|
Article 22
|
When the securities firm applies to the TPEx to establish or relocate its place of business, and within 3 months after the end of each fiscal year, it shall have an evaluation report issued by a CPA on the information systems and security control operations in accordance with the Principles for Information System and Security Control Operation Evaluation Reports Issued by Certified Public Accountants, as published by the TPEx.
The content of the evaluation report under the preceding paragraph shall at least include the qualifications of the evaluator, scope of the evaluation, deficiencies found in the evaluation, severity of deficiencies, types of deficiencies, description of associated risks, specific recommendations for corrections, and the results of related exercises. Furthermore, the securities firm shall have its internal audit unit carry out follow-up review of the correction of the deficiencies. The aforementioned report and related documents including those regarding correction of the deficiencies shall be kept for at least 2 years.
When the securities firm engages the CPA to handle the procedures under paragraph 1, the contract for the engagement shall specify that the competent authority or the TPEx, when necessary, may request the CPA to provide explanations or to hand over the CPA's working papers from the evaluation report for review, and the CPA must comply with such requests.
To ensure the privacy and security of data and maintain the accuracy of data transmission, exchange, or processing, the TPEx when necessary may require the securities firm to raise its information system standards and strengthen its security control procedures.
|