Chapter III Assessment of Internal Control Systems
|
Section I Internal Audits
|
Article 10 | A public company shall carry out internal audits to assist the board of directors and mangers in inspecting and reviewing defects in the internal control systems as well as measuring operational effectiveness and efficiency, and shall make timely recommendations for improvements to ensure the sustained operating effectiveness of the systems and to provide a basis for review and correction. |
|
Article 11 | A public company shall establish an internal audit unit under the board of directors, and shall appoint, according to its business size, business condition, management needs, and the provisions of other applicable laws and regulations, qualified persons in an appropriate number as full-time internal auditors and have deputies in place for the internal auditors. The deputies are required to carry out audit work in accordance with these Regulations. Any appointment or dismissal of chief internal auditor of a public company shall be subject to approval by the board of directors. Where a public company has established the position of independent director, if an independent director objects to or expresses reservations about the appointment or dismissal, it shall be recorded in the minutes of the board of directors meeting. . Where a public company has established an audit committee, any appointment or dismissal of the chief internal auditor shall be subject to approval by the audit committee and be submitted to the board of directors for a resolution, in which case Article 4, paragraph 4 shall apply mutatis mutandis. When there is a change in the chief internal auditor of a public company, the company shall report the change and the reasons for it within 2 days counting inclusively from the date of occurrence via the Internet-based information system to the FSC for recordation. The date of occurrence referred to in the preceding paragraph means the date of the resolution by the board of directors, or other date sufficient to determine the appointment or dismissal of the chief internal auditor, whichever comes first. The requirements for the qualified full-time internal auditors referred to in paragraph 1 shall be as prescribed separately by the FSC. |
Info |
Article 12 | A public company shall include at least the following in its implementation rules for internal audits: 1. Purpose, functions, and responsibility of the internal audit unit. 2. Assessment of internal control systems to measure the effectiveness of, and compliance with, existing policies and procedures, and their effects on operational activities. 3. A detailed listing of audit items, times, procedures, and methods. |
|
Article 13 | A public company's internal audit unit shall formulate annual audit plans based on the results of the risk assessment, including matters to be audited monthly, and shall faithfully implement the annual audit plans, so as to assess its internal control systems, and prepare audit reports, annexing working papers and relevant materials. A public company shall include at least the following as audit items in its annual audit plan for each year: 1. Matters relating to compliance with applicable laws, regulations, and bylaws. 2. The control activities for major financial or business activities, such as for acquiring or disposing of assets, engaging in derivatives transactions, extending loans to others, granting endorsements or guarantees for others, and management of related party transactions. 3. Supervision and management of subsidiaries. 4. Management of operation of board meetings. 5. Management of preparation process of financial statements, including management of application of International Financial Reporting Standards, procedures for professional accounting judgments, and processes for making changes in accounting policies and estimates. 6. Inspection of information and communications security. 7. Major operating cycles such as the sale and receipt cycle and purchase and payment cycle. The annual audit plan of a public company that has established an audit committee shall also include the management of audit committee meeting operations. Each annual audit plan of a company whose stock is exchange-listed or traded over-the-counter shall also include management of the operations of the remuneration committee. Each annual audit plan of a company whose stock is exchange-listed or traded over the counter shall include the management of sustainability information. A public company's annual audit plan, and any amendments thereto, shall be passed by the board of directors. Where a public company has established independent director position(s), when it submits the annual audit plan to the board of directors for deliberation under the preceding paragraph, the board of directors shall take into full consideration each independent director's opinions, and shall include their opinions in the board meeting minutes. The audit report referred to in paragraph 1, the working papers, and relevant information referred to therein shall be preserved for no less than 5 years. |
|
Article 14 | The internal auditors of a public company shall communicate fully with the audited unit regarding the inspection results of the annual audit items, and shall faithfully disclose in audit reports any defects and irregularities of the internal control systems discovered in assessment and, after having presented the reports, follow up on the matters and prepare follow-up reports at least on a quarterly basis until such time as correction is made, to ensure that the relevant departments have taken appropriate corrective measures in a timely manner. A public company shall include any defects, irregularities, and the status of corrections in the internal control systems as referred to in the preceding paragraph as major items of performance evaluation for each department. The status of correction of defects and irregularities of internal control systems referred to in paragraph 1 shall include all defects found in the course of inspections by the FSC, found in the course of internal audit operations, those listed in Internal Control System Statements, and those discovered in the course of self-assessment or by CPAs in special audits. |
