Search Result

Article Content

 
1     These Guidelines are specially promulgated by the Securities and Futures Commission (SFC) of the Ministry of Finance for observance by Certified Public Accountants (CPA) conducting project audits of internal control systems of public companies
2     CPAs committed to conduct project audits of internal control systems of public companies shall do so in accordance with the provisions of these Guidelines.
3     Project audits of internal control systems of public companies shall be jointly conducted and certified by two or more CPAs qualified under the "Criteria Governing Approval for Certified Public Accounts to Audit and Certify Financial Reports of Public Companies" promulgated by the SFC.
4     Except as otherwise provided by the SFC, the scope of project audits of internal control systems of public companies by CPAs shall be the internal control systems related to financial reports and the internal control systems related to protecting assets security and preventing unauthorized acquisition, usage, and disposition of assets.
5     Except under special circumstances, the time period to be covered by project audits of internal control systems of public companies conducted by CPAs shall be consistent with the time period covered by the Internal Control Declaration of the committing company.
6     CPAs conducting project audits of internal control systems of public companies shall collect sufficient and appropriate evidence to lower the CPAs' certifying risk to an acceptable level, and shall comply with the following audit standards:
  1. General Standards:
    1. Project auditing work shall be conducted by professionally trained and competent CPAs.
    2. The CPAs shall possess adequate knowledge of the matters represented in the Internal Control Declaration issued by the committing company.
    3. The CPAs shall have the ability to assess Internal Control Declarations of committing companies consistently based on reasonable standards before entering into an audit contract. The above-stated standards shall be prescribed by the SFC or by an authority institution.
    4. In affairs relating to project audits, CPAs shall maintain an attitude of rigor and impartiality and a detached and independent viewpoint.
    5. CPAs shall exercise all due professional diligence when conducting the project audits.
  2. Fieldwork Standards:
    1. Project audits shall be carefully planned and assistants, if any, shall be properly supervised.
    2. CPAs shall obtain sufficient and appropriate evidence regarding the effectiveness of each constituent element of the internal controls, to provide a reasonable basis on which to express opinions on the committing company's Internal Control Declaration.
    3. Working papers shall be prepared for project audits.
  3. Reporting Standards:
    1. The audit report shall clearly indicate the Internal Control Declaration audited, describe the nature of the audit, reach conclusions, and explain whether the Declaration is a fair presentation.
    2. The audit report shall clearly explain any instances of insufficient disclosure of necessary internal control information in the Internal Control Declaration or any insufficiency of evidence due to limitations on the scope of the CPA audit.
7     CPAs committed to conduct project audits of internal control systems of public companies shall conduct the audit process in four stages:
  1. Planning:
    1. Obtain written records of the committing company's management-level control objectives and internal control policies and procedures, and other necessary information.
    2. Draw up an audit plan. The following factors at least shall be taken into consideration: the nature of the industry, information obtained when undertaking other contracts with the committing company, the condition of the committing company and recent changes in it, evidence obtainable by the CPAs, the nature of specific internal control procedures and the importance of such procedures to overall internal control, preliminary assessment of the effectiveness of overall internal control, differences among various operating locations, centralization procedures, transactions executed and the control environment, and the control risk and significance level in connection with the internal control that are acceptable to the CPAs.
  2. Gain an understanding of the internal control:
    CPAs may use means such as questioning, examination of written documents, and observation to gain an understanding of the internal control of the committing company, to form a basis for assessing the effectiveness of the internal control.
  3. Assess the effectiveness of the internal control design:
    When assessing the effectiveness of the internal control design of the committing company, CPAs shall collect evidence regarding the effectiveness of the design. Methods for collecting such evidence include questioning, examination of written documents, and observation.
    When assessing the effectiveness of the internal control design, CPAs shall emphasize whether the overall internal control system achieves a given goal rather than whether any given specific internal control operation is inappropriate.
    When CPAs are committed only to evaluate the effectiveness of the internal control design, the necessary control tests shall be conducted based on actual needs.
  4. Testing and assessing the effectiveness of internal control implementation:
    CPAs shall conduct control tests to collect evidence regarding internal control implementation to provide a basis for assessing the effectiveness of internal control implementation.
    Methods used by CPAs in conducting control tests include questioning, examination of written documents, observation, and re-testing. Control tests shall be conducted until sufficient and appropriate evidence has been collected. Evidence collected by the committing company during self-evaluation of the effectiveness of the internal control shall not be substituted directly for evidence that should be collected by the CPAs.
