| Title: |
Regulations Governing Establishment of Internal Control Systems by Public Companies(2009.03.16) |
| Date: |
|
|
Article 6
|
A public company's internal control systems shall comprise the following constituent elements:
1. Control environment. Control environment is a composite factor that shapes an organizational culture and affects organization members’ awareness of control. Factors affecting control environment include the integrity, values, and ability of organization members; the oversight of the board of directors and supervisors; the management philosophy and operating style of the board of directors and managers; organizational structure, assignment of powers and duties, and human resources policies and the implementation thereof . The control environment is the foundation for the other constituent elements.
2. Risk assessment and response. Risk assessment refers to the processes by which the company identifies internal and external factors that keep it from achieving its objectives and assesses their impact and probability. After assessing relevant risks, the company shall decide how to respond to the risks, and shall, in deciding on the manner to respond, take into overall consideration risk assessment results, risk preferences, and risk-bearing capacity in order to assist the company in designing, correcting, and operating necessary control activities in a timely manner.
3. Control activities. Control activities refers to establishing a complete and sound control framework and adopting control procedures for all levels to help the board of directors and managers ensure that their risk responses could be carried out. Control activities include policies and procedures such as those for approval, authorization, inspection, regulation, review, regular inventory taking, record reviews, division of function and powers, safeguard of physical security of assets, comparison with plans, budgets, or performance in previous periods, and supervision and management of subsidiaries.
4. Information and communications. Information is the subject matter identified, measured, processed, and reported by information systems. It includes information, financial or non-financial, pertaining to the objectives of operational or financial reporting and compliance with applicable laws and regulations. Communications is the disclosure of information to relevant personnel, including internal and external communications of the company. Internal control systems must have mechanisms for generating information necessary for planning, implementation, and monitoring and providing timely information to those who need it.
5. Monitoring. Monitoring is the process of self-inspecting the quality of internal control systems. It includes assessing the soundness of the control environment; whether risk assessment and response are timely and accurate; whether control activities are appropriate and accurate; and whether information and communication systems are functioning properly. Monitoring may be divided into continuous monitoring and individual assessments. The former refers to routine supervision during operations, while the latter refers to assessments conducted by different personnel such as internal auditors, supervisors, or the board of directors.
A public company designing and operating its internal control systems or carrying out self-inspection, or a certified public accountant (CPA) retained to conduct a special audit of the company's internal control systems, shall fully consider the constituent elements enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the Financial Supervisory Commission (FSC), Executive Yuan, shall add additional items as dictated by actual needs.
|
|
Article 8
|
In addition to control activities for different types of transaction cycles as set out in the preceding article, a public company shall include controls for the activities listed below in its internal control systems:
1. management of the use of seals.
2. management of the receipt and use of negotiable instruments.
3. management of the budget.
4. management of assets.
5. management of endorsements and guarantees.
6. management of liabilities, commitments, and contingencies.
7. implementation of authorization and deputy systems.
8. management of loans to others.
9. management of financial and non-financial information.
10. management of related party transactions.
11. management of the procedures for preparation of financial statements.
12. supervision and management of subsidiaries.
13. management of operation of board meetings.
The internal control system of a company whose stock is exchange-listed or traded over the counter shall also include measures to prevent insider trading.
|
|
Article 14
|
The internal auditors of a public company shall communicate fully with the audited unit regarding the inspection results of the annual audit items, and shall faithfully disclose in audit reports any defects and irregularities of the internal control systems discovered in inspection and, after having presented the reports, follow up on the matters and prepare follow-up reports at least on a quarterly basis until such time as correction is made, to ensure that the relevant departments have taken appropriate corrective measures in a timely manner.
A public company shall include any defects, irregularities, and the status of corrections in the internal control systems as referred to in the preceding paragraph as major items of performance evaluation for each department.
The status of correction of defects and irregularities of internal control systems referred to in paragraph 1 shall include all defects found in the course of inspections by the FSC, found in the course of internal audit operations, those listed in Internal Control System Statements, and those discovered in the course of self-inspection or by CPAs in special audits.
A public company that has established independent director position(s) or an audit committee shall, when complying with the preceding two paragraphs, additionally forward the materials or give notice to the independent director(s) or audit committee.
|
|
Article 16
|
The internal auditors of a public company shall be detached, independent, objective, and impartial, in faithfully performing their duties, and shall exercise due professional care, and in addition to reporting their audit operations to each supervisor on a regular basis, the internal audit officer shall also attend and deliver a report to a board of directors meeting.
The internal auditors shall perform their duties in good faith and shall not do any of the following:
1. Conceal or make false or inappropriate disclosure of any the company's business activities, financial reports, or compliance with applicable laws or regulations, knowing that they have caused direct damage to an interested party;
2. Damage any right or interest of the company or any interested party through neglect of duty;
3. Act beyond the scope of audit functions or engage in other improper activity, with the intent to gain illegal benefit for him/herself or a third party, violate the auditor’s duties or embezzle company assets.
4. Conduct an audit on a department where he/she worked within the past 1 year.
5. Fail to recuse him/herself from auditing of cases in which he or she has a personal interest or has a conflict of interest.
6. Fail to audit any matter as instructed by the FSC or provide relevant information; or
7. Any other activity in violation of any act or regulation or prohibited by any rule of the FSC.
|
|
Article 40
|
A public company shall execute at least the following control activities when supervising and managing its subsidiaries' financial and business information:
1. Supervise the establishment of independent financial and business information systems by its subsidiaries.
2. Establish effective financial and business communication systems between it and each subsidiary; in addition to the major financial and business matters referred to in the preceding article that shall be reported prior to their occurrence, the subsidiary shall also immediately report to the company the occurrence of any other material event that, under the Act or any applicable regulations, shall be announced or reported as likely to affect company rights and interests and securities prices.
3. Obtain, and analyze and review, at least on a quarterly basis, each subsidiary's monthly management reports, including business report, monthly statement of production and sales volumes, monthly balance sheet, monthly income statement, monthly cash flow statement, aging account receivable analysis and delinquent debt report, aging inventory analysis, monthly report on loaned funds, and monthly report on endorsements/guarantees.
4. Arrange for each subsidiary to provide necessary financial and business information or retain CPAs to audit or review each subsidiary's financial report in compliance with the requirements of laws and regulations regarding matters to be publicly announced or reported and the time limits therefor.
The FSC shall prescribe compliance matters in connection with companies' obtaining, and analyzing and reviewing, of each subsidiary's monthly management reports under subparagraph 3 of the preceding paragraph.
|