• Font Size:
  • S
  • M
  • L

Amendments

Title:

Regulations Governing Establishment of Internal Control Systems by Public Companies  CH

Amended Date: 2024.04.22 

Title: Regulations Governing Establishment of Internal Control Systems by Public Companies(2005.12.19)
Date:
Article 2 A public company shall establish internal control systems in accordance with these Regulations and with internal control system rules adopted hereunder, except where otherwise provided by another act applicable to securities, futures, financial, or insurance enterprises.
Article 3 The internal control systems of a public company are management processes designed by its managers, passed by its board of directors, and implemented by the board of directors, managers, and other employees for purpose of promoting sound operations of the company, so as to reasonably ensure that the following objectives are achieved:
1. Effectiveness and efficiency of operations;
2. Reliability of financial reporting; and
3. Compliance with applicable laws and regulations.
The objective of effectiveness and efficiency of operations referred to in sub-paragraph 1 of the preceding paragraph include objectives such as profits, performance, and safeguard of asset security.
The objective of "reliability of financial reporting" referred to in paragraph 1, subparagraph 2, includes such objectives as ensuring that external financial reports are prepared in accordance with generally accepted accounting principles and that appropriate approvals are obtained for transactions.
Article 5 An explicit internal organizational framework shall be prescribed for the internal control systems of a public company, and shall specify matters including the establishment of positions, occupational titles, appointment and dismissal, and scope of duties and powers of the managerial personnel.
A public company shall consider the overall operational activities of the company and its subsidiaries, design and faithfully implement its internal control systems, and review such systems from time to time, to adapt to changes in its internal and external environment and to ensure sustained design and operating effectiveness of the systems.
The subsidiaries referred to in the preceding paragraph are those as determined under the Statement of Financial Accounting Standards Nos. 5 and 7 issued by the Accounting Research and Development Foundation (ARDF) of the Republic of China.
Article 6 A public company's internal control systems shall comprise the following constituent elements:
1. Control environment. Control environment is a composite factor that shapes an organizational culture and affects employees’ awareness of control. Factors affecting control environment include the integrity, values, and ability of employees; the management philosophy and operating style of the board of directors and managers; the hiring, training, and organizing of employees and assignment of powers and duties; and attention and guidance of the board of directors and the supervisors. The control environment is the foundation for the other constituent elements.
2. Risk assessment. Risk assessment refers to the processes by which the company identifies internal and external factors that keep it from achieving its objectives and assesses their impact and probability. Assessment results can assist the company in designing, correcting, and operating necessary control activities in a timely manner.
3. Control activities. Control activities refers to establishing a complete and sound control framework and adopting control procedures for all levels to help the board of directors and managers ensure that their instructions have been carried out. Control activities include policies and procedures such as those for approval, authorization, inspection, regulation, review, regular inventory taking, record reviews, division of function and powers, safeguard of physical security of assets, comparison with plans, budgets, or performance in previous periods, and supervision and management of subsidiaries.
4. Information and communications. Information is the subject matter identified, measured, processed, and reported by information systems. It includes information, financial or non-financial, pertaining to the objectives of operational or financial reporting and compliance with applicable laws and regulations. Communications is the disclosure of information to relevant personnel, including internal and external communications of the company. Internal control systems must have mechanisms for generating information necessary for planning and monitoring and providing timely information to those who need it.
5. Monitoring. Monitoring is the process of self-inspecting the quality of internal control systems. It includes assessing the soundness of the control environment; whether risk assessment is timely and accurate; whether control activities are appropriate and accurate; and whether information and communication systems are functioning properly. Monitoring may be divided into continuous monitoring and individual assessments. The former refers to routine supervision during operations, while the latter refers to assessments conducted by different personnel such as internal auditors, supervisors, or the board of directors.
A public company designing and operating its internal control systems or carrying out self-inspection, or a certified public accountant (CPA) retained to conduct a special audit of the company's internal control systems, shall fully consider the constituent elements enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the Financial Supervisory Commission (FSC), Executive Yuan, shall add additional items as dictated by actual needs.
