Chapter 3 Inspection of Internal Control System
Section 1 Internal Audit
The purpose of internal audit is to assist the board of directors and the management in checking and assessing whether the internal control system works effectively and to provide timely suggestions for improvements so as to reasonably ensure the ongoing and effective implementation of the internal control system and to serve as the basis for reviewing and revising the internal control system.
A specialized electronic payment institution shall set up an internal audit unit that is directly under the board of directors and performs audits independently and honestly. The internal audit unit shall report its audit business to the board of directors and supervisors or audit committee at least annually.
A specialized electronic payment institution shall, in view of its business size, business conditions and management needs, establish a chief auditor position of comparable rank to oversee the audit affairs. The chief auditor shall possess sufficient leadership and ability to effectively supervise the audit work, and may not hold other positions that are in conflict or interfere with the audit work.
The employment, dismissal, or reassignment of the chief auditor shall first obtain the consent of at least two-thirds of all directors.
Where a specialized electronic payment institution has an audit committee established, the employment, dismissal or reassignment of the chief auditor shall first obtain the consent of at least the majority of all audit committee members. If the matter does have the consent of at least the majority of all audit committee members, the decision of the audit committee shall be recorded in the meeting minutes of the board of directors. Where a specialized electronic payment institution does not have an audit committee but independent directors, any dissenting opinion or reservation expressed by the independent directors shall also be recorded in the meeting minutes of the board of directors.
The employment, dismissal, promotion, reward and punishment, rotation and performance review of any personnel in the internal audit unit shall become effective after being reported by the chief auditor to the chairman for approval. However, if the matter involves personnel of other management and business units, the chief auditor shall first consult with the personnel office and obtain the consent of the president before reporting the matter to the chairman for approval.
When the chief auditor of a specialized electronic payment institution has any of the following situations, the competent authority may, in view of the severity of the situation, issue an official reprimand, order remedial action within a specified time limit, or order the specialized electronic payment institution to release the chief auditor from duty:
1. Abusing power of office with factual evidence showing that he/she has engaged in improper activities, or acting contrary to his or her duties in an attempt to seek illicit profits for him/herself or for a third party, or to damage the interests of the employer, which results in damages to the employer or its subsidiary or a third party.
2. Disclosing, delivering, or publicizing all or part of the examination reports to a person unrelated to such job without the consent of the competent authority.
3. Failing to notify the competent authority of any material malpractice or fraud at the employer due to internal mismanagement.
4. Failing to disclose in the internal audit report any material deficiency found in the financial or business operations of the employer.
5. Issuing a fraudulent internal audit report after performing the internal audit work.
6. Failing to identify a material deficiency in the financial or business operations of the employer as a result of obviously insufficient or incompetent staffing of the internal audit unit.
7. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
8. Having committed other acts that impair the reputation or interests of the employer.
A specialized electronic payment institution shall be staffed with an appropriate number of competent full-time internal auditors in accordance with the number of users and contracted institutions, business volume, business conditions, management needs, and the requirements of other relevant laws and regulations, who shall perform their duties in a detached, independent, objective and impartial manner. Personnel of the internal audit unit shall be deputy to each other to cover each other's absence.
The internal auditors of a specialized electronic payment institution shall meet the following qualification requirements:
1. Having not less than two years of experience in financial examination; or having graduated from a college or university, or passed a senior civil service examination or an equivalent examination, or the examination of certified internal auditor and having not less than two years of experience in financial business; or having not less than five years of experience in financial business. A specialized electronic payment institution must be staffed with at least one qualified internal auditor who meets the aforementioned qualifications. A person is deemed to meet such requirements if he or she has worked as a professional, such as an auditor or an auditor in an accounting firm, or a programmer or system analyst in a computer company for not less than two years, and has received not less than three months of training in the business operations and management of a specialized electronic payment institution.
2. Free of any record of demerit or more serious disposition from employer in the last three years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of another person, and the demerit has been offset by other merits; and
3. Internal auditor who acts as a team leader shall have not less than three years of experience in auditing or financial examination, or have not less than one year of experience in auditing and not less than five years of experience in financial business, or have not less than one year of experience in auditing and have worked as an auditor for an accounting firm for at least three years.
A specialized electronic payment institution shall check at any time whether its internal auditors have violated the provisions in the preceding two paragraphs. If an auditor is found to violate the provisions, the institution shall order the auditor to take remedial action within two months from the date of discovery and shall immediately reassign the auditor to another job if he or she fails to complete the remedial action within the specified time period.
The internal auditors of a specialized electronic payment institution shall perform their duties in good faith, and shall not have any of the following situations:
1. Concealing or making false or inappropriate disclosures while being well aware that the business activity, reporting, or regulatory compliance condition of the employer may cause direct damage to the interests of any stakeholder.
2. Acting beyond the scope of audit functions or engaging in other improper activities, or disclosing any acquired information without authorization or in the attempt to profit therefrom, or otherwise using the information against the interest of the employer.
3. Causing damages to the employer or harming the interests of stakeholders due to negligence in duties.
4. Conducting audit on a department where he/she worked within the past one year.
5. Failing to disqualify him/herself from auditing previously handled business or cases or from auditing cases in which he/she has a stake.
6. Accepting any improper entertainment or gift or other improper benefits provided by the employer or its employees or customers.
7. Failing to follow the instructions of the competent authority in conducting audit work or providing relevant information.
8. Engaging in other acts that violate rules or regulations, or are prohibited by the competent authority.
A specialized electronic payment institution shall check at any time whether its internal auditors have violated the provisions in the preceding two paragraphs. If an auditor is found to violate the provisions, the institution shall reassign the auditor to another job within one month from the date of discovery.
