Advertisement

Built on Value pp 373-415 | Cite as

Internal Controls and Internal Audit

  • Weiwei HuangEmail author
Open Access
Chapter

Abstract

Huawei is committed to its fight against embezzlement, waste, jobbery, and corruption amongst senior managers. It seeks to receive income from a single source. Huawei delegates authority to field offices, enabling them to have more autonomy and operate more flexibly and efficiently. Authority delegated must be exercised with effective oversight, and the purpose of oversight is to delegate more authority. To Huawei, oversight is the best way to care for and protect its managers. The company values basic processes and systems, especially the internal control system. When building its internal control system, Huawei insists on “wearing American shoes” and starting from scratch, rather than patching up an existing system.

Huawei is committed to its fight against embezzlement, waste, jobbery, and corruption amongst senior managers. It seeks to receive income from a single source.

Huawei delegates authority to field offices, enabling them to have more autonomy and operate more flexibly and efficiently. Authority delegated must be exercised with effective oversight, and the purpose of oversight is to delegate more authority. To Huawei, oversight is the best way to care for and protect its managers. The company values basic processes and systems, especially the internal control system. When building its internal control system, Huawei insists on “wearing American shoes” and starting from scratch, rather than patching up an existing system.

The company has established three lines of defense for internal controls. The first line of defense is to control risks in its business operations. This is the most important line of defense, with business managers and process owners serving as the primary owners for internal controls. The second line of defense refers to functional departments, which are accountable for internal controls and risk monitoring. These departments should streamline the management of major risks across processes and domains. The third line of defense is the Internal Audit Department, which establishes cold deterrence through independent assessments and after-fact investigations.

Process controls aim to plug the leaks in processes. ICFR ensures that data in financial reports is reliable, rule-based, and robust. All process activities that affect financial reports, including balance sheets, profit & loss statements, and cash flow statements, fund and asset security, or ITC of Huawei or any of its subsidiaries, fall under ICFR. Financial report quality must meet stringent regulatory standards. To ensure the quality of its financial reports, Huawei must start by managing the quality of business data.

At Huawei, the Internal Audit Department plays an independent oversight role in anti-corruption, anti-fraud, and anti-waste activities. The primary goal of this is to establish cold deterrence. During internal audits, the company separates investigations and disciplinary actions. While investigations are rigorous, disciplinary decisions show leniency. The Internal Audit Department assumes people are innocent before proven guilty and maintain a sense of propriety in imposing disciplinary actions against mistakes made at work.

The Internal Audit Department focuses on individual issues and establishes deterrence by addressing these issues. Oversight is everywhere and focuses on business-specific issues, and partners with business departments to uncover, manage, and mitigate risks throughout the process. The Committee of Ethics and Compliance (CEC) focuses on company-wide issues and aims to create a favorable environment for ethical compliance.

This chapter outlines the big picture for Huawei’s objectives, principles, ownership system, and policy boundaries related to internal controls and internal audit.

15.1 The Company’s Oversight System: The Governance Structure and Three Lines of Defense

15.1.1 The Oversight System: Governance Structure

The Audit Committee is a specialist committee that operates under Huawei’s Board of Directors. Within the scope of authority set forth by the Board of Directors, the Audit Committee oversees internal controls, covering the entire internal control system, internal and external audits, corporate processes, as well as the company’s legal, regulatory, and BCG compliance. The Audit Committee is made up of members of the Supervisory Board, the Board of Directors, and relevant experts. Audit Committee membership must be approved by the Board of Directors. Internal audit organizations and our external auditor report to both the Audit Committee and the Board of Directors. (Source: Audit Committee Charter (Provisional), Board of Directors Doc. No. [2012] 008)

The Supervisory Board is Huawei’s highest oversight body. On behalf of the company’s shareholders, it exercises oversight authority over the company. It oversees members of the Board of Directors and other senior executives, and stands outside of the company’s processes. Departments at different levels implement business rules; the Supervisory Board implements oversight rules. The oversight-oriented subsidiary boards of directors report to the Supervisory Board. (Source: Minutes of the Dali Meeting on the Company’s Future Governance Structure, BOD Executive Committee Meeting Minutes No. [2015] 015)

In the future, the company’s Supervisory Board should focus more on oversight of daily operations. Authority over human resources falls under the purview of the Board of Directors. The Supervisory Board can initiate and handle certain issues, but disciplinary actions against any personnel involved should be taken by the Board of Directors and the HRC. They will hand any personnel issues over to the HRC Disciplinary and Supervisory Sub-committee, which is the organization with personnel management authority. The Supervisory Board doesn’t handle personnel issues directly. (Ren Zhengfei: Speech at the First Meeting of the Fourth Supervisory Board, 2015)

The company’s senior management is ultimately accountable for internal controls of the entire company. They should set the tone for internal controls by emphasizing their importance and building and continuously improving the internal control environment across the company. (Source: Internal Control System 3.0, Corp. Doc. No. [2012] 238)

15.1.2 Internal Controls: Three Lines of Defense

As the company develops more rapidly, our management may not cover all aspects, and we will find increasing numbers of temporary loopholes. This is why we have established three lines of defense within our internal control system.

The first line of defense, which is the most important, controls risks during business operations. We should put over 90% of our effort into developing an effective first line of defense, which should be standardized but flexible. We need to flexibly respond to the service needs of different customers. The ultimate goal is to have business managers take responsibility for internal controls. For example, the manager of a certain business will also be responsible for the internal controls of that business. This approach should be extended all the way up to the top levels of the company. We must never waver in our determination to strengthen our first line of defense, and move towards the process ownership system one step at a time. This means we will gradually delegate authority to process owners. Country representatives will eventually become general managers who need to meet the basic requirements for overall business operations. The company’s processes must be simple and effective. The majority of our oversight must be based on processes. Processes themselves are a line of defense, so if we develop our processes properly, we will already have a strong defense system. Streamlining processes is a goal we will pursue with resolve.

The second line of defense ensures consistent management of major risks across processes and domains. Functional departments for internal controls and risk monitoring must promote the application of methodologies. A large number of managers should be trained on internal controls before going to work in the field. The second line of defense must provide many methodologies and also add, rotate, and develop numerous managers for the first line of defense. We have to define what responsibilities process owners should have. The Semi-Annual Control Assessment (SACA) is an assessment of process owners, and we should help them launch some pilots, establish process control systems, define jobs and roles, and get the whole system working correctly. At the same time, we should plan and deploy a Golden Seeds program country by country to roll out iSales, streamline configuration, and manage delivery in the Enterprise Resource Planning (ERP) system. Once the program succeeds, the golden seeds can be divided into two teams, and transferred to other countries. If they succeed again, a new group of golden seeds will emerge. This acts like an upward spiral that constantly produces new golden seeds. A new cohort of these will be promoted into managers. If they all have successful track records, then why not let them take over representative offices? Why not let them take over HQ? They will be welcomed back to HQ in high spirits. Who says they can’t be leaders in their twenties?

Our third line of defense assesses risks and internal controls independently through audits and investigations. The objective of the third line of defense is to establish cold deterrence. (Ren Zhengfei: Speech at the Briefing on the Proposal for Optimizing the Three Lines of Defense for Corporate Internal Controls and Risk Management, Huawei Executive Office Speech No. [2014] 005)

Our first line of defense should identify the vast majority of issues, but there may still be loopholes. This is where the third line comes in: It locates and closes loopholes to establish cold deterrence. We can also call in external organizations to review our processes. This third line will never vanish. Once the first line of defense is set up, the third line shouldn’t have too much to do. However, this doesn’t mean the first line should be careless and rely on Auditing to clean up issues for them. If a rotten apple gets no attention, it makes no sense. When we build processes and organizations, we should remove this apple. That is to say, once a problem is found, no matter how large or small, an audit must scour every speck of dirt, even removing ant eggs. That helps establish the cold deterrence needed to support the building of the first line of defense. (Ren Zhengfei: Speech at the Briefing on the Proposal for Optimizing the Three Lines of Defense for Corporate Internal Controls and Risk Management, Huawei Executive Office Speech No. [2014] 005)

We need to further define the responsibilities of owners for the three lines of defense.

The first line of defense is comprised of business managers and process owners, who are also the primary owners of internal controls. We must build internal controls, awareness, and capabilities amongst our employees, and ensure process compliance at checkpoints and during real practices. Process compliance ensures the quality of authority exercises. We need to implement a process ownership system that ensures process owners and business managers are truly accountable for internal controls and risk monitoring. This should eliminate 95% of risks during process-based operations. Business managers must be able to do two things: create value and effectively implement internal controls.

The second line of defense is comprised of functional departments that are responsible for internal controls and risk monitoring. These departments should streamline the management of major risks across processes and domains. They should also develop methodologies, promote their application, and ensure employees at all levels have the required capabilities. The inspection team should focus on real-time events and serve as a helping hand to business managers. The inspection team must not overstep its authority though, and should remember that business managers are the primary owners of management. The inspection team needs to help business managers manage their business in a mature manner, identify problems, make improvements, and effectively resolve problems. The inspection and internal controls teams are to exercise the authority of oversight while helping business departments work according to processes. One thing is clear: Neither the Inspection Department nor the Internal Controls Department is accountable for internal controls.

