Chapter I General Principles
Article 1
These Regulations are promulgated in accordance with Article 14-1, paragraph 2 of the Securities and Exchange Act and Article 97-1, paragraph 2 of the Futures Trading Act.
Article 2
A service enterprise shall establish internal control systems in accordance with these Regulations and with internal control system rules adopted hereunder; provided, where another act provides otherwise, the provisions of such act shall prevail.
Article 3
The term "service enterprise" as used in these Regulations includes securities exchanges, over-the-counter securities exchanges, futures exchanges, centralized securities depository enterprises, securities firms, futures enterprises, securities finance enterprises, securities investment trust enterprises, securities investment consulting enterprises operating discretionary investment services, credit rating enterprises, and other service enterprises designated by the Securities and Futures Commission (SFC), Ministry of Finance.
Article 4
The internal control systems of a service enterprise shall be designed by its board of directors and managers with the aim of promoting sound corporate operations and reasonably ensuring that the following objectives are achieved:
1. Effectiveness and efficiency of operations;
2. Reliability of financial reporting; and
3. Compliance with applicable acts and regulations.
The objective of effectiveness and efficiency of operations referred to in subparagraph 1 of the preceding paragraph shall include objectives such as profits, performance, and safeguarding of asset security.
Article 5
A service enterprise shall set out its internal control systems, including internal audit implementation rules, in writing, and have them passed by the board of directors. If any director expresses dissent, where stated in minutes or in a written statement, the service enterprise shall submit the dissenting opinions to each supervisor together with the internal control systems having been passed by the board of directors. The same shall apply to any amendment thereto.
Where a service enterprise has established the position of independent director, when it submits its internal control systems for discussion by the board of directors pursuant to the preceding paragraph, the board of directors shall take into full consideration each independent director's opinions; the independent directors' specific opinions of assent or dissent and the reasons for dissent shall be included in the minutes of the board of directors' meeting.
Chapter II Design and Implementation of Internal Control Systems
Article 6
A service enterprise shall consider the overall operational activities of its head office and subsidiaries to establish effective internal control systems, and review the systems from time to time, to adapt to changes in its internal and external environment and to ensure sustained design and operating effectiveness of the systems.
The subsidiaries referred to in the preceding paragraph are those as determined under the Statement of Financial Accounting Standards Nos. 5 and 7 issued by the Accounting Research and Development Foundation (ARDF) of the Republic of China.
Article 7
A service enterprise's internal control systems shall comprise the following constituent elements:
1. Control environment. The control environment is a composite factor shaping organizational culture and affecting employees' awareness of control. Factors affecting control environment include employees' integrity, values, and ability; the management philosophy and operating style of the board of directors and managers; the hiring, training, and organizing of employees and the assignment of powers and duties; and attention and guidance of the board of directors and the supervisors. The control environment is the basis for the other constituent elements.
2. Risk assessment. Risk assessment refers to the processes by which the service enterprise identifies internal and external factors that keep it from achieving its objectives and evaluates their impact and probability. Assessment results can assist the enterprise in designing, correcting, and operating necessary control activities in a timely manner.
3. Control activities. Control activities refers to establishing a complete and sound control framework and adopting control procedures for all levels to help the board of directors and managers ensure that their instructions have been carried out. Control activities include policies and procedures such as approval, authorization, inspection, regulation, review, periodic stocktaking, record reviews, division of functions and powers, safeguarding of physical security of assets, comparison with plans, budgets, or performance in previous periods, and supervision of subsidiaries.
4. Information and communications. Information is the subject matter identified, measured, processed, and reported by information systems. It includes information, financial and non-financial, pertaining to the objectives of operational or financial reporting and compliance with applicable acts and regulations. Communications is the disclosure of information to relevant personnel, including internal and external communications of the company. Internal control systems must have mechanisms for generating information necessary for planning and monitoring and providing timely information to those who need it.
