Search Result

Article Content

 
1     These guidelines are promulgated by the Securities and Futures Commission (hereinafter "SFC") of the Ministry of Finance to ensure that service enterprises in the securities and futures markets shall establish internal control systems and implement these systems, to promote the sound development of the market.
Chapter I Internal Control System
2     The term "service enterprises" as used in these Guidelines shall include securities enterprises, securities financing enterprises, securities investment trust enterprises (SITE), centralized securities depository enterprises, futures enterprises, stock exchanges, over-the-counter securities exchanges, futures exchanges, credit rating enterprises, and other service enterprises designated by the SFC.
3     The term "internal control" as used in these Guidelines shall refer to management processes designed by the enterprise's management and executed by the board of directors, management, and other personnel. These processes shall reasonably ensure that the following objectives are met:
  1. Operational efficacy and efficiency
  2. Reliability of financial reporting
  3. Compliance with relevant laws and regulations.
    The objective of operational efficacy and efficiency listed in the preceding paragraph shall include profitability, performance, and assets security.
4     Internal control may be divided into the following three classes depending on the objectives of the internal control system designed by the enterprise's management:
  1. internal control related to operational efficacy and efficiency
  2. internal control related to reliability of financial reporting
  3. internal control related to compliance with relevant laws and regulations.
    An internal control operation may belong to one or more of these classes if it fulfills the objectives of one or more of these internal control classes.
5     Internal control shall include the following constituent elements:
  1. Control environment. The control environment consists of the diverse factors that create an organizational culture and affect employee awareness of control. A control environment is the foundation for the other constituent elements. Factors affecting the control environment include the integrity, values, and ability of employees; the management philosophy and corporate culture; the recruiting, training, and organizing of employees; the manner in which the assignment of duties is carried out; and the oversight and guidance provided by the board of directors and the supervisors.
  2. Risk evaluation. Risk evaluation refers to the process by which the enterprise identifies internal and external factors that prevent the enterprise from achieving its objectives and evaluates the extent of their impact and likelihood. The results of the evaluation can assist the enterprise in designing necessary control operations.
  3. Control operations. Control operations are the policies and procedures that help management to ensure that its orders have been carried out. These operations include approval, verification, regulation, re-checking, periodic checking, record reviews, and the functional division of work; ensuring the safety of assets substantively; and planning, budgeting, and comparison with past performance.
  4. Information and communication. Information is the subject matter that is identified, weighted, processed, and reported by information systems. It includes financial and non-financial information pertaining to the objectives of operational or financial reporting and compliance with relevant laws and regulations. Communication is the disclosure of information to relevant personnel including internal and external communication. Internal control must be capable of generating the information necessary for planning and supervision and providing information to those who need it at the appropriate time.
  5. Supervision. Supervision is the process of evaluating the quality of internal control. It includes evaluation of the soundness of the control environment; whether risk evaluation is timely and accurate, whether control operations are appropriate and accurate; and whether information and communication systems are functioning properly. Supervision may be divided into continuous supervision and individual evaluation. The former refers to routine supervision during operations while the latter is conducted by other personnel including internal auditors or managerial groups.
    When designing its internal control system, a service enterprise should consider the constituent elements in the preceding paragraph. If the evaluation criteria (see Appendix 1) lack key points that ought to be considered, the service enterprise shall add criteria based on its actual needs.
6     An effective internal control system means that the enterprise's board of directors and management reasonably ensure that:
  1. The board of directors and the management are aware of the degree to which operational efficacy and efficiency has been achieved;
  2. Financial reporting is reliable;
  3. Relevant laws and regulations are complied with.
    An internal control system is grossly defective if any of the constituent elements of an internal control system listed in Article 5 has not been able to reasonably ensure the achievement of the aforementioned objectives.
7     A service enterprise shall specify its internal control system in written form including enforcement rules for internal auditing and submit it to the next meeting of the board of directors. The same shall apply to any amendments.
8     In addition to specifying control operations for different types of transaction cycles based on the nature of the enterprise, the internal control system of a service enterprise shall, depending on need, include management of the use of seals, management of the use of negotiable instruments, budget management, financial management, guarantees of endorsements, management of acknowledgments of indebtedness and ad hoc contingencies; a system for authorization of job responsibilities and deputy system; controls over loans to others and the management of financial and non-financial information.