Our third line of defense is the Internal Audit Department. Like a government’s legal branch, this department establishes cold deterrence through independent assessments and after-fact investigations. Once the audit team uncovers a small issue, it will dig deep into it, temporarily ignoring all other issues no matter how severe they are. The audit team will focus on that small issue, and thoroughly examine the risks it poses. There are two types of investigation: vertical and horizontal. There are no hard rules about this delineation and issues are not ranked based on severity. The audit team looks into any issues they discover to establish cold deterrence. This will discourage people from acting inappropriately. (Ren Zhengfei: Internal and External Compliance to Generate More Revenue and Pave the Way for the Company’s Future Success—Speech at a Meeting with the Oversight Team, Huawei Executive Office Speech No. [2017] 002)

The three lines of defense for oversight need to operate smoothly under the management of the Supervisory Board and the Audit Committee. The key points to implement the process ownership system are that: (1) Process owners, managers, and key position holders fulfill their full responsibilities; and (2) Effective and closed-loop employee education, management, investigation, as well as disciplinary and legal actions address both the symptoms and the root cause. (Source: Minutes of a Report on the Strategic Plan of the Internal Audit Department, EMT Meeting Minutes No. [2014] 025)

The Internal Audit Department focuses on individual issues and establishes deterrence by addressing these issues. Oversight is everywhere and focuses on business-specific issues, and partners with business departments to uncover, manage, and mitigate risks throughout the process. The CEC focuses on company-wide issues and aims to create a favorable environment for ethical compliance. The CEC exercises oversight throughout the company. (Ren Zhengfei: Minutes of the Meeting with Staff of the Romania Accounting SSC, Huawei Executive Office Speech No. [2011] 021)

15.2 Process Controls

15.2.1 Oversight Aims to Prevent Corruption, Improve Operations, and Establish Deterrence

We must continue our fight against embezzlement, waste, jobbery, and corruption amongst senior managers. (Ren Zhengfei: Working Effortlessly to Build Even Greater Prosperity—Speech at the Inauguration for Managers from Finance and Procurement, 1996)

We don’t perform oversight for the sake of oversight. Nor do we want everyone to be pure and innocent. Oversight acts as deterrence: It helps the company move forward in the right direction, following our pre-set policies and processes. It will keep the whole company from going down the drain because of the greed of some individuals. (Ren Zhengfei: Implementing Oversight with Care, Huawei Executive Office Speech No. [2011] 013)

We seek to receive income from a single source. Our EMT has made it clear that the income of our senior managers and key employees can only come from the salaries, incentives, bonuses, and other schemes offered by Huawei. Income from other sources is not allowed. We have established organizations and systems to prevent anyone at Huawei, from the most senior executives down to the execution level, from destroying our collective interest through conflict-of-interest transactions for personal gain. Over the past two decades, we have mainly received income from a single source, and through this have formed a team of 150,000 employees who are united and dedicated to the company’s success. I am aware there are still many flaws in our management, but we are trying our utmost to improve. I believe our HR policies will become more scientific if we continue to receive income from a single source. Consequently, our employees will become more passionate about their work. Then, there will be nothing that we can’t achieve. (Ren Zhengfei: Working Together Towards the Same Goal, Receiving Income from a Single Source—2013 New Year Greeting, 2012)

If we can work together towards the same goal and receive income from a single source, Huawei will not fail. If we abandon these principles, we will probably fail. (Ren Zhengfei: Working Together Towards the Same Goal, Receiving Income from a Single Source—2013 New Year Greeting, 2012)

I recommend that you all read up on the Enron scandal of 2001. This seemed like it was just a matter of some false accounting. However, this company, worth several hundred billion dollars, tampered with their books and, in the end, the CEO received a 150-year prison sentence and the company collapsed. The reason we have been determined and gone to great expenses to become fully compliant: When we dominate the global market, we must not have an Achilles heel for people to exploit and bring us down. (Ren Zhengfei: Speech at the Mid-year Workshop on the Enablement of Subsidiary Board Directors, Huawei Executive Office Speech No. [2014] 074)

Situations where our strategic competitor hooks or corrupts our employees to acquire information has now become more serious than we could have imagined. We must not treat this lightly and must have stricter controls over our core assets and the commercial and technical information in our contract bids. (Ren Zhengfei: Speech at a Briefing on the Progress of Large-scale Elimination of Corruption, Huawei Executive Office Speech No. [2014] 010)

If we don’t improve our systems or strengthen employee education, corruption will fester and the company will be doomed. (Ren Zhengfei: Speech at a Briefing on the Progress of Large-scale Elimination of Corruption, Huawei Executive Office Speech No. [2014] 010)

After authority is delegated, we must strengthen oversight over its exercise and establish an accountability system. Approval is part of business processes and cannot replace oversight, as oversight is independent from business processes. (Ren Zhengfei: Minutes of the Report on Contract Categorization Analysis and Recommendations, EMT Meeting Minutes No. [2014] 008)

Over the last year or so, the “startup and innovation culture” has swept across China. Increasing numbers of employees are leaving Huawei to start their own businesses, but we must make sure that none of them are taking information assets from the company when they leave. They are not allowed to use the company’s assets as the basis for starting their own businesses. We must deal swiftly and decisively with anyone who starts a business using Huawei’s technical or commercial secrets. (Source: Minutes of the Report on Current Problems and Challenges in Information Security, and Remedies, EMT Meeting Minutes No. [2015] 018)

Our oversight system must be able to make good compromises and establish cold deterrence. The ultimate goal of compromising is to support business growth. (Ren Zhengfei: Speech on the Audit Committee’s 2014 Annual Work Report at the January Board of Directors Meeting, Huawei Executive Office Speech No. [2015] 017)

Many people at Huawei still don’t place much emphasis on internal controls. This might be caused by issues with our HR assessment system, which focuses heavily on how many contracts one wins. Most people don’t do bad things, so they take it for granted that others don’t, either. Why are we building an oversight elite team? We want business managers to receive training and practice so they come to understand what oversight is all about. We have to work hard and must not slack off. Our internal controls and oversight are not designed to slow things down, but to make our processes smoother and faster. As you know, high-speed trains run very fast, but imagine what it would be like if there were no internal controls! High-speed railways have very good processes and internal controls. For example, the direct train from Beijing to Shenzhen does not stop anywhere in-between. Do you know how many checkpoints it passes in one night? Lots, but they don’t slow it down. In addition, we will implement an approval system for large departments, and every department will have only one approval point with a specific time limit. After the deadline, things will be approved automatically. However, when problems arise, the approval point will be accountable. This will ensure that we operate as fast as high-speed trains. (Ren Zhengfei: Internal and External Compliance to Generate More Revenue and Pave the Way for the Company’s Future Success—Speech at a Meeting with the Oversight Team, Huawei Executive Office Speech No. [2017] 002)

15.2.2 “Wearing American Shoes” and Starting from Scratch to Build Huawei’s Internal Control System

The EMT sees great value in IBM’s internal control system. To build Huawei’s internal control system, we must “wear American shoes” and start from scratch, rather than patching up an existing system. If our organizational structure doesn’t quite fit with processes, we should adapt our structure to processes. We can keep managers who understand this system, but those who don’t, no matter how senior, will have to leave their positions. We need to assign some bright minds to learn from IBM and establish such a system in our company. (Ren Zhengfei: Wearing American Shoes and Starting from Scratch to Build Huawei’s Internal Control System—An Introduction to IBM’s Internal Control Practices and EMT’s Guidelines for Building Huawei’s Internal Control System, Huawei Executive Office Speech No. [2007] 032)

To ensure the transformation of our internal control management is implemented effectively, we must first build an environment that is conducive to internal controls. Our managers at different levels must set an example. Those who understand IBM’s internal control management system will be appointed to managerial positions and managers who cannot understand this system will be reassigned. All managers must step up efforts to learn about IBM’s internal control management processes, methods, and experience. They need to take exams, either online or during training sessions, to prove their mastery of essential knowledge about internal controls. Those who fail their exams will have their salaries frozen and will no longer have advancement opportunities. If they fail the exams a second time, or do not take the exams within a specified timeframe, they will be reassigned. (Ren Zhengfei: Wearing American Shoes and Starting from Scratch to Build Huawei’s Internal Control System—An Introduction to IBM’s Internal Control Practices and EMT’s Guidelines for Building Huawei’s Internal Control System, Huawei Executive Office Speech No. [2007] 032)

To continuously increase internal control awareness of business managers, we need to establish career development paths and mobility programs for managers, and assign managers with extensive experience in business operations to our audit and oversight teams. We also need to send internal control high-performers to serve as managers within business departments. (Ren Zhengfei: Wearing American Shoes and Starting from Scratch to Build Huawei’s Internal Control System—An Introduction to IBM’s Internal Control Practices and EMT’s Guidelines for Building Huawei’s Internal Control System, Huawei Executive Office Speech No. [2007] 032)

The company values basic processes and systems, especially the internal control system. We must also establish an accountability system, which needs to define what kinds of disciplinary actions will be taken for different violations. Disciplinary actions need to be taken against wrongdoers themselves and also their senior managers. (Ren Zhengfei: Wearing American Shoes and Starting from Scratch to Build Huawei’s Internal Control System—An Introduction to IBM’s Internal Control Practices and EMT’s Guidelines for Building Huawei’s Internal Control System, Huawei Executive Office Speech No. [2007] 032)

We will rework our Internal Control System document by strictly following IBM’s internal control practices. This document will serve as our guidelines for improving our internal control system and does not need to be confined to the content in our approved documents. (Source: Resolution on the Plan for Improving Huawei’s Internal Controls, EMT Resolution No. [2007] 045)

We need to study IBM’s authority delegation rules, and its philosophy and methodology on how to apply checks and balances through oversight. We must not be too radical when delegating authority and must be careful when defining the scope of authority to be delegated and to whom it will be delegated. We will first delegate limited authority to domains where there is an urgent need for authority and management is relatively mature. In addition, we must build an oversight system to ensure checks and balances. The philosophy must be communicated across all levels and authority must be delegated step by step. After authority has been delegated and exercised, we can review and assess how things work. In mature domains, we can further delegate authority. By proceeding gradually, we can make the system run effectively within three years. (Ren Zhengfei: Speech at the Report on IBM’s Authorization Practices and Huawei’s Direction for Improvement, EMT Meeting Minutes No. [2008] 004)

Authority delegation must revolve around processes, as they determine the organizational structures. If a department’s structure does not align with processes, then we will restructure the department to suit the processes. Departments involved in oversight and checks and balances must participate in the authority delegation project. (Ren Zhengfei: Speech at the Report on IBM’s Authorization Practices and Huawei’s Direction for Improvement, EMT Meeting Minutes No. [2008] 004)

15.2.3 Internal Control Management: Objectives and the Framework

Objectives of internal control management

Internal controls aim to improve our operating processes, procedures, and management, close the loopholes of processes, and summarize the lessons learned. Internal Controls must make friends with people, employees in particular. If there are any issues, Internal Controls must be able to provide methods for addressing these issues through discussion. Internal Controls functions like a business department. It looks at how we do business from a different angle in order to identify potential execution errors. Unless there is sufficient evidence to indicate individual wrongdoing, we should just focus on fixing what has gone wrong, not on assigning blame. If processes are well-defined, we won’t face too many issues. Only when we have created a culture of teamwork, can we help the company develop on a large scale. (Ren Zhengfei: Remarks at a Meeting with Procurement Managers, 2000)

The purpose of internal controls is to ensure the company’s funds and assets are secure, the company’s financial reports are accurate, and the company is fully compliant with the law. Internal controls are meant to effectively control operational risks, improve operating efficiency and effectiveness, and help the company achieve its set goals. (Source: Internal Control System 3.0, Corp. Doc. No. [2012] 238)

During its meeting on April 29, 2015, the EMT defined Huawei’s internal control targets over the next three years as follows:
  1. 1.

