• Font Size:
  • S
  • M
  • L

Amendments

Title:

Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets  CH

Amended Date: 2024.04.22 

Title: Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets(2014.09.22)
Date:
Article 2     A service enterprise establishing an internal control system shall do so in accordance with these Regulations and the rules prescribed by the competent authority; provided that where another act or regulation provides otherwise, the provisions of such act shall prevail.
Article 4     The internal control system of a service enterprise is a management process designed by management, passed by the board of directors, and implemented by the board of directors, management, and other personnel, with the aim of promoting sound corporate operations and providing reasonable assurance regarding the achievement of the following objectives:
  1. Effectiveness and efficiency of operations.
  2. Reliability, timeliness, transparency, and regulatory compliance of reporting.
  3. Compliance with applicable laws, regulations, and bylaws.
    The objective of effectiveness and efficiency of operations referred to in subparagraph 1 of the preceding paragraph includes objectives such as profits, operating performance, and safeguarding of assets.
    The reporting referred to in subparagraph 2 of paragraph 1 includes internal and external financial and non-financial reporting of a service enterprise. The objectives of external financial reporting include ensuring that financial statements for external purposes are prepared in accordance with the regulations governing the preparation of financial reports prescribed for individual service enterprises and with generally accepted accounting principles, and that transactions are made with proper approval.
Article 6     A service enterprise shall explicitly specify the internal organizational structure, report system, and appropriate assignment of authority and responsibility in its internal control system and include therein, with respect to members of management, the establishment of positions, position titles, appointment and dismissal, scope of duties and powers, and remuneration policy and system.
    A service enterprise shall consider the overall operational activities of the enterprise and all subsidiaries in designing and scrupulously implementing an internal control system, and review the system from time to time to adapt to changes in its internal and external environment and to ensure sustained design and operating effectiveness of the system.
    The term "subsidiaries" referred to in the preceding paragraph are those as determined in accordance with the regulations governing the preparation of financial reports prescribed for individual service enterprises.
Article 7     A service enterprise's internal control system shall consist of the following components:
  1. Control environment: The control environment is the basis of the design and implementation of the internal control system across the service enterprise. The control environment encompasses the integrity and ethical values of the enterprise, governance oversight responsibility of the board of directors and supervisors, organizational structure, assignment of authority and responsibility, human resources policy, and performance measures and reward and discipline. The board of directors and management shall prescribe internal standards of conduct, including the adoption of code of conduct for directors and employees.
  2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of the service enterprise, and with the suitability of the objects for the enterprise taken into consideration. Management shall consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective. The risk assessment results can assist the enterprise in designing, correcting, and implementing necessary controls in a timely manner.
  3. Control activities: Control activities are the actions of carrying out policies and procedures taken by the service enterprise on the basis of risk assessment results to limit relevant risks to a sustainable level. Control activities shall be performed at all levels of the enterprise, at various stages within business processes, and over the technology environment, and shall include supervision and management over subsidiaries.
  4. Information and communication: Information and communication means the relevant and quality information that the service enterprise obtains, generates, or uses from both internal and external sources to support the functioning of other components of internal control, and the capability of effective communication between the enterprise and external parties. The Internal control system must have mechanisms to generate information necessary for planning, implementation, and monitoring and to provide information to those who need it in a timely manner.
  5. Monitoring activities: Monitoring activities means ongoing evaluations, separate evaluations, or some combination of the two used by the service enterprise to ascertain whether each of the components of internal control is present and functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels of the enterprise. Separate evaluations are evaluations conducted by different personnel such as internal auditors, supervisors, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors, and supervisors, and improvements shall be made in a timely manner.
    A service enterprise designing and implementing, or carrying out self-assessment of, its internal control system, or a certified public accountant (CPA) engaged to conduct a special audit of the enterprise's internal control system, shall fully consider the components enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the competent authority, may add additional items as dictated by actual needs.