Article 7 The internal control systems of a public company shall cover all its operational activities, and control activities shall be prescribed for the cycles listed below, classified by transaction cycle type according to the characteristics of the industry to which the enterprise belongs:
1. Sale and receipt cycle. This cycle includes policies and procedures such as for processing customer orders, credit management, delivery of goods or provision of services, issuance of sales invoices, issuance of bills, recording of revenues and accounts receivable, sales allowances and returns, execution and recording of cash receipts.
2. Purchase and payment cycle. This cycle includes policies and procedures such as for requisitioning, purchasing, and procuring goods, materials, supplies, assets, and services; processing purchase lists; accepting goods; quality inspection; preparing inspection reports or returning goods; recording suppliers’ liabilities; approving payment; purchase allowances; and executing and recording cash payments.
3. Production cycle. This cycle includes policies and procedures such as for production scheduling, creating bills of materials, storing materials and supplies, requisitioning materials, putting them into production, calculating inventory and production costs, and calculating sales costs.
4. Labor and wage cycle. This cycle includes policies and procedures such as for hiring, leave-taking, overtime work, dismissal, training, retirement, determining wage rates, calculating working time, calculating salaries and benefits, calculating payroll taxes and withholdings, creating payroll records, salary payment, and review of attendance and performance.
5. Finance cycle. This cycle includes policies and procedures such as for authorization, execution, and record-keeping with regard to finance and financing matters such as borrowing of funds, granting of guarantees, acceptance of checks, renting/leasing, and issuance of corporate bonds and/or other securities.
6. Fixed asset cycle: This cycle includes policies and procedures such as for acquisition, disposition, maintenance, safeguarding, and recording of fixed assets.
7. Investment cycle: This cycle includes policies and procedures such as for decision-making, trading, safekeeping, and recording with respect to securities, real estate, derivatives, and other investments.
8. Research and development (R&D) cycle. This cycle includes policies and procedures such as for fundamental research, product design, technology development, prototype manufacturing and product testing, recording of R&D operations, and safekeeping of documents.
A public company may tailor its control activities to meet the needs of its actual business activities according to the characteristics of the industry to which the enterprise belongs.
Article 8 In addition to control activities for different types of transaction cycles as set out in the preceding article, a public company shall include controls for the activities listed below in its internal control systems:
1. management of the use of seals.
2. management of the receipt and use of negotiable instruments.
3. management of the budget.
4. management of assets.
5. management of endorsements and guarantees.
6. management of liabilities, commitments, and contingencies.
7. implementation of authorization and deputy systems.
8. management of loans to others.
9. management of financial and non-financial information.
10. management of related party transactions.
11. management of the procedures for preparation of financial statements.
12. supervision and management of subsidiaries.
Article 11 A public company shall establish an internal audit unit under the board of directors, and shall appoint qualified persons in an appropriate number as full-time internal auditors according to size, business condition, management needs, and other applicable laws and regulations.
A public company shall report any appointment or discharge of internal audit officers for passage by the board of directors, and shall report such information to the FSC for recordation via the Internet-based information system by the 10th day of the month next following passage by the board of directors.
The requirements for the qualified full-time internal auditors referred to in paragraph 1 shall be as prescribed separately by the FSC.
Article 13 A public company's internal audit unit shall formulate annual audit plans based on the results of the risk assessment, including matters to be audited monthly, and shall faithfully implement the annual audit plans, so as to check its internal control systems, and prepare audit reports, annexing working papers and relevant materials.
A public company shall include as audit items in its annual audit plan, at least, the control activities for major financial or business activities, such as for acquiring or disposing of assets, engaging in derivatives transactions, extending loans to others, granting endorsements or guarantees for others, supervision and management of subsidiaries, information flow security inspection, and major transaction cycles set out in Article 7 such as the sale and receipt cycle and purchase and payment cycle.