    By 2017, the company should achieve maturity in its internal controls, with a minimum internal control score of “Basically Satisfactory” (60%).

     
  2. 2.

    By H1 2015, the minimum internal control maturity score will be 30%. Any manager whose department’s score is below 30%, and who is not making efforts to increase that score, will face impeachment.

     
  3. 3.

    Minimum internal control maturity scores for H2 2015, end of year 2016, and end of year 2017 are set at 40%, 50%, and 60%, respectively. The Worldwide Business Controls Department (WWBC) is authorized to adjust the scores of local offices. After approval by the Audit Committee, these scores will be published at the beginning of each year. (Source: Resolution on Fulfilling the Internal Control Responsibilities of Managers and Process Owners, EMT Resolution No. [2015] 007)

     
To achieve a “Basically Satisfactory” internal control maturity rating, a department must have:
  1. 1.

    Properly designed processes that are implemented accurately, resulting in no major risks and only suffering losses within normal bounds

     
  2. 2.

    Accurate financial reports, with no major discrepancies or post-reporting adjustments

     
  3. 3.

    No serious compliance violations during the reporting period, such as repeated violations. (Source: Minutes of the Meeting on 2015 Internal Control Assessments and More Detailed Definition of the “Basically Satisfactory” Standard, Audit Committee Meeting Minutes No. [2015] 016)

     

The internal control management framework

Layer 1: the Control Environment. This serves as the base of the internal control pyramid. The global end-to-end processes and ownership system act as the foundation for Huawei’s internal control system and must be fully understood and implemented to ensure internal controls are successful. Global process owners have the primary responsibility for internal controls within their processes.

Layer 2: Control Tools and Indicators. This includes the compliance testing of KCPs, internal and external audit results, and other control tools and indicators that have been defined as essential inputs for the internal control assessment.

Layer 3: Assessments. Company management can view and use the assessment reports regularly. Through the use of the control tools at Layer 2 and associated reviews, the control indicators are converted into useful information with which Huawei’s control posture can be assessed regularly.

Layer 4: Appraisal and Accountability. Guided by business controllers, business owners and managers complete performance appraisals and accountability assessments, applying the assessment results from Layer 3 and considering the process for fulfilling their oversight responsibilities. These responsibilities include reviews, discussions, business risk assessments, operations monitoring, communication, information sharing, and professional assessments. Internal audit personnel and business controls departments also combine these outputs with their own professional analysis. This allows them to produce reports on audit findings and the company’s internal controls. These reports are delivered to the Audit Committee and the EMT who then implement appropriate rewards, or disciplinary or corrective actions.

Layer 5: Policies. Top management including the Board of Directors and the EMT is responsible for the effectiveness of internal controls and the company’s control posture; and develops and reviews internal control policies. (Source: Huawei Internal Control Framework V3.0, Corp. Policy No. [2014] 002)

15.2.4 Implementing the Process Ownership System

Currently, authority is centrally controlled by management teams without constraints, especially in junior- and mid-level management teams far away from oversight of HQ. These teams can easily become independent “kingdoms”. Process owners must therefore be given the corresponding authority to review salaries and bonuses and assess and promote managers. This ensures checks and balances. Level-1 departments at HQ are already set up by function, so next, we need to review and streamline level-2 and level-3 departments. We also need to restructure lower-level departments so there is a stronger focus on processes. This will prevent the formation of independent “kingdoms” in departments that are vertically managed instead of being managed under a matrix. We must delegate sufficient authority to process owners, avoid wasting resources, and tear down departmental silos. (Ren Zhengfei: Minutes of the Report on Work Responsibilities of Business Controls and Internal Controls/Internal Audit and Their Relationships, EMT Meeting Minutes No. [2008] 034)

We remain completely committed to a process-based management approach and to improving our process ownership system. We need to shift from process compliance to process ownership. Business managers and process owners need to be truly responsible for oversight. In the past, we focused on process compliance. This meant that you could do a good job just by following a process. Process ownership takes that idea one step further: Whoever signs off on the task is accountable for anything that goes wrong. We’ve made it clear that managers should have to sign off on things they are accountable for. Signing off means that you accept that accountability. (Ren Zhengfei: Speech at a Briefing on the Progress of Large-scale Elimination of Corruption, Huawei Executive Office Speech No. [2014] 010)

Normally, people think that the process ownership system will ensure that nothing ever goes wrong, and owners will be held accountable if something goes wrong, but they are not accountable for being slow. If this is what our process ownership system is all about, our company will slack off and even collapse. When I talk about a process ownership system, I mean timely and accurate services and greater success, not zero accidents. We want a system of fast trains, not a system that keeps trains in the station for the sake of avoiding accidents. If a person cannot achieve this, then they are not capable and we will replace them with someone who is capable. So, what do we do when accidents occur? We hold people accountable. Those who get trains running both fast and accurately should be promoted through fast tracks. (Ren Zhengfei: Speech at the Oath-taking and Awards Ceremony of the Transformation Elite Team, Huawei Executive Office Speech No. [2015] 047)

Processes will require multiple levels of responsibility, with each level being unique. A high-speed train that runs from Beijing to Guangzhou is an end-to-end service. But in Zhengzhou, train station personnel just have to make sure the train leaves their station on time. They do not have to worry about what happens all the way down to Guangzhou. (Ren Zhengfei: Speech at the Oath-taking and Awards Ceremony of the Transformation Elite Team, Huawei Executive Office Speech No. [2015] 047)

Processes are not perfect, so we need to move oversight downward. Increasing the number of checkpoints isn’t the answer to everything. The same goes for the deployment of the process ownership system. We need to remove checkpoints that don’t help us achieve strategic objectives. (Source: Minutes of the Report on the Work Priority of the Company for Building an Oversight and Accountability System, EMT Meeting Minutes No. [2015] 013)

15.2.5 Internal Control Ownership System

Managers at all levels serve as the primary owners for internal controls

Process owners are oversight owners and so must accept oversight responsibilities. The Oversight Management Department has to give process owners methodologies and templates to help them shoulder these responsibilities, and appraise their performance. This department should not perform the oversight responsibility that belongs to process owners. (Ren Zhengfei: Speech at a Briefing on Regional Oversight, 2007)

The EMT has decided that directors of business departments are responsible for oversight. First of all, it must be made clear that process owners shall take responsibility for three tasks: proactive reviews, internal control checks and assessments, and the development of an authority delegation system. (Ren Zhengfei: Speech at a Briefing on Regional Oversight, 2007)

In our company, management teams are the sole decision-makers. Process owners don’t have a say in these decisions. Therefore, I want to suggest that, starting from today, management teams can only determine employees’ salaries and personal grades, leaving bonus allocation in the hands of process owners. We need to assign both responsibility and authority to process departments. Process owners are primarily responsible for building processes, and cannot have much assistance from their own departments. They must therefore get this assistance from process building departments. (Ren Zhengfei: Huawei’s Internal Control Organizations Must First Implement a Transitional Plan to Avoid a Management Vacuum—Minutes of the Report by the IFS-Business Controls & Internal Audit Project Team to Mr. Ren and the EMT on the Organizational Restructuring Plan of Huawei’s Business Controls Departments, EMT Meeting Minutes No. [2008] 017)

Process owners shoulder major responsibility for internal controls. By appointing global process owners, business managers become responsible for process operations and must ensure the processes under their management are running in an efficient and controllable manner. Process controllers are process experts. They help process owners build processes and monitor routine process operations by setting KCPs, performing monthly compliance testing, and sending monthly testing and SACA results to Business Controls. (Ren Zhengfei: Huawei’s Internal Control Organizations Must First Implement a Transitional Plan to Avoid a Management Vacuum—Minutes of the Report by the IFS-Business Controls & Internal Audit Project Team to Mr. Ren and the EMT on the Organizational Restructuring Plan of Huawei’s Business Controls Departments, EMT Meeting Minutes No. [2008] 017)

When we look at which managers to promote, particularly senior managers, we look closely at their conduct regarding key processes, and how they have tried to prevent corruption. Anyone who is not firm in preventing corruption will never be more than an ordinary manager. When we look for new senior managers, we need to emphasize this quality. Process owners and business managers in high risk areas who consistently fail to improve their internal controls will have to explain this to the Audit Committee. If a manager submits false reports about internal controls or does not take on their internal control responsibilities, they will be impeached immediately. (Ren Zhengfei: Speech at a Briefing on the Progress of Large-scale Elimination of Corruption, Huawei Executive Office Speech No. [2014] 010)

Business managers are responsible for inspections and internal controls. The purpose of creating new processes is to improve operations (performance and efficiency). (Ren Zhengfei: Speech at a Meeting with the Managerial Control Elite Team, Huawei Executive Office Speech No. [2015] 060)

Managers at all levels are responsible for internal controls. The Managerial Control Elite Team exists to empower managers through a combination of training and practice. With this help, managers should be able to better fulfill their oversight role during process execution. First, Huawei implements a process ownership system. Overseeing a specific business isn’t the responsibility of the Internal Audit Department or the Supervisory Board. Instead, it is the responsibility of the manager of that business. Second, our management needs to be standardized and streamlined in order to increase efficiency. Process owners need to promptly and accurately provide services, and quickly check relevant issues based on simple and standard processes without exercising excessive oversight, letting them pass quickly like a high-speed train. Strategic business departments need to operate within a strong matrix management system. Matrix management means that they have separate business managers and process owners, with the latter assuming 95% of internal control responsibility. For departments outside the matrix system, process owners and business managers are the same people. (Ren Zhengfei: Speech at a Meeting with the Managerial Control Elite Team, Huawei Executive Office Speech No. [2015] 060)

The Business Controls Department is a key functional department for internal controls

