Chapter I General Principles
Article 1
These Regulations are adopted under Article 93 of the Securities Investment Trust and Consulting Act.
Article 2
A securities investment trust enterprise (SITE), or a securities investment consulting enterprise (SICE) that conducts discretionary investment business (hereinafter collectively referred to as "enterprise"), shall establish and operate an internal control system in compliance with these Regulations.
Article 3
The internal control system of an enterprise is a management process designed by management, passed by the board of directors, and implemented by the board of directors, management, and other personnel, with the aim of promoting sound operations of the enterprise and providing reasonable assurance regarding the achievement of the following objectives:
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.
The objective of effectiveness and efficiency of operations referred to in subparagraph 1 of the preceding paragraph includes objectives such as profits, operating performance, and safeguarding of assets.
The objective of reliability of financial reporting referred to in subparagraph 2 of paragraph 1 includes objectives such as the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and transactions being made with proper approval.
Article 4
An enterprise shall document its internal control system, including internal audit implementation rules, and have them passed by the board of directors. If any director expresses a dissenting opinion, where stated in minutes or in a written statement, the enterprise shall submit the dissenting opinion to each and all supervisors, together with the internal control system that has been passed by the board of directors. The same shall apply to any amendment thereto.
Where an enterprise has established the position of independent director, when it submits its internal control system for deliberation by the board of directors pursuant to the preceding paragraph, the board of directors shall take into full consideration each independent director's opinion; where an independent director has an objection or reservation, the objection or reservation shall be recorded in the minutes of the meeting of the board of directors.
Where an enterprise has established an audit committee in accordance with the Securities and Exchange Act, any adoption of or amendment to its internal control system shall be subject to the consent of one-half or more of the entire membership of the audit committee and be submitted to the board of directors for a resolution.
Any matter under the preceding paragraph that has not been approved with the consent of one-half or more of the entire membership of the audit committee may be adopted with the consent of two-thirds or more of the entire board of directors, and the resolution of the audit committee shall be recorded in the board of directors meeting minutes.
The term "entire membership of the audit committee" as used in paragraph 3, and the term "entire board of directors" as used in the preceding paragraph, shall be calculated as the number of members/directors actually in office.
Chapter II Design and Implementation of the Internal Control System
Article 5
An enterprise shall set out an explicit internal organizational framework in its internal control system and include therein, with respect to members of management, the establishment of positions, position titles, appointment and dismissal, as well as scope of duties and powers.
An enterprise shall consider the overall operational activities of the enterprise and all subsidiaries in designing and scrupulously implementing an internal control system, and review the system from time to time and self-inspect it under these Regulations, to adapt to changes in its internal and external environment and to ensure sustained design and operating effectiveness of the system. By the end of May each year, the enterprise shall file with the Securities Investment Trust and Consulting Association (SITCA), in the format required by the Financial Supervisory Commission, the status of its review and revisions of the internal control system for the preceding fiscal year.
The term "subsidiaries" referred to in the preceding paragraph are those as determined in accordance with Statements of Financial Accounting Standards Nos. 5 and 7 issued by the Accounting Research and Development Foundation.
Article 6
An enterprise's internal control system shall consist of the following components:
1. Control environment. The control environment is a composite factor that shapes organizational culture and affects employees' awareness of control. Factors affecting the control environment include the integrity, ethical values, and competence of employees; the management philosophy and operating style of the board of directors and management; how employees are recruited, developed, and organized and how authority and responsibilities are assigned; and the attention and direction of the board of directors and supervisors. The control environment provides the foundation for the other components.
2. Risk assessment. Risk assessment is a process by which the enterprise identifies internal and external factors that keep it from achieving its objectives and assesses their impact and probability. The assessment results can assist the enterprise in designing, correcting, and implementing necessary controls in a timely manner.
3. Control activities. Control activities are the policies and procedures that establish a complete and sound control framework and adopt control procedures at all levels to help the board of directors and management ensure that their directives are carried out. Control activities include policies and procedures for approvals, authorizations, verifications, reconciliations, reviews, periodic counting, check of records, segregation of duties, safeguarding of physical security of assets, comparison with plans, budgets, or operating performance in prior periods, and supervision and management over subsidiaries.