|
Article 15 | After having presented the audit and follow-up reports, a public company shall submit the same for review by the supervisors by the end of the month next following the completion of the audit items. A public company's internal auditors discovering any material violation or any likelihood of material damage to the company shall promptly prepare and present a report and notify the supervisors. If a public company has independent directors, when complying with the preceding two paragraphs, it shall simultaneously submit the materials or notification to the independent directors. |
|
Article 16 | The internal auditors of a public company shall be detached, independent, objective, and impartial, in faithfully performing their duties, and shall exercise due professional care, and in addition to reporting their audit operations to each supervisor on a regular basis, the internal audit officer shall also attend and deliver a report to a board of directors meeting. The internal auditors shall perform their duties in good faith and shall not do any of the following: 1. Conceal or make false or inappropriate disclosure of any the company's business activities, reporting, or compliance with applicable laws, regulations, and bylaws, knowing that they have caused direct damage to an interested party; 2. Damage any right or interest of the company or any interested party through neglect of duty; 3. Act beyond the scope of audit functions or engage in other improper activity, with the intent to gain illegal benefit for him/herself or a third party, violate the auditor’s duties or embezzle company assets. 4. Conduct an audit on a department where he/she worked within the past 1 year. 5. Fail to recuse him/herself from auditing of cases in which he or she has a personal interest or has a conflict of interest. 6. Fail to audit any matter as instructed by the FSC or provide relevant information; or 7. Provide, promise, request, or accept, directly or indirectly, unreasonable gifts, entertainment, or any other improper benefits in whatever form. 8. Any other activity in violation of any act or regulation or prohibited by any rule of the FSC. |
Info |
Article 17 | The internal auditors of a public company shall pursue continuing education as well as attend internal audit training held by institutions recognized by the FSC, to improve their auditing quality and competence. The internal audit training referred to in the preceding paragraph shall include the various professional courses, computerized auditing, and basic legal knowledge. The hours required for the continuing education under paragraph 1 shall be as prescribed separately by the FSC. |
|
Article 18 | A public company shall report to the FSC for recordation the names, ages, educational background, experience, seniority, and training of its internal auditors by the end of January each year via the Internet-based information system. |
Info |
Article 19 | A public company shall submit to the FSC for recordation its next year's audit plan by the end of each fiscal year and a report on the execution of its previous year's annual audit plan within 2 months from the end of each fiscal year in the prescribed format via the internet-based information system. |
Info |
Article 20 | A public company shall report to the FSC for recordation its corrections of any defects and irregularities of the internal control system discovered during the past year's internal auditing within 5 months from the end of each fiscal year in the prescribed format and via the internet-based information system. |
|
Section II Self-assessment and Internal Control System Statement
|
Article 21 | The purpose of self-assessment by a company of its internal control systems is to implement the company’s self-monitoring mechanisms and adapt to changes in the environment in a timely manner, so as to adjust the design and operation of the internal control systems and to enhance the internal audit department's audit quality and efficiency. The self-assessment scope shall include the design and operation of all of the company's internal control systems. Before carrying out the assessment under the preceding paragraph, a public company shall set out in its internal control systems the procedures and methods for self-assessment operations. A public company shall pay close attention to matters relating to compliance with applicable laws, regulations, and bylaws, and shall decide procedures and methods for self-assessment operations based on the results of the risk assessment, and the following items, at least, shall be included: 1. Determination of the control activities that shall be tested. 2. Determination of the business units that shall be included in the self-assessment. 3. Assessment of the design effectiveness of each control activity. 4. Assessment of the operating effectiveness of each control activity. |
|
