GUIDELINES ON INTERNAL AUDIT FOR BANKING FINANCIAL INSTITUTIONS

Yin Jian Fa [2006] No. 51
June 27, 2006

Chapter I General Provisions

Article 1

In order to advance banking financial institutions to improve corporate governance, strengthen internal control and perfect the internal
audit system, these Guidelines are formulated according to the Banking Supervision Law of the People’s Republic of China, the Law
of the People’s Republic of China on Commercial Banks, the Company Law of the People’s Republic of China, the Audit Law of the People’s
Republic of China, the Regulations for the Implementation of the Audit Law of the People’s Republic of China and other relevant laws
and regulations.

Article 2

The term “banking financial institutions” as mentioned in these Guidelines shall refer to the policy banks and commercial banks that
are established within the territory of the People’s Republic of China.

As for other financial institutions established upon approval of the China Banking Regulatory Commission (hereinafter referred to
as the CBRC), these Guidelines may be implemented by reference.

Article 3

The term “internal audit” as mentioned in these Guidelines refers to a kind of independent and objective supervision, appraisal or
consulting activity, and is an important part of the internal control of banking financial institutions, under which systematic and
regularized methods are adopted to examine, appraise and improve the business activities, risk conditions, internal control and corporate
governance effects of banking financial institutions, so as to promote the healthy development of banking financial institutions.

Article 4

The internal audit of banking financial institutions aims to guarantee the implementation of related economic and financial laws
and regulations, guidelines and policies as well as the rules of supervisory departments of the state, control the risks at an acceptable
level within the risk framework of banking financial institutions, improve the operation of banking financial institutions and increase
the value.

Article 5

The internal audit work of banking financial institutions shall be independent of the business operation and management, be guided
by risks and be guaranteed to be objective and impartial.

Article 6

The CBRC shall examine and appraise the internal audit work of banking financial institutions according to these Guidelines.

Chapter II Framework and Staff

Article 7

The board of directors of a banking financial institution shall be responsible for establishing and maintaining a sound and effective
internal audit system. Where there is no independent board of directors, the senior managers shall be responsible for fulfilling
the relevant duties.

An audit committee shall be set up under the board of directors, which shall contain at least 3 members and a majority of the members
shall be non-executive directors. The chairman of the audit committee shall be an independent director. Where there is no independent
board of directors, the organizational structure of the audit committee and the person-in-charge thereof shall be subject to the
determination of the senior managers.

Article 8

The banking financial institution shall set up an internal audit department to audit the business operation and management acts of
all institutions of the same banking group, and may staff a chief auditor to be responsible for the audit work of all institutions
of the same banking group.

The chief auditor shall be appointed by the board of directors, which shall be included in the scope of ratification of the position-holding
qualification of senior managers of banking financial institutions. Any alteration of the position of the chief auditor shall be
reported to the CBRC in advance.

Article 9

Banking financial institutions shall establish an independent and vertical internal audit management system. The audit budget, the
remunerations of employees, the appointment and dismissal of major persons-in-charge shall be decided on by the board of directors
or its special committee. The remuneration of internal auditors may not be lower than the average level of employees of the same
grade in other departments of the institution.

Article 10

The internal auditors of banking financial institutions shall generally be staffed at 1% of the total number of employees, and an
internal position-shift system shall be set up.

Article 11

Internal auditors shall have the corresponding professional practicing qualifications:

(1) Professional level. Internal auditors shall have a diploma of junior college or above, grasp professional knowledge related to internal
audit of banking financial institutions, and be familiar with related financial laws and regulations and internal control rules.

(2) Practicing experience. Internal auditors shall have at least two years of experience in practicing finance; the person-in-charge
of an audit project shall have at least three years of experience in audit, or at least six years in practicing finance.

(3) Morality criteria. Internal auditors shall have upright, objective, clean-fingered and impartial occupational ethics, and have no
bad records since they engaged in financial work.

Chapter III Duties

Article 12

Banking financial institutions shall make rules to clarify the duties of the board of directors, the audit committee, the chief auditor,
the internal audit department and the staff thereof.

