To standardize the internal department system administrators’ review processes for accessing application system resources and further enhance employees’ information security awareness, the Group conducts in-depth analysis and exploration of application scenarios for cloud bastion host solutions. The aim is to achieve fine-grained control of permissions, ensure that resource operations leave a complete trace, effectively audit user actions, and trace potential incidents and hold those responsible accountable. By strengthening operational procedures, we reduce the risk of illegal operations such as non-compliant actions and abuse of authority, ensuring information security and achieving a fully traceable information security accountability mechanism, thereby comprehensively improving the level of information security management.
The Group’s systems are hosted on a third-party cloud platform, which holds ISO 27001 Information Security Management System Certification and ISO 27017 Cloud Services Information Security Management System Certification, to further ensure the security of the Group’s data and information. Furthermore, the Group regularly undergoes digital audits and IT audits of its IT infrastructure and information security management system relevant to the financial statements audit conducted by external auditors. Based on the audit results, we continuously optimize our management level to ensure compliance and security.
The Group strictly complies with the Anti-Unfair Competition Law, the Anti-Money Laundering Law and all other applicable legislation, and has enacted the Audit & Supervision Incentives and Penalties Measures, Anti-Fraud Management Rules, Audit & Supervision Procedures, Conflict-of-Interest Declaration Policy and Code of Business Conduct. These instruments standardize every step of audit and supervision and provide a robust safeguard against abuse of authority, insider dealing, money-laundering and conflicts of interest.
A closed-loop governance mechanism underpins this system: the Board exercises continuous oversight and periodic review, while the independent audit and supervision department carries out objective assessments, ensuring that the internal-control framework remains both compliant and efficient.
The Group has formulated and released the Code of Business Conduct (《商業行為準則》). In this way, we focus on strengthening management and prevention of matters such as ethics and integrity, bribery and interests, gifts and hospitality, insider trading and fraud. We will issue a warning, demerit, demotion, dismissal or termination of labour contract in accordance with the Measures for the Administration of Rewards and Punishments in Auditing and Supervision (《審計監察獎懲管理辦法》). Those whose violations constitute a criminal offense will be handed over to the judicial authorities according to the law. In this way, we will work together with all parties to create a clean and fair working environment. To avoid damage to the Company due to conflicts of interest, the Group strictly prevents integrity risks in all aspects of daily operations, implements a list of prohibited practices in important operations such as procurement and capital transfer, and manages key personnel through interest declarations.
The Group pays great attention to integrity risk prevention and control and runs it through all levels of daily operation. Especially in key links such as procurement and capital flow, we have formulated a comprehensive and detailed list of prohibitive regulations to eliminate violations at the source. We have implemented a strict interest declaration system and clearly require directors, senior managers and key employees in the project process to submit the Conflict-of-Interest Declaration Form on time every year, to encourage them to fully and truthfully disclose potential conflicts of interest, so as to avoid damage to the company due to conflicts of interest.
We continued to strengthen our anti-fraud supervision of project companies. We conducted seven unannounced surprise audits to thoroughly investigate potential fraud issues within the project companies. After the audits, we promptly communicated with the project companies and, based on the audit results, jointly discussed and formulated targeted corrective measures in terms of risk prevention, cost reduction and efficiency improvement, standardized management, and customer management. We also clarified who would be responsible for implementing the corrective measures within a specified timeframe. In the subsequent work, we strictly supervised the implementation of the rectification measures in accordance with the relevant provisions of the Audit and Supervision Issue Rectification Management System to ensure that each rectification task was completed on time and with high quality, thus further strengthening the Group’s integrity defense line.
The Group has strengthened its daily anti-fraud oversight through the establishment of the Complaint and Whistleblowing Management Regulations and the Anti-Fraud Management System, which clearly define reporting and handling procedures within the audit and supervision framework. At the same time, the Group has expanded reporting channels by publicly providing multiple submission methods—including dedicated email addresses, whistleblowing hotlines, postal mailing addresses, and designated in-person interview locations—to facilitate feedback from both internal employees and external stakeholders.
