Chapter 3 The Inspection of Internal Control System
Section 1 Internal Audit
Article 9
The purpose of internal audit is to assist the board of directors and the managerial level to verify and evaluate whether the operation of internal control system works effectively and provide appropriate suggestions for revision, which can ensure the on-going performance of effective internal control and serve as the basis of internal control system revisions.
Article 10
An insurance enterprise shall plan the organization, size and responsibilities of its internal audit unit and produce internal audit working manuals, which shall include at least the following particulars:
1. Operational process of annual audit plan;
2. Inspection and assessment of internal control system to measure the effectiveness and compliance status of existing policies and procedures and their effect on various business activities;
3. Audit items, time, procedures and methods; and
4. The contents of the formats, processing and retention of internal audit reports.
An insurance enterprise should see to it that all of its units carry out self-inspection, and have its internal audit unit review the self-inspection reports of each unit, which, together with the internal audit unit's report on the deficiencies and irregularities in internal controls found and improvement actions taken, will serve as a basis for the board of directors, general manager, chief auditor, and chief compliance officer to evaluate the overall effectiveness of the internal control system and to issue an internal control system statement.
Article 11
An insurance enterprise should set up an internal audit unit directly subordinate to the board of directors, and the unit should perform audit business honestly and independently. The chief auditor is required to report on the audit business to the board of directors and supervisors or audit committee at least semiannually.
The internal audit unit shall establish a chief auditor system to manage all audit business. The qualifications of the chief auditor shall comply with the Regulations Governing Required Qualifications for Responsible Persons of Insurance Enterprises, and the chief auditor has the power of a vice general manager. The auditor is not allowed to take a job that will cause conflicts or limitations to the audit work.
The employment, dismissal or transfer of the chief auditor shall have the consent of more than two-thirds of the board of directors and be reported to the competent authority for ratification.
If an insurance enterprise has an audit committee, the appointment, dismissal or transfer of chief auditor mentioned in the preceding paragraph shall first have the consent of at least the majority of all audit committee members. In the absence of the consent of the majority of all audit committee members, the decision of the audit committee shall be recorded in the meeting minutes of the board of directors. Where an insurance enterprise does not have an audit committee but independent directors, any dissenting opinion or reservation expressed by the independent directors regarding the chief auditor shall also be recorded in the meeting minutes of the board of directors.
Article 12
When any of the following circumstances applies to a chief auditor in overseeing internal audit work, the competent authority may, having regard to the seriousness of the event, issue an official reprimand, order the chief auditor to make improvements within a specified time limit, or otherwise order the insurance enterprise to release the chief auditor from duty:
1. Abusing power of office to engage in improper activities, or acting contrary to his or her duties in an attempt to seek illicit profits for him/herself or for others, or taking advantage of the job to damage the interests of the employer or others.
2. Disclosing, delivering, or publicizing all or part of insurance examination reports on the employer to a person unrelated to such job without the consent of the competent authority.
3. Failing to disclose in the internal audit report any material deficiency found in the financial or business operations of the employer.
4. Failing to notify the competent authority of any material malpractice or fraud at the employer due to internal mismanagement.
5. Issuing a fraudulent internal audit report after performing the internal audit work.
6. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
7. Having improper financial dealings with a customer or a counterparty to a transaction involving the employer's funds, as evidenced by facts.
8. Failing to identify a material deficiency in the financial or business operations of the employer as a result of obviously insufficient or incompetent staffing of internal auditors.
9. Having committed other acts that impair the reputation or interests of the employer.
Article 13
An insurance enterprise shall be staffed with an appropriate number of competent full-time internal auditors based on its scale of investment, business condition (the number of branches and business volume), management needs and applicable laws and regulations. Personnel of the internal audit unit shall deputize for one another to cover each other's absence.
The appointment, dismissal, promotion, reward/discipline, rotation and performance review of any personnel in the internal audit unit shall become effective after being reported by the chief auditor to the chairman for approval. However, if the matter involves personnel of other management and business units, the chief auditor should first consult with the personnel office and obtain the consent of the general manager before reporting the matter to the chairman for approval.
When the competent authority conducts an examination of the insurance enterprise, the internal audit unit shall assign an internal auditor as the contact person to provide relevant information and assist in the examination.