A public company's annual audit plan, and any amendments thereto, shall be passed by the board of directors.
Where a public company has established independent director position(s), when it submits the annual audit plan to the board of directors for deliberation under the preceding paragraph, the board of directors shall take into full consideration each independent director's opinions, and shall include their opinions in the board meeting minutes.
The audit report referred to in paragraph 1 shall be preserved for no less than five years, and the working papers, and relevant information referred to therein shall be preserved for no less than three years.
Article 14 The internal auditors of a public company shall faithfully disclose in audit reports any defects and irregularities of the internal control systems discovered in inspection and, after having presented the reports, follow up on the matters and prepare follow-up reports on a regular basis to ensure that the relevant departments have taken appropriate corrective measures in a timely manner.
A public company shall include any defects, irregularities, and the status of corrections in the internal control systems as referred to in the preceding paragraph as major items of performance evaluation for each department.
The status of correction of defects and irregularities of internal control systems referred to in paragraph 1 shall include all defects found in the course of inspections by the FSC, found in the course of internal audit operations, those listed in Internal Control System Statements, and those discovered in the course of self-inspection or by CPAs in special audits.
A public company that has established independent director position(s) or an audit committee shall, when complying with the preceding two paragraphs, additionally forward the materials or give notice to the independent director(s) or audit committee.
Article 15 After having presented the audit and follow-up reports, a public company shall submit the same for review by the supervisors by the end of the month next following the completion of the audit items.
A public company's internal auditors discovering any material violation or any likelihood of material damage to the company shall promptly prepare and present a report and notify the supervisors.
Article 16 The internal auditors of a public company shall be detached, independent, objective, and impartial, in faithfully performing their duties, and in addition to reporting their audit operations to each supervisor on a regular basis, the internal audit officer shall also attend and deliver a report to a board of directors meeting.
The internal auditors shall perform their duties in good faith and shall not do any of the following:
1. Conceal or make false or inappropriate disclosure of any the company's business activities, financial reports, or compliance with applicable laws or regulations, knowing that they have caused direct damage to an interested party;
2. Damage any right or interest of the company or any interested party through improper motive or neglect of duty;
3. Fail to audit any matter as instructed by the FSC or provide relevant information; or
4. Any other activity in violation of any act or regulation or prohibited by any rule of the FSC.
Article 17 The internal auditors of a public company shall pursue continuing education as well as attend internal audit training held by institutions recognized by the FSC, to improve their auditing quality and competence.
The internal audit training referred to in the preceding paragraph shall include the various professional courses, computerized auditing, and basic legal knowledge.
The hours required for the continuing education under paragraph 1 shall be as prescribed separately by the FSC.
Article 21 The purpose of self-inspection by a company of its internal control systems is to implement the company’s self-monitoring mechanisms and adapt to changes in the environment in a timely manner, so as to adjust the design and operation of the internal control systems and to enhance the internal audit department's inspection quality and efficiency. The inspection scope shall include the design and operation of all of the company's internal control systems.
Before carrying out the inspection under the preceding paragraph, a public company shall set out in its internal control systems the procedures and methods for self-inspection operations.
A public company shall decide procedures and methods for self-inspection operations based on the results of the risk assessment, and the following items, at least, shall be included:
1. determination of the control activities that shall be tested.
2. determination of the business units that shall be included in the self-inspection.
3. assessment of the design effectiveness of each control activity.
4. assessment of the operating effectiveness of each control activity.
Article 22 When conducting self-inspections of its internal control systems, a public company shall first see that all internal departments and subsidiaries conduct self-inspections at least once each year, have its internal audit departments review the self-inspection reports prepared by all departments and subsidiaries, and submit the self-inspection reports, together with the reports on the correction of defects and irregularities of internal control systems discovered by its internal audit departments, to serve as the primary basis for the board of directors and general manager to evaluate the overall efficacy of all internal control systems and to produce Internal Control System Statements.
The self-inspections under the preceding paragraph shall be recorded in working papers that shall be preserved, together with the self-inspection reports and relevant materials, for no less than three years.