5. Monitoring. Monitoring is the process of self-inspecting the quality of internal control systems. It includes assessing the soundness of the control environment; whether risk assessment is timely and accurate; whether control activities are appropriate and accurate; and whether information and communication systems are functioning properly. Monitoring may be divided into continuous monitoring and individual assessments. The former refers to routine supervision in the course of business, while the latter is the evaluation conducted by different personnel such as internal auditors, supervisors, or the board of directors.
A service enterprise designing and operating or carrying out self-inspection, or a certified public accountant (CPA) retained to conduct a special audit, of the company's internal control systems, shall fully consider the constituent elements enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the SFC, shall add additional items as dictated by actual needs.
Article 8
In addition to setting out control activities for different transaction cycles based on the nature of its business, a service enterprise shall consider its actual needs and include other control activities in its internal control systems, such as seal use management, management of the acceptance and use of negotiable instruments, budget management, asset management, management of endorsements/guarantees, debt commitments and contingencies, delegation of duties and deputy system, management of financial and non-financial information, and procedures for control over its subsidiaries.
Article 9
A service enterprise that uses a computerized information system for data-processing shall, in addition to clarifying the functions and duties of information and user departments, include at least the following control procedures:
1. Division of the functions and duties of the information-processing department;
2. Control of system development and program modification;
3. Control of preparing system documentation;
4. Program and data access control;
5. Data input/output control;
6. Data processing control;
7. File and facility security control;
8. Control of purchase, usage, and maintenance of hardware and system software;
9. Control of system recovery plan and testing procedures;
10. Control of information flow security inspection;
11. Control of relevant procedures for disclosing and reporting information on websites designated by the SFC.
Chapter III Inspection of Internal Control Systems
Section I Internal Audits
Article 10
A service enterprise shall carry out internal audits to assist the board of directors and managers in inspecting and reviewing defects in the internal control systems as well as measuring operational effectiveness and efficiency, and shall make timely recommendations for improvements to ensure the sustained operating effectiveness of the systems and to provide a basis for review and correction.
Article 11
A service enterprise shall establish an internal audit unit under the board of directors or under direct supervision of the general manager, and shall, except as otherwise provided by the SFC, appoint qualified persons in an appropriate number as full-time internal auditors according to its scale, business condition, management needs, and relevant provisions of acts and regulations.
A service enterprise shall report any appointment or discharge of internal audit executives for passage by the board of directors, and shall, except as otherwise required by provisions governing securities and futures enterprises, report the reason for such change of position and provide a copy of the minutes of the board of directors meeting to the SFC for recordation within five days from approval by the board.
The requirements for the qualified full-time internal auditors referred to in paragraph 1 shall be as prescribed separately by the SFC.
Article 12
A service enterprise shall include at least the following items in its implementation rules for internal audits:
1. Inspection of internal control systems to measure the effectiveness of, and compliance with, existing policies and procedures, and their effects on operational activities; and
2. A detailed listing of the items, time, procedures, and methods of audit.
Article 13
A service enterprise's internal audit unit shall formulate annual audit plans which, except as otherwise prescribed by the SFC, shall include matters to be audited monthly, by which to check its internal control systems, and prepare audit reports, annexing working papers and relevant materials.
A service enterprise shall include as audit items in its annual audit plan the control activities for major financial or business activities, such as for acquiring or disposing of assets, engaging in derivatives transactions, and making endorsements/guarantees for others.
The audit report, working papers, and relevant information referred to in paragraph 1 shall be preserved for no less than three years.
Article 14
The internal auditors of a service enterprise shall truly disclose in their audit reports any defects and irregularities of the internal control systems discovered in inspection and, after having presented the reports, follow up on the matters and prepare regular follow-up reports to ensure that relevant departments have taken appropriate corrective measures in a timely manner.
The service enterprise shall include any defects and irregularities of the internal control systems referred to in the preceding paragraph as major items of performance evaluation for each department.
