360 Security Technology Inc(601360)
Internal control evaluation report in 2021
360 Security Technology Inc(601360) all shareholders:
In accordance with the provisions of the basic norms of enterprise internal control and its supporting guidelines and other internal control regulatory requirements (hereinafter referred to as the enterprise internal control normative system), combined with the company’s (hereinafter referred to as the company’s) internal control system and evaluation methods, and on the basis of daily and special supervision of internal control, we evaluated the effectiveness of the company’s internal control on December 31, 2021 (the benchmark date of internal control evaluation report). I Important statement
It is the responsibility of the board of directors of the company to establish, improve and effectively implement internal control, evaluate its effectiveness and truthfully disclose the internal control evaluation report in accordance with the provisions of the enterprise’s internal control standard system. The board of supervisors shall supervise the establishment and implementation of internal control by the board of directors. The management is responsible for organizing and leading the daily operation of the enterprise’s internal control. The board of directors, the board of supervisors and the directors, supervisors and senior managers of the company guarantee that there are no false records, misleading statements or major omissions in the contents of this report, and bear individual and joint legal liabilities for the authenticity, accuracy and completeness of the contents of the report.
The objective of the company’s internal control is to reasonably ensure the legal compliance of operation and management, asset safety, authenticity and integrity of financial reports and relevant information, improve operation efficiency and effect, and promote the realization of development strategy. Due to the inherent limitations of internal control, it can only provide reasonable assurance for the realization of the above objectives. In addition, as changes in circumstances may lead to inappropriate internal control or reduced compliance with control policies and procedures, there is a certain risk to speculate the effectiveness of internal control in the future according to the internal control evaluation results. II Internal control evaluation conclusion 1 On the benchmark date of the internal control evaluation report, does the company have any major defects in the internal control of financial reporting
□ yes √ no
2. Evaluation conclusion of internal control over financial reporting
√ valid □ invalid
According to the identification of major defects in the company’s internal control over financial reporting, there are no major defects in the internal control over financial reporting on the benchmark date of the internal control evaluation report. The board of Directors believes that the company has maintained effective internal control over financial reporting in all major aspects in accordance with the requirements of the enterprise’s internal control standard system and relevant regulations. 3. Whether major defects in internal control over non-financial reporting are found
□ yes √ no
According to the identification of major defects in the company’s internal control over non-financial reports, the company did not find non-financial reports on the benchmark date of the internal control evaluation report. 4 Factors affecting the evaluation conclusion of internal control effectiveness from the benchmark date of internal control evaluation report to the date of issuance of internal control evaluation report □ applicable √ not applicable
There are no factors affecting the evaluation conclusion of the effectiveness of internal control from the base date of the internal control evaluation report to the date of issuance of the internal control evaluation report. 5. Whether the internal control audit opinion is consistent with the company’s evaluation conclusion on the effectiveness of internal control over financial reporting
√ yes □ No 6 Whether the disclosure of major defects in internal control of non-financial reports in the internal control audit report is consistent with the disclosure of the company’s internal control evaluation report √ yes □ no III Internal control evaluation (I) Scope of internal control evaluation
According to the risk oriented principle, the company determines the main units, businesses and matters included in the evaluation scope and high-risk areas. 1. The main units included in the evaluation scope include: Internet advertising business line, game business line, intelligent hardware business line, security business line and other important units. 2. Proportion of units included in the scope of evaluation:
Proportion of indicators (%)
The total assets of the units included in the evaluation scope account for 85% of the total assets in the company’s consolidated financial statements
The total operating income of the units included in the evaluation scope accounts for 97% of the total operating income in the company’s consolidated financial statements, accounting for 3.5% The main operations and matters included in the scope of evaluation include:
The company’s main businesses included in the evaluation scope of internal control include Internet advertising business, game business, intelligent hardware business and security business.
The main items included in the evaluation scope of the company include company level control and important business process level control:
Company level control:
1) Control environment
We evaluate the internal control environment from the following aspects: integrity, employee values, executive behavior, management awareness and business style of the management, management competence, participation of the board of directors in governance and supervision, organizational structure setting and distribution of rights and responsibilities, human resources policies and their implementation;
2) Risk assessment
We evaluate the risk assessment from the following aspects: assess the risk level, identify major risks, assess the possibility of risks, and determine the methods to deal with risks. This mechanism can help the company predict, identify and respond to changes in the internal and external environment that may hinder the realization of the company or the company’s objectives in time;
We evaluate information and communication from the following aspects: information systems, including relevant internal and external information, can be provided to appropriate people in detail and in time to enable them to effectively perform their duties. The management provides appropriate human and financial resources for the development of necessary information systems, and ensures the establishment of general control of information systems including program development, program change, program and data access and computer operation to support the continuous operation of application system control. The management has established business continuity plan and disaster recovery plan for all important data;
4) Internal supervision
We evaluate internal supervision from the following aspects: allocate appropriate personnel to carry out internal control evaluation regularly, and obtain evidence to prove whether the internal control system continues to operate effectively in daily work and whether the internal audit function plays an effective role.