The oversight department’s work priorities are to oversee process execution and clarify the internal control responsibilities of major process owners in departments at all levels. They are doing something constructive and need to consider how to lay each brick and fill every gap between the bricks of the Great Wall. In the past, our Business Controls Department only oversaw financial processes, rather than addressing issues in company-wide, end-to-end processes. However, in the future, our quality and oversight management must extend to the end-to-end processes. (Ren Zhengfei: Huawei’s Internal Control Organizations Must First Implement a Transitional Plan to Avoid a Management Vacuum—Minutes of the Report by the IFS-Business Controls & Internal Audit Project Team to Mr. Ren and the EMT on the Organizational Restructuring Plan of Huawei’s Business Controls Departments, EMT Meeting Minutes No. [2008] 017)

The Business Controls Department is responsible for our internal control environment: As an oversight COE, this department provides process owners and controllers with control methodologies and tools, performs comprehensive oversight assessments and SACAs, and briefs the Audit Committee on the overall internal control postures of the company. The Business Controls Department reports to the corporate CFO, even though it oversees all businesses, not just financial matters. This department helps process owners create better process controls, and at the same time oversees process control status. It reflects how checks and balances are applied within the company. (Ren Zhengfei: Huawei’s Internal Control Organizations Must First Implement a Transitional Plan to Avoid a Management Vacuum—Minutes of the Report by the IFS-Business Controls & Internal Audit Project Team to Mr. Ren and the EMT on the Organizational Restructuring Plan of Huawei’s Business Controls Departments, EMT Meeting Minutes No. [2008] 017)

The Business Controls Department’s mission, authority, and responsibilities are to:
  • Provide advice and training on controls;

  • Develop appropriate control tools;

  • Offer guidance and training on controls for existing and new processes;

  • Assess and support the improvement of process controls, including SACAs;

  • Help business managers and process owners rank and prioritize control-related risks and defects;

  • Help develop improvement plans;

  • Monitor plan execution;

  • Coordinate deployment of controls resources (i.e., business controls personnel);

  • Optimize resource deployment. (Source: Internal Control System 3.0, Corp. Doc. No. [2012] 238)

Inspection personnel are there to support process owners and managers

Inspection personnel are there to support process owners and managers. These personnel check up on processes as they are taking place. Inspection teams should offer more training to process owners and managers. (Source: Report and Discussions on Latest CEO Rotation, BOD Executive Committee Meeting Minutes No. [2015] 023)

Inspections are in-process spot checks that ensure process compliance and eliminate fraud, thus establishing deterrence. A combination of training and practice can help business managers do the right things in the right way. (Ren Zhengfei: Speech at a Meeting with the Managerial Control Elite Team, Huawei Executive Office Speech No. [2015] 060)

Inspection personnel focus on events during processes. They offer important support for business managers to identify and solve problems. We are going to assign the responsibility of the Engineering Inspection Department for building a COE and the inspection function of the Internal Audit Department to the Transformation Project Management Office. This office will then be responsible for building up inspection capabilities across the company. Other functions of the Engineering Inspection Department will be transferred to the GTS, and an Engineering Inspection Department will be set up under the GTS to carry out inspections during engineering and service delivery. Hui Chun will become the Executive Steering Committee’s executive deputy chair to support Guo Ping, chair of the committee. Hui Chun will take on responsibility for increasing inspection expertise throughout the company, improving inspection practices and ensuring that all related problems are properly followed up on. (Source: Decision on Adjustments to the Reporting Structure of the Corporate Development, Engineering Inspection, and Regions Management Departments, BOD Executive Committee Resolution No. [2015] 012)

Engineering inspection is the end-to-end inspection of any engineering delivery business. It is supposed to create corrective action plans for identified problems in collaboration with business departments. If any evidence of BCG violations is found during the inspection process, these violations are reported to the Investigation Department of the Internal Audit Department. The Internal Audit Department must focus on establishing deterrence, while the priority of engineering inspections is to promptly identify problems and push for improvements in different business departments. (Source: Minutes of the Report on Organizational Building of the Engineering Inspection Department, EMT Meeting Minutes No. [2011] 010)

15.3 Internal Controls Over Financial Reporting (ICFR)

15.3.1 Building Sustainable and Profitable Growth with High-Quality Process Controls and ICFR

ICFR is a system that was established to ensure that data in financial reports is reliable (accurate and fair), rule-based (internal and external rules), and robust (secure and healthy). All process activities that affect financial reports, including balance sheets, profit & loss statements, and cash flow statements, fund and asset security, or ITC of Huawei or any of its subsidiaries, fall under ICFR. (Source: Minutes of the Report on Decisions Made Regarding Phase 2 of ICFR, Finance Staff Team Meeting Minutes No. [2015] 108)

Financial reporting management aims to address all requirements of the Board of Directors, auditors, and government regulators. It primarily does this from three aspects, through company-level financial reports, subsidiary-level financial reports, and ITC. That means it needs to ensure that financial reports are accurate and fair, and that an ICFR mechanism is in place, so that satisfactory financial reports are consistently delivered. (Source: Resolution on Objectives for Improving Quality of Financial Reports, Finance Committee Resolution No. [2016] 014)

ICFR represents all of Finance’s requirements for business. In other words, Finance has but one requirement for business – to manage ICFR based on the three types of financial reports.
  1. 1.

    ICFR is designed to continuously improve the quality of financial reports.

     
  2. 2.

    ICFR management requirements should include requirements on data quality, ITC, subsidiaries’ compliance with local Generally Accepted Accounting Principles (GAAP), subsidiary financial reporting, and financial process control. A sustainable goal should be set to drive continuous improvement in all these areas.

     
  3. 3.

    Finance’s requirements of business must focus on improving the quality of financial reports. ICFR should serve as a management platform that helps business and finance to continuously improve. (Meng Wanzhou: ICFR—Shifting from Moving Targets to Fixed Targets, Improvement Issue No. 492, 2016)

     

The key to ICFR and financial process controls lies in the establishment of long-term mechanisms. Only by doing so can we avoid starting all over again. (Source: Minutes of a Work Report by the Brazil Representative Office on ICFR and Financial Process Controls, Finance Staff Team Meeting Minutes No. [2015] 105)

ICFR can be neither a major campaign nor a sprint race. We shouldn’t try to achieve our ICFR objectives so quickly that we neglect to build a long-term management mechanism. These efforts would make no sense. Achieving internal control targets must have the support of a set of effective management mechanisms. For example, many problems we see today seem like one-off issues and we assume they are caused by poor process execution. However, if we dig a little deeper, it becomes apparent that these problems are caused by missing processes, poorly adapted processes, or improperly integrated processes. Only through thorough analysis can we see the big picture and understand how to design our integrated solutions. This is how we should establish our long-term improvement mechanism. (Meng Wanzhou: Ensuring the Consistency of Business and Accounts and the Accuracy of Financial Reports—On Signing the ICFR Commitment Letter, Improvement Issue No. 479, 2015)

15.3.2 ICFR Is a Means, and Consistency of Business and Accounts Is an End

The company must first achieve consistency of business and accounts

Following the Enron scandal in 2002, the US Congress passed the Sarbanes-Oxley Act. The Act states that CEOs and CFOs of listed companies are responsible for making sure their company has an effective ICFR system that promptly and accurately discloses financial reports and information. The Act also made fraudulent disclosure and commitment subject to legal sanctions. Of the last 10 lawsuits that were filed in the US involving between US$2 billion and US$7 billion, seven involved false accounting or fraudulent disclosure. (Meng Wanzhou: Ensuring the Consistency of Business and Accounts and the Accuracy of Financial Reports—On Signing the ICFR Commitment Letter, Improvement Issue No. 479, 2015)

Consistency of business and accounts means all financial results must reflect the true state of our business operations. This is also a minimum requirement of law and accounting standards. Independent oversight and strict accountability systems help ensure the consistency of business and accounts. This approach is widely adopted across the industry. Consistency of business and accounts requires more than just consistency of inventory accounts and goods, but also requires reliability, accuracy, and timeliness in all financial reporting, including that of revenue, cost, expenses, payments, collections, and fixed assets. (Source: Work Requirements for Fully Implementing the Consistency of Business and Accounts Targets (ICFR), Group Finance Notice No. [2015] 006)

To achieve consistency of our business and accounts, business and financial personnel must work together to fight false accounting. Legal affairs personnel must also take due responsibility for handling this problem. Many international companies encounter nasty obstacles regarding this issue, garnering punishments that range from heavy fines to the imprisonment of their executives. We also have a major problem ensuring the consistency of our business and accounts. We must resolutely address this problem. In fact, the industry already has a mature management solution that solves this: the ICFR mechanism – applying process controls to ensure the consistency of business and accounts. (Ren Zhengfei: Speech at a Meeting with Employees of the Legal Affairs Department, Secretariat Office of the Board of Directors, and Wireless Network Product Line, Huawei Executive Office Speech No. [2015] 015)

Consistency of business and accounts is the foundation of financial report accuracy. This consistency has two primary requirements: appropriate accounting policies and methods based on complete business data, and business data that includes all business information that may affect the financial team’s assessment (business information that truly reflects the nature of business). Only if these requirements are met, can we ensure the objectivity, reliability, and fairness of our financial reports. (Meng Wanzhou: Ensuring the Consistency of Business and Accounts and the Accuracy of Financial Reports—On Signing the ICFR Commitment Letter, Improvement Issue No. 479, 2015)

We must seek to achieve consistency of business and accounts within five years, as we still aren’t there yet. Because of this, on December 31 last year, we offered leniency to anyone who admitted creating false reports. We show leniency when wrongdoers admit their mistakes. In the end, 4000 to 5000 employees came forward to admit their mistakes. This shows we still have a lot of work to do concerning our internal governance. (Ren Zhengfei: Speech at the World Economic Forum in Davos, 2015)

ICFR assessment results as the acceptance criteria for consistency of business and accounts

ICFR is a means, and consistency of business and accounts is an end. ICFR assessment results will be used as the acceptance criteria for the consistency of business and accounts. The Accounting Management Department will be responsible for checking and accepting the improvements made to the consistency of business and accounts. (Source: Work Requirements for Fully Implementing the Consistency of Business and Accounts Targets (ICFR), Group Finance Notice No. [2015] 006)

Assessment methods should be reasonable, reliable, and feasible. They should not overemphasize precision. (Meng Wanzhou: ICFR—Shifting from Moving Targets to Fixed Targets, Improvement Issue No. 492, 2016)