    Whether the evidence collected by CPAs is sufficient and appropriate is affected by the following factors: the nature of the committing company's internal control procedures, the importance of the internal control procedures in reaching the objectives of the control, the probability of violation of control procedures by the committing company, the nature and extent of control tests already conducted by the committing company, and the CPAs' preliminary assessment of the effectiveness of the control procedures. CPAs shall also execute necessary procedures and collect necessary evidence regarding subsequent events during the post audit period.
8     The objective of the CPA audit report is to assist users of the Internal Control Declaration of a public company in understanding whether the Declaration is a fair presentation.
9     CPA audit reports are divided into the following five types based on the type of opinion:
  1. Unqualified Opinion (1) - The CPAs shall issue an Audit Report with an Unqualified Opinion (1) with format and content as shown in Attachment 1 when all of the following criteria are met:
    1. The committing company has issued a Declaration on the effectiveness of the design and implementation of the relevant internal control system.
    2. The CPAs have conducted an audit in accordance with the auditing principles and procedures in these Guidelines, and have collected sufficient and appropriate evidence and find no significant defects in the internal control system as presented in the committing company's Declaration.
    3. The committing company's Declaration is fairly presented.
  2. Unqualified Opinion (2) - The CPAs shall issue an Audit Report with an Unqualified Opinion (2) with format and content as shown in Attachment 2 when the following criteria are met:
    1. The committing company has issued a Declaration on the effectiveness of the design and implementation of the relevant internal control system.
    2. The CPAs have conducted an audit in accordance with the auditing principles and procedures in these Guidelines, and have collected sufficient and appropriate evidence, and find significant deficiency in the internal control system as presented in the committing company's Letter.
    3. The committing company's Declaration is fairly presented.
  3. Adverse Opinion - The CPAs shall issue an Audit Report with an Adverse Opinion with format and content as shown in Attachment 3 when the following criteria are met:
    1. The committing company has issued a Declaration on the effectiveness of the design and implementation of the relevant internal control system.
    2. The CPAs have conducted an audit in accordance with the auditing principles and procedures in these Guidelines, and have collected sufficient and appropriate evidence and find significant defects in the internal control system as presented in the committing company's Declaration.
    3. The committing company's Declaration is not fairly presented.
  4. Qualified Opinion - The CPAs shall issue an Audit Report with a Qualified Opinion with the format and content as shown in Attachment 4 when the following criteria are met:
    1. The committing company has issued a Declaration on the effectiveness of the design and implementation of the relevant internal control system.
    2. Because of a scope limitation on the CPA audit or insufficient evidence, the CPAs are unable to determine whether there is any significant deficiency in a specific element of the internal control system as presented in the committing company's Declaration.
    3. The audit procedures unexecuted by the CPAs are not significant to the extent of requiring the CPAs to issue an Adverse Opinion on the internal control system as presented in the committing company's Declaration. That is, the evidence collected by the CPAs is sufficient and appropriate as a whole, but insufficient with respect to the specific part at issue.
  5. Disclaimer of Opinion - The CPAs shall issue an Audit Report with a Disclaimer of Opinion with format and content as shown in Attachment 5 when the following criteria are met:
    1. The committing company has issued a Declaration on the effectiveness of the design and implementation of the relevant internal control system.
    2. The evidence is insufficient due to limitations on the scope of the CPAs' audit.
    3. The lack of evidence is significant to an extent that the CPAs are unable to determine whether there are serious defects in the internal control system as presented in the committing company's Declaration. That is, the CPAs do not know whether the committing company's Declaration is fairly presented.
10     CPAs wishing to emphasize a certain matter of significance, such as the use of other CPAs' reports or occurrence of significant subsequent events, shall give an appropriate explanation of the matter in a single separate paragraph in the audit report with format and content as shown in Attachment 6.
11     CPAs committed only to evaluate the effectiveness of the design of the internal control shall issue an audit report with the format and content as in Attachment 7.
12     The date on the audit report or audit opinion issued by the CPAs shall be the date of completion of the fieldwork.
13     CPAs discovering defects when conducting project audits of internal control systems of public companies shall issue internal control recommendations, with format and content as shown in Attachment 8, to the committing company's board of directors and management, and for reference by the committing company in implementing corrective measures.
14     These Guidelines shall be implemented on the date of promulgation.