The correction of defects and irregularities of internal control systems referred to in paragraph 1 shall include all defects found in the course of internal audits, those listed in internal control system statements, and those discovered in the course of self-inspection or by CPAs in special audits.
Article 15
After presenting the audit and follow-up reports for approval, a service enterprise shall submit the same for reference by the supervisors by the end of the month following the completion of the audit items.
A service enterprise's internal auditors discovering any material violation or any likelihood of material damage to the enterprise shall promptly prepare and present a report for approval and notify the supervisors.
Article 16
The internal auditors of a service enterprise shall be detached, independent, objective, and impartial, in faithfully performing their duties, and regularly report their audit operations to the board of directors and the supervisors.
The internal auditors shall perform their duties in good faith and shall not do any of the following:
1. Conceal or make false or inappropriate disclosures of any of the enterprise's business activities, financial reports, or compliance with acts and regulations that they know have caused direct damage to an interested party.
2. Cause damage to the rights and interests of the enterprise or any interested party through improper intent or neglect of duty.
3. Fail to audit the matters instructed by competent authorities or provide relevant information.
4. Any other activity in violation of any act or regulation or prohibited by the SFC.
Article 17
The internal auditors of a service enterprise shall pursue continuing education as well as attend internal audit training held by institutions designated by the SFC, so as to improve their auditing quality and competence.
The training on internal audits referred to in the preceding paragraph shall include various professional courses, computerized auditing, and basic legal knowledge.
The hours required for the continuing education under paragraph 1 shall be as prescribed separately by the SFC.
Article 18
In addition to other regulations governing securities firms, futures enterprises, securities investment trust enterprises, and securities investment consulting enterprises operating discretionary investment services, a service enterprise shall report to the SFC for recordation the names, ages, educational background, work experience, service seniority, and professional training of its internal auditors by the end of January each year in the format required by the SFC.
Article 19
Securities firms and futures enterprises shall submit for recordation their annual audit plan, an account of the execution thereof, and a description of the correction of any irregularities discovered, to the securities exchanges, over-the-counter securities exchanges, centralized securities depository enterprise, or futures exchanges in the format and at the time prescribed respectively by each such institution.
Securities finance enterprises, securities investment trust enterprises, securities investment consulting enterprises operating discretionary investment services, credit rating enterprises, and other service enterprises designated by the SFC shall submit their next year's annual audit plan to the SFC for recordation by the end of each fiscal year in the format required by the SFC, and the report on the implementation of their previous year's annual audit plan within two months from the end of each fiscal year in the format prescribed by the SFC. They shall also submit to the SFC for recordation their corrections of any irregularities discovered in the previous year's internal auditing within five months from the end of each fiscal year.
Securities exchanges, over-the-counter securities exchanges, centralized securities depository enterprise, and futures exchanges shall submit to the SFC for recordation their annual audit plans for the next year by the end of each fiscal year, and reports on the implementation of audit plans for, any irregularities discovered during, and their corrections for the previous quarter's internal auditing within two months from the end of each quarter.
Section II Self-inspection and Internal Control System Statement
Article 20
The purpose of self-inspection by a service enterprise of its internal control systems is to implement a self-monitoring mechanism and adapt to changes in the environment in a timely manner, so as to adjust the design of the internal control systems and enhance the internal audit department's inspection quality and efficiency. The inspection scope shall include the design and operation of all the enterprise's internal control systems.
Before carrying out the inspection referred to in the preceding paragraph, a service enterprise shall set out in its internal control systems the procedures and methods for self-inspection operations.
Article 21
When conducting self-inspections of its internal control systems, a service enterprise shall first see to periodic self-inspections by all its internal departments and subsidiaries, have its internal audit unit review each department's self-inspection reports, together with the reports on the correction of any defects and irregularities discovered in internal control systems by its internal audit departments, as a basis for the board of directors and general manager to evaluate the overall efficacy of the enterprise's internal control systems and to prepare internal control system statements.