ICFR assessment methods are based on common, company-wide practices at Huawei, and may not be appropriate for use in high-risk countries. Therefore, regional CFOs in high-risk countries must create their own ICFR assessment methods in accordance with general ICFR principles and methodologies. Local offices in high-risk countries can choose the same assessment methods or tailor their own methods. (Meng Wanzhou: ICFR—Shifting from Moving Targets to Fixed Targets, Improvement Issue No. 492, 2016)

Generally speaking, the assessment rating of internal control maturity should not be higher than that of ICFR. Exceptions can be justified with examples and facts. (Source: Minutes of the Report on the 2016 H1 SACA, Finance Staff Team Meeting Minutes No. [2016] 113)

Quality management of financial reports aims to ensure they meet stringent external regulatory standards

The objective of managing financial report quality is to achieve a “Very Satisfactory” rating (barring certain matters for which the company makes exceptions), according to stringent external regulatory standards, by 2020. (Source: Resolution on Objectives for Improving Quality of Financial Reports, Finance Committee Resolution No. [2016] 014)

Now that we have achieved the CIAG, the EMT has agreed to add one more corporate-level work priority – improving financial report quality to a “Very Satisfactory” rating. Efforts surrounding this goal will be made to drive representative office-oriented integration and achieve the Five Ones1 and consistency of business and accounts. (Source: Minutes of the Report on the Progress of Driving Representative Office-oriented Integration Forward and Achieving Five Ones and CIAG, EMT Meeting Minutes No. [2017] 003)

15.3.3 ICFR: Starting by Managing the Quality of Business Data to Ensure the Quality of Financial Reports

Finance cannot create data out of thin air. Financial data is generated either from business data or business decisions. For this reason, the objectivity, completeness, and accuracy of business data directly determine the quality of financial reports. To ensure financial work quality, we must first manage the quality of business data. This is ICFR. (Meng Wanzhou: ICFR Is a Means, and Consistency of Business and Accounts Is an End, Improvement Issue No. 460, 2014)

The ICFR Regulations must clearly state the ICFR responsibilities of managers at all levels. The responsibilities of CEOs/CFOs and process owners for ensuring the data quality of their respective domains must be clearly defined. Also, in this document, the responsibilities related to managing different types of financial data must be clarified. The document must also contain information about a layered commitment mechanism for fulfilling ICFR responsibilities. Responsibility fulfillment needs the support of tools and methodologies. Key control over financial reporting (KCFR) is a key tool for supporting ICFR. What is KCFR? KCFR is a tool used to identify key control elements that impact financial report quality throughout processes. Internal control methods, such as compliance testing and SACA, are then used to regularly monitor KCFR compliance during day-to-day work. This way, we can determine whether key data and information from business domains are accurate and reliable. There is no way to completely ensure that financial reports will always be of high quality, even if we clarify ICFR responsibilities, identify KCFR throughout processes, and regularly perform compliance testing and SACAs. This is because even if we keep each KCFR under control, there may be manual account adjustments to stock data and provisions for project losses. Manually adjusted financial data must also be managed. Data management coupled with KCFR assessments makes the ICFR mechanism complete. (Meng Wanzhou: ICFR Is a Means, and Consistency of Business and Accounts Is an End, Improvement Issue No. 460, 2014)

At the start of the ICFR project, we examined the issues that relate most to finance and business departments and have bigger impacts on the company’s financial reports. This will allow us to help everyone understand what ICFR is and which business actions can affect the quality of financial reports. One such issue is related to revenue data accuracy. After identifying and analyzing all the elements that affect revenue recognition, from opportunity identification to contract closure, we identified problems and their root causes in business processes, and incorporated KCFR to quickly monitor revenue recognition quality. As our accounting for the last two years indicates, revenue data quality has improved significantly. (Meng Wanzhou: ICFR—Shifting from Moving Targets to Fixed Targets, Improvement Issue No. 492, 2016)

15.3.4 ICFR Management Should Shift Its Focus from Moving Targets to Fixed Targets

Let’s compare our moving target-based management approach to seeing a medical specialist. When a certain part of our body hurts, we go to a specialist for specialized treatment. This type of management approach resolves existing problems, but cannot comprehensively assess our health. A fixed target-based management approach is more like getting a complete physical examination. Even if we don’t have any specific health problems, we should still schedule regular checkups to identify potential risks as early as possible. To maintain sustainable, healthy development, Huawei must regularly undergo comprehensive checkups and take preventative or corrective actions as necessary. A fixed target-based management approach should be the ultimate goal of our ICFR. Regular and comprehensive assessments, analyses, and improvements will help ensure the fairness and reliability of our financial reports. The moving target-based approach to ICFR management is intended to help everyone learn the specifics of small sections of business and understand and embrace ICFR. The fixed target-based approach aims to manage all types of data that affects the quality of financial reports, thus ensuring their fairness, reliability, timeliness, and accuracy. Moving targets allow us to better understand business specifics, while fixed targets allow us to fulfill responsibilities from end to end. By shifting our focus from moving targets to fixed targets, we can actively fulfill our ICFR responsibilities, instead of merely embracing ICFR. (Meng Wanzhou: ICFR—Shifting from Moving Targets to Fixed Targets, Improvement Issue No. 492, 2016)

There are three major financial reports: profit & loss statements, balance sheets, and cash flow statements. These statements are complementary to one another and combine to reflect the entire company’s financial health. Financial robustness is usually measured through financial performance and financial report fairness and reliability. The latter is guaranteed by effective ICFR. Therefore, all business and financial items that affect the three major financial reports must be managed as part of ICFR. The structure and internal control elements of financial reports are largely fixed, so items that affect financial reports must also be fixed – this is why we have adopted a fixed target-based approach to ICFR management. (Meng Wanzhou: ICFR—Shifting from Moving Targets to Fixed Targets, Improvement Issue No. 492, 2016)

We currently focus most heavily on the management of profit & loss statements. However, when standing in the shoes of the company to comprehensively assess financial results, we must pay attention to the health and fairness of our balance sheets and cash flow statements. While it is vital to manage business performance, asset safety and ITC are equally important. The company’s financial reports reflect the company’s overall strength, while subsidiary financial reports show our business performance in specific market segments. Financial reports are the results, and business and financial activities are processes. That’s why all business and financial activities that affect financial reports must be managed under ICFR. (Meng Wanzhou: ICFR—Shifting from Moving Targets to Fixed Targets, Improvement Issue No. 492, 2016)

15.3.5 Finance: Building an Effective Internal Control System; Business Departments: Rigorously Fulfilling Their Internal Control Responsibilities

Huawei’s CEO takes the most responsibility for the accuracy and reliability of the company’s financial reports. The CFO also assists the CEO in building, implementing, and managing the ICFR system. (Source: ICFR Regulations, Group Finance Business Directive No. [2014] 005)

As the owner of financial reports and financial data, Finance is responsible for ICFR. This means it needs to establish an effective ICFR mechanism and roll it out in different departments. It would be impossible for Finance to be responsible for the quality of all business data. That’s why an effective and complete internal control mechanism must be in place to encourage business managers and process owners to take responsibility for business data quality, accuracy, completeness, timeliness, and reliability in their domains. Finance is responsible for building an effective internal control system, while business departments are responsible for rigorously fulfilling its internal control responsibilities. (Meng Wanzhou: ICFR Is a Means, and Consistency of Business and Accounts Is an End, Improvement Issue No. 460, 2014)

Regarding ICFR, Finance must: establish an effective internal control system; regularly assess the effectiveness of internal controls; correctly understand business scenarios and process business data as per appropriate accounting policies; and create financial and internal control reports based on business departments’ description of matters without defects or omissions. Regarding ICFR, business departments must provide accurate business data and key information, regularly and effectively carry out the internal control activities as required by the internal control system, and make commitments regarding internal controls. (Meng Wanzhou: ICFR Is a Means, and Consistency of Business and Accounts Is an End, Improvement Issue No. 460, 2014)

An ICFR accountability system is used to ensure the accuracy of financial reports. ICFR accountability systems are commonly used throughout the industry. IBM has an ICFR commitment mechanism that clearly states related responsibilities. Under this mechanism, all levels of IBM’s management rigorously control all data and information that may affect their financial reports, fulfilling their obligations to manage ICFR. This system guarantees the reliability and fairness of the company’s financial reports. (Meng Wanzhou: Ensuring the Consistency of Business and Accounts and the Accuracy of Financial Reports—On Signing the ICFR Commitment Letter, Improvement Issue No. 479, 2015)

Within our management teams, some people are still passing the buck. Ultimately, this is because our process ownership system is not yet fully in place. Process owners at different levels must proactively take on process building and internal control responsibilities for their respective domains. The Quality, Business Process, and IT Management Department will centrally manage business process architectures and process integration across domains. We can fundamentally ensure process compliance and data cleanness if we truly make the process ownership system part of our day-to-day work. (Meng Wanzhou: Ensuring the Consistency of Business and Accounts and the Accuracy of Financial Reports—On Signing the ICFR Commitment Letter, Improvement Issue No. 479, 2015)

It is key that business managers and process owners at all levels are held accountable for the consistency of business and accounts. They need to avoid recurring problems by developing and implementing processes. (Ren Zhengfei: Speech at a Meeting with Employees of the Legal Affairs Department, Secretariat Office of the Board of Directors, and Wireless Network Product Line, Huawei Executive Office Speech No. [2015] 015)

15.3.6 ICFR Is Designed to Continuously Improve the Quality of Financial Reports, Not Merely to Hold People Accountable

Huawei Audit Committee Doc No. [2013] 002 Internal Control Impeachment System and Standards states that process owners and business managers who commit fraud on ICFR or do not act upon known ICFR problems will be directly impeached. Those who fail to properly manage ICFR or cannot generate expected results, need to report directly to the company’s CFO and Audit Committee. If the CFO and Audit Committee decide to reject two reports consecutively, the involved process owner or business manager will be impeached.

All employees must act with integrity, diligently fulfill their duties, and comply with all applicable laws and regulations, as well as Huawei’s own BCGs. Huawei prohibits all business fraud, including but not limited to:
  • Forging or altering seals or signatures, and signing false contracts or other false documents.

  • Signing two different contracts at the Huawei side and the customer side for the same business transaction.

