Chapter II Design and Implementation of Internal Control System
Article 6
A service enterprise shall explicitly specify the internal organizational structure, report system, and appropriate assignment of authority and responsibility in its internal control system and include therein, with respect to members of management, the establishment of positions, position titles, appointment and dismissal, scope of duties and powers, and remuneration policy and system.
A service enterprise shall consider the overall operational activities of the enterprise and all subsidiaries in designing and scrupulously implementing an internal control system, and review the system from time to time to adapt to changes in its internal and external environment and to ensure sustained design and operating effectiveness of the system.
The term "subsidiaries" referred to in the preceding paragraph refers to those determined in accordance with the regulations governing the preparation of financial reports prescribed for individual service enterprises.
Article 7
A service enterprise's internal control system shall consist of the following components:
1. Control environment: The control environment is the basis of the design and implementation of the internal control system across the service enterprise. The control environment encompasses the integrity and ethical values of the enterprise, governance oversight responsibility of the board of directors and supervisors, organizational structure, assignment of authority and responsibility, human resources policy, and performance measures and reward and discipline. The board of directors and management shall prescribe internal standards of conduct, including the adoption of codes of conduct for directors and employees.
2. Risk assessment: A precondition to risk assessment is the establishment of objectives, linked at different levels of the service enterprise, with the suitability of the objectives for the enterprise taken into consideration. Management shall consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective, and possible fraud scenarios. The risk assessment results can assist the enterprise in designing, correcting, and implementing necessary controls in a timely manner.
3. Control activities: Control activities are the actions of carrying out policies and procedures taken by the service enterprise on the basis of risk assessment results to limit relevant risks to a sustainable level. Control activities shall be performed at all levels of the enterprise, at various stages within business processes, and over the technology environment, and shall include supervision and management over subsidiaries.
4. Information and communication: Information and communication means the relevant and quality information that the service enterprise obtains, generates, or uses from both internal and external sources to support the functioning of the other components of internal control, and the capability of effective communication between the enterprise and external parties. The internal control system must have mechanisms to generate the information necessary for planning, implementation, and monitoring, and to provide that information to those who need it in a timely manner.
5. Monitoring activities: Monitoring activities means ongoing evaluations, separate evaluations, or some combination of the two used by the service enterprise to ascertain whether each of the components of internal control is present and functioning. Ongoing evaluations are routine evaluations built into the course of operations at different levels of the enterprise. Separate evaluations are evaluations conducted by different personnel such as internal auditors, supervisors, or the board of directors. Findings of deficiencies in the internal control system shall be communicated to management at the appropriate levels, the board of directors, and supervisors, and improvements shall be made in a timely manner.
A service enterprise designing and implementing, or carrying out self-assessment of, its internal control system, or a certified public accountant (CPA) engaged to conduct a special audit of the enterprise's internal control system, shall fully consider the components enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the competent authority, may add additional items as dictated by actual needs.
The code of conduct for directors under paragraph 1, subparagraph 1 shall, at the least, specify that when a director discovers that the enterprise is likely to be materially harmed, the director shall handle the matter as quickly as possible, and immediately notify the audit committee, independent director members of the audit committee, or the supervisors, and report to the board of directors, and shall see to it that the service enterprise reports to the competent authority.
Article 8
In addition to setting out control activities for different operating cycles based on the nature of its business, a service enterprise shall also consider its actual needs and include controls over the following activities in its internal control system:
1. Seal use management.
2. Management of the receipt and use of negotiable instruments.
3. Budget management.
4. Property management.
5. Management of endorsements/guarantees.
6. Management of liability commitments and contingencies.
7. Delegation of duties and implementation of deputy system.
8. Management of financial and non-financial information.
9. Management of related party transactions.
10. Management of the preparation process of financial statements, including management of the application of International Financial Reporting Standards, procedures for professional accounting judgments, and processes for making changes in accounting policies and estimates.
11. Supervision and management over subsidiaries.
12. Compliance system.
13. Management of financial examination reports.
14. Management of protection of financial consumers, provided this does not apply to the enterprises that are excluded under Article 3, paragraph 2 of the Financial Consumer Protection Act.
15. Customer data confidentiality.
16. Handling of material events (e.g. a material violation, or a likelihood of suffering material loss).
17. Whistleblower system.
18. Management of outsourcing of operations.
19. Other matters designated by the competent authority.
In addition to controls over the activities under the preceding paragraph, a service enterprise that is a public company, or that is designated by the competent authority, shall also include in its internal control system the management of procedures for board of directors meetings and the management of shareholder services.
The internal control system of a service enterprise that has established an audit committee pursuant to the provisions of the Securities and Exchange Act shall include the management of audit committee meeting operations.
The internal control system of an enterprise whose stock is exchange-listed or traded over-the-counter shall include controls over the following operations:
1. Management of the operations of the remuneration committee.
2. Management of the prevention of insider trading.
The internal control system of a service enterprise whose stock is exchange-listed or traded over the counter shall include the management of sustainability information.
If a service enterprise is a financial institution as defined in the Money Laundering Control Act, its internal control system shall include mechanisms for preventing money laundering and countering terrorism financing, and shall include management of compliance with applicable laws and regulations, including mechanisms for managing the identification and measurement of, and monitoring for, money laundering and terrorism financing.
A service enterprise under the preceding paragraph which has established a domestic or foreign branch office (or subsidiary) shall formulate an overall group plan for preventing money laundering and countering terrorism financing, including policies and procedures for information sharing within the group for the purpose of preventing money laundering and countering terrorism financing that are in accordance with the laws and regulations of the place where the branch office (or subsidiary) is located.
Article 10
A service enterprise that uses a computerized information processing system shall, in addition to clearly differentiating the functions and duties of information and user departments, at least include the following control procedures:
1. Clear demarcation of the functions and duties of the information-processing department.
2. Control of system development and program modification.
3. Control of preparation of system documentation.
4. Program and data access control.
5. Data input/output control.
6. Data processing control.
7. File and facility security control.
8. Control of purchase, usage, and maintenance of hardware and system software.
9. Control of system recovery plan and testing procedures.
10. Control of information and communications security inspection.
11. Control of relevant procedures, if required, for disclosing and reporting public information on a website designated by the competent authority.