Procurement | Three-quote competitive bidding requirement for purchases above RMB 50,000; vendor master file changes require dual approval | Per transaction |
| Cash disbursements | Dual signature on all cheques; electronic bank payment requires two separate approvers in the banking system | Per transaction |
| Inventory | Cycle counting programme with full physical count annually; segregation of duties between warehouse, accounting, and purchasing | Monthly/Annual |
| Revenue | Sales order, delivery note, and invoice matching (three-way match) before revenue recognition; credit note approval by sales director and finance manager | Per transaction |
| Payroll | HR master data changes (new hires, terminations, salary changes) require HR manager and finance manager approval; payroll register reviewed by CFO before disbursement | Monthly |
| Seal/Chop management | Company seal, legal representative seal, financial seal, and contract seal kept in separate locked safes; seal usage requires a signed application form with dual approval | Per usage |
| Fixed assets | Annual physical verification of all assets above RMB 2,000; capital expenditure approval according to DOA thresholds; disposal of assets requires board approval for items above RMB 100,000 | Annual |
Information and Communication Systems
Effective internal controls require timely, accurate information and clear communication channels. For FIEs, this means ensuring that financial and operational data flows correctly between the China entity and the global headquarters, and that both English and Chinese versions of key documents remain consistent.
- ERP system controls: Implement role-based access controls in the ERP system. Segregation of duties should prevent any single user from having both origination and approval capabilities within a transaction cycle. User access reviews should be conducted quarterly.
- Financial reporting templates: Standardise financial reporting templates in both English and Chinese. The statutory CAS-based reporting package and the group IFRS-based reporting package should be reconciled monthly, not annually, to avoid year-end surprises.
- Regulatory filing tracker: Maintain a centralised regulatory filing tracker that records all government filings (SAMR, tax bureau, SAFE, customs, industry regulators) with submission dates, reference numbers, and renewal schedules.
- Communication with the board: Provide the board of directors with a quarterly internal control dashboard that includes: control deficiency tracking (open, closed, overdue), audit adjustment summary, fraud incident log, and regulatory compliance status.
Monitoring Activities and Remediation
Monitoring ensures that internal controls continue to operate effectively over time. The monitoring framework should include both ongoing monitoring activities and separate evaluations.
- Continuous monitoring: Configure the ERP system to flag transactions that exceed approval thresholds, match to unauthorised vendors, or fall outside expected patterns. Automated controls monitoring reduces reliance on manual review and catches exceptions in real time.
- Quarterly control self-assessments: Each process owner completes a quarterly control self-assessment (CSA) that rates the effectiveness of key controls on a 1–5 scale. CSAs are reviewed by the internal audit function and presented to the audit committee.
- Annual internal audit: For larger FIEs, an independent internal audit function should conduct an annual review of internal controls over financial reporting. The scope should cover all five COSO components and include sample testing of control activities across significant transaction cycles.
- Remediation tracking: Maintain a formal deficiency register that records: deficiency description, root cause, remediation action plan, responsible owner, target completion date, and actual completion date. The register should be reviewed monthly by the CFO and quarterly by the audit committee.
Internal controls are not a one-time setup project. They require continuous attention, periodic updating as the business changes, and active engagement from senior management. FIEs that treat internal controls as a strategic investment rather than a compliance burden consistently achieve better audit outcomes, lower costs, and stronger business performance.
Where to Go From Here
Based on what you just read:
- Ready to act? Read a step-by-step guide to implementing COSO-based controls in China
- Still comparing? See a side-by-side comparison of internal control software for FIEs
- Need numbers? Try an interactive calculator for your FIE internal control maturity score
How to Set Up Internal Controls for FIE Audit in China: 2026 Guide — first published on China Gateway 360. Last updated: July 2026.