Article 13

The board of directors shall bear the final liabilities for the suitability and validity of internal audit, be responsible for approving
the articles of association of internal audit, the medium and long-term audit plan and the annual work plan, etc., provide what is necessary to guarantee
that the internal audit work is carried out independently and objectively, and examine and supervise the audit work.

Article 14

The audit committee shall be responsible to the board of directors, and, upon authorization of the board of directors, organize and
guide the internal audit work. The audit committee shall convene meetings regularly, and may, if necessary, invite senior managers
to attend the meeting.

Article 15

The chief auditor shall be responsible for organizing the implementation of internal audit articles of association, medium and long-term
audit plan and annual work plan, do well in the coordination work, timely report the audit work to the board of directors and the
major persons-in-charge of the senior management staff, and take charge of the overall quality of internal audit.

Article 16

The internal audit department shall be responsible to the board of directors and the audit committee, formulate internal audit procedures,
appraise the risk conditions and management status, implement the annual audit work plan, carry out follow-up audit, supervise the
rectification, be responsible for the quality of the audit project, and manage the archives well.

Article 17

The internal audit items shall mainly include:

(1) the regularity of business management and the work condition of the related department;

(2) soundness and validity of the internal control;

(3) risk conditions, and the applicability and validity of the procedures for risk identification, computation and control;

(4) information on programming and design, development and operation, management and maintenance of the information system;

(5) accuracy and reliability of the accounting records and the financial reports;

(6) information on the asset valuation system related to risks; and

(7) operational performance of the institution and fulfillment of duties by managers.

Chapter IV Scope of Powers

Article 18

Banking financial institutions shall make rules to clarify powers necessary for the internal audit department to fulfill its duties.

Article 19

The internal audit department can be present at or take part in meetings related to the duties of the internal audit department.

Article 20

The internal audit department shall be entitled to timely and fully know about the management information, investigate and inquire
of the entity subject to audit and the related persons involved in the relevant issues, as well as collect evidence from them.

Article 21

The internal audit department may, when deeming it necessary, report audit findings directly to the board of directors.

Article 22

The internal audit department shall have the power to propose suggestions on punishment and the power to impose penalties.

Article 23

In case anyone refuses to accept or cooperate in internal audit, refuses to provide true information or provides false information,
or retaliates against or frames the auditors, the internal audit department shall have the power to report this to the superior department,
and request the superior department to timely stop the act and impose the relevant punishment.

Chapter V Quality Control

Article 24

The internal audit department may provide consultation services regarding risk management, internal control and other related matters,
but may not directly participate in or take charge of making decisions on internal control design or management, or implementing
such decisions.

Article 25

The internal audit department shall, based on the annual risk evaluation, determine audit focuses. The audit frequency and extent
shall accord with the business nature, complexity, risk conditions and management level of banking financial institutions.

Every business office shall be subject to risk evaluation at least once every year, and be audited at least once every two years.

Article 26

The internal audit department and the auditors thereof shall, strictly according to the audit procedures and audit methods, implement
the audit project, and make self-evaluation at regular intervals.

Article 27

The internal audit department shall set up an audit withdrawal system for internal auditors, and guarantee the objectivity of internal
audit.

Article 28

The internal audit department shall set up a follow-up training system for internal auditors, encourage them to obtain the practicing
qualifications of certified public accountant, certified internal auditor, certified information system auditor, etc., so as to
guarantee the professional competency of the internal auditors.

Article 29

The internal audit department shall enhance the application of technological means and information technology in audit work, establish
and improve the non-on-spot internal audit monitoring system as well as the internal audit operation system and the information management
system.

Article 30

The internal audit department may, in light of the need of work, outsource part of the internal audit projects upon approval of the board
of directors, but shall in advance evaluate the independence, objectivity and professional competency of the undertaking institution.

Article 31

The internal audit department shall set up an audit reconsideration system. The audit conclusion to which the entity under audit
objects shall be subject to reconsideration of the superior institution of the audit institution that has made the audit conclusion.

