Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets (2011.12.21)
A service enterprise's internal control system shall consist of the following components:
- Control environment. The control environment is a composite factor that shapes organizational culture and affects organization members' awareness of control. Factors affecting the control environment include the integrity, ethical values, and competence of the organization members; supervision and direction of the board of directors and supervisors; the management philosophy and operating style of the board of directors and management; and organizational structure, division and assignment of powers and responsibilities, and human resources policies and implementation. The control environment provides the foundation for the other components.
- Risk assessment. Risk assessment is a process by which the service enterprise identifies internal and external factors that keep it from achieving its objectives and evaluates their impact and probability. The risk assessment results can assist the enterprise in designing, correcting, and implementing necessary controls in a timely manner.
- Control activities. Control activities are the policies and procedures that establish a complete and sound control framework and adopt control procedures at all levels to help the board of directors and management ensure that their instructions have been carried out. Control activities include policies and procedures for approvals, authorizations, verifications, reconciliations, reviews, periodic counting, checking of records, segregation of duties, safeguarding of the physical security of assets, comparison with plans, budgets, or operating performance in prior periods, and supervision and management over subsidiaries.
- Information and communication. Information is the subject matter identified, measured, processed, and reported by information systems. It includes information, financial or non-financial, pertaining to the objectives in the areas of operations, financial reporting, and compliance with applicable laws and regulations. Communication is the provision of information to relevant personnel, either within or outside the company. The internal control system must have mechanisms to generate the information necessary for planning, implementation, and monitoring, and to provide that information to those who need it in a timely manner.
- Monitoring. Monitoring is a process to self-inspect the quality of internal control. It includes assessing the soundness of the control environment; whether risk assessment is timely and accurate; whether control activities are appropriate and accurate; and whether information and communication systems are functioning properly. Monitoring is accomplished either through ongoing monitoring activities or through separate evaluations. The former is routine monitoring in the course of operations, while the latter is evaluation conducted by different personnel such as internal auditors, supervisors, or the board of directors.
A service enterprise designing and implementing, or carrying out self-inspection of, its internal control system, or a certified public accountant (CPA) engaged to conduct a special audit of the enterprise's internal control system, shall fully consider the components enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the competent authority, may add additional items as dictated by actual needs.
In addition to setting out control activities for different transaction cycles based on the nature of its business, a service enterprise shall also consider its actual needs and include controls over the following activities in its internal control system:
- Seal use management.
- Management of the receipt and use of negotiable instruments.
- Budget management.
- Property management.
- Management of endorsements/guarantees.
- Management of liability commitments and contingencies.
- Delegation of duties and implementation of deputy system.
- Management of financial and non-financial information.
- Management of related party transactions.
- Management of preparation process of financial statements.
- Supervision and management over subsidiaries.
- Compliance system.
- Management of financial examination reports.
- Management of protection of financial consumers, provided this does not apply to the enterprises that are excluded under Article 3, paragraph 2 of the Financial Consumer Protection Act.
In addition to controls over the activities under the preceding paragraph, a service enterprise that is a public company, or that is designated by the competent authority, shall also include in its internal control system the management of procedure for board of directors meetings.
The internal control system of an enterprise whose stocks are already listed or traded over-the-counter at securities firms shall include controls over the following operations:
- Management of the operations of the remuneration committee.
- Management of the prevention of insider trading.
The internal control system of an enterprise that is required by the competent authority to adopt, or that is approved by the competent authority for early adoption of, the International Financial Reporting Standards (IFRSs), shall include controls over the following operations:
- Management of the adoption of the International Financial Reporting Standards (IFRSs).
- The accounting professional judgment process, and the process for changes in accounting policies and accounting estimates.
A service enterprise's internal audit unit shall, based on the results of the risk assessment, prepare an annual audit plan which, except as otherwise required by the competent authority, shall include matters to be audited monthly; the internal audit unit shall scrupulously implement the annual audit plan, so as to inspect its internal control system, and prepare audit reports annexed with working papers and relevant materials.
A service enterprise shall include as audit items in its annual audit plan for each year the control activities for major financial or business activities, such as for acquiring or disposing of assets, engaging in derivatives transactions, management over making endorsements/guarantees for others, and management over related party transactions, as well as supervision and management over subsidiaries, the items listed in Article 8, paragraph 4, and inspection of information and communications security.
Each annual audit plan of a financial service enterprise as defined in the Financial Consumer Protection Act shall also include management of the protection of financial consumers, in addition to the audit items of the preceding paragraph.
Each annual audit plan of a service enterprise that is a public company, or that is designated by the competent authority, shall also include management of the procedure for board of directors meetings, in addition to the audit items of the preceding two paragraphs.
Each annual audit plan of a service enterprise whose stock is already listed or traded over-the-counter at securities firms shall also include management of the operations of the remuneration committee, in addition to the audit items of the preceding three paragraphs.
A service enterprise shall have its annual audit plan, and any amendments thereto, passed by the board of directors.
Where a service enterprise has established the position of independent director, when it submits its annual audit plan for deliberation by the board of directors pursuant to the preceding paragraph, the board of directors shall take into full consideration each independent director's opinion; when an independent director has an objection or reservation, the objection or reservation shall be recorded in the minutes of the meeting of the board of directors.
The audit reports, working papers, and relevant materials under paragraph 1 shall be retained for no less than five years.
A service enterprise shall adopt appropriate risk management policies and procedures, and establish independent and effective risk management mechanisms, to assess and monitor the overall risk-bearing capacity, and the current status of risk already incurred, and to determine its compliance with the risk response strategies and risk management procedures.
These Regulations shall enter into force from the date of issuance.
The 21 December 2011 amendments shall enter into force three months after the date of issuance, except Article 8, paragraph 1, subparagraph 14 and Article 14, paragraph 3, which shall enter into force from 30 December 2011.