The self-inspections under the preceding paragraph shall be recorded in working papers that shall be preserved, together with the self-inspection reports and relevant materials, for no less than three years.
Article 22
A service enterprise's internal control systems, of which it carries out self-inspections, shall be categorized as either effective or significantly defective by whether or not they can reasonably ensure the following:
1. That the board of directors and the general manager know the degree of achievement of operational effectiveness and efficiency objectives;
2. That financial reporting is reliable; and
3. That applicable acts and regulations have been complied with.
Article 23
A service enterprise shall conduct self-inspection of the efficacy of the design and execution of its internal control systems each year and submit to the SFC for recordation the internal control system statement within four months from the end of each fiscal year in the format prescribed by the SFC.
Any service enterprise that is also a public stock issuer shall publicly announce and report the internal control system statement referred to in the preceding paragraph on the websites designated by the SFC; further submission of a hard copy thereof to the SFC is not required.
The internal control system statement referred to in paragraph 1 shall be published in the enterprise's annual report and prospectus in conformity with relevant provisions.
Section III Special Audits
Article 24
To strengthen the control of computer information systems, securities exchanges, over-the-counter securities exchanges, futures exchanges, and centralized securities depository enterprises shall periodically retain professionals to conduct special audits regarding the use of computer information systems in the handling of various operations.
Article 25
Articles 25 through 36 of the Regulations Governing the Establishment of Internal Control Systems by Public Companies apply mutatis mutandis where a CPA is retained by a service enterprise to conduct a special audit of its internal control systems.
Chapter IV Supplementary Provisions
Article 26
Articles 38 through 41 of the Regulations Governing the Establishment of Internal Control Systems by Public Companies shall apply mutatis mutandis to a service enterprise's supervision of its subsidiaries.
Where a service enterprise's subsidiary is also a service enterprise as defined under Article 3 of these Regulations, its supervision over such subsidiary may be exempt from the application of the preceding paragraph.
Article 27
A service enterprise shall specify in its internal control systems the penalties for violation of these Regulations or its internal control systems rules by managers and relevant personnel.
A service enterprise shall from time to time check whether there is any violation of Article 16, paragraph 2 by its internal auditors; and shall, upon discovery of any violation, adjust the position of the auditor within one month from the date of discovery, unless otherwise provided by act or regulation.
When reporting basic information of internal auditors pursuant to Article 18, a service enterprise shall check whether or not the internal auditors have met the requirements under Article 17, paragraph 1. If not, the auditors shall take corrective measures within one month; otherwise, the service enterprise shall promptly adjust the auditor's position, unless otherwise provided by act or regulation.
Article 28
Under any of the following circumstances, the SFC may order a public company to make improvements within a prescribed time limit, or where necessary, to retain CPAs to conduct a special audit of its internal control system and submit an audit report to the SFC for recordation:
1. Failure to set out its internal control systems in writing.
2. Failure to appoint an appropriate number of qualified personnel as full-time internal auditors.
3. Failure to file a report within a prescribed time limit on, or failure to faithfully execute, its annual audit plan.
4. Failure to file a report within a prescribed time limit on the execution of its annual audit plan.
5. Failure to file a report within the prescribed time limit on the correction of any defect or irregularity of the internal control systems discovered in an audit.
6. Failure to duly conduct self-inspection of its internal control systems or to prepare an internal control system statement.
7. Serious instance of failure to correct a defect of any internal control system pursuant to the internal control recommendations issued by the CPA.
8. Serious instance of false financial reporting or violation of an act or regulation.
9. Any material malpractice or suspicion of malpractice.
10. Other condition where the SFC deems a special audit to be necessary.
Article 29
The SFC shall separately prescribe the formats under these Regulations.
Article 30
These Regulations shall be enforced from the date of promulgation.