9     A service enterprise that uses a computer information system shall in addition to clearly differentiating the duties of the information systems department and user departments, shall at a minimum include the following controls:
  1. A clear division of the function and duties of the information processing departments;
  2. Systems development and program modification controls;
  3. System documentation compiling control;
  4. Programs and data access control;
  5. Data input/output controls;
  6. Data processing controls;
  7. File and equipment security controls;
  8. Purchasing, deployment, usage, and maintenance of software and hardware controls;
  9. System recovery plan and testing procedure controls.
10     A service enterprise shall faithfully execute its internal control system and shall also review or self-evaluate its internal control system based on these Guidelines from time to time to adapt to changes in the environment inside or outside the firm and thereby ensure that the design and execution of the system continues to be effective. The service enterprise shall also report to the SFC on the previous year's review and any modifications each year by the end of May (see Form 1). This report shall be retained by the SFC for record.
    Securities enterprises shall also submit this report to the Taiwan Stock Exchange Co. and the R.O.C. Over-the-Counter Securities Exchange.
Chapter II Internal Audit Operations
11     The purpose of the internal audit referred to in Article 5 lies in the inspection and evaluation of defects in the internal control system as well as a weighing of operational efficiency, the provision of timely recommendations on improvements to ensure that the system will continue to be implemented effectively, and assisting the board of directors and the management in the performance of their duties.
12     Internal auditing rules for a service enterprise shall include at a minimum:
  1. Inspection and evaluation of the internal control system to weigh the effectiveness of and the compliance with existing policies and procedures as well as their effects on operations.
  2. A detailed listing of matters to be audited, the time of the audit, and the procedure (method) of the audit.
13     A service enterprise's internal auditors should be neutral and perform their duties with objectivity, fairness, and due care.
14     A service enterprise's internal auditors shall attend training on internal audits offered by institutions recommended by the SFC or other professional organizations, or by the service enterprise itself to enhance the quality of audits and auditing skills.
    This training in internal audits shall include professional courses, computerized auditing, and basic legal knowledge.
15     In accordance with its scale, business situation, management needs, and other relevant laws and regulations, a service enterprise shall establish an internal audit unit supervised by at least the General Manager. The service enterprise shall also appoint qualified persons in an appropriate number to serve as full time internal auditors.
16     A service enterprise, except as required by other regulations governing securities and futures enterprises, shall report the names, ages, educations, experience, seniority, and training of internal auditors (per Form 2) to the SFC at the end of January each year for record.
17     The appointment and dismissal of internal audit executives shall be approved in advance by a majority of the board of directors. Except as otherwise required by other provisions governing securities and futures enterprises, the service enterprise shall report the reason for any such change and provide a copy of the minutes of the board of directors meeting to the SFC before the 10th day of the following month for record.
18     The internal audit unit of a securities enterprise shall draft an annual audit plan to serve as a basis for the inspection and evaluation of the enterprise's internal control system. This plan shall include budgetary, financial, and business operation controls. A working paper and relevant information shall be attached to the plan, and compiled as an audit report ready for review by the SFC.
19     A security enterprise shall submit its annual auditing plan, an account of its execution, and a description of corrections taken with respect to anomalous matters to the Taiwan Stock Exchange Co. and the R.O.C. Over-the-Counter Securities Exchange for record. The Taiwan Stock Exchange Co. and the R.O.C. Over-the-Counter Securities Exchange shall jointly specify the format and time of the report.
    Securities financing enterprises, SITEs, futures enterprises, credit rating enterprises, and other service enterprises designated by the SFC shall submit their next year's internal audit plan to the SFC for record by the end of each December. They shall also provide a report (per Form 3) on the execution of the internal audit plan in the previous year to the SFC for record by the end of February and report their correction of any anomalies that they have discovered within the last year to the SFC for record (per Table 4) by the end of May.