  • Falsely recognizing sales revenue by falsifying delivery progress information or delivery documents, and hiding true business information.

  • Forging or falsifying business documents and financial records, resulting in inaccurate financial statements.

Wrongdoers will be dismissed and will need to compensate Huawei for any losses in accordance with corporate regulations. Huawei will pursue legal action against any individuals who break the law. The immediate and higher-level managers of wrongdoers will be subject to joint liability. (Source: Resolution on Disciplinary Rules for Business Fraud, EMT Resolution No. [2014] 030)

ICFR is designed to continuously improve the quality of financial reports, not merely to hold people accountable. (Meng Wanzhou: ICFR—Shifting from Moving Targets to Fixed Targets, Improvement Issue No. 492, 2016)

15.4 Internal Audits and Investigations

15.4.1 Establishing Deterrence Through Internal Audits

Internal oversight is an indispensable part of the company’s financial operations mechanism. The reason we have established an audit team is to build a reasonable and standardized business management system and build simple but reliable operating procedures. In the short term, the audit team needs to set rules and procedures, create a framework for managing and controlling funds and logistics across the company, and ensure rule-based operations one step each time. This team must also help to maintain a firm grasp on rule-based operations, control key procedures, and delegate authority level by level. We don’t want a small audit team. Instead, we want automated reviews and sign-offs for each operating procedure. We must strictly control contract reviews to narrow and close gaps, and gradually create an effective oversight system. (Ren Zhengfei: Speech at a Briefing on Four Unifications and 2000 Work Plan of Finance, 1999)

Finance is rolling out its Four Unifications project. Audit also has a role to play in this project, which is to perform retroactive oversight functions. All processes must be audited in a reverse order to determine the root causes of any problems. The results of the Four Unifications project must also be audited. If a problem is caused by our financial system, Finance must be held accountable. However, if there are recurring problems, then Audit must also be held accountable. Audit personnel must fully engage in the Four Unifications project. When initiating an audit project, we need to invite a consulting firm to help us build an audit and internal control system. (Ren Zhengfei: Speech at a Briefing on Four Unifications and 2000 Work Plan of Finance, 1999)

The Audit Department must clearly understand its top work priorities. First, they need to make sure no serious issues occur. Second, they need to make sure the same issues do not keep reoccurring. Audit personnel must assess risks concerning process operations and controls. They must also exercise stringent oversight to ensure that the company is moving in the pre-set direction. The work of the Audit Department is part business and part accounting. Therefore, you must play your role in building both accounting systems and business processes. (Source: Minutes of a Meeting Between the Finance Management Department and the Audit Department, 2002)

The Audit Department is accountable for results and behaviors, but not processes. They must maintain a high level of independence. All functions related to behavior and results currently under the Oversight Department will be transferred to the Audit Department. The Audit Department needs to establish deterrence against violations. There may be 10,000 items that need to be investigated annually, but the Audit Department only investigates 100 a year. You have no way of knowing which items they will select for investigation. If they find your problems, they will investigate thoroughly. The Audit Department should not be creating policies and they are only responsible for results. They just need to determine who needs to be held accountable and hand them over to the Audit Committee. Despite this, the Audit Committee may pardon these wrongdoers. The final authority for determining guilt and punishment lies with the Audit Committee. The committee sets the policies; therefore, the Audit Department is there to create deterrence. (Ren Zhengfei: Huawei’s Internal Control Organizations Must First Implement a Transitional Plan to Avoid a Management Vacuum—Minutes of the Report by the IFS-Business Controls & Internal Audit Project Team to Mr. Ren and the EMT on the Organizational Restructuring Plan of Huawei’s Business Controls Departments, EMT Meeting Minutes No. [2008] 017)

The Audit Committee ensures the independence and deterrence of internal audits. Specifically, it reviews SACA and audit results, builds up an executive accountability system for internal controls, and provides guidance to internal audit personnel and process owners on strategies and directions for internal controls. (Ren Zhengfei: Huawei’s Internal Control Organizations Must First Implement a Transitional Plan to Avoid a Management Vacuum—Minutes of the Report by the IFS-Business Controls & Internal Audit Project Team to Mr. Ren and the EMT on the Organizational Restructuring Plan of Huawei’s Business Controls Departments, EMT Meeting Minutes No. [2008] 017)

During organizational restructuring, field managers may not strictly follow rules, regulations, or methodologies when exercising the authority delegated to them, so enhanced oversight is necessary. Finance and audit departments need to constantly perform spot checks at key checkpoints during the oversight process and establish deterrence to ensure the proper exercise of authority. (Ren Zhengfei: Timely, Accurate, High Quality, and Low Cost Delivery Calls for Professional Process-compliant CFOs—Minutes of a Meeting with Trainees of the CFO Session of the Reserve Pool, Huawei Executive Office Speech No. [2009] 021)

Audit must be lenient to those who admit their mistakes and be strict with those who don’t. We can offer lighter penalties to those who admit their mistakes, to encourage others to do the same. Once a problem is found, Audit must keep chipping away at it until they uncover the truth. Do not try to get ideal results; instead, hold on to the truth using a targeted approach. Don’t invest too much making everything 100% clear; instead, close a case when 20–30% of the evidence is sufficient to reach a conclusion. Even in such a case though, we reserve the right to continue investigations at a later date. This is an imperfect world, so it is impractical to seek perfection. (Ren Zhengfei: Minutes of the Report on Work Responsibilities of Business Controls and Internal Controls/Internal Audit and Their Relationships, EMT Meeting Minutes No. [2008] 034)

At Huawei, the Internal Audit Department plays an independent oversight role in anti-corruption, anti-fraud, and anti-waste activities. The primary goal of this is to establish cold deterrence. The Internal Audit Department must also help set rules, implement a process ownership system, and build a culture of integrity. (Source: Minutes of a Report on the Strategic Plan of the Internal Audit Department, EMT Meeting Minutes No. [2014] 025)

We currently have an inspection and audit system in place. The Inspection Department is responsible for spot-checks of onsite activities. They investigate thoroughly, identify loopholes, and create solutions. The Audit Department is responsible for looking deeper into issues once they have been identified. I once said that we must not investigate managers randomly, and that we must not use approaches such as eavesdropping or spying on the communications of others. We must use appropriate means to gather factual evidence, and the investigation approach needs to be voted on by the managers’ upper-level organizations following the majority rule. We should put in place our inspection and audit system before issues arise. This is the right way to manage managers, show care to them, and protect them. (Ren Zhengfei: Speech at the Mid-year Workshop on the Enablement of Subsidiary Board Directors, Huawei Executive Office Speech No. [2015] 082)

I have said that, “If an audit finds 30% of the problems, that’s enough to draw a conclusion.” When I said 30%, I meant that you have to get right to the bottom of a specific problem. Investigate thoroughly or not at all. If you get halfway through an investigation and then switch to a new problem, then the audit will be ineffective. When you are investigating one problem, if it leads to a broader set of problems and you lose your focus, then you’re not achieving that 30% clarity. You’re going the wrong way. What you have to do is find one thread and follow it right to its end. Be sure to understand every detail, and let the subject of the investigation see that you have both the capabilities and methods. Then when you turn to look at the next problem, they will know whether they ought to volunteer to tell you about other mistakes they have made. (Ren Zhengfei: Speech at the Report on Optimizing the Delegation of Authority and Process for Internal Investigations, 2015)

15.4.2 Strengthening Legal Deterrence and Tightening Accountability Criteria Every Year

We will strengthen legal deterrence, increase accountability criteria year by year, and align our internal regulations with the law within the next three years. We need to rely more on legal forces to ensure deterrence. As long as we find 30% of the evidence to prove that an employee has violated the law, we can turn them over to the relevant legal authorities. If the wrongdoer is willing to confess everything, we can reconsider their case, but if they don’t, we will hand them over to the legal authorities. If law enforcement bodies get involved, it doesn’t matter if the employee confesses or not. This is how we ensure deterrence. (Ren Zhengfei: Speech at a Briefing on the Progress of Large-scale Elimination of Corruption, Huawei Executive Office Speech No. [2014] 010)

The multiplier for repayments by wrongdoers to the company should be increased each year to raise the cost of wrongdoing. For example, this year it is 1, next year 1.1, and so on, increasing year by year. If someone confesses their wrongdoing, then their repayment amount can be reduced a little. In the future, we can consider making this multiplier public to establish deterrence, so that everyone knows the true cost of wrongdoing. (Ren Zhengfei: Speech at the Report on Optimizing the Delegation of Authority and Process for Internal Investigations, 2015)

We must not allow problems to continue unchecked. If a problem has become very serious, to the point where it could impact the company, then we must take action. If a case involves illegal activities, in principle we handle it as the law says. But we do not have to take things to extremes. Where we can, we will allow wrongdoers to turn over a new leaf. However, those who reject our generosity though are beyond our help. (Ren Zhengfei: Speech at the Report on Optimizing the Delegation of Authority and Process for Internal Investigations, 2015)

We need to improve our accountability system. During the transition, we established integrity accounts, which provided wrongdoers with an opportunity to correct their mistakes and gain a fresh start. We have now closed these accounts. You need to be stricter with yourselves. Closing the accounts doesn’t mean we are relaxing efforts to fight corruption. Instead, we are further strengthening the constraints placed on our team. One approach we may also take is to turn cases over to the local legal authorities. By developing this accountability system, we hope that our employees will follow the right rules and work conscientiously. (Ren Zhengfei: Internal and External Compliance to Generate More Revenue and Pave the Way for the Company’s Future Success—Speech at a Meeting with the Oversight Team, Huawei Executive Office Speech No. [2017] 002)

15.4.3 Separating Investigations from Disciplinary Actions

We should always keep a few key principles in mind. First, daily operations and human resources should be managed separately. The Supervisory Board and the Audit Committee have authority over daily operations. The HRC has authority over human resources. As for how the HRC delegates authority to lower levels, we can define another set of rules. The HRC needs to develop rules for managerial discipline. (Ren Zhengfei: Speech on the Audit Committee’s 2014 Annual Work Report at the January Board of Directors Meeting, Huawei Executive Office Speech No. [2015] 017)