Article 14
The internal auditors of an insurance enterprise shall meet the following qualification requirements:
1. Having not less than 2 years of experience in insurance examination; or having graduated from a junior college, college or university, or passed a senior civil service examination or an equivalent examination, or the examination of certified internal auditor and having not less than 2 years of experience in insurance business; or having not less than 5 years of experience in insurance business. A person is deemed to meet such requirements if he or she has worked as a professional, such as an auditor in an accounting firm or a system analyst in a computer company, for not less than 2 years, and has received not less than 3 months of training in insurance business and administration. However, the number of auditors with such qualification shall not exceed one third of the total number of auditors;
2. Free of any record of demerit or more serious disposition from employer in the last three years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of a co-worker, and the demerit has been offset by other merits; and
3. An internal auditor who acts as a lead auditor shall have not less than 3 years of experience in auditing or insurance examination, or have not less than 1 year of experience in auditing and not less than 5 years of experience in insurance business.
Article 15
The internal auditors of an insurance enterprise shall perform their duties in good faith, and shall not have any of the following situations:
1. Acting beyond the scope of audit functions or engaging in other improper activities, or disclosing any acquired information without authorization or in the attempt to profit therefrom, or otherwise using the information against the interest of the insurance enterprises.
2. Conducting an audit of operations he/she worked on within one year, or failing to disqualify him/herself from auditing cases or operations in which he/she has a stake or conflict of interest.
3. Accepting improper entertainment or gift or other improper benefits provided by people in insurance business or customers.
4. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
5. Concealing or making false or inappropriate disclosures while well aware that the business activity, reporting, or regulatory compliance condition of the employer may cause direct damage to the interests of beneficiaries, policyholders or any stakeholder.
6. Causing harm to the interests of the company, beneficiaries, policyholders or any stakeholder due to dereliction of duty.
7. Any other violation of rules or regulations, or practices prohibited by the competent authority.
Article 16
Auditors of the internal audit unit of an insurance enterprise shall, before starting the job or within half a year after starting the job, enroll in the following trainings held by institutions recognized by the competent authority:
1. When acting as an internal auditor for the first time, the auditor should participate in the audit training course or computer audit training course for more than sixty hours. The auditor should also pass the exam and obtain the completion certificate.
2. An internal auditor with leadership duty should participate in the internal auditor leader training course for more than nineteen hours.
3. The auditor manager should participate in the audit manager training course for more than twelve hours.
Internal auditors, internal auditors with leadership duty and auditor managers in charge of audit operations shall attend more than 30 hours of insurance-related professional training offered by the aforementioned training institutions or financial holding companies or the employing insurance enterprise every year. If an auditor has obtained a certified internal auditor certificate in a year, the certificate may be used to offset the training hours for the year.
Insurance-related professional training courses offered by competent authority-recognized institutions shall comprise not less than one half of the required hours of training under the preceding paragraph.
For auditors stationed overseas, the training hours they have received from insurance-related training institutions established in accordance with the local laws and regulations are also recognized.
An insurance enterprise shall verify that its internal auditors meet the qualification requirements set forth herein, and retain the verification documentation and records for future reference.
Article 17
The department heads/office chiefs of an insurance enterprise or the head of its branch office or persons with comparable decision-making authority shall, before taking office or within half a year after taking office, meet one of the following requirements:
1. Having worked as an auditor of the internal audit unit and conducted internal audit work for more than one year; or
2. Having attended an auditor, computer audit or supervisor audit training course offered by a competent authority-recognized institution, and passed the exam conducted by the aforementioned training institution and obtained a completion certificate therefor. In case of a foreigner, he or she may choose to attend the internal audit training course held by the employing insurance enterprise.
The person who acts for the first time as the department head/office chief of an insurance enterprise or the head of its branch office or person with sufficient decision-making authority shall meet all of the requirements listed in the preceding paragraph. In addition, the person who meets the requirement set forth in Subparagraph 2 of the preceding paragraph shall participate in audit practices with the internal audit unit at least four times before actually assuming the post or within six months after assuming the post. Such person shall be responsible for at least one item in each practice, audit at least four items in the audit practices, write a report on the practice, and submit it to the chief auditor for acknowledgement. The chief auditor shall issue a certificate and keep the report for further reference.
Article 18
The internal audit unit of an insurance enterprise shall conduct at least a routine audit every year on its business, finance, information and other management units, and conduct special audits as needed. The audit of its overseas branches (including liaison offices) may be replaced with a reporting audit or have site audit frequency adjusted flexibly.
The internal audit unit shall include the implementation status of the regulatory compliance system in the routine audit or special audit of the business and management units.