Article 24 A company conducting initial public issuance of its stock, or a public company, shall conduct annual self-inspection of the design and operating effectiveness of its internal control systems, and publicly announce and report the Internal Control System Statement on the websites designated by the FSC within four months from the end of each fiscal year in the prescribed format.
The Internal Control System Statement referred to in the preceding paragraph, and any amendments thereto, shall be passed by the board of directors.
The Internal Control System Statement referred to in paragraph 1 shall be published in the company's annual report, public offering and issuance prospectus, and other prospectuses in compliance with relevant regulations.
Article 31 CPAs retained to conduct special audits of internal control systems of a public company shall conduct such procedures in four stages:
1. Planning:
(1) Obtain written records of the audited company's board of directors' and managers' control objectives and internal control system policies and procedures, and other necessary information.
(2) Formulate an audit plan. The following factors at least shall be taken into consideration: the characteristics of the industry to which the enterprise belongs, information obtained when undertaking work under other contracts with the audited company, the condition of the audited company and recent changes in it, evidence available to the CPAs, the nature of specific internal control system procedures and the importance of such procedures to the overall internal control systems, preliminary assessment of the effectiveness of the overall internal control systems, differences among various operating locations, degree of centralization, transactions executed and the control environment, and the materiality/significance level and control risk in connection with the internal control system that are acceptable to the CPAs.
2. Gaining an understanding of the internal control system:
CPAs may use means such as inquiries, examination of written documents, and observation to gain an understanding of the internal control system of the audited company, by which to assess the effectiveness of the internal control system.
3. Assessing the effectiveness of the design of the internal control system:
(1) When assessing the effectiveness of the design of the audited company's internal control system, CPAs shall collect evidence regarding the effectiveness of the design. Methods for collecting such evidence include inquiries, examination of written documents, and observation.
(2) When assessing the effectiveness of the design of the internal control system, CPAs shall focus on whether the overall internal control system achieves a given goal rather than whether any given specific operation of the internal control system is inappropriate.
(3) When engaged only to evaluate the effectiveness of the design of the internal control system, CPAs shall conduct necessary control tests based on actual needs.
4. Testing and assessing the operating effectiveness of the internal control system:
(1) CPAs shall conduct control tests to collect evidence regarding the operation of the internal control system to provide a basis for assessing the operating effectiveness of the internal control system.
(2) Methods for conducting control tests by CPAs include inquiries, examination of written documents, observation, and re-testing. Control tests shall be conducted until sufficient and appropriate evidence has been collected. Evidence collected by the audited company during self-inspection of the internal control system shall not be substituted directly for evidence to be collected by the CPAs.
(3) Whether the evidence collected by CPAs is sufficient and appropriate is affected by the following factors: the nature of the audited company's internal control procedures, the importance of the internal control procedures to attainment of the control objectives, the probability of violation of control procedures by the audited company, the nature and extent of control tests already conducted by the audited company, and the CPAs' preliminary assessment of the effectiveness of the control procedures. CPAs shall also execute necessary procedures and collect necessary evidence regarding subsequent events during the post audit period.
Article 37 CPAs retained to conduct special audits of the internal control systems of a company conducting initial public offering of stocks shall conduct such audits pursuant to Articles 25 through the preceding article.
When conducting special audits under the preceding paragraph, CPAs shall focus on whether the company has meet the requirements of applicable laws and regulations, and, particularly, express opinions on the company's operational procedures such as for acquiring or disposing of assets, engaging in derivatives transactions, management of loans to others, management of endorsements or guarantees for others, management of related party transactions, management of the procedures for preparation of financial statements, and supervision and management of subsidiaries, and shall give an appropriate explanation thereof in a single separate paragraph in the audit report.
Except as otherwise provided by the FSC, the time period covered by a special audit under paragraph 1 shall be the most recent fiscal year before the company filed its report with the FSC for public issuance of its stock. If on the date of the report for public issuance eight months have already lapsed since the beginning of the fiscal year, the time period covered shall be the second half of the most recent fiscal year and the first half of the current fiscal year.