    The Taiwan Stock Exchange Co., the R.O.C. Over-the-Counter Securities Exchange, the centralized securities depository enterprises, and the Taiwan Futures Exchange shall provide an internal audit plan for the coming year by the end of each December to the SFC. They shall also provide reports on the execution of the internal audit plan and their correction of any anomalies that they have discovered during previous quarters to the SFC for record within two months.
20     In addition to providing the audit report stipulated in Article 18 to its supervisors for review, a service enterprise shall also report the annual internal audit plan, the status of its execution, any internal control defects, and the correction of any anomalies to the supervisors with all possible speed.
21     The Taiwan Stock Exchange Co., the R.O.C. Over-the-Counter Securities Exchange, the centralized securities depository enterprises, and the Taiwan Futures Exchange shall retain their audit reports, working papers of audit reports, and sampled data for at least five years.
    Other service enterprises shall retain their audit reports for at least three years and the working papers of their audit reports and sampled data for at least two years.
22     To strengthen computer information systems controls, the Taiwan Stock Exchange Co., the R.O.C. Over-the-Counter Securities Exchange, the centralized securities depository enterprises, and the Taiwan Futures Exchange shall periodically commit professional personnel to conduct project audit operations related to the use of computer information systems processing.
Chapter III Self-Evaluation Operations
23     The purpose of self-evaluation as referred to Article 10 lies in assisting the enterprise's board of directors and management to understand the effectiveness of the enterprise's internal control system so as to perform their duties. The scope of the evaluation shall include the design and execution of the classes of internal control system listed in Article 4.
24     To evaluate its internal control system, a service enterprise may first oversee periodic reviews by its internal units of their internal control systems and use the results of those reviews by internal audit units as the basis for the evaluation of the effectiveness of the service enterprise's overall internal control.
    The working paper and related information from the self-evaluation in the preceding paragraph shall be retained for at least two years.
25     A service enterprise shall develop an evaluation procedure (method) with which to self-evaluate its internal control system. This evaluation procedure and any amendment shall be reported to the board of directors.
26     When self-evaluating its internal control system, a service enterprise shall be mindful of the constituent elements and their criteria listed in Article 5. The evaluation results shall be divided into effective internal control systems and grossly defective internal control systems.
27     The board of directors and the management of the Taiwan Stock Exchange Co., the R.O.C. Over-the-Counter Securities Exchange, the centralized securities depository enterprises, the Taiwan Futures Exchange, and securities investment trust enterprises shall conduct yearly reviews of internal checks performed by internal units and the audit reports from the internal auditing unit. These shall be compiled into an internal control declaration (per Appendix 2) and submitted to the SFC for record by the end of April of the following year.
    The above internal control declarations shall be duly published in the annual report and prospectus according to regulation.
Chapter IV Evaluation
28     In any of the following circumstances, the SFC may order the service enterprise to commit a certified public accountant to conduct a project audit of the enterprise's internal control system and submit a review report to the SFC for record:
  1. Failure to duly compile an internal control system in written form;
  2. Failure to appoint qualified or an appropriate number of full time internal auditors;
  3. Failure to report within the prescribed period or failure to implement fully the annual internal audit plan;
  4. Failure to report the status of the implementation of the annual audit plan within the prescribed period;
  5. Failure to report defects and corrections of anomalies discovered during the audit within the prescribed period;
  6. Failure to report reviews and amendments to the internal control system within the prescribed period;
  7. Failure to conduct self-evaluation of the internal control system or failure to compile and publish an internal control declaration in the annual report and prospectus;
  8. Failure to correct defects in internal control systems per recommendations made by a certified public accountant in serious circumstances;
  9. Poor performance, false financial reporting, or serious violation of the law;
  10. Serious malfeasance or suspicion of malfeasance;
  11. Other circumstances in which the SFC deems a project audit necessary.
29     If a service enterprise fails to comply with these Guidelines or a certified public accountant issues an unqualified opinion (2), a qualified opinion, an adverse opinion, or a disclaimer of opinion pursuant to the Guidelines for Certified Public Accountants Conducting Project Audits of Internal Control Systems of Public Companies, or defects are not corrected, the SFC shall not only place the enterprise under project supervision, but shall also consider these facts when it decides whether or not to approve the enterprise to offer and issue securities or other applications filed by the enterprise.