Internal Controls

Huawei continued to design and implement an internal control system based on its organizational structure and operating model. The internal control framework and its management system apply to all business and financial processes of the company and its subsidiaries and business units. The internal control system is based on the five components of the COSO framework: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring. It also covers internal controls of financial statements to ensure their truthfulness, integrity, and accuracy.

Control Environment

A control environment is the foundation of an internal control system. Huawei is committed to a corporate culture of integrity, business ethics, and compliance with laws and regulations. Huawei has issued the BCGs to identify acceptable business conduct. The BCGs must be observed by all employees, including senior executives. Regular training programs are offered, and all employees are requested to sign the BCGs to ensure that the BCGs have been read, understood, and observed.

Huawei has implemented a mature governance structure, with clearly defined authorization and accountability mechanisms. The governance structure comprises the Board of Directors (BOD), its committees, group functions, and multi-level management teams. Huawei clearly defines the roles and responsibilities of its organizations to ensure the effective separation of authority and responsibilities as well as checks and balances through mutual oversight. The company designates a BOD Executive Committee member to act as the internal control owner. The internal control COE is responsible for overall internal control management and regularly reports its findings and proposals regarding internal controls to the company. The internal control owner guides the direction for the internal control COE and assists the COE in building the internal control environment. The internal audit department independently monitors and assesses the status of internal controls for all business operations.

Risk Assessment

Huawei has a department dedicated to internal controls and risk management to regularly assess risks to the company's global business processes. This department identifies, manages, and monitors significant risks, forecasts potential risks caused by changes to the internal and external environments, and submits risk management strategies along with risk mitigation measures for decision making. All process owners are responsible for identifying, assessing, and managing business risks and taking necessary internal control measures. Huawei has instituted a mechanism for improving internal controls and risk controls to efficiently manage critical risks.

Control Activities

Huawei has established the Global Process Management System and the Business Transformation Management System, released the global Business Process Architecture (BPA), and appointed Global Process Owners (GPOs) in line with the BPA.

Responsible for building processes and internal controls, GPOs:

• Identify key control points and the Separation of Duties Matrix for each process, and apply these to all regional offices, subsidiaries, and BUs.
• Conduct compliance tests on key control points and issue test reports to ensure the effectiveness of internal controls is continuously monitored.
• Optimize processes and internal controls based on business pain points and key requirements for financial statements. The aim is to improve operating efficiency and financial results, ensure compliance and the accuracy and reliability of financial statements, and help achieve business objectives.
• Perform annual assessments of internal controls, comprehensively assess overall process design and process execution within each business unit, and then report the results to the Audit Committee (AC).

Information & Communication

Huawei has developed multi-dimensional information and communication channels to ensure the timely acquisition of external information from customers, suppliers, and other parties. It has also created formal channels for transferring internal information, and offered an online space, the Xinsheng Community, for employees to freely communicate their thoughts and ideas. Corporate management holds regular meetings with departments at all levels to effectively communicate management orientation to employees and ensure effective implementation of management decisions. All business policies and processes are available on the company's Intranet.

Managers and process owners regularly organize training programs on business processes and internal controls to ensure that up-to-date information is made available to all employees. The company has established a mechanism for process owners at all levels to regularly communicate with each other, review the execution of internal controls, follow up on internal control issues, and implement improvement plans.

Monitoring

Huawei has established an internal complaint channel, an investigation mechanism, an anti-corruption mechanism, and an accountability system. The Agreement on Honesty and Integrity that Huawei has signed with its suppliers clearly stipulates that suppliers may report improper conduct by Huawei employees through the channels stipulated in the Agreement to assist the company in monitoring the integrity of its employees. The internal audit department independently assesses the overall status of the company's internal controls, investigates any suspected violations of the BCGs, and reports the audit and investigation results to the AC and senior management. Huawei has also implemented a mechanism for internal control appraisals of GPOs and regional managers, holding them accountable and pursuing impeachment when and where necessary. The AC and the CFO regularly review the company's internal control status, and listen to and review reports on action plans for improving internal controls and plan execution progress. Both have the authority to request the relevant GPOs or business executives to explain their internal control issues and take corrective actions.