A service enterprise's internal control system shall consist of the following components:
- Control environment: The control environment is the basis of the design and implementation of the internal control system across the service enterprise. The control environment encompasses the integrity and ethical values of the enterprise, governance oversight responsibility of the board of directors and supervisors, organizational structure, assignment of authority and responsibility, human resources policy, and performance measures and reward and discipline. The board of directors and management shall prescribe internal standards of conduct, including the adoption of codes of conduct for directors and employees.
- Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of the service enterprise, and with the suitability of the objectives for the enterprise taken into consideration. Management shall consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective, and possible fraud scenarios. The risk assessment results can assist the enterprise in designing, correcting, and implementing necessary controls in a timely manner.
- Control activities: Control activities are the actions of carrying out policies and procedures taken by the service enterprise on the basis of risk assessment results to limit relevant risks to a sustainable level. Control activities shall be performed at all levels of the enterprise, at various stages within business processes, and over the technology environment, and shall include supervision and management over subsidiaries.
- Information and communication: Information and communication means the relevant and quality information that the service enterprise obtains, generates, or uses from both internal and external sources to support the functioning of other components of internal control, and the capability of effective communication between the enterprise and external parties. The internal control system must have mechanisms to generate information necessary for planning, implementation, and monitoring and to provide information to those who need it in a timely manner.
- Monitoring activities: Monitoring activities means ongoing evaluations, separate evaluations, or some combination of the two used by the service enterprise to ascertain whether each of the components of internal control is present and functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels of the enterprise. Separate evaluations are evaluations conducted by different personnel such as internal auditors, supervisors, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management of appropriate levels, the board of directors, and supervisors, and improvements shall be made in a timely manner.
A service enterprise designing and implementing, or carrying out self-assessment of, its internal control system, or a certified public accountant (CPA) engaged to conduct a special audit of the enterprise's internal control system, shall fully consider the components enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the competent authority, may add additional items as dictated by actual needs.
The code of conduct for directors under paragraph 1, subparagraph 1 shall, at the least, specify that when a director discovers that the enterprise is likely to be materially harmed, the director shall handle the matter as quickly as possible, and immediately notify the audit committee, independent director members of the audit committee, or the supervisors, and report to the board of directors, and shall see to it that the service enterprise reports to the competent authority.