4. Information and communication. Information refers to the subject matter identified, measured, processed, and reported by information systems. It includes information, financial or non-financial, pertaining to the objectives in the areas of operations, financial reporting, and compliance with applicable law and regulations. Communication is the provision of information to relevant personnel, either within or outside the enterprise. The internal control system must have mechanisms to generate information necessary for planning and monitoring and to provide information to those who need it in a timely manner.
5. Monitoring. Monitoring is a process to self-inspect the quality of the internal control. It includes assessing the soundness of the control environment; whether risk assessment is timely and accurate; whether control activities are appropriate and accurate; and whether information and communication systems are functioning properly. Monitoring is accomplished either through ongoing monitoring activities or through separate evaluations. The former is routine monitoring in the course of operations, while the latter is the evaluation conducted by different personnel such as internal auditors, supervisors, or the board of directors.
An enterprise designing and implementing, or carrying out self-inspection of, its internal control system, or a certified public accountant (CPA) engaged to conduct a special audit of the enterprise's internal control system, shall fully consider the components enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the Financial Supervisory Commission, Executive Yuan (FSC), may add additional items as dictated by actual needs.
Article 7
The internal control system of an enterprise shall cover control activities for the following types of transaction cycles:
1. Securities investment trust business: includes "Know Your Customer," sales activities, creation, marketing, and operation of funds, securities lending or borrowing, redemption, accounting, general affairs, prevention of short-swing trading, anti-money laundering, convening of meetings of beneficial owners, and exercise of voting rights.
2. Discretionary investment business: Includes solicitation of business, "Know Your Customer," signing of contracts, operation of assets under discretionary investment agreements, measures to prevent unauthorized trading, and anti-money laundering.
In addition to control activities for the various types of transaction cycles in the preceding paragraph, the internal control system shall also include controls over the following activities:
1. Seal use management.
2. Management of the receipt and use of negotiable instruments.
3. Budget management.
4. Property management.
5. Management of endorsements/guarantees.
6. Management of liability commitments and contingencies.
7. Delegation of duties and implementation of deputy systems.
8. Management of financial and non-financial information.
9. Management of related party transactions.
10. Management of preparation process of financial statements.
11. Supervision and management over subsidiaries.
12. Compliance system.
13. Management of operation of board meetings.
If an enterprise simultaneously operates both securities investment trust business and discretionary investment business or simultaneously operates both securities investment consulting business and discretionary investment business, it shall adopt control activities to prevent conflict of interest between the different kinds of business.
Article 8
If an enterprise is operated concurrently by another enterprise in a different industry or concurrently operates such an enterprise, it shall adopt control activities to prevent conflict of interest with or prejudice to the rights and interest of beneficial owners or customers in terms of concurrent appointments of and codes of conduct for their responsible persons and associated persons, sharing and utilization of information, sharing of operating equipment or places of business, and advertising , public informational meetings, or other business promotion activities.
Article 9
An enterprise that uses a computerized information processing system shall, in addition to clearly differentiating the functions and duties of information and user departments, at least include the following control procedures in its internal control system:
1. Clear demarcation of the functions and duties of the information-processing department.
2. Control of system development and program modification.
3. Control of preparation of system documentation.
4. Program and data access control.
5. Data input/output control.
6. Data processing control.
7. File and facility security control.
8. Control of purchase, usage, and maintenance of hardware and system software.
9. Control of system recovery plan and testing procedures.
10. Control of information and communications security inspection.
11. Control of relevant procedures, if required, for disclosing and reporting public information on a website designated by the FSC.
Chapter III Inspection of the Internal Control System
Section I Internal Audits
Article 10
An enterprise shall carry out internal audits to assist the board of directors and management in inspecting and reviewing deficiencies in the internal control system as well as measuring effectiveness and efficiency of operations, and shall make timely recommendations for improvements to ensure the sustained operating effectiveness of the system and to provide a basis for review and correction.
Article 11
An enterprise shall establish an internal audit unit in a direct reporting line to the board of directors, and, except as otherwise provided by the FSC, shall appoint qualified persons in an appropriate number as full-time internal auditors according to its business size, business condition, management needs, and the provisions of other applicable laws and regulations.
An enterprise shall report any appointment or dismissal of the chief internal auditor for passage by the board of directors; where it has established the position of independent director, if an independent director has an objection or reservation, the objection or reservation shall be recorded in the minutes of the meeting of the board of directors.