Business process level control activities:
We evaluate the control activities from the following aspects. The company has established supporting control policies and procedures for each business activity. Establish incompatible job separation control, authorization approval control, accounting system control, budget control, operation analysis control and performance evaluation control to reduce the risk of fraud or misoperation; Establish effective security measures to prevent unauthorized access to or destruction of documents, records and assets, including:
1) Fund management: fund management, bank account management, financial authorization, collection and payment, bank bills and e-banking;
2) Procurement management: procurement plan, procurement implementation, supplier management, procurement settlement, etc;
3) Asset management: authorization and approval procedures for fixed assets and intangible assets management, procurement bidding of fixed assets and intangible assets, accounting treatment of fixed assets and intangible assets, inventory of fixed assets, subsequent measurement and disposal of fixed assets and intangible assets;
4) Sales management: sales policies and procedures, customer management, revenue recognition;
5) Human resources: human resources planning, recruitment, personnel transfer, resignation, salary and welfare, etc;
6) Tax management: compliance control of value-added tax and enterprise income tax;
7) Expense management: expense approval process, expense accounting, etc;
8) Investment management: investment approval and subsequent management, accounting treatment of investment, initial recognition and subsequent measurement of investment, etc;
9) Financial report closing procedures: accounting policies and procedures, separation of responsibilities, accounting voucher management, financial statement consolidation, related party transactions, closing procedures, financial report disclosure procedures, etc;
10) Information system: general control and application level control of IT system.
4. High risk areas of focus mainly include:
Fund management, sales revenue recognition and collection, cost recognition and payment, foreign investment, fixed asset management, long-term asset impairment, information system management, information disclosure, etc. 5. The above units, businesses and matters included in the evaluation scope and high-risk areas cover the main aspects of the company’s operation and management. Is there any major omission □ yes √ no
6. Is there a statutory exemption
□ yes √ No 7 Other explanatory matters
None (II) Basis of internal control evaluation and identification standard of internal control defects
The company organizes and carries out internal control evaluation according to the enterprise internal control standard system and enterprise internal control system. 1. Whether the specific identification standard of internal control defects is adjusted with that of previous years
□ yes √ no
The board of directors of the company distinguished the internal control of financial report from the internal control of non-financial report according to the identification requirements for major defects, important defects and general defects of the enterprise internal control standard system, combined with the factors such as the company’s size, industry characteristics, risk preference and risk tolerance, and studied and determined the specific identification standards of internal control defects applicable to the company, which are consistent with the previous years. 2. Identification standard of internal control defects in financial reporting
The quantitative criteria for the evaluation of internal control defects in financial reporting determined by the company are as follows:
Index name major defect quantitative standard important defect quantitative standard general defect quantitative standard
The tax on consolidated financial statements may lead to significant defects and general deficiencies in the financial statements, which may lead to the potential pre tax profit misstatement amount of financial statements ≥ the tax trap of consolidated statements, and the misstatement amount is less than 5% of the pre tax profit of consolidated statements and 1% of the pre tax profit of consolidated statements
Description: None
The qualitative criteria for the evaluation of internal control defects in financial reporting determined by the company are as follows:
Qualitative standard of defect nature
A combination of one or more control defects that may lead to the failure to prevent or detect and correct the material misstatement of the financial report in a timely manner.
Signs of significant defects in the company’s internal control related to financial reporting include:
① Fraud by directors, supervisors and senior managers, resulting in material misstatement of the financial statements;
② The company corrects the published financial statements;
③ There is a material misstatement in the company’s financial statements, and the internal control fails to find the misstatement in the operation process;
④ The supervision of the company’s audit department on internal control is invalid.
The combination of one or more control defects whose severity and economic consequences are lower than those of major defects, but may still lead to misstatement in the financial report.
Signs of significant defects in the company’s internal control related to financial reporting include:
① Failing to select and apply accounting policies in accordance with the accounting standards for business enterprises;
② There is no corresponding control mechanism or compensatory control for important unconventional or special transactions;
③ There are one or more defects in the financial reporting process at the end of the period, which have an important impact on the authenticity and accuracy of the financial report.
General defects except for the above identified as major defects and important defects, other internal control defects related to financial reporting are identified as general defects.
explain:
None 3 Identification standard of internal control defects in non-financial reporting
The quantitative criteria for the evaluation of internal control defects in non-financial reporting determined by the company are as follows:
Index name major defect quantitative standard important defect quantitative standard general defect quantitative standard
Possible direct property possible direct property losses are between major defects and general deficiencies. The amount of possible direct property losses ≥ the amount of profit before tax in the consolidated statements < 1% of 5% of the profit before tax in the consolidated statements
Description: None
The qualitative criteria for the evaluation of internal control defects in non-financial reporting determined by the company are as follows:
Qualitative standard of defect nature
Major defects may lead to the failure to timely prevent or discover one or more control defects that cause major economic and reputation losses to the company or have a significant negative impact on the company’s achievement of key business objectives.
Signs of significant defects in the company’s internal control related to non-financial reporting include:
① Serious violation of national laws, regulations and rules, resulting in punishment by regulatory authorities, causing significant economic losses to the company or serious damage to the company’s reputation;
② The important defects found in the early test have not been rectified in the later test, and there is no corresponding compensatory control;
③ The company’s key control in important business lines and key risk areas has design defects or internal control execution failure, and there is no corresponding compensatory control;
④ Corruption, bribery, misappropriation of public funds and other fraudulent acts committed by directors, supervisors and senior managers;