The internal audit unit shall undertake the following tasks:
1. Plan the organizational structure, size and responsibilities of the internal audit unit and produce internal audit working manuals and working papers, which shall include at least assessing the various rules and operating procedures of the internal control system to determine whether adequate internal controls are already in place in the current rules and procedures, whether each department has realistically carried out the internal controls, and whether the internal controls are carried out in a reasonably effective manner, and from time to time provide suggestions for improvement.
2. Supervise the formulation of self-inspection contents and procedures by respective units, and the implementation of self-inspection by each unit.
3. Formulate annual audit plans and draw up the audit plans for respective units based on the business risk profile of and implementation of internal audits by each unit.
A specialized electronic payment institution shall ensure that all of its units carry out self-inspection, and assign its internal audit unit to review the self-inspection reports of each unit, which, together with the internal audit unit's report on the deficiencies and irregularities in internal controls found and improvement actions taken, will serve as a basis for the board of directors, president, chief auditor, and chief compliance officer to evaluate the overall effectiveness of the internal control system, and to issue the statement on internal control.
The internal audit unit of a specialized electronic payment institution shall conduct a routine audit and a special audit at least annually on its business, finance, asset safekeeping and information units, and a special audit at least annually on other management units.
The internal audit unit shall include the execution status of the regulatory compliance system into the routine audit or special audit of the business and management units.
When the internal audit unit of a specialized electronic payment institution carries out routine audit, its internal audit report shall disclose the following information based on the business nature of the audited unit:
1. Scope of audit, summary review of audit, financial status, business performance, asset quality, management of the board of directors and audit committee meeting procedures, regulatory compliance, internal controls, the control and internal management of various businesses, management of data protection for users and contracted institutions, information management, employee confidentiality education, protection measures for financial consumers, implementation of self-inspection, and an evaluation of the above matters.
2. Examination opinions on material violations, deficiencies or frauds that occurred at various units, and suggestions for disciplinary actions against negligent employees.
3. The examination opinions or deficiencies identified by the financial examination agency, accountants, internal audit unit (including the internal audit unit of the parent company), and self-inspection personnel, and the improvement status of items that are listed as needing further improvement in the statement on internal control.
The internal audit reports, working papers and relevant information shall be retained for at least 5 years.
Where a significant fraudulent event occurs at a specialized electronic payment institution as a result of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system and regulatory compliance system, or concealment of the results of improvement actions taken for any deficiency specified by a financial examination agency in an examination opinion requiring review and follow-up, or the audit findings of the internal audit unit (including the internal audit unit of parent company), the personnel involved shall be held responsible for dereliction of duties. A specialized electronic payment institution shall reward its internal auditors who identify any significant fraud or negligence and thereby avert material loss to the institution.
When a significant deficiency or fraudulent event arises within a unit of a specialized electronic payment institution, the internal audit unit shall have the power to suggest penalties and shall make a full disclosure of the responsible negligent personnel in the internal audit report.
A specialized electronic payment institution shall deliver its internal audit report to its supervisors or audit committee for review and submit the same to the competent authority within two months following completion of the audit. The internal audit report shall also be delivered to the independent directors if such positions are set up by the specialized electronic payment institution.
The first-time internal auditors of a specialized electronic payment institution shall attend at least eighteen hours of audit-related professional training courses held by professional training institutions designated by the competent authority within six months from the date they start the audit work.
The internal auditors (including the chief auditor) of a specialized electronic payment institution shall attend professional training related to electronic payment business offered by competent authority-designated professional training institutions or by the specialized electronic payment institution itself every year. The minimum number of training hours shall be ten hours for the chief auditor, and fifteen hours for the other internal auditors. If an auditor has obtained a certified internal auditor certificate in a year, the certificate may be used to offset the training hours for the year.
Professional training courses related to electronic payment business offered by competent authority-designated professional training institutions shall comprise not less than one half of the total hours of training under the preceding paragraph.
A specialized electronic payment institution shall formulate self-inspection programs every year and continuously provide proper training to self-inspection personnel in accordance with the business nature of each unit.
A specialized electronic payment institution shall verify that its internal auditors meet the qualification requirements set forth herein, and retain the verification documentation and records for future reference.
A specialized electronic payment institution shall file the data on its internal auditors with the competent authority for record before the end of January every year via a web-based information system and in a format prescribed by the competent authority.
When filing the basic data of internal auditors according to the preceding paragraph, a specialized electronic payment institution shall verify whether these auditors have met the requirements stipulated in Paragraph 2 of Article 13 and the preceding article herein. If an internal auditor fails to meet the requirements, the auditor shall take remedial actions within two months, or else be reassigned to another job.
A specialized electronic payment institution shall file the next year's audit plan to the competent authority for record by the end of each fiscal year, and a report on the execution of its preceding year's annual audit plan within two months from the end of each fiscal year, in a prescribed format stipulated by the competent authority via a web-based information system.
A specialized electronic payment institution shall deliver its next year's audit plan in writing to the supervisors or audit committee for review and record the comments of supervisors or audit committee by the end of each fiscal year. If the institution does not have an audit committee, it shall deliver the audit plan to its independent directors for comments. The annual audit plan and changes thereof shall be approved by the board of directors.
The audit plan mentioned in the preceding paragraph shall contain at least a description of the audit plan, key annual audit items, units to be audited, nature of audit (routine audit or special audit), frequency of audit, and whether the audit plan is in compliance with the requirements of the competent authority. If the audit is a special audit, the scope of audit shall also be noted.
A specialized electronic payment institution shall file the deficiencies, irregularities, and improvement of internal audit of the previous year to the competent authority for record in a format prescribed by the competent authority via a web-based information system within five months after the end of each fiscal year.