Article 22 | When conducting self-assessments of its internal control systems, a public company shall first see that all internal departments and subsidiaries conduct self-assessments at least once each year, have its internal audit departments review the self-inspection reports prepared by all departments and subsidiaries, and submit the self-assessment reports, together with the reports on the correction of defects and irregularities of internal control systems discovered by its internal audit departments, to serve as the primary basis for the board of directors and general manager to evaluate the overall efficacy of all internal control systems and to produce Internal Control System Statements. The self-assessments under the preceding paragraph shall be recorded in working papers that shall be preserved, together with the self-assessment reports and relevant materials, for no less than 5 years. |
|
Article 23 | A public company's findings in its self-assessment of its internal control systems shall classify the systems as either "effective internal control systems" or "materially defective internal control systems" based on whether or not they can reasonably ensure the following: 1. That the board of directors and the general manager understand the degree of achievement of operational effectiveness and efficiency objectives. 2. That the reporting of the company reliable, timely, transparent, and complies with applicable rules. 3. That applicable laws, regulations, and bylaws have been complied with. |
|
Article 24 | A company conducting initial public issuance of its stock, or a public company, shall conduct annual self-assessment of the design and operating effectiveness of its internal control systems, and, except as otherwise provided by the FSC, shall publicly announce and report the Internal Control System Statement on the websites designated by the FSC within 3 months from the end of each fiscal year in the prescribed format. Where a public company has established an audit committee, the design and operating effectiveness of the internal control system as referred to in the preceding paragraph shall be subject to the approval of the audit committee, and the provisions of Article 4, paragraph 4 shall apply mutatis mutandis. The Internal Control System Statement referred to in paragraph 1 shall be passed by the board of directors. The same shall apply to any amendments thereto, and the company furthermore shall publicly announce the reasons for and content of the amendments on the websites designated by the FSC within 2 days counting inclusively from the date of passage by the board of directors. The Internal Control System Statement referred to in paragraph 1 shall be published in the company's annual report, public offering and issuance prospectus, and other prospectuses in compliance with relevant regulations. |
Info |
Section III Special Audits by Certified Public Accountants |
Article 25 | The engagement of a CPA by a public company, or the appointment thereof by the FSC pursuant to Article 38-1 of the Act, to conduct a special audit of the company's internal control systems shall be governed by these Regulations and other applicable laws and regulations; matters not provided for therein shall be handled in accordance with the Standards on Assurance Engagements issued by the Accounting Research and Development Foundation (the "Standards on Assurance Engagements"). |
Info |
Article 26 | The purpose for a CPA to conduct a special audit of a public company's internal control systems is to inform the company's interested persons of whether the company's internal control systems are effectively designed and operating. |
|
Article 27 | Special audits of internal control systems of a public company shall be jointly carried out and attested by two or more CPAs qualified under the Criteria Governing Approval for Auditing and Certification of Financial Reports of Public Companies prescribed by the FSC. |
|
Article 28 | Except as otherwise provided by the FSC, the scope of special audits of internal control systems of a public company by CPAs shall be the internal control systems of the audited company with respect to external financial reporting and safeguarding of asset security. The term "safeguarding of asset security" referred to in the preceding paragraph means preventing unauthorized acquisition, use, and disposition of assets. |
|
Article 29 | Except as otherwise provided by the FSC, the time period covered by a special audit of a public company's internal control systems by CPAs shall be consistent with the time period covered in its Internal Control System Statement. |
|
Article 30 | When auditing the internal control design and operation of a public company and the matters represented in the Internal Control System Statement produced by the audited company, the CPAs shall provide reasonable assurance, and collect sufficient and appropriate evidence to reduce their attestation risks to an acceptable degree, and shall comply with the following matters: 1. Special audits shall be conducted by professionally trained and competent CPAs. 2. CPAs shall possess adequate knowledge of the matters represented in the Internal Control System Statement produced by the audited company. 3. CPAs shall have the ability to assess statements or internal control systems of the audited company consistently by using reasonable assessment items as standards before accepting audit engagements. The above-stated standards shall be prescribed by the FSC or by an authoritative institution. 4. In affairs relating to special audits, CPAs shall maintain an attitude of rigor and impartiality and a detached and independent viewpoint. 5. CPAs shall exercise all due professional diligence when conducting special audits. 6. Special audits shall be carefully planned and assistants, if any, shall be properly supervised. 7. CPAs shall obtain sufficient and appropriate evidence regarding the effectiveness of each constituent element of the internal control systems, to provide a reasonable basis on which to form a conclusion on the audited company's internal control systems. 8. The preparation and retention of the working papers of special audits shall be handled in compliance with Standard on Assurance Engagements 3000. 9. The issuance of the internal control system audit report shall be handled in compliance with Standard on Assurance Engagements 3000. |