Article 8     In addition to setting out control activities for different operating cycles based on the nature of its business, a service enterprise shall also consider its actual needs and include controls over the following activities in its internal control system:
  1. Seal use management.
  2. Management of the receipt and use of negotiable instruments.
  3. Budget management.
  4. Property management.
  5. Management of endorsements/guarantees.
  6. Management of liability commitments and contingencies.
  7. Delegation of duties and implementation of deputy system.
  8. Management of financial and non-financial information.
  9. Management of related party transactions.
  10. Management of the preparation process of financial statements, including management of the application of International Financial Reporting Standards, procedures for professional accounting judgments, and processes for making changes in accounting policies and estimates.
  11. Supervision and management over subsidiaries.
  12. Compliance system.
  13. Management of financial examination reports.
  14. Management of protection of financial consumers, provided this does not apply to the enterprises that are excluded under Article 3, paragraph 2 of the Financial Consumer Protection Act.
  15. Management of personal information protection.
    In addition to controls over the activities under the preceding paragraph, a service enterprise that is a public company, or that is designated by the competent authority, shall also include in its internal control system the management of procedure for board of directors meetings and the management of shareholder services.
    The internal control system of a service enterprise that has established an audit committee pursuant to the provisions of the Securities and Exchange Act shall include the management of audit committee meeting operations.
    The internal control system of an enterprise whose stocks are already listed or traded over-the-counter at securities firms shall include controls over the following operations:
  1. Management of the operations of the remuneration committee.
  2. Management of the prevention of insider trading.
Article 12     A service enterprise shall establish an internal audit unit in a direct reporting line to the board of directors and, except as otherwise provided by the competent authority, shall appoint, according to its business size, business condition, management needs, and the provisions of other applicable laws and regulations, qualified persons in an appropriate number as full-time internal auditors and have deputies in place for the internal auditors; the deputies are required to carry out audit work in accordance with these Regulations.
    A service enterprise shall establish a chief internal auditor to oversee audit affairs, and who shall possess leadership ability and the ability to effectively oversee audit work. Any appointment or dismissal of the chief internal auditor shall be passed by the board of directors; where it has established the position of independent director, if an independent director has an objection or reservation, the objection or reservation shall be recorded in the minutes of the meeting of the board of directors.
    Where a service enterprise has established an audit committee in accordance with the Securities and Exchange Act, any appointment or dismissal of the chief internal auditor shall be subject to the consent of one-half or more of the entire membership of the audit committee and be submitted to the board of directors for a resolution, in which case the provisions of paragraphs 4 and 5 of Article 5 shall apply mutatis mutandis.
    Except as otherwise required by provisions governing securities or futures enterprises, a service enterprise shall report any appointment or dismissal of the chief internal auditor, specifying the reason for such a change of position and providing a copy of the minutes of the board of directors meeting, to the competent authority for recordation within 5 days from the date of passage by the board of directors.
    The appointment, dismissal, promotion, reward/discipline, rotation, and performance review of any personnel in the internal audit unit shall become effective after being reported by the chief auditor to the board of directors and ratified by the board. However, if a matter involves personnel of other management or business units, the chief auditor shall first request the personnel department to refer the matter to the general manager for consent, and it shall then be reported to the chairperson for ratification.
    The requirements for the qualified full-time internal auditors referred to in paragraph 1 shall be as prescribed separately by the competent authority.
Article 13     A service enterprise shall include at least the following items in its implementation rules for internal audits:
  1. Purpose, functions, and responsibilities of the internal audit unit.
  2. Assessment of the system of internal controls to measure the effectiveness of, and compliance with, the established policies and procedures, and their effects on operational activities.
  3. A detailed listing of audit items, times, procedures, and methods.
Article 14     A service enterprise's internal audit unit shall, based on the results of the risk assessment, prepare an annual audit plan which, except as otherwise required by the competent authority, shall include matters to be audited monthly; the internal audit unit shall scrupulously implement the annual audit plan, so as to assess its internal control system, and prepare audit reports annexed with working papers and relevant materials.
    A service enterprise shall include at least the following as audit items in its annual audit plan for each year:
  1. Matters relating to compliance with applicable laws, regulations, and bylaws.
  2. The control activities for major financial or business activities, such as for acquiring or disposing of assets, engaging in derivatives transactions, management over making endorsements/guarantees for others, and management of related party transactions.