Article 39 A public company shall execute at least the following control activities when supervising and managing its subsidiaries' business management:
1. Establish an adequate organizational control structure between it and each subsidiary, including the methods to elect, and to appoint power and duties to, the subsidiary's directors, supervisors, and high-level managers.
2. Set out overall business strategies, risk management policies, and guidelines applicable to it and its subsidiaries, as a basis for each subsidiary to map out business plan and risk management policies and procedures for relevant business operations.
3. Set forth policies and procedures applicable to it and each subsidiary in relation to business segmentation, liaison regarding order placement, materials preparation methods, inventory allocation, conditions for accounts receivable and accounts payable, and account processing.
4. Set forth policies and procedures for supervising each subsidiary's material financial and business matters such as business plan and budget, material investment and reinvestment in equipment, borrowings and debt, lending of funds to others, endorsement/guarantees, obligations and commitments, investment in securities and derivatives, important contracts, and major changes in assets.
Article 40 A public company shall execute at least the following control activities when supervising and managing its subsidiaries' financial and business information:
1. Supervise the establishment of independent financial and business information systems by its subsidiaries.
2. Establish effective financial and business communication systems between it and each subsidiary; in addition to the major financial and business matters referred to in the preceding article that shall be reported prior to their occurrence, the subsidiary shall also immediately report to the company the occurrence of any other material event that, under the Act or any applicable regulations, shall be announced or reported as likely to affect company rights and interests and securities prices.
3. Regularly obtain, and analyze and review, each subsidiary's monthly management reports, including business report, monthly statement of production and sales volumes, monthly balance sheet, monthly income statement, monthly cash flow statement, aging account receivable analysis and delinquent debt report, aging inventory analysis, monthly report on loaned funds, and monthly report on endorsements/guarantees.
4. Arrange for each subsidiary to provide necessary financial and business information or retain CPAs to audit or review each subsidiary's financial report in compliance with the requirements of laws and regulations regarding matters to be publicly announced or reported and the time limits therefor.
The FSC shall prescribe compliance matters in connection with companies' regular obtaining, and analyzing and reviewing, of each subsidiary's monthly management reports under subparagraph 3 of the preceding paragraph.
Article 41 A public company shall execute at least the following control activities when supervising and managing its subsidiaries' audit management:
1. Direct each subsidiary to establish an internal audit department and to adopt procedures and methods for self-inspection of its internal control systems, based upon the nature of its business, its operational scale, and number of employees, and monitor the subsidiary's execution of such matters.
2. Include all subsidiaries in the internal audit scope in the company's internal audit implementation rules, and regularly, or from time to time, conduct audits. Upon submission of the audit findings and recommendations in reports, the public company shall notify the audited subsidiary to make corrections and prepare follow-up reports on a regular basis, to ensure that proper corrective measures have been taken in a timely manner.
3. All subsidiaries shall, with the least delay, report to the public company matters such as special audit plans, annual audit plans and the implementation thereof, and the correction of any defects and irregularities discovered in their internal control systems.
4. The public company's internal audit department shall review the audit reports or self-inspection reports submitted by each subsidiary, and shall follow up on the correction of any defects and irregularities in internal control systems.
Article 42 A pubic company shall specify in its internal control systems the penalties for violations of these Regulations or its internal control system rules by managers and relevant personnel.
A public company shall from time to time check whether there is any violation of the provisions of Article 11, paragraph 1, concerning "qualified" and "full-time," or any of the circumstances set out in Article 16, paragraph 2, by its internal auditors; and shall, upon discovery of any violation, adjust the position of such auditor within one month from the date of discovery.
When reporting basic information of internal auditors pursuant to Article 18, a public company shall check whether or not the internal auditors have met the requirements under Article 17, paragraph 1. If not, the auditor shall take corrective measures within one month; otherwise, the public company shall promptly adjust the auditor's position.