internal control system
(revised in April 2022)
Chapter I General Provisions
Article 1 in order to improve the risk management level of Gosun Holdings Co.Ltd(000971) (hereinafter referred to as “listed company”) and protect the legitimate rights and interests of investors, in accordance with the company law of the people’s Republic of China, the securities law of the people’s Republic of China, the basic norms of enterprise internal control and the supporting guidelines of enterprise internal control This system is hereby formulated in accordance with the self regulatory guidelines for listed companies of Shenzhen Stock Exchange No. 1 – standardized operation of listed companies on the main board and other relevant provisions.
Article 2 the internal control referred to in this system (hereinafter referred to as “internal control”) is a process implemented by the company’s board of directors, board of supervisors, management and all employees to achieve control objectives. The objective of internal control is to reasonably ensure the legal compliance of enterprise operation and management, asset safety, authenticity and integrity of financial reports and relevant information, improve operation efficiency and effect, and promote the realization of enterprise development strategy.
Article 3 a listed company shall ensure the complete, reasonable and effective implementation of this system, so as to improve the effect and efficiency of the company’s operation, enhance the reliability of the company’s information disclosure and ensure the legality and compliance of the company’s behavior.
Article 4 the board of directors of a listed company shall be responsible for the establishment, improvement, effective implementation, inspection and supervision of the company’s internal control system. The board of directors and all its members shall ensure the authenticity, accuracy and integrity of the information disclosure related to internal control.
Article 5 this system is applicable to listed companies and subsidiaries.
The “subsidiaries” mentioned in this system refer to wholly-owned subsidiaries, holding subsidiaries and equity investment enterprises that have not reached the controlling position but have actual control within the scope of the consolidated statements of listed companies. Chapter II framework of internal control
Article 6 when establishing and implementing internal control, listed companies and subsidiaries shall follow the following principles:
(I) principle of comprehensiveness. Internal control shall run through the whole process of decision-making, implementation and supervision, covering various businesses and matters of listed companies and subsidiaries.
(II) principle of importance. Internal control should pay attention to important business matters and high-risk areas on the basis of comprehensive control.
(III) principle of checks and balances. Internal control shall form mutual restriction and supervision in the aspects of governance structure, institutional setting, distribution of rights and responsibilities, business process, etc., and take into account the operation efficiency.
(IV) principle of adaptability. The internal control shall adapt to the business scale, business scope, competition and risk level, and shall be adjusted in time with the changes of the situation.
(V) cost benefit principle. Internal control should weigh the implementation cost and expected benefits to achieve effective control at an appropriate cost.
Article 7 when establishing and implementing the internal control system, listed companies and subsidiaries shall consider the following basic elements: (I) goal setting refers to the strategic objectives set by the board of directors and management according to the company’s risk preference. (II) internal environment refers to the governance structure, institutional setting and distribution of rights and responsibilities, internal audit, human resources policies, corporate culture, etc., which is the basis for the implementation of internal control.
(III) risk identification refers to the internal and external risk factors confirmed by the board of directors and the management that affect the achievement of the company’s objectives.
(IV) risk assessment refers to the method that the board of directors and the management determine to manage risks according to the possibility and impact of risk factors.
(V) risk response refers to the selection of risk management strategies by the board of directors and management according to the company’s risk tolerance and risk preference.
(VI) control activities refer to the systems and procedures formulated to ensure the effective implementation of risk management strategies, including approval, authorization, verification, adjustment, review, regular inventory, record check, functional division, asset preservation, performance appraisal, etc.
(VII) information communication refers to the timely and accurate collection and transmission of information related to internal control to ensure effective communication within the company and between the company and the outside.
(VIII) internal supervision refers to the supervision and inspection of the establishment and implementation of internal control, the evaluation of the effectiveness of internal control, and the timely improvement of internal control defects found.
Article 8 the internal control of listed companies and subsidiaries shall generally cover all business links in business activities, including but not limited to:
(I) sales and collection: including order processing, submitting solutions and quotations according to customer needs, customer testing, credit management, providing services, sales invoices, confirming revenue and accounts receivable, cash receipt and its records, etc.
(II) purchase and payment links: including purchase application, processing purchase order, accepting goods, filling in acceptance report or processing return, recording accounts payable, approving payment, payment and its records, etc.
(III) operation links: including service opening, daily operation and maintenance, cost calculation, etc.
(IV) fixed assets management links: including self construction, purchase, disposal, maintenance, custody and recording of fixed assets.
(V) monetary fund management links: including the entry, transfer out, recording and reporting of monetary funds, and the authorization of cashier and financial personnel.
(VI) related party transactions: including the definition of related parties, pricing, authorization, execution, reporting and recording of related party transactions.
(VII) guarantee and financing links: including authorization, execution and recording of borrowing, guarantee, acceptance, financial leasing, issuance of new shares, issuance of bonds, etc.
(VIII) investment links: including investment in securities, equity, real estate, operating assets, financial derivatives, financial products and other long-term and short-term investments, entrusted financial management, decision-making, implementation, custody and records of the use of raised funds, etc.
(IX) R & D links: including basic research, product design, technology development, product testing, R & D records and document storage.
(x) personnel management links: including employment, signing employment contracts, training, asking for leave, overtime, leaving, dismissal, retirement, timing, salary calculation, calculation of individual income tax and various withholding, salary records, salary payment, attendance and assessment, etc.