Where an enterprise has established an audit committee in accordance with the Securities and Exchange Act, any appointment or dismissal of the chief internal auditor shall be subject to the consent of one-half or more of the entire membership of the audit committee and be submitted to the board of directors for a resolution, in which case the provisions of paragraphs 4 and 5 of Article 4 shall apply mutatis mutandis.
An enterprise shall report any appointment or dismissal of the chief internal auditor, specifying the reason for such a change of position and providing a copy of the minutes of the board of directors meeting to the FSC for recordation within five days from the date of passage by the board of directors.
The qualified full-time internal auditors referred to in paragraph 1 shall meet the qualifications and conditions prescribed in the "Regulations Governing Responsible Persons and Associated Persons of Securities Investment Trust Enterprises" or the "Regulations Governing Responsible Persons and Associated Persons of Securities Investment Consulting Enterprises."
Article 12
An enterprise shall include at least the following items in its implementation rules for internal audits:
1. Inspection of the system of internal controls to measure the effectiveness of, and compliance with, the established policies and procedures, and their effects on operational activities.
2. A detailed listing of audit items, times, procedures, and methods.
Article 13
An enterprise's internal audit unit shall prepare an annual audit plan based on the results of the risk assessment.
The annual audit plan under the preceding paragraph shall at least include as items to be audited monthly the controls over operation, creation, and redemption of funds, securities lending or borrowing, accounting, and operation of assets under discretionary investment agreements; the internal audit unit shall scrupulously implement the annual audit plan, so as to inspect its internal control system and prepare audit reports annexed with working papers and relevant materials.
An enterprise shall include as audit items in its annual audit plan for each year the control activities for major financial or business activities, such as for acquiring or disposing of assets, and management over "Know Your Customer," prevention of short-term trading, anti-money laundering, and information on interested companies, management over trade reporting by individuals, management of operation of board meetings, as well as inspection of information and communications security.
An enterprise shall have its annual audit plan, and any amendments thereto, passed by the board of directors.
Where an enterprise has established the position of independent director, when it submits its annual audit plan for deliberation by the board of directors pursuant to the preceding paragraph, the board of directors shall take into full consideration each independent director's opinion; when an independent director has an objection or reservation, the objection or reservation shall be recorded in the minutes of the meeting of the board of directors.
The audit reports, working papers, and relevant materials referred to under paragraph 2 shall be preserved for no less than five years.
Article 14
The internal auditors of an enterprise shall factually disclose in audit reports any deficiencies and irregularities of the internal control system identified in inspection and, after having presented the reports, shall follow up on the matters and prepare follow-up reports on a regular basis to ensure that the relevant departments have taken appropriate corrective actions in a timely manner.
The enterprise shall include any identified deficiencies and irregularities of the internal control system and the correction thereof, as referred to in the preceding paragraph, as major items of performance evaluation for each department.
The correction of deficiencies and irregularities of internal control system referred to in paragraph 1 shall include all deficiencies identified by the FSC or SITCA in the course of examination, those identified in the course of internal audit operations, those listed in the Statement on Internal Control, and those identified in the course of self-inspection or by CPAs in special audits.
Article 15
After having presented the audit and follow-up reports, an enterprise shall submit the same for review by each and all supervisors by the end of the month next following the completion of the audit items.
An enterprise's internal auditors identifying any material violation or any likelihood of material loss to the enterprise shall promptly prepare and present a report and notify each and all supervisors.
Where an enterprise has established the position of independent director, when an action is taken under the two preceding paragraphs, a copy of the submission or notice shall be provided simultaneously to the independent director(s).
Article 16
The internal auditors of an enterprise shall be detached, independent, objective, and impartial, in scrupulously performing their duties, and report their audit operations to each and all supervisors on a regular basis; in addition, the chief internal auditor shall attend a board of directors meeting to present a report.
The internal auditors shall perform their duties in good faith and shall not do any of the following:
1. Conceal or make false or inappropriate disclosure of any of the enterprise's business activities, financial reporting, or compliance with applicable laws and regulations that they know have caused direct damage to a beneficial owner, customer, or interested party.
2. Cause damage to the rights or interest of the enterprise or any beneficial owner, customer, or interested party through improper intent or neglect of duty.
3. Fail to audit the matter instructed by the FSC or provide relevant information.
4. Any other activity in violation of any law or regulation or otherwise prohibited by the FSC.
Article 17
The internal auditors of an enterprise shall pursue continuing training as well as attend internal audit training held by institutions recognized by the FSC, so as to improve their auditing quality and competence.