The Group strictly adheres to the principle of protecting whistleblowers’ privacy and has established a comprehensive information confidentiality mechanism. This mechanism implements tiered access controls over the identity information of whistleblowers and the content of reports, ensuring the security and anonymity of reporting channels, while offering full legal protection and safety safeguards for individuals who report in good faith.
The Group has established a robust mechanism for managing complaints and whistleblower reports. Upon receipt of any complaint or whistleblowing information, a preliminary analysis and assessment will be completed within five working days to determine whether the case meets the criteria for formal investigation. For cases that warrant investigation, the Group will establish a dedicated investigation team to conduct an independent, impartial, and thorough inquiry, culminating in the issuance of a comprehensive investigation report. In accordance with applicable laws, regulations, and internal Group policies, appropriate accountability measures will be implemented, and corrective actions will be ensured to address identified deficiencies. Furthermore, for project companies with a history of fraudulent activities, the Group will enhance supervisory oversight through expanded audit scopes and increased audit frequency during subsequent management and operational audits, thereby strengthening risk prevention and control mechanisms.
The Group places consistent emphasis on safeguarding the legitimate rights and interests of whistleblowers and strictly prohibits any form of obstruction to whistleblowing or retaliation against individuals who report concerns in good faith. Any conduct that violates the rights of whistleblowers or those assisting in investigations will be subject to strict disciplinary action under the Audit and Supervision Rewards and Punishments Management System, and such violations will not be tolerated. Where warranted, cases may be referred to judicial authorities in accordance with the law to ensure that responsible parties are held accountable under legal provisions.
The contract signed by the Group and the supplier clearly lists the “Prohibition of Fraudulent Behavior” clause, which states that neither party shall provide benefits outside the contract to the other party’s handler or other personnel, and it also clearly defines how the Group accepts reports, including a dedicated reporting department, a reporting telephone number, and a reporting mailbox. This action makes supplier cooperation fairer and more transparent and effectively avoids integrity risks in the supply chain management process. In addition, during the business management audits, the Group conducts appropriate inspections on the suppliers for their performance in compliance with laws and regulations, integrity management, and anti-corruption policies. In this way, we provide further guarantee for the building of a clean supply chain.
The Group has been running a comprehensive anti-corruption training program persistently. In 2023, the Company conducted integrity training for all employees, combining offline training, online self-study, and prerecorded training videos. This training further promoted the knowledge of anti-fraud related laws and regulations, as well as the Company’s policies, and reinforced the integrity awareness of employees at all levels through analysis of industry cases. For board members, the Group deepens the directors’ understanding and awareness of anti-corruption and integrity responsibilities by distributing anti-corruption and integrity training materials and conducting training seminars related to the responsibilities of directors under the Listing Rules. This initiative covers all members of the board.
With reference to the Enterprise Risk Management Integrated Framework developed by COSO, the Group established a risk management structure of “three levels + three lines of defense”. The first line of defense consists of business units and operational departments at headquarters, which are responsible for identifying, evaluating and monitoring their own risks. The second line of defense comprises the risk management functions and other functional departments at headquarters, which are responsible for developing a risk management mechanism that fits the corporate goals, to identify, control, determine and manage the risks faced by the Group. The third line of defense is the Audit and Supervisory Center, which is responsible for the independent review of the major business procedures and monitoring in accordance with relevant evaluation.
The Group conducts regular training on the Listing Rules regarding directors’ responsibilities (including risk management) and other related matters, and the Audit Committee, comprising independent non-executive directors, meets regularly twice a year to consider the Group’s risk management auditing and monitoring work.
The Group adheres to the basic principles of the Five Key Components of Internal Control (《內部控制五要素》), establishes a correct concept of internal control and compliance from the design level, continuously improves management to establish various standardized processes and management systems, continuously optimizes governance, and builds a comprehensive internal control and compliance system that meets regulatory requirements. The internal control is carried out on the basis of the relevant regulations of the Group.
The Group strengthened the execution of internal control audits, compliance management, establishment of systems and processes, the scope of audits, and follow-up of audit rectification and cross-departmental collaboration. In this way, we achieved closed-loop management of internal control audits. The Group strengthened the building of internal control and compliance culture and organized training sessions on the compliance culture. Meanwhile, the compliance concept was fully established and enforced through online platforms, training videos and other channels.