  3. Supervision and management over subsidiaries.
  4. Management of the preparation process of financial statements, including management of application of the International Financial Reporting Standards and procedures for professional accounting judgments and processes for making changes in accounting policies and estimates.
  5. Inspection of information and communications security.
    Each annual audit plan of a financial service enterprise as defined in the Financial Consumer Protection Act shall also include management of the protection of financial consumers, in addition to the audit items of the preceding paragraph.
    Each annual audit plan of a service enterprise that is a public company, or that is designated by the competent authority, shall also include management of the procedure for board of directors meetings, in addition to the audit items of the preceding two paragraphs.
    Each annual audit plan of a service enterprise whose stock is already listed or traded over-the-counter at securities firms shall also include management of the operations of the remuneration committee, in addition to the audit items of the preceding three paragraphs.
     The annual audit plan of a service enterprise that has established an audit committee pursuant to the provisions of the Securities and Exchange Act shall also include the management of audit committee meeting operations.
    A service enterprise shall have its annual audit plan, and any amendments thereto, passed by the board of directors.
    Where a service enterprise has established the position of independent director, when it submits its annual audit plan for deliberation by the board of directors pursuant to the preceding paragraph, the board of directors shall take into full consideration each independent director's opinion; when an independent director has an objection or reservation, the objection or reservation shall be recorded in the minutes of the meeting of the board of directors.
    The audit reports, working papers, and relevant materials under paragraph 1 shall be retained for no less than 5 years.
Article 15     The internal auditors of a service enterprise shall communicate fully with the audited unit about the audit results of the items audited in the annual audit, and shall factually disclose in audit reports any deficiencies and irregularities of the internal control system identified in assessments and, after having presented the reports, shall follow up on the matters and prepare follow-up reports at least on a quarterly basis to be reported to the board of directors until correction is made, to ensure that the relevant departments have taken appropriate corrective actions in a timely manner.
    The service enterprise shall include any identified deficiencies and irregularities of the internal control system and the correction thereof, as referred to in the preceding paragraph, as major items of performance evaluation for each department.
    The correction of deficiencies and irregularities of internal control system referred to in paragraph 1 shall include all deficiencies identified by the competent authority or a self-regulatory organization in the course of examination, those identified in the course of internal audit operations, those listed in the Statement on Internal Control, and those identified in the course of self-assessment or by CPAs in special audits.
Article 17     The internal auditors of a service enterprise shall be detached, independent, objective, and impartial, in scrupulously performing their duties, and fulfill the duty of professional care, and report their audit operations to each and all supervisors on a regular basis; in addition, the chief internal auditor shall attend a board of directors meeting to present a report.
    The internal auditors shall perform their duties in good faith and shall not do any of the following:
  1. Conceal or make false or inappropriate disclosures of any of the enterprise's business activities, reporting, or compliance with applicable laws, regulations, and bylaws that they know has caused direct damage to a beneficiary, a customer, or an interested party.
  2. Cause damage to the right or interest of the enterprise or any beneficiary, customer or interested party through neglect of duty.
  3. Act beyond the scope of audit functions or engage in other improper activity, or with the intent to gain illegal benefit for him/herself or a third party, violate the auditor’s duties or embezzle company assets.
  4. Conduct an audit on a department where he/she worked within the past 1 year, provided that this rule does not apply where the competent authority provides otherwise.
  5. Fail to recluse himself/herself from auditing of cases in which he or she has a personal interest or has a conflict of interest.
  6. Fail to audit the matters instructed by competent authorities or provide relevant information.
  7. Provide, promise, request, or accept, directly or indirectly, unreasonable gifts, entertainment, or any other improper benefits in whatever form.
  8. Any other activity in violation of any law or regulation or otherwise prohibited by the competent authority.
Article 21     The purposes of self-assessment by a service enterprise of its internal control system is to implement a self-monitoring mechanism and adapt to changes in the environment in a timely manner, so as to adjust the design of the internal control system and enhance the internal audit department's audit quality and efficiency. The assessment scope shall include the design and operation of all aspects of the enterprise's internal control system.
    Before carrying out the assessment referred to in the preceding paragraph, a service enterprise shall set out in its internal control system the procedures and methods for self-assessment operations.