The internal audit training referred to in the preceding paragraph shall include various professional courses, computerized auditing, and basic legal knowledge.
The number of hours required for the continuing training under paragraph 1 shall be as publicly announced by the FSC.
Article 18
An enterprise shall file with the SITCA, in the format required by the FSC, the names, ages, educational background, work experience, years of service, and professional training of its internal auditors by the end of January each year.
Article 19
An enterprise shall, in the format required by the FSC, file with the SITCA its next fiscal year's annual audit plan by the end of each fiscal year and a report on the implementation of its previous fiscal year's annual audit plan within two months from the end of each fiscal year; additionally, it shall report to the SITCA the status of corrections of any irregularities identified during the previous fiscal year's internal auditing within five months from the end of each fiscal year.
After the SITCA has reviewed the matters reported under the preceding paragraph, it shall compile information on all irregularities and send it to the FSC.
Section II Self-Inspection and Statement on Internal Control
Article 20
The purpose of self-inspection by an enterprise of its internal control system is to implement a self-monitoring mechanism and adapt to changes in the environment in a timely manner, so as to adjust the design of the internal control system and enhance the internal audit department's inspection quality and efficiency. The inspection scope shall include the design and operation of all aspects of the internal control system.
Before carrying out the inspection referred to in the preceding paragraph, an enterprise shall set out in its internal control system the procedures and methods for self-inspection operations.
An enterprise shall, based on the results of the risk assessment, determine the procedures and methods for self-inspection operations referred to in the preceding paragraph, which shall at least include the following:
1. Determining which controls should be tested.
2. Determining the business units to include in the self-inspection.
3. Evaluating the design effectiveness of controls.
4. Evaluating the operating effectiveness of controls.
Article 21
When conducting self-inspections of its internal control system, an enterprise shall, except as otherwise required by the FSC, first arrange for self-inspections by all internal departments and subsidiaries on an at least annual basis, have its internal audit unit review each unit's self-inspection report, and submit the self-inspection reports, together with the reports on the correction of deficiencies and irregularities of the internal control system identified by the audit unit, as a primary basis for the board of directors and general manager to evaluate the overall effectiveness of the enterprise's internal control system and to produce a Statement on Internal Control.
The self-inspections under the preceding paragraph shall be recorded in working papers that shall be preserved, together with the self-inspection reports and relevant materials, for no less than five years.
Article 22
An enterprise's findings in its self-inspection of the internal control system shall classify the system as either "effective internal control system" or "materially deficient internal control system" based on whether or not the system provides reasonable assurance regarding the following:
1. That the board of directors and the general manager know the degree to which the objective of effectiveness and efficiency of operations has been achieved.
2. That financial reporting is reliable.
3. That applicable acts and regulations have been complied with.
Article 23
An enterprise shall conduct annual self-inspection of the design and operating effectiveness of its internal control system, and prepare a Statement on Internal Control in the format required by the FSC, and submit it to the FSC for recordation within three months from the end of each fiscal year.
Where an enterprise has established an audit committee in accordance with the Securities and Exchange Act, the design and operating effectiveness of the internal control system as referred to in the preceding paragraph shall be subject to the consent of one-half or more of the entire membership of the audit committee, and the provisions of paragraphs 4 and 5 of Article 4 shall apply mutatis mutandis.
The Statement on Internal Control referred to in paragraph 1, and any amendments to the Statement, shall first be passed by the board of directors.
The Statement on Internal Control referred to in paragraph 1 shall be publicly announced and reported through a website designated by the FSC; it is not necessary to further submit the written materials to the FSC for recordation.
The Statement on Internal Control referred to in paragraph 1 shall be included in the enterprise's prospectus or private placement memoranda.
Section III Special Audits
Article 24
Articles 25 through 36 of the Regulations Governing Establishment of Internal Control Systems by Public Companies shall apply mutatis mutandis where a CPA is engaged by an enterprise to conduct a special audit of its internal control system.
Section IV Compliance System
Article 25
The FSC may, after considering the size and business nature of an enterprise, order it to establish a unit in a direct reporting line to the board of directors or to the general manager, to be charged with the planning, management and execution of a compliance system.
The board of directors shall designate a member of the senior management as the chief compliance officer, to be responsible for overseeing compliance matters and submitting a report to the board of directors and to each and all supervisors at least semi-annually.
