Chapter Three Audit of the implementation of cyber security maintenance plan
Article 5
Certain non-official agencies shall be selected each year by the Commission to audit the implementation of their cyber security maintenance plans by means of on-site audit.
In order to conduct the audit specified in the preceding paragraph, the Commission shall establish an audit plan, including audit related matters such as the composition method of the audit team, audit method, period, items and content, benchmarks and methods, confidentiality obligations, etc.
When determining the benchmarks and items of the audit plan specified in the preceding paragraph, factors such as the nation’s cyber security policy, domestic and international cyber security trends, past audit effectiveness, audit resources, etc shall be comprehensively considered by the Commission.
When selecting the specific non-official agencies to be audited in accordance with the provisions of Paragraph 1, the level of cyber security responsibility, the frequency and extent of the occurrence of cyber security incidents, the results of cyber security exercises, the frequency and results of the audit, and other cyber security related factors shall be comprehensively considered by the Commission.
Article 6
The special non-official agency to be audited, as per Paragraph 1 of the preceding article, shall receive written notification one month prior to the planned audit.
Should the special non-official agency be unable to cooperate with the audit specified in the preceding paragraph at the time specified by the Commission due to business factors or other justified reasons, it may, within five days after receiving aforementioned notification, apply in writing to the Commission to change the date of audit.
The application specified in the preceding paragraph shall be limited to one time only except for cases of force majeure.
Article 7
When the Commission handles the audit specified in Paragraph 1 of Article 5, the Commission shall interview the audited special non-official agency prior to conducting the on-site audit. At the time of on-site audit, the audited special non-official agency shall prepare the relevant explanatory documents and supporting materials for the implementation of the cyber security maintenance plan for on-site inspection and review.
If the special non-official agency mentioned in the preceding paragraph has a valid reason for its failure to explain, cooperate with the measures or provide information specified in the preceding paragraph, it shall state the reasons in writing and submit them to the Commission.
After accepting the written document specified in the preceding paragraph, the Commission shall conduct an examination of the documents and in accordance with the following provisions may cancel all or part of the audit operations:
I. If the reasons submitted are deemed sufficient, the basis of the audit and relevant information shall be recorded in the audit result report.
II. If the reasons submitted are deemed insufficient reasons, the audited special non-official agency shall be required to handle in accordance with the provisions of the first paragraph. If the audit operation has ceased, it may be renewed at a selected time, and the audited special non-official agency shall be notified in writing ten days prior to the audit.
Article 8
In order to conduct the audit specified in Paragraph 1 of Article 5, the Commission shall form an audit team in accordance with the considerations specified in Paragraph 4 of the same article and the actual auditing requirements.
The audit team specified in the preceding paragraph shall consist of three to seven members, served by representatives of official agencies or experts and scholars who have the technical, management, legal or practical expertise and knowledge required for the cyber security policy or the audit. The representatives of official agencies shall not be less than one third of the total number of members.
Any representative of official agencies or experts and scholars specified in the preceding paragraph shall voluntarily recuse themselves from serving as the members of the audit team in any of the following circumstances:
I. The person, the spouse, the relatives or family members within the third degree of kinship, or trustees of the property trust of the aforementioned people, have a property or non-property interest relationship with the audited special non-official agency or its responsible person.
II. The person, the spouse, and the relatives or family members within the third degree of kinship, have employment, contract, appointment, agent or other similar relationship with the audited special non-official agency or its responsible person at present or within the past two years.
III. At present or in the past two years, the person has provided consultancy or counseling to the audited special non-official agency on the matters related to the audited items.
IV. Other circumstances which are deemed to be sufficient for the serving as members of the audit team to affect the impartiality of the audit results.
The Commission shall reach an agreement with the members of the audit team in writing on the recusal matters due to conflicts of interest and the confidentiality obligations of executing audit.
Article 9
The Commission shall, within one month after the completion of the audit, deliver the audit result report to the audited special non-official agency.
The contents of the audit result report specified in the preceding paragraph may include the scope of the audit, the deficiencies or pending improvement, the circumstances and reasons for the audited special non-official agency’s failure to explain, cooperate with or provide information as specified in Paragraph 2 of Article 7, and other relevant matters.
The Commission shall collate the audit result reports specified in Paragraph 1 each year and submit them to the competent authority for reference.
Article 10
If the implementation of the audited special non-official agency’s cyber security maintenance plan specifies deficiencies or pending corrective actions to be undertaken after the audit, it shall submit an improvement report to the Commission within one month after receiving the audit result report.
After the special non-official agency submitting the improvement report mentioned in the preceding paragraph, the status of its implementation shall be submitted in writing according to the nature and extent of the deficiencies or pending corrective action. If deemed necessary, the Commission may require the special non-official agency to explain or improve the said report.