Relevant Laws

Title:Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets (2023.08.15)
Article 21     The purpose of self-assessment by a service enterprise of its internal control system is to implement a self-monitoring mechanism and adapt to changes in the environment in a timely manner, so as to adjust the design of the internal control system and enhance the internal audit department's audit quality and efficiency. The assessment scope shall include the design and operation of all aspects of the enterprise's internal control system.
    Before carrying out the assessment referred to in the preceding paragraph, a service enterprise shall set out in its internal control system the procedures and methods for self-assessment operations.
    A service enterprise shall pay close attention to matters relating to compliance with applicable laws, regulations, and bylaws, and shall, based on the results of the risk assessment, determine the procedures and methods for self-assessment operations referred to in the preceding paragraph, which shall at least include the following:
  1. Determining which controls should be tested.
  2. Determining the business units to include in the self-assessment.
  3. Evaluating the design effectiveness of controls.
  4. Evaluating the operating effectiveness of controls.
Article 22     When conducting self-assessments of its internal control system, a service enterprise shall, except as otherwise required by the competent authority, first arrange for self-assessments by all internal departments and subsidiaries on an at least annual basis, have its internal audit unit review each unit's self-assessment report, and submit the self-assessment reports, together with the reports on the correction of deficiencies and irregularities of the internal control system identified by the audit unit, as a primary basis for the board of directors and general manager to evaluate the overall effectiveness of the enterprise's internal control system and to produce a Statement on Internal Control.
    The self-assessments under the preceding paragraph shall be recorded in working papers that shall be retained, together with the self-assessment reports and relevant materials, for no less than 5 years.
Article 23     A service enterprise's findings in its self-assessment of the internal control system shall classify the system as either "effective internal control system" or "materially deficient internal control system" based on whether or not the system provides reasonable assurance regarding the following:
  1. That the board of directors and the general manager understand the degree to which the objective of effectiveness and efficiency of operations has been achieved.
  2. That reporting is reliable, timely, transparent, and complies with applicable rules.
  3. That applicable laws, regulations, and bylaws have been complied with.
Article 24     A service enterprise shall conduct annual self-assessment of the design and implementation effectiveness of its internal control system and prepare a Statement on Internal Control in the format required by the competent authority, and, except as otherwise provided by applicable laws and regulations governing the individual service enterprises, shall submit it to the competent authority for recordation within 3 months from the end of each fiscal year.
    Where a service enterprise has established an audit committee in accordance with the Securities and Exchange Act, the design and operating effectiveness of the internal control system as referred to in the preceding paragraph shall be subject to the consent of one-half or more of the entire membership of the audit committee, in which case the provisions of paragraphs 4 and 5 of Article 5 shall apply mutatis mutandis.
    The Statement on Internal Control, and any amendment thereto, as referred to in paragraph 1 shall first be passed by the board of directors.
    A service enterprise that is also a public company, or that is designated by the competent authority, shall publicly announce and report the Statement on Internal Control referred to in paragraph 1 through a website designated by the competent authority, and need not further submit the written materials to the competent authority for recordation.
    The Statement on Internal Control referred to in paragraph 1 shall, as required, be included in the enterprise's annual report, stock issue prospectus, prospectus, or investment memorandum.
Article 36-2     A service enterprise with specific requirements shall appoint a person at the level of deputy general manager (vice president) or higher or a person of equivalent position to concurrently serve as its chief information security officer, who shall be in charge of the overall promotion of information security policy and the allocation of related resources. Those requirements shall be prescribed by the competent authority.
    A service enterprise shall allocate adequate human resources and equipment for the planning and monitoring of the information security system and the implementation of information security management operations. The competent authority may, after having considered the size, business nature, and organizational characteristics of the service enterprise, order service enterprises to establish a dedicated information security (i.e., cybersecurity) unit, chief officer, and other personnel.
    Each year, the service enterprise's chief information officer or highest officer responsible for information security and its chairman, president, and chief internal auditor shall jointly sign and issue the Statement on Internal Control set out in Article 24, with content including the status of overall implementation of information security in the preceding fiscal year, and submit it to the board of directors for approval within 3 months after the end of the fiscal year.
    The service enterprise's information security officer and personnel shall attend at least 15 hours of information security professional courses or functional training every year. All other personnel who use the information system shall attend at least 3 hours of information security awareness courses every year.
    The Securities Association, National Futures Association, and Securities Investment Trust and Consulting Association of the R.O.C. shall adopt and regularly review self-disciplinary regulations relating to information security.