Laws of the People's Republic of China

Guidelines on Internal Audit for Banking Financial Institutions

Yin Jian Fa [2006] No. 51 June 27, 2006 Chapter I General Provisions

Article 1

In order to advance banking financial institutions to improve corporate governance, strengthen internal control and perfect the internal audit system, these Guidelines are formulated according to the Banking Supervision Law of the People's Republic of China, the Law of the People's Republic of China on Commercial Banks, the Company Law of the People's Republic of China, the Audit Law of the People's Republic of China, the Regulations for the Implementation of the Audit Law of the People's Republic of China and other relevant laws and regulations.

Article 2

The term "banking financial institutions" as mentioned in these Guidelines shall refer to the policy banks and commercial banks that are established within the territory of the People's Republic of China.

As for other financial institutions established upon approval of the China Banking Regulatory Commission (hereinafter referred to as the CBRC), these Guidelines may be implemented by reference.

Article 3

The term "internal audit" as mentioned in these Guidelines refer to a kind of independent and objective supervision, appraisal or consulting activity, and is an important part of the internal control of banking financial institutions, under which systematic and regularized methods are adopted to examine, appraise and improve the business activities, risk conditions, internal control and corporate governance effects of banking financial institutions, so as to promote the healthy development of banking financial institutions.

Article 4

The internal audit of banking financial institutions aims to guarantee the implementation of related economic and financial laws and regulations, guidelines and policies as well as the rules of supervisory departments of the state, control the risks at an acceptable level within the risk framework of banking financial institutions, improve the operation of banking financial institutions and increase the value.

Article 5

The internal audit work of banking financial institutions shall be independent of the business operation and management, be guided by risks and be guaranteed to be objective and impartial.

Article 6

The CBRC shall examine and appraise the internal audit work of banking financial institutions according to these Guidelines.

Chapter II Framework and Staff

Article 7

The board of directors of a banking financial institution shall be responsible for establishing and maintaining a sound and effective internal audit system. Where there is no independent board of directors, the senior managers shall be responsible for fulfilling the relevant duties.

An audit committee shall be set up under the board of directors, which shall contain at least 3 members and a majority of the members shall be non-executive directors. The chairman of the audit committee shall be an independent director. Where there is no independent board of directors, the organizational structure of the audit committee and the person-in-charge thereof shall be subject to the determination of the senior managers.

Article 8

The banking financial institution shall set up an internal audit department to audit the business operation and management acts of all institutions of the same banking group, and may staff a chief auditor to be responsible for the audit work of all institutions of the same banking group.

The chief auditor shall be appointed by the board of directors, which shall be included into the scope of ratification of the position-holding qualification of senior managers of banking financial institutions. And alteration of the position of the chief auditor shall be reported to the CBRC in advance.

Article 9

Banking financial institutions shall establish an independent and vertical internal audit management system. The audit budget, the remunerations of employees, the appointment and dismissal of major persons-in-charge shall be decided on by the board of directors or its special committee. The remuneration of internal auditors may not be lower than the average level of employees of the same grade in other departments of the institution.

Article 10

The internal auditors of banking financial institutions shall generally be staffed at 1% of the total number of employees, and an internal position-shift system shall be set up.

Article 11

Internal auditors shall be of corresponding professional practicing qualifications:

(1)

Professional level. Internal auditors shall have a diploma of junior college or above, grasp professional knowledge related to internal audit of banking financial institutions, and be familiar with related financial laws and regulations and internal control rules.

(2)

Practicing experience. Internal auditors shall have experienced in practicing finance for at least two years; the person-in-charge of an audit project shall have at least experienced in audit for at least three years, or at least six years in practicing finance.

(3)

Morality criteria. Internal auditors shall have upright, objective, clean-fingered and impartial occupational ethics, and have no bad records since he engaged in financial work.

Chapter III Duties

Article 12

Banking financial institutions shall make rules to clarify the duties of the board of directors, the audit committee, the chief auditor, the internal audit department and the staff thereof.

