Chapter II Design and Operation of Internal Control Systems |
Article 5 | A public company shall explicitly specify the internal organizational structure, report system, and appropriate assignment of authority and responsibility in its control system, and shall specify therein, with respect to members of management, the establishment of positions, occupational titles, appointment and dismissal, scope of duties and powers, and remuneration policy and procedure.
A public company shall consider the overall operational activities of the company and its subsidiaries, design and faithfully implement its internal control systems, and review such systems from time to time, to adapt to changes in its internal and external environment and to ensure sustained design and operating effectiveness of the systems.
The subsidiaries referred to in the preceding paragraph are those as determined under the Regulations Governing the Preparation of Financial Reports by Securities Issuers. |
Article 6 | A public company's internal control systems shall comprise the following constituent elements:
1. Control environment: Control environment is the basis of the design and implementation of internal control system across the company. Control environment encompasses the integrity and values of the company, governance oversight responsibility of the board of directors and supervisors, organizational structure, assignment of authority and responsibility, human resources policy, and performance measures and reward and discipline. The board of directors and management shall prescribe internal standards of conduct, including the adoption of a code of conduct for directors and a code of conduct for employees.
2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of the company, and with the suitability of the objectives for the company taken into consideration. Management shall consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective. The risk assessment results can assist the company in designing, correcting, and operating necessary control activities in a timely manner.
3. Control activities: Control activities are the actions of carrying out policies and procedures taken by the company on the basis of risk assessment results to limit relevant risks to a sustainable level. Control activities shall be performed at all levels of the company, at various stages within business processes, and over the technology environment, and shall include supervision and management of subsidiaries.
4. Information and communications: Information and communication means the relevant and quality information that the company obtains, generates, or uses from both internal and external sources to support the functioning of other components of internal control, and the capability of effective communication between the company and external parties. Internal control systems must have mechanisms for generating information necessary for planning, implementation, and monitoring and providing timely information to those who need it.
5. Monitoring activities: Monitoring activities means ongoing evaluations, separate evaluations, or some combination of the two used by the company to ascertain whether each of the components of internal control is present and functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels of the company. Separate evaluations are evaluations conducted by different personnel such as internal auditors, supervisors, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management at appropriate levels, the board of directors, and the supervisors, and improvements shall be made in a timely manner.
A public company designing and operating its internal control systems or carrying out self-assessment, or a certified public accountant (CPA) retained to conduct a special audit of the company's internal control systems, shall fully consider the constituent elements enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the Financial Supervisory Commission (FSC), shall add additional items as dictated by actual needs. |
Article 7 | The internal control systems of a public company shall cover all its operational activities and comply with the laws and regulations governing the industry to which the company belongs, and control activities shall be prescribed for the cycles listed below, classified by operating cycles according to the characteristics of the industry to which the enterprise belongs:
1. Sale and receipt cycle: This cycle includes policies and procedures such as for processing customer orders, credit management, delivery of goods or provision of services, issuance of sales invoices, issuance of bills, recording of revenues and accounts receivable, sales allowances and returns, customer complaints, destruction of products, and execution and recording of receipts of negotiable instruments and cash payments.
2. Purchase and payment cycle: This cycle includes policies and procedures such as for managing suppliers; managing contractors; requisitioning, comparing or negotiating prices; contracting; purchasing or procuring goods, materials, supplies, assets, and services; processing purchase lists; accepting goods; quality inspection; preparing inspection reports or returning goods; recording suppliers’ liabilities; approving payments; purchase allowances; and execution and recording of negotiable instruments handed over and cash payments.
3. Production cycle: This cycle includes policies and procedures such as for managing environment safety; managing occupational safety and health; production scheduling; creating bills of materials; storing materials and supplies; requisitioning materials; putting materials into production; managing process safety; controlling the quality of finished goods; managing scrap and refuse; product composition labeling; calculating inventory and production costs, and calculating sales costs.
4. Labor and wage cycle: This cycle includes policies and procedures such as for hiring, job rotation, leave-taking, shift planning, overtime work, dismissal, training, retirement, determining wage rates, calculating working time, calculating salaries and benefits, calculating payroll taxes and withholdings, creating payroll records, salary payment, and review of attendance and performance.
5. Finance cycle: This cycle includes policies and procedures such as for authorization, execution, and record-keeping with regard to finance and financing matters such as borrowing of funds, granting of guarantees, acceptance of checks, renting/leasing, and issuance of corporate bonds and/or other securities.
6. Property, plant and equipment cycle: This cycle includes policies and procedures such as for acquisition, disposition, maintenance, safeguarding, and recording of property, plant and equipment.
7. Investment cycle: This cycle includes policies and procedures such as for decision-making, trading, safekeeping, and recording with respect to securities, investment property, derivatives, and other investments.
8. Research and development (R&D) cycle: This cycle includes policies and procedures such as for fundamental research, product design, technology development, prototype manufacturing and product testing, recording of R&D operations, safekeeping of documents, and acquisition, maintenance, and utilization of intellectual property.
A public company may tailor its control activities to meet the needs of its actual business activities according to the characteristics of the industry to which the enterprise belongs. |
Article 8 | In addition to control activities for different types of operating cycles as set out in the preceding article, a public company shall include controls for the activities listed below in its internal control systems:
1. Management of the use of seals.
2. Management of the receipt and use of negotiable instruments.
3. Management of the budget.
4. Management of assets.
5. Management of endorsements and guarantees.
6. Management of liabilities, commitments, and contingencies.
7. Implementation of authorization and deputy systems.
8. Management of loans to others.
9. Management of financial and non-financial information.
10. Management of related party transactions.
11. Management of the procedures for preparation of financial statements, including management of application of International Financial Reporting Standards, procedures for professional accounting judgments, and processes for making changes in accounting policies and estimates.
12. Supervision and management of subsidiaries.
13. Management of operation of board meetings.
14. Management of shareholder services.
15. Management of personal information protection.
The internal control system of a public company that has established an audit committee shall include the management of audit committee meeting operations.
The internal control system of a company whose stock is exchange-listed or traded over the counter shall also include controls over the following operations:
1. Management of the operations of the remuneration committee.
2. Management of the prevention of insider trading.
The internal control system of a company whose stock is exchange-listed or traded over the counter shall include the management of sustainability information. |
Article 9 | A public company that uses a computerized information processing system shall, in addition to clearly differentiating the functions and duties of information and user departments, include at least the following control procedures:
1. A clear division of the functions and duties of the information-processing department;
2. Control of system development and program modification;
3. Control of preparing system documentation;
4. Program and data access control;
5. Data input/output control;
6. Data processing control;
7. File and equipment security control;
8. Control of purchase, usage, and maintenance of software and hardware;
9. Control of system recovery plan and testing procedures;
10. Control of information flow security inspection;
11. Control of relevant procedures for disclosing and reporting information on websites designated by the FSC. |
Article 9-1 | A public company shall allocate adequate human resources and equipment for the planning and monitoring of the information security system and the implementation of information security management operations.
If certain conditions are met, the FSC may order the company to appoint a person with overall responsibility for the promotion of information security policies and the deployment of related resources to serve on a concurrent basis as chief information security officer, and to establish a dedicated information security unit, chief officer, and other personnel.
The conditions referred to in the preceding paragraph shall be prescribed by the FSC. |