Article 9 the internal control system of listed companies not only covers the control of all links of business activities, but also includes various management systems throughout all links of business activities, including but not limited to: investment management, guarantee management, financial management, asset management, information disclosure management, subsidiary management and other management systems. Article 10 listed companies and subsidiaries shall use information technology to strengthen internal control, establish an information system suitable for operation and management, promote the organic combination of internal control process and information system, realize the automatic control of business and matters, and reduce or eliminate human manipulation factors. The internal control system of information management should at least cover the following contents: (I) the division of rights and responsibilities between information processing department and user department; (II) functions and responsibilities of information processing department; (III) control of system development and program modification; (IV) control of program and data access and data processing; (V) security control of archives, equipment and information; (VI) control of public information disclosure on the company’s website or other websites.
Article 11 listed companies and subsidiaries shall establish an incentive and restraint mechanism for the implementation of internal control, incorporate the implementation of internal control by each responsible unit and all employees into the performance evaluation system, and promote the effective implementation of internal control.
Article 12 an accounting firm entrusted by a listed company to engage in internal control audit shall audit the effectiveness of the internal control of a listed company and issue an audit report in accordance with relevant laws, regulations and practice standards. An accounting firm that provides consultation for the internal control of a listed company shall not provide internal control audit services for a listed company at the same time.
Chapter III Control of special risks
Section I management control of subsidiaries
Article 13 a listed company shall focus on strengthening the management and control of its subsidiaries, mainly including:
(I) establish a control system for each subsidiary, and clarify the selection methods, responsibilities and authorities of directors, supervisors and important senior managers appointed to the subsidiary;
(II) according to the strategic planning of the listed company, coordinate the business strategy and risk management strategy of the subsidiaries, and urge the subsidiaries to formulate relevant business operation plans, risk management procedures and internal control systems;
(III) formulate the performance evaluation and incentive and restraint system of subsidiaries;
(IV) formulate an internal reporting system for major events of subsidiaries, timely report major business events, major financial events and other information that may have a great impact on the trading price of shares and their derivatives of listed companies to listed companies, and report major events to the board of directors or the general meeting of shareholders of the company for deliberation in strict accordance with the authorization provisions;
(V) require subsidiaries to timely submit important documents such as resolutions of the board of directors, resolutions of the general meeting of shareholders or the general meeting of shareholders to the Secretary of the board of directors of the listed company;
(VI) regularly obtain and analyze the quarterly or monthly reports of each subsidiary, including operation reports, production and sales statements, balance sheets, income statements, cash flow statements, statements of providing funds to others and external guarantees, and entrust an accounting firm to audit the financial reports of the subsidiary in accordance with relevant regulations;
(VII) evaluate the implementation, inspection and supervision of the internal control system of subsidiaries.
Section II internal control of other risks
Article 14 a listed company shall take relevant internal control measures for specific risks according to different industry characteristics, strategic objectives and risk management strategies. Establish a special internal control system for the control of related party transactions, provision of guarantees, use of raised funds, major investments, information disclosure and other activities.
Chapter IV Inspection and supervision of internal control
Article 15 listed companies and subsidiaries shall regularly and irregularly inspect the implementation of the internal control system. Through the inspection and supervision of the internal control system, the board of directors and the management shall find out whether there are defects in the internal control system and problems in the implementation, and make timely improvement to ensure the effective implementation of the internal control system.
Article 16 listed companies and subsidiaries shall determine that the internal audit department is responsible for the daily inspection and supervision of internal control, and allocate special internal control inspection and supervision personnel according to relevant regulations and actual conditions. Listed companies and subsidiaries can arrange the setting of this functional department according to their own organizational structure and industry characteristics.
Article 17 a listed company shall formulate the annual internal control inspection and supervision plan of the listed company and its subsidiaries according to its own business characteristics, which shall be used as the basis for evaluating the operation of internal control.
Article 18 the internal audit department of a listed company shall submit a report on the inspection and supervision of internal control to the board of directors after the end of the year.
Article 19 the board of directors of a listed company shall guide the inspection and supervision of internal control and review the report on the inspection and supervision of internal control submitted by the inspection and supervision department. The specific work shall be implemented by the audit committee under the board of directors.
Article 20 the inspection and supervision staff shall truthfully reflect the internal control defects found in the inspection and supervision and the problems existing in the implementation in the internal control inspection and supervision report, and track them after reporting to the board of directors, so as to ensure that relevant departments and subsidiaries have taken appropriate improvement measures in time.
Article 21 the working materials of the inspection and supervision department, including the internal control inspection and supervision report, working papers and relevant materials, shall be kept for at least 10 years.
Chapter V Information Disclosure of internal control
Article 22 in the inspection and supervision of internal control, if a listed company and its subsidiaries find that there are major defects or risks in internal control, they shall report to the board of directors in time.
Listed companies and subsidiaries shall explain the links, consequences, relevant responsibilities and remedial measures to be taken in the report.
Article 23 the board of directors of a listed company shall evaluate the establishment and implementation of internal control according to the report on the inspection and supervision of internal control and relevant information, and form a self-evaluation report on internal control. The board of directors of a listed company shall form a resolution on the self-evaluation report of internal control while considering the annual financial report and other matters. Article 24 the board of directors of a listed company shall disclose the annual self-evaluation report of internal control and the verification and evaluation opinions of the accounting firm on the self-evaluation report of internal control at the same time as the disclosure of the annual report. Article 251 the internal control self-evaluation report shall at least include the following contents:
(I) statement of the board of directors on the authenticity of the internal control report;
(II) overall situation of internal control evaluation;
(III) basis, scope, procedures and methods of internal control evaluation;
(IV) internal control defects and their identification;
(V) rectification of internal control defects of the previous year;
(VI) proposed rectification measures for internal control defects this year;
(VII) conclusion on the effectiveness of internal control.
Chapter VI supplementary provisions
Article 26 this system shall come into force as of the date when it is approved by the board of directors of listed companies.
Article 27 the internal audit department of listed companies shall be responsible for the interpretation of this system.