Article 32

The board of directors may hire an outside institution to appraise the due diligence of the internal audit department, and shall guarantee
that the external inspectors are independent of the entity subject to appraisal, have the professional competency and have no interest in
or conflict with the entity subject to appraisal.

Chapter VI Report System

Article 33

The banking financial institution shall set up an internal audit report system and a report avenue, which are suitable for the vertical
management system.

Article 34

The audit committee shall report its audit work to the board of directors on a quarterly basis, and notify the senior management
staff and the board of supervisors of it.

Article 35

The chief auditor and the internal audit department shall report the audit work to the board of directors and the main principal
of the senior management staff on a quarterly basis, and shall, at least once every year, submit to the board of directors the audit
work reports containing contents such as fulfillment of the duties, audit findings and suggestions, etc.

Article 36

The chief auditor and the internal audit department shall, after finishing a matter subject to audit, timely submit to the board
of directors and the main principals of the senior management staff the project audit report containing contents such as the survey
of audit, audit basis, audit conclusion, audit decision, audit suggestion, feedback opinions of the entity subject to audit, etc.

Article 37

The banking financial institution shall set up and improve the system for communicating with and making reports to the CBRC.

The board of directors and the senior management staff shall timely report to the CBRC the major audit findings.

The internal audit department shall report the following items to the CBRC or the dispatched office thereof:

(1) The all-round audit work report submitted to the board of directors;

(2) Where the internal audit department conducts audit at a different place, it shall meanwhile make a copy of the audit report to the
office dispatched by the CBRC at the locality of the entity subject to audit;

(3) After finding any major problem and reporting it to the board of directors, the internal audit department shall directly report the
related information to the CBRC, under the circumstance that the problem has not been carefully investigated, no punishment has been
imposed and no rectification has been made;

(4) The audit report of the external intermediary institution on the banking financial institution; and

(5) Other matters as required by the CBRC or its dispatched office to be reported.

Chapter VII Assessment and Accountability

Article 38

The board of directors and the senior management staff shall take effective measures to guarantee the sufficient utilization of the
internal audit achievements.

As for issues not rectified in light of the rectification requirements, the senior management staff shall supervise and urge the
rectification, investigate the liabilities of related persons, and bear the liabilities and risks for not taking timely rectifying
measures against the audit findings.

Article 39

The board of directors shall set up an incentive and restrictive mechanism, assess and appraise the due diligence and fulfillment
of duties of all related parties to the internal audit, set up an accountability system for internal audit, and clarify the standards
and procedures for investigating the internal audit liabilities and the exemption thereof.

Article 40

The board of directors shall investigate the liabilities of the person in charge of the internal audit department or any other person
directly liable under any of the following circumstances:

(1) failing to implement the audit plan, procedures or methods and thus causing major problems not to be found;

(2) concealing any problem found from the audit or failing to truthfully report it;

(3) the audit conclusion violating the facts seriously;

(4) doing a poor job in following up the investigation and rectification of the problems found from the audit;

(5) failing to implement the confidentiality system in light of the requirements; or

(6) committing other acts injuring the interests or fame of banking financial institutions.

Article 41

Where, upon inspection, supervision and affirmation of liabilities, a banking financial institution has sufficient evidence to prove
that the internal audit department and the auditors have performed the duties in due diligence according to related laws, regulations,
rules, these Guidelines and its internal audit rules, and have timely reported the problems found from the examination, it may, when
the related problems of the entity subject to audit are exposed, exempt or partially exempt the liabilities of the internal audit
department and the related auditors by considering the conditions.

Chapter VIII Supplementary Provisions

Article 42

Banking financial institutions shall, according to these Guidelines, formulate their respective detailed implementation rules, and
make reports to the CBRC for archival filing.

Article 43

The power to interpret these Guidelines shall remain with the CBRC.

Article 44

These Guidelines shall enter into effect as of July 1, 2006.



 
The China Banking Regulatory Commission
2006-06-27