|
Article 31 | CPAs retained to conduct special audits of internal control systems of a public company shall conduct such procedures in four stages: 1. Planning: A. Obtain written records of the audited company's board of directors' and managers' control objectives and internal control system policies and procedures, and other necessary information. B. Formulate an audit plan. The following factors at least shall be taken into consideration: the characteristics of the industry to which the enterprise belongs, information obtained when undertaking work under other engagements with the audited company, the condition of the audited company and recent changes in it, evidence available to the CPAs, the nature of specific internal control system procedures and the importance of such procedures to the overall internal control systems, preliminary assessment of the effectiveness of the overall internal control systems, differences among various operating locations, degree of centralization, transactions executed and the control environment, and the materiality/significance level and control risk in connection with the internal control system that are acceptable to the CPAs. 2. Gaining an understanding of the internal control system: CPAs may use means such as inquiry, inspection, and observation to gain an understanding of the internal control system of the audited company, by which to assess the effectiveness of the internal control system. 3. Assessing the effectiveness of the design of the internal control system: A. When assessing the effectiveness of the design of the audited company's internal control system, CPAs shall collect evidence regarding the effectiveness of the design. Methods for collecting such evidence include inquiry, inspection, and observation. B. When assessing the effectiveness of the design of the internal control system, CPAs shall focus on whether the overall internal control system achieves a given goal rather than whether any given specific operation of the internal control system is inappropriate. C. When engaged only to evaluate the effectiveness of the design of the internal control system, CPAs shall conduct necessary control tests based on actual needs. 4. Testing and assessing the operating effectiveness of the internal control system: A. CPAs shall conduct control tests to collect evidence regarding the operation of the internal control system to provide a basis for assessing the operating effectiveness of the internal control system. B. Methods for conducting control tests by CPAs include inquiry, inspection, observation, and re-testing. Control tests shall be conducted until sufficient and appropriate evidence has been collected. Evidence collected by the audited company during self-assessment of the internal control system shall not be substituted directly for evidence to be collected by the CPAs. C. Whether the evidence collected by CPAs is sufficient and appropriate is affected by the following factors: the nature of the audited company's internal control procedures, the importance of the internal control procedures to attainment of the control objectives, the probability of violation of control procedures by the audited company, the nature and extent of control tests already conducted by the audited company, and the CPAs' preliminary assessment of the effectiveness of the control procedures. CPAs shall also execute necessary procedures and collect necessary evidence regarding subsequent events during the post audit period. |
|
Article 32 | (Deleted) |
|
Article 33 | (Deleted) |
|
Article 34 | Where appointed by the FSC pursuant to Article 38-1 of the Act, CPAs failing to acquire the audited company's Statement about the internal control system at issue shall provide reasonable assurance with respect to the audited company's internal control design and operating effectiveness, and issue an audit report in compliance with Standard on Assurance Engagements 3000. |
Info |
Article 35 | (Deleted) |
|
Article 36 | CPAs discovering defects when conducting special audits of internal control systems of a public company shall issue internal control system recommendations in the prescribed format, for reference by the audited company to take corrective measures. |
|
Article 37 | CPAs retained to conduct special audits of the internal control systems of a company conducting initial public offering of stocks shall conduct such audits pursuant to Articles 25 through the preceding article. When conducting special audits under the preceding paragraph, CPAs shall focus on whether the company has meet the requirements of applicable laws and regulations, and, particularly, express opinions on the company's operational procedures such as for acquiring or disposing of assets, engaging in derivatives transactions, management of loans to others, management of endorsements or guarantees for others, management of related party transactions, management of the procedures for preparation of financial statements, and supervision and management of subsidiaries, and shall give an appropriate explanation thereof in a single separate paragraph in the audit report. Except as otherwise provided by the FSC, the time period covered by a special audit under paragraph 1 shall be the most recent fiscal year before the company filed its report for public issuance of its stock. If on the date of the report for public issuance eight months have already lapsed since the beginning of the fiscal year, the time period covered shall be the second half of the most recent fiscal year and the first half of the current fiscal year. |
Info |