Article 13

The board of directors shall bear the final liabilities for the suitability and validity of internal audit, be responsible for approving articles of association of internal audit, medium and long-term audit plan and annual work plan, etc., provide necessary to guarantee the internal audit work be carried out independently and objectively, and examine and supervise the audit work.

Article 14

The audit committee shall be responsible to the board of directors, and, upon authorization of the board of directors, organize and guide the internal audit work. The audit committee shall convene meetings regularly, and may, if necessary, invite senior managers to attend the meeting.

Article 15

The chief auditor shall be responsible for organizing the implementation of internal audit articles of association, medium and long-term audit plan and annual work plan, do well in the coordination work, timely report the audit work to the board of directors and the major persons-in-charge of the senior management staff, and take charge of the overall quality of internal audit.

Article 16

The internal audit department shall be responsible to the board of directors and the audit committee, formulate internal audit procedures, appraise the risk conditions and management status, implement the annual audit work plan, carry out follow-up audit, supervise the rectification, be responsible for the quality of the audit project, and well manage archival.

Article 17

The internal audit items shall mainly include:

(1)

the regularity of business management and the work condition of the related department;

(2)

soundness and validity of the internal control;

(3)

risk conditions, and the applicability and validity of the procedures for risk identification, computation and control;

(4)

information on programming and design, development and operation, management and maintenance of the information system;

(5)

accuracy and reliability of the accounting records and the financial reports;

(6)

information on the asset valuation system related to risks; and

(7)

operational performance of the institution and fulfillment of duties by managers.

Chapter IV Scope of Powers

Article 18

Banking financial institutions shall make rules to clarify powers necessary for the internal audit department to fulfill its duties.

Article 19

The internal audit department can be present at or take part in meetings related to the duties of the internal audit department.

Article 20

The internal audit department shall be entitled to timely and fully know about the management information, investigate and inquire of the entity subject to audit and the related persons involved in the relevant issues, as well as collect evidence from them.

Article 21

The internal audit department may, when deeming it necessary, report audit findings directly to the board of directors.

Article 22

The internal audit department shall have the power to propose suggestion on punishment and power to impose penalties.

Article 23

In case anyone refuses to accept or cooperate in internal audit, refuses to provide true information or provides false information, retaliates or frames up the auditors, the internal audit department shall have the power to report this to the superior department, and request the superior department to timely stop the act and make relevant punishment.

Chapter V Quality Control

Article 24

The internal audit department may provide consultation services regarding risk management, internal control and other related matters, but may not directly participate in or take charge of making decisions on internal control design or management, or implementing such decisions.

Article 25

The internal audit department shall, based on the annual risk evaluation, determine audit focuses. The audit frequency and extent shall accord with the business nature, complexity, risk conditions and management level of banking financial institutions.

Every business office shall be subject to risk evaluation at least once every year, and be audited at least once every two years.

Article 26

The internal audit department and the auditors thereof shall, strictly according to the audit procedures and audit methods, implement the audit project, and make self-evaluation at regular intervals.

Article 27

The internal audit department shall set up an audit withdrawal system for internal auditors, and guarantee the objectivity of internal audit.

Article 28

The internal audit department shall set up a follow-up training system for internal auditors, encourage them to obtain the practicing qualifications of certified public accountant, certified internal auditor, certified information system auditor and etc., so as to guarantee the professional competency of the internal auditors.

Article 29

The internal audit department shall enhance the application of technological means and information technology in audit work, establish and improve the non-on-spot internal audit monitoring system as well as the internal audit operation system and the information management system.

Article 30

The internal audit department may, in light of the need of work, outsource partial internal audit project upon approval of the board of directors, but shall in advance evaluate the independence, objectivity and professional competency of the undertaking institution.

Article 31

The internal audit department shall set up an audit reconsideration system. The audit conclusion to which the entity under audit objects shall be subject to reconsideration of the superior institution of the audit institution that has made the audit conclusion.