We must strictly follow the principle of separating investigations and disciplinary actions. Investigations must be rigorous, but we should remain lenient when taking disciplinary actions. We need to be both lenient and strict with our managers. Being strict means we are rigorous during the process of finding out facts. If there is something we ought to know about, then we need to find it out. But when it comes to taking disciplinary action, we will be as lenient as we can. This will ensure Audit uncovers and reports on the facts, including everything they think may be relevant, like the attitude of the subject of the investigation and whether they have made significant contributions to the case under investigation. Disciplinary actions will be taken by the HRC Disciplinary and Supervisory Sub-committee. This is the separation we want between investigations and disciplinary actions. (Ren Zhengfei: Speech at the Report on Optimizing the Delegation of Authority and Process for Internal Investigations, 2015)

When it comes to disciplinary actions, we must learn to put ourselves in the shoes of the wrongdoers, not just our own position. It is unjust to be overly heavy-handed with our discipline. You can talk as much as you want to the HRC Disciplinary and Supervisory Sub-committee, but our disciplinary actions must not be too rigid. We should allow a certain amount of flexibility, and we must listen to what the wrongdoer has to say. Even before we hand someone over to the legal authorities, we can still listen to what they have to say. Of course, if they are not willing to talk to us, then we will have to let the legal authorities talk to them. However, if a wrongdoer is willing to talk to us, we can be lenient with our discipline, within reason, even if they have committed a serious fault. Our primary purpose is to keep our organization clean and warn everyone against doing bad things. Our measurement of punishments is not designed to target particular individuals. (Ren Zhengfei: Speech at the Report on Optimizing the Delegation of Authority and Process for Internal Investigations, 2015)

We need to have strict principles and disciplinary procedures that specify which level of department can investigate which managers. Investigators can give their own opinions, but they do not have the authority to discipline those under investigation – this authority is held by the HRC Disciplinary and Supervisory Sub-Committee. (Ren Zhengfei: Speech at a Meeting with the Managerial Control Elite Team, Huawei Executive Office Speech No. [2015] 060)

When we investigate an incident, we can share all clarified results with management teams at all levels, but some say that sharing information leads to leaks. In that case though, if the leak makes the wrongdoer stop doing what they are doing wrong, then we will have achieved our objective. Catching someone doing something wrong is not our goal because our colleagues are not our enemies. We simply want to clarify the issue during the investigation and wipe the slate clean for those involved so they can start again and become heroes. (Ren Zhengfei: Speech at a Meeting with the Managerial Control Elite Team, Huawei Executive Office Speech No. [2015] 060)

In addition to one or two spot audits during a manager’s tenure, we should also conduct an audit when they leave their position. Then, everyone will feel that audits are normal at Huawei. (Ren Zhengfei: Speech at a Meeting with the Managerial Control Elite Team, Huawei Executive Office Speech No. [2015] 060)

At every key decision point of an investigation, decisions must be made according to the majority rule.

First, you must stick to the principle of collective decision making through votes by majority rule at every stage of an investigation, from launching the investigation, communication, and approval, to deciding on legal involvement. Business decisions can be left in the hands of the manager, but investigations into people cannot be the responsibility of only one person. No individual has the authority to approve or reject investigations into people. We stick to the majority rule, but the department head can chair meetings. We must avoid anyone abusing their authority to form cliques. No single manager has the authority to directly order an investigation into someone. Investigations must not become a tool for making people with different ideas suffer; otherwise, we will start to get cliques within the company. On this issue, we’d better be a bit conservative. We are all in favor of proactive auditing, but there have to be checks on authority, and the majority rule creates checks and balances.

Second, once an investigation has been started, it must reach a conclusion, and must be strictly confidential while it is ongoing. Every investigation must produce a result. Preliminary inquiries are not investigations. In general we do not accept anonymous complaints, but if an anonymous tip seems to have some substance, you may make preliminary inquiries. This does not constitute an investigation. As with the legal authorities, once an investigation is formally launched, it cannot be abandoned. There must be a conclusion. During an investigation, we must ensure that there are no leaks, neither from the decision-makers, nor from the investigators themselves. If information is leaked before the facts of a matter have been gathered and a conclusion has been reached, then how are the subject of the investigation and their manager supposed to work? (Ren Zhengfei: Speech at the Report on Optimizing the Delegation of Authority and Process for Internal Investigations, 2015)

In the future, we must have boundaries for our oversight. Daily operations and human resources must be managed separately, and we must be careful when investigating people. We cannot arbitrarily oversee or snoop on our managers. Investigation into managers is a process of collecting facts and reasoning things out. The higher-level management team of the manager under investigation should make decisions by following the majority rule. If a consensus cannot be reached, the matter needs to be escalated to the management team at a higher level, which still needs to follow the majority rule. (Ren Zhengfei: Speech at the Report on Optimizing the Delegation of Authority and Process for Internal Investigations, 2015)

We know that some managers are not good enough. It is fine that you voice your opinions about them, but you must have evidence. You cannot randomly accuse someone of stealing your axe when it is missing. Investigations into managers must follow the proper approval procedures. Once the facts have been gathered, you can submit the case to the HRC Disciplinary and Supervisory Sub-Committee for disciplinary actions. (Ren Zhengfei: Speech at a Meeting with the Managerial Control Elite Team, Huawei Executive Office Speech No. [2015] 060)

Showcasing contributions and enumerating merits are not the responsibility of our audit personnel. These activities are the responsibility of the highest levels of management. Contributions and mistakes are two different things. Auditing should be based on facts and aim to bring clarity to a situation. The HRC Disciplinary and Supervisory Sub-committee is responsible for discipline. This separates investigation from discipline. We should also separate contributions from mistakes. If we tolerate the mistakes of those who have made contributions, we will not be able to establish iron discipline. Our audit personnel should be independent, stick to principles, and adopt appropriate approaches. I hope that our audit personnel will have both the courage and tact to fight against corruption. We need to develop a team that is courageous and able to stick to principles. This is very important to the company. (Ren Zhengfei: Internal and External Compliance to Generate More Revenue and Pave the Way for the Company’s Future Success—Speech at a Meeting with the Oversight Team, Huawei Executive Office Speech No. [2017] 002)

15.4.4 Oversight Is the Best Way to Care for and Protect Our Managers

While making our anti-corruption policies stricter, we will continue the policy of allowing employees to declare their own wrongdoing. This is a principle of being both strict and lenient, aiming to cure the disease and save the patient. Don’t suppose that we will not hold people accountable for past wrongdoings. Without accountability, we won’t establish cold deterrence. We need to establish cold deterrence so that our employees will not violate the BCG rules in the first place. Therefore, if you have already done something wrong, please report this voluntarily as soon as you can. Get them off your chest. Senior managers should take the lead in doing this to set an example. We should publicize it so that people know, through the offices of ethics and compliance (OECs), to send the message of a harder crackdown on BCG violations across the company. Cases which have been passed on to the legal authorities can be published on the company’s bulletin board as well. (Ren Zhengfei: Speech at a Briefing on the Progress of Large-scale Elimination of Corruption, Huawei Executive Office Speech No. [2014] 010)

When it comes to overseeing managers, we need to be both strict and lenient.
  1. 1.

    We don’t exercise oversight for the sake of oversight, but to scale new heights for our business.

     
  2. 2.

    We need to develop documents that give specific details about the standards that we can use to discipline managers. We should let employees know what will happen to them after their wrongdoing is discovered. They should also be aware of how lenient we can be. Making our standards public is a kind of deterrence. We want employees to know that they must not cross the line, as that will ruin their career. However, they will be all right if they choose to step back. This is a good way to prevent wrongdoing among our employees in the first place.

     
  3. 3.

    When we deal with managers, it’s not an “us or them” situation. We have to apply a certain amount of huidu. We have to give managers, or any employees, the chance to correct their mistakes and move on. We are becoming increasingly scientific in our management, which makes major problems less likely to occur. When we do have to slap their wrist, we can do it with a feather duster, not a baseball bat. Make no mistake though, there must be penalties. The CEC needs to rate the severity of integrity issues in its files; during disciplinary actions, we must also distinguish serious issues from minor ones. If someone manages to keep their nose clean for long enough, their record can be wiped clean. That way we are both strict and lenient. Everyone will correct their mistakes, and with the past behind them, they will be more determined to forge ahead. (Source: Minutes of the Report on the Work Priority of the Company for Building an Oversight and Accountability System, EMT Meeting Minutes No. [2015] 013)

     

An audit is like a medical intervention: The goal is to cure the disease and save the patient. The company and business departments can decide how to deploy wrongdoers according to the nature of their violations and their improvements. Even a wrongdoer should be given the chance to clearly explain themselves and correct their mistakes. Once a person has made things right, their past should be left behind. They should have a way to move forward and an opportunity to showcase their better side. (Ren Zhengfei: Speech on the Audit Committee’s 2014 Annual Work Report at the January Board of Directors Meeting, Huawei Executive Office Speech No. [2015] 017)

The right way to go about this work is to be responsible for the people under investigation. You need to help them understand their mistakes and get issues off their chest. Second, you have to select the right investigators based on the seniority of the people involved and the severity of the incident. You need the right strategy for the investigation. To be explicit about it, when the subjects of your investigation are senior and older members of staff, you have to send experienced investigators, even including their department heads in your investigation team. Where an issue does not involve any illegal activity (for example, claiming private expenses from the company), you should apply huidu. Not everything has to be dealt in absolute black and white. You should let the person involved retain a bit of dignity, and believe that Huawei employees are prepared to correct their mistakes once they are aware of their wrongdoings. (Ren Zhengfei: Speech on the Audit Committee’s 2014 Annual Work Report at the January Board of Directors Meeting, Huawei Executive Office Speech No. [2015] 017)

To err is human. When we find that a manager makes a small mistake, we can take appropriate disciplinary actions against them to remind them not to do so again. This way, the manager may grow into a great man in the future. This is how we care for our managers. However, if we do not let them know they’ve made a small mistake, this manager may make a bigger one later and ruin their future. This is not caring for our managers. (Source: Oversight Is the Best Way to Care for Managers, EMT Resolution No. [2016] 007)

Developing a manager is not easy. I feel it a great pain each time the Board of Directors Executive Committee reports the disciplining of a manager. In fact, managers benefit more from contributing to the company than from fraud or corruption. Total reward at Huawei is competitive, even more so for senior managers. It isn’t worthwhile for them to engage in wrongdoings for small gains. The way we audit managers upon their departure and during their tenure is actually a kind of care for them. This helps them avoid doing irredeemable things. If they commit a crime, they might end up in prison, which is miserable. They will feel even worse after we change our approach and turn cases over to the local legal authorities. (Ren Zhengfei: Internal and External Compliance to Generate More Revenue and Pave the Way for the Company’s Future Success—Speech at a Meeting with the Oversight Team, Huawei Executive Office Speech No. [2017] 002)