Article 18-1
An insurance company may apply to the competent authority for approval to adopt a risk-based internal auditing system. A subsidiary that was evaluated and exempted from adopting the system for implementation in accordance with Paragraph 3, Article 38 shall provide evaluation documents. The competent authority may ask an insurance company to apply for approval to adopt a risk-based internal auditing system in view of the insurance company's asset size, business risks, and other necessary conditions.
An insurance company that applies for approval to adopt a risk-based internal auditing system must meet the following criteria:
1. The insurance company's capital adequacy ratio and net worth ratio in the most recent filing to the competent authority comply with regulations regarding the capital adequacy ratio in Subparagraph 1, Paragraph 1, Article 5 of the Regulations Governing Capital Adequacy of Insurance Companies.
2. The amounts in preparatory funds based on the most recent actuarial opinions meet requirements in related regulations and adequacy requirements.
3. The insurance company has established an effective internal control system.
The provisions on auditing frequency in Paragraph 1 of the preceding article do not apply to insurance companies that have been approved to adopt a risk-based internal auditing system.
The provisions in this article do not apply to branch companies of foreign insurance companies in Taiwan, reinsurance companies, and insurance cooperatives.
Article 19
When an insurance enterprise carries out routine audit, its internal audit report shall disclose the following information based on the business nature of the audited unit:
1. Scope of audit, summary commentary, financial status, capital adequacy, business performance, asset quality, management of shares, management of the board of directors and audit committee meeting procedures, regulatory compliance, related-party transactions, control and internal management of various businesses, management of customer data confidentiality, information management, employee confidentiality education, management of sustainability information, and implementation of self-inspection, and an evaluation of the above matters.
2. Examination opinions on material violations, deficiencies or frauds that occurred at various units, and suggestions for disciplinary actions against negligent employees.
3. The examination opinions or deficiencies identified by the competent authority, accountants, internal audit unit (including the internal audit unit of the financial holding company), and self-inspection personnel, and the improvement status of items that are listed as needing further improvement in the statement on internal control.
The internal audit reports, working papers and relevant information under the preceding paragraph shall be retained for at least 5 years.
An insurance enterprise shall, in a prescribed format and via a Web-based information system, file with the competent authority for record next year's audit plan before the end of December each year and a report on the execution of its previous year's annual audit plan before the end of February each year.
An insurance enterprise shall, by the end of each fiscal year, deliver its next year's audit plan in writing to its supervisors or audit committee for review and record the comments of supervisors or audit committee. If the insurance enterprise does not have an audit committee but independent directors, it shall deliver the audit plan to the independent directors for comments.
The audit plan under the preceding paragraph shall contain at least: a description of the audit plan, key annual audit items, units to be audited, nature of audit (routine audit or special audit), and frequency of audit and whether the audit plan is in compliance with the requirements of the competent authority. If the audit is a special audit, the scope of audit should also be noted.
The annual audit plan and changes thereof shall be approved by the board of directors.
Article 20
The internal audit unit shall follow up on the status of improvements made by respective units regarding the examination opinions of or deficiencies found by competent authority, accountants, internal audit units (including the internal audit unit of the parent financial holding company) and self-check personnel, and recommendations enumerated in the statement on internal control, and produce a written follow-up report to be provided to the board of directors and the supervisors or the audit committee for review and to be used as important reference in reward/discipline decisions and performance review.
The internal audit report shall be provided to the supervisors or the audit committee for review, and unless it is otherwise stipulated by the competent authority, submitted to the competent authority within two (2) months from the date the audit is completed.
Where an insurance enterprise has independent director(s), the reports shall be simultaneously provided to the independent director(s) when an action is taken under the two preceding paragraphs.
The major points of audit task for an insurance enterprise should be prescribed by the competent authority.
Article 21
An insurance enterprise shall, by the end of January each year, in the format prescribed by the competent authority and via a Web-based information system, file with the competent authority for record information on its internal auditors, including the name and years of service.
Article 22
An insurance enterprise shall, before the end of May each year, file with the competent authority for record the improvement actions taken for deficiencies and irregularities in its internal control system identified during the previous year's internal audit via a Web-based information system and in a format prescribed by the competent authority.
Article 23
An insurance enterprise should examine at all times whether its internal auditors have violated the provisions of Article 15 herein. If an auditor is found to have violated the provisions, the insurance enterprise shall reassign the auditor within one month from the date of discovery.
When filing the basic data of internal auditors according to Article 21 herein, an insurance enterprise should verify whether its auditors meet the requirements stipulated in Article 14 and Article 16 herein. If an internal auditor fails to meet the requirements, the auditor shall take remedial actions within 2 months, or else be reassigned to another job.