Article 32

The board of directors may hire an institution outside to appraise the due diligence of the internal audit department, and guarantee that the external inspectors are independent of the entity subject to appraisal, have the professional competency and are in no interest and conflict with the entity subject to appraisal.

Chapter VI Report System

Article 33

The banking financial institution shall set up an internal audit report system and a report avenue, which are suitable for the vertical management system.

Article 34

The audit committee shall report its audit work to the board of directors on a quarterly basis, and notify the senior management staff and the board of supervisors of it.

Article 35

The chief auditor and the internal audit department shall report the audit work to the board of directors and the main principal of the senior management staff on a quarterly basis, and shall, at least once every year, submit to the board of directors the audit work reports containing contents such as fulfillment of the duties, audit findings and suggestion and etc.

Article 36

The chief auditor and the internal audit department shall, after finishing a matter subject to audit, timely submit to the board of directors and the main principals of the senior management staff the project audit report containing contents such as the survey of audit, audit basis, audit conclusion, audit decision, audit suggestion, feedback opinions of the entity subject to audit and etc.

Article 37

The banking financial institution shall set up and improve the system for communicating with and making reports to the CBRC.

The board of directors and the senior management staff shall timely report to the CBRC the major audit findings.

The internal audit department shall report the following items to the CBRC or the dispatched office thereof:

(1)

The all-round audit work report submitted to the board of directors;

(2)

Where the internal audit department conducts audit at a different place, it shall meanwhile make a copy of the audit report to the dispatched office by the CBRC at the locality of the entity subject to audit;

(3)

After finding any major problem and reporting it to the board of directors, the internal audit department shall directly report the related information to the CBRC, under the circumstance that the problem has not been carefully investigated, no punishment has been imposed and no rectification has been made.

(4)

The audit report of the external intermediary institution on the banking financial institution. And

(5)

Other matters as required by the CBRC or its dispatched office to be reported.

Chapter VII Assessment and Accountability

Article 38

The board of directors and the senior management staff shall take effective measures to guarantee the sufficient utilization of the internal audit achievements.

As for issues not rectified in light of the rectification requirements, the senior management staff shall supervise and urge to make rectification, investigate the liabilities of related persons, and bear the liabilities and risks for not taking timely rectifying measures against the audit findings.

Article 39

The board of directors shall set up an incentive and restrictive mechanism, assess and appraise the due diligence and fulfillment of duties of all related parties to the internal audit, set up an accountability system for internal audit, and clarify the standards and procedures for investigating the internal audit liabilities and the exemption thereof.

Article 40

The board of directors shall investigate the liabilities of the person in charge of the internal audit department or any other person directly liable under any of the following circumstances:

(1)

failing to implement the audit plan, procedures or methods and thus caused major problems unable to be found;

(2)

concealing any problem found from the audit or failing to truthfully report it;

(3)

the audit conclusion violating the facts seriously;

(4)

doing a poor job in following up the investigation and rectification of the problems found from the audit;

(5)

failing to implement the confidentiality system in light of the requirements; or

(6)

committing other acts injuring the interests or fame of banking financial institutions.

Article 41

Where, upon inspection, supervision and affirmation of liabilities, a banking financial institution has sufficient evidence to prove that the internal audit department and the auditors have performed the duties in due diligence according to related laws, regulations, rules, these Guidelines and its internal audit rules, and have timely reported the problems found from the examination, it may, when the related problems of the entity subject to audit are exposed, exempt or partially exempt the liabilities of the internal audit department and the related auditors by considering the conditions.

Chapter VIII Supplementary Provisions

Article 42

Banking financial institutions shall, according to these Guidelines, formulate their respective detailed implementation rules, and make reports to the CBRC for archival filing.

Article 43

The power to interpret these Guidelines shall remain with the CBRC.

Article 44

These Guidelines shall enter into effect as of July 1, 2006.