15.4.5 Audit: Assuming Innocence Until Proven Guilty and Taking Appropriate Disciplinary Actions Against Mistakes at Work

In our company, Audit must assume the subject of the investigation is innocent until proven guilty. You must be responsible for employees and managers. Whatever you do, don’t turn it into a battle against the person under investigation. Policies and strategies are our lives. The audit results must help unite our employees. (Source: Requirements of Audit Work, EMT Resolution No. [2010] 019)

The requirements of the company regarding auditing and audit personnel are outlined as follows: Audit must implement organizational controls and create rules for their work. These rules should cover the selection of a subject, the content and scope of auditing, ways to obtain evidence, ways to assign someone to talk with the subject, the content and scope of communication, and so on. All these things must be approved by the organization. Approval levels will vary by grade, depending on the seniority of the subject and the content of the audit. An audit of the president of a level-1 department or a more senior position must be approved by the Huawei Executive Office. An audit of the director of a level-2 department or a more senior managerial position must be approved by the HRC. Audits of other employees must be approved by level-1 management teams. As for financial BCG violations, audit personnel cannot speak with the subject unless they have irrefutable evidence. Such communication must also stay within the scope of their authority. When you perform an audit, be careful not to go beyond the scope set forth by the organization. There must be an end to every audit; otherwise, employees would just live in fear. The subject of an audit is not our enemy. If new clues outside the approved work scope are found during the audit, you must ask an appropriate manager to decide whether to continue or adjust the audit. The audit scope must not be extended at will. Audit must operate within the scope of authority of the Internal Audit Department. Currently, Audit manages problems related to violations of the law, and company rules and regulations. Other issues are still in the hands of management teams at all levels. Audit must not go beyond the scope of their own authority. (Source: Requirements of Audit Work, EMT Resolution No. [2010] 019)

Audit personnel must build up their strength. You auditing people must learn how to treat others with respect. Get off your high horse. You must be committed to principles and follow them well. (Source: Requirements of Audit Work, EMT Resolution No. [2010] 019)

I think our audits should be based on the following four principles. First, our basic assumption should be that the vast majority of Huawei employees and the vast majority of our activities are good. Individual instances of rule breaking are not the result of ill motives; they are more often caused by ignorance or unawareness. The number of people who intentionally break the rules is very few. This means that we should exercise oversight out of care for employees. Second, we should value facts and evidence. We must stand in the shoes of the subject of the audit and avoid subjective judgment. Don’t rush to a conclusion. We should make employees and managers feel relaxed, instead of terrified. Even if someone breaks rules, we need to give them the chance to fully explain themselves and correct their mistakes. Third, we should allow leniency when wrongdoers admit their mistakes. Once a person has corrected their mistakes, their past should be left behind. They should have an opportunity to showcase their better side. If we fail to do this, many people will be forced to take the road to ruin. Fourth, Audit must be a department that unites our employees together. (Ren Zhengfei: Implementing Oversight with Care, Huawei Executive Office Speech No. [2011] 013)

I believe that our company is increasingly open-minded. However, our oversight is becoming more stringent. We are opening up on the basis of this increasingly stringent oversight, rather than doing so randomly. (Ren Zhengfei: Implementing Oversight with Care, Huawei Executive Office Speech No. [2011] 013)

We must delegate appropriate authority to lower levels, align their authority with their responsibilities, and build an environment in which everyone is taking on greater responsibilities. Managers at all levels must fulfill their job responsibilities. On top of this, the company needs to delegate appropriate authority to them. When it comes to accountability, we must distinguish between BCG violations and mistakes at work. The company has a very clear accountability framework in place for BCG violations. If a mistake is made during work, we must analyze it in detail and take appropriate disciplinary actions. (Ren Zhengfei: Unite as Many People as Possible—Speech at the Self-reflection Session of the Board of Directors Executive Committee, Huawei Executive Office Speech No. [2013] 143)

The purpose of investigations is to save our managers. First of all, don’t be too fast to divide the world into friends and enemies. There are a lot of gradations between those two extremes, and you don’t have to scour this company for every last speck of dirt. Relax that hair trigger a little. You need a sense of moderation. Second, we should value the careers of our managers. Since the goal of an investigation is to save our people, we should begin to increase transparency in our work. The company is gradually becoming more disciplined, and what we need when resolving many problems is transparency, not covert investigations. Our goal is to save our managers, not to punish them. Don’t tell me that we have to be covert to catch them in the act. Letting them know that the company sees what they are doing will stop their wrongdoing. That is one of our objectives. We have to value our managers. We have invested a lot of time and effort developing them, so now we have to remind them that they still have the chance to correct their mistakes: They can admit what they’ve done, return any corrupt earnings, and make good the company’s losses. That at least will stop them from making any more mistakes. At the end of the day, our objective is to motivate everyone to fight hard, rather than turning Huawei into a kindergarten. Kindergartens are full of pure, innocent kids, but Huawei is not a kindergarten. Third, we must not snoop on our managers. We must treat people with respect, and respect their human rights. If you’re watching over people left, right, and center, then no one will feel safe. And then how will the company function? If you have evidence, present it. (Ren Zhengfei: Speech at the Report on Optimizing the Delegation of Authority and Process for Internal Investigations, 2015)

The primary responsibility of the CEC is to discover good people. Don’t twist it to help those who aren’t keeping up. When it comes to manager oversight, our starting assumption must always be that they are all good people, so we help them to work better, and to steer clear of high-voltage lines. Another aspect is employee education (this includes identifying and promoting good people, guiding the majority through praise, encouraging self-education, and providing remedial training). The CEC will be responsible for this. (Ren Zhengfei: Speech at the Meeting with the CEC on Improving the Use of Non-monetary Incentives, Huawei Executive Office Speech No. [2014] 085)

The ability to compromise is invaluable to the company, and the audit system must be able to compromise. It is this compromise that helps establish cold deterrence. Slap their wrists with a feather duster. Managers are wise people and will get the message. What exactly does this deterrence do for us? To answer this question, we can look at the company’s return on investment and our financial report. Overall, we have a very fine team of managers in this company. There are problems, and we should deal with them, but we need to think about how to go about this. We need to be gentle. It is not easy to develop a manager, so unless there are ill motives, we should educate the wrongdoers for the majority of problems and let bygones be bygones. The HRC needs to develop rules for disciplining managers. (Ren Zhengfei: Speech on the Audit Committee’s 2014 Annual Work Report at the January Board of Directors Meeting, Huawei Executive Office Speech No. [2015] 017)

In the reporting outline, there should be a section explaining things from the perspective of the person under audit. We must fully understand their circumstances and their responses. At the same time, we have to stick to the facts. Sticking to the facts may just be four words, but it is not an easy thing to do, not easy at all! Whatever you do, don’t turn the process into a battle against the person under audit. We still need to motivate more people to fight on our side. It’s easy to impose penalties; but it’s hard to help a person with a checkered past get back onto their feet. Many heroes from our history books had huge flaws, and there is no such thing as a perfect person. The reason Wang Anshi2 failed was that he insisted drawing a clear line between black and white. With our managers, we must assume they are innocent until proven guilty. China is a country that places great emphasis on the rule of law, and we have to respect human rights. It is better to leave some things unclear than to harm our own people. You must not walk into someone’s home and start insulting them. Above all, don’t let the children of the person under investigation know the investigation is going on. This can be emotionally damaging. (Ren Zhengfei: Speech on the Audit Committee’s 2014 Annual Work Report at the January Board of Directors Meeting, Huawei Executive Office Speech No. [2015] 017)

Audit personnel need to make friends with the subjects of investigations. Audit has to help the subjects find evidence to prove their innocence and clear them of any mistakes. You can’t get to the bottom of things unless the subjects see you as a friend. You have to remember this truth: Audit personnel must not be afraid to be by-the-book in order to obtain the truth. (Ren Zhengfei: Speech on the Audit Committee’s 2014 Annual Work Report at the January Board of Directors Meeting, Huawei Executive Office Speech No. [2015] 017)

The HRC Disciplinary and Supervisory Sub-committee should be lenient and rescue people by curing their diseases. But the ATs of business departments should make stricter suggestions. We can’t expect leniency at every layer of management. There have to be limits to our leniency; otherwise, how would ATs manage other employees? (Ren Zhengfei: Speech at the Report on Optimizing the Delegation of Authority and Process for Internal Investigations, 2015)

First, our audit aims to conclude that someone is innocent. You must have evidence. Without evidence, you must not randomly discredit a manager. You also need to adopt a scientific approach, base your judgment on facts, and respect human rights. Managers should be strict with themselves and try not to make mistakes. When mistakes are made, sympathy won’t help. If we showed sympathy to those who made mistakes, we would ultimately harm good people. Currently, over 90% of Huawei employees are good people, so we must not let a few bad apples ruin our company. Even if you have evidence, you should still be reasonable, forceful, and moderate. You should never consider your actions to be a merciless blow, as such an approach does not solve problems. (Ren Zhengfei: Internal and External Compliance to Generate More Revenue and Pave the Way for the Company’s Future Success—Speech at a Meeting with the Oversight Team, Huawei Executive Office Speech No. [2017] 002)

Footnotes

  1. 1.

    “Five Ones”: any PO from receiving to order generation in One day, any shipment preparation in One week, any product delivered at agreed location in One month, any software ready for download in One minute, and any site from delivery to customer acceptance in One month.

  2. 2.

    Wang Anshi (December 8, 1021–May 21, 1086) was a Chinese economist, statesman, chancellor, and poet of the Song Dynasty who attempted major and controversial socioeconomic reforms known as the New Policies. His reform program was doomed to fail because too many interest groups resisted the reforms.

Copyright information

© The Author(s) 2019

Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (http://creativecommons.org/licenses/by-nc-nd/4.0/), which permits any noncommercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if you modified the licensed material. You do not have permission under this license to share adapted material derived from this chapter or parts of it.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  1. 1.School of BusinessRenmin University of ChinaBeijingChina

Personalised recommendations