The information on the compliance officer described in the preceding paragraph shall be filed with the FSC for recordation, specifying the reason for the designation and annexing the minutes of the board of directors meeting, within five days from the date of passage by the board of directors.
Article 26
A unit responsible for legal and regulatory compliance shall carry out the following activities:
1. Establish clear and adequate systems of advocacy of laws and regulations, consultation, coordination, and communication.
2. Ensure that procedural and managerial bylaws are updated in a timely manner in response to applicable laws and regulations, so that operations are in compliance with all laws and regulations.
3. Formulate the content of and procedures for assessing compliance with laws and regulations and monitor the periodic self-assessment of the implementation thereof by each unit.
4. Administer adequate and proper legal training on laws and regulations to personnel of each unit.
5. Carry out such other activities as may be required by the FSC.
Self-assessment of compliance with laws and regulations shall be performed no less frequently than annually, with the results delivered to the compliance unit for future reference. The head of a unit shall designate a person responsible for performing self-assessment within that unit.
Working papers and materials in connection with the self-assessment under the preceding paragraph shall be preserved for no less than five years.
Article 27
An internal audit unit shall incorporate the implementation status of the compliance system into its audit of the business and management units.
Chapter IV Supplementary Provisions
Article 28
Articles 38 through 41 of the Regulations Governing Establishment of Internal Control Systems by Public Companies shall apply mutatis mutandis to an enterprise' supervision and management over its subsidiaries.
Article 29
An enterprise shall specify in its internal control system the penalties for violation of these Regulations or its internal control system rules by members of management and relevant personnel.
An enterprise shall from time to time check, with respect to its internal auditors, whether there is any violation of Article 11, paragraph 1 in relation to the "qualified" and "full-time" requirements or of Article 16, paragraph 2, and upon discovery of any violation, shall adjust the position of the auditor within one month from the day of discovery, unless otherwise provided by law or regulation.
When reporting the basic information on internal auditors pursuant to Article 18, an enterprise shall check whether or not the internal auditors have met the requirements under Article 17, paragraph 1. If any auditor has not, the enterprise shall take corrective measures within one month; upon failure to do so within that period, the enterprise shall promptly adjust the auditor's position, unless otherwise provided by law or regulation.
Article 30
Under any of the following circumstances, the FSC may order an enterprise to make improvements within a prescribed time limit, or where necessary, to engage a CPA to conduct a special audit of its internal control system and obtain an audit report and submit it to the FSC for recordation:
1. Failure to document its internal control system.
2. Failure to appoint qualified personnel as full-time internal auditors or to appoint them in an appropriate number.
3. Failure to file a report within a prescribed time limit on, or failure to scrupulously execute, its annual audit plan.
4. Failure to file a report within a prescribed time limit on the actual execution of its annual audit plan.
5. Failure to file a report within the prescribed time limit on the correction of any deficiency or irregularity of the internal control system identified in an audit.
6. Failure to duly conduct self-inspection of its internal control system or to prepare a Statement on Internal Control.
7. Serious instance of failure to correct a deficiency of the internal control system pursuant to the internal control recommendations issued by a CPA.
8. Serious instance of false financial reporting or violating a law or regulation.
9. Any material fraud or suspicion of fraud.
10. Other condition where the FSC deems a special audit to be necessary.
Article 31
Where an enterprise has established an audit committee in accordance with the Securities and Exchange Act, the provisions of Article 4, paragraph 1, Article 6, paragraph 1, subparagraphs 1 and 5, Article 15, paragraphs 1 and 2, Article 16, paragraph 1, and Article 25, paragraph 2 of these Regulations in relation to supervisors shall apply mutatis mutandis to the audit committee.
Article 32
The FSC shall publicly announce the formats referred to in these Regulations.
Article 33
The provisions of Article 4, paragraphs 2 through 5, Article 7, Article 8, Article 13, Article 21, Article 23, paragraphs 2 through 5, and Articles 24 through 30 shall apply mutatis mutandis to a securities broker, futures broker or insurance enterprise concurrently operating discretionary investment business, or to a trust enterprise, futures trust enterprise or managed futures enterprise concurrently operating securities investment trust business or discretionary investment business, unless otherwise provided by the Securities and Exchange Act, the Trust Enterprise Act, the Futures Trading Act, the Insurance Act, or any other law.
Article 34
These Regulations shall be implemented from the date of issuance.