    A service enterprise shall pay close attention to matters relating to compliance with applicable laws, regulations, and bylaws, and shall, based on the results of the risk assessment, determine the procedures and methods for self-assessment operations referred to in the preceding paragraph, which shall at least include the following:
  1. Determining which controls should be tested.
  2. Determining the business units to include in the self-assessment.
  3. Evaluating the design effectiveness of controls.
  4. Evaluating the operating effectiveness of controls.
Article 22     When conducting self-assessments of its internal control system, a service enterprise shall, except as otherwise required by the competent authority, first arrange for self-assessments by all internal departments and subsidiaries on an at least annual basis, have its internal audit unit review each unit's self-assessment report, and submit the self-assessment reports, together with the reports on the correction of deficiencies and irregularities of the internal control system identified by the audit unit, as a primary basis for the board of directors and general manager to evaluate the overall effectiveness of the enterprise's internal control system and to produce a Statement on Internal Control.
    The self-assessment s under the preceding paragraph shall be recorded in working papers that shall be retained, together with the self-assessment reports and relevant materials, for no less than 5 years.
Article 23     A service enterprise's findings in its self-assessment of the internal control system shall classify the system as either "effective internal control system" or "materially deficient internal control system" based on whether or not the system provides reasonable assurance regarding the following:
  1. That the board of directors and the general manager understand the degree to which the objective of effectiveness and efficiency of operations has been achieved.
  2. That reporting is reliable, timely, transparent, and complies with applicable rules.
  3. That applicable laws, regulations, and bylaws have been complied with.
Article 24     A service enterprise shall conduct annual self-assessment of the design and implementation effectiveness of its internal control system and prepare a Statement on Internal Control in the format required by the competent authority, and, except as otherwise provided by applicable laws and regulations governing the individual service enterprises, shall submit it to the competent authority for recordation within 3 months from the end of each fiscal year.
    Where a service enterprise has established an audit committee in accordance with the Securities and Exchange Act, the design and operating effectiveness of the internal control system as referred to in the preceding paragraph shall be subject to the consent of one-half or more of the entire membership of the audit committee, in which case the provisions of paragraphs 4 and 5 of Article 5 shall apply mutatis mutandis.
    The Statement on Internal Control, and any amendment thereto, as referred to in paragraph 1 shall first be passed by the board of directors.
    A service enterprise that is also a public company, or that is designated by the competent authority, shall publicly announce and report the Statement on Internal Control referred to in paragraph 1 through a website designated by the competent authority, and need not further submit the written materials to the competent authority for recordation.
    The Statement on Internal Control referred to in paragraph 1 shall, as required, be included in the enterprise's annual report, stock issue prospectus, prospectus, or investment memorandum.
Article 33     Under any of the following circumstances, the competent authority may order a service enterprise to make improvements within a prescribed time limit, or where necessary, to engage a CPA to conduct a special audit of its internal control system and obtain an audit report and submit it to the competent authority for recordation:
  1. Failure to document its internal control system.
  2. Failure to appoint qualified personnel as full-time internal auditors or to appoint them in an appropriate number.
  3. Failure to file a report within a prescribed time limit on, or fail to scrupulously execute, its annual audit plan.
  4. Failure to file a report within a prescribed time limit on the actual execution of its annual audit plan.
  5. Failure to file a report within the prescribed time limit on the correction of any deficiency or irregularity of the internal control system identified in an audit.
  6. Failure to duly conduct self-assessment of its internal control system or to prepare a Statement on Internal Control.
  7. Serious instance of failure to correct a deficiency of the internal control system pursuant to the internal control recommendations issued by a CPA.
  8. Serious instance of false external financial reporting or violating a law, regulation, or bylaw.
  9. Any material fraud or suspicion of fraud.
  10. Other condition where the competent authority deems a special audit to be necessary.
Article 39     These Regulations shall enter into force from the date of issuance.
    The 21 December 2011 amendments shall enter into force 3 months after the date of issuance, except Article 8, paragraph 1, subparagraph 14 and Article 14, paragraph 3, which shall enter into force from 30 December 2011.
     The provisions amended and issued on 22 September 2014 shall enter into force from 1 January 2015.