Chapter II Design and Implementation of the Internal Control System
Article 5
An enterprise shall set out an explicit internal organizational framework in its internal control system and include therein, with respect to members of management, the establishment of positions, position titles, appointment and dismissal, as well as scope of duties and powers.
An enterprise shall consider the overall operational activities of the enterprise and all subsidiaries in designing and scrupulously implementing an internal control system, and review the system from time to time and self-inspect it under these Regulations, to adapt to changes in its internal and external environment and to ensure sustained design and operating effectiveness of the system. By the end of May each year, the enterprise shall file with the Securities Investment Trust and Consulting Association (SITCA), in the format required by the Financial Supervisory Commission, the status of its review and revisions of the internal control system for the preceding fiscal year.
The term "subsidiaries" referred to in the preceding paragraph means those determined in accordance with Statements of Financial Accounting Standards Nos. 5 and 7 issued by the Accounting Research and Development Foundation.
Article 6
An enterprise's internal control system shall consist of the following components:
1. Control environment. The control environment is a composite factor that shapes organizational culture and affects employees' awareness of control. Factors affecting the control environment include the integrity, ethical values, and competence of employees; the management philosophy and operating style of the board of directors and management; how employees are recruited, developed, and organized and how authority and responsibilities are assigned; and the attention and direction of the board of directors and supervisors. The control environment provides the foundation for the other components.
2. Risk assessment. Risk assessment is a process by which the enterprise identifies internal and external factors that keep it from achieving its objectives and assesses their impact and probability. The assessment results can assist the enterprise in designing, correcting, and implementing necessary controls in a timely manner.
3. Control activities. Control activities are the policies and procedures that establish a complete and sound control framework and adopt control procedures at all levels to help the board of directors and management ensure that their directives are carried out. Control activities include policies and procedures for approvals, authorizations, verifications, reconciliations, reviews, periodic counting, check of records, segregation of duties, safeguarding of physical security of assets, comparison with plans, budgets, or operating performance in prior periods, and supervision and management over subsidiaries.
4. Information and communication. Information refers to the subject matter identified, measured, processed, and reported by information systems. It includes information, financial or non-financial, pertaining to the objectives in the areas of operations, financial reporting, and compliance with applicable law and regulations. Communication is the provision of information to relevant personnel, either within or outside the enterprise. The internal control system must have mechanisms to generate information necessary for planning and monitoring and to provide information to those who need it in a timely manner.
5. Monitoring. Monitoring is a process to self-inspect the quality of the internal control. It includes assessing the soundness of the control environment; whether risk assessment is timely and accurate; whether control activities are appropriate and accurate; and whether information and communication systems are functioning properly. Monitoring is accomplished either through ongoing monitoring activities or through separate evaluations. The former is routine monitoring in the course of operations, while the latter is the evaluation conducted by different personnel such as internal auditors, supervisors, or the board of directors.
An enterprise designing and implementing, or carrying out self-inspection of, its internal control system, or a certified public accountant (CPA) engaged to conduct a special audit of the enterprise's internal control system, shall fully consider the components enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the Financial Supervisory Commission, Executive Yuan (FSC), may add additional items as dictated by actual needs.
Article 7
The internal control system of an enterprise shall cover control activities for the following types of transaction cycles:
1. Securities investment trust business: includes "Know Your Customer," sales activities, creation, marketing, and operation of funds, securities lending or borrowing, redemption, accounting, general affairs, prevention of short-swing trading, anti-money laundering, convening of meetings of beneficial owners, and exercise of voting rights.
2. Discretionary investment business: includes solicitation of business, "Know Your Customer," signing of contracts, operation of assets under discretionary investment agreements, measures to prevent unauthorized trading, and anti-money laundering.
In addition to control activities for the various types of transaction cycles in the preceding paragraph, the internal control system shall also include controls over the following activities:
1. Seal use management.
2. Management of the receipt and use of negotiable instruments.
3. Budget management.
4. Property management.
5. Management of endorsements/guarantees.
6. Management of liability commitments and contingencies.
7. Delegation of duties and implementation of deputy systems.
8. Management of financial and non-financial information.
9. Management of related party transactions.
10. Management of preparation process of financial statements.
11. Supervision and management over subsidiaries.
12. Compliance system.
13. Management of operation of board meetings.
If an enterprise simultaneously operates both securities investment trust business and discretionary investment business or simultaneously operates both securities investment consulting business and discretionary investment business, it shall adopt control activities to prevent conflict of interest between the different kinds of business.
Article 8
If an enterprise is operated concurrently by another enterprise in a different industry or concurrently operates such an enterprise, it shall adopt control activities to prevent conflict of interest with or prejudice to the rights and interest of beneficial owners or customers in terms of concurrent appointments of and codes of conduct for their responsible persons and associated persons, sharing and utilization of information, sharing of operating equipment or places of business, and advertising, public informational meetings, or other business promotion activities.
Article 9
An enterprise that uses a computerized information processing system shall, in addition to clearly differentiating the functions and duties of information and user departments, at least include the following control procedures in its internal control system:
1. Clear demarcation of the functions and duties of the information-processing department.
2. Control of system development and program modification.
3. Control of preparation of system documentation.
4. Program and data access control.
5. Data input/output control.
6. Data processing control.
7. File and facility security control.
8. Control of purchase, usage, and maintenance of hardware and system software.
9. Control of system recovery plan and testing procedures.
10. Control of information and communications security inspection.
11. Control of relevant procedures, if required, for disclosing and reporting public information on a website designated by the FSC.