| Chapter 2. Internal Control System. |
Section 4. Internal Audit System and Inspection. |
| Article 14 |
The purposes of the internal audit system are to inspect and evaluate the effectiveness of internal control system and provide timely suggestions for improvement to ensure that the system will continue to be effective and to assist the board of directors and the management in performing their duties. |
| Article 15 |
A bank shall establish an internal audit unit under its board of directors that performs its duties with independent spirit and objectivity, and reports to the board of directors regularly at least once every half a year.
A bank shall establish the position of chief auditor who oversees the audit business. The chief auditor should have leadership and the capability to effectively oversee the audit work. The qualifications of chief auditor shall comply with the Regulations Governing Qualification Requirements for Responsible Persons of Banks, and such position shall be equivalent to a vice president. The chief auditor shall not hold concurrent position that may conflict with or impede his or her audit duties.
The appointment, dismissal or transfer of the chief auditor shall have the consent of at least two third (2/3) of the members of the board of directors and the prior approval of the competent authority. The appointment, discharge, promotion, reward, punishment, transfer and performance review of audit personnel will be handled by the chief auditor and take effect after approval by the chairman of the board. Where such action involves the personnel of other administrative or business units, the chief auditor shall first consult the personnel office to seek the consent of the president and then final approval from the chairman of the board. |
| Article 16 |
Internal auditors shall perform their duties based on the principles of honesty and credibility and stay free of the following conducts:
1. Concealing knowledge of bank’s business activity, financial reporting and compliance status that directly impairs the interests of stakeholders, or making untruthful or improper disclosure.
2. Engaging in conduct exceeding the bounds of audit authority or other illicit activity by disclosing privileged information to others for personal gain or damaging the interests of the bank.
3. Not withdrawing from audit cases involving business he or she used to perform or is having an interest in.
4. Accepting unjustified entertainment or gratuity or other illicit benefits from bank employee or customer.
5. Failing to carry out audit or provide related information as instructed by the competent authority.
6. Engaging in activities that violate laws and regulations or is prohibited by the competent authority. |
| Article 17 |
The internal audit unit shall undertake the following tasks:
1. A bank should outline the organization, organizational structure and responsibility of its internal audit unit, and draft the internal audit manual and working papers. The internal audit manual shall contain at least the evaluation of established internal control requirements and business procedures to determine whether the existing requirements and procedures are properly controlled and whether the administrative units and business units faithfully implement internal control and the outcome of implementation is reasonably effective, and to make suggestions for improvement whenever needed.
2. Drawing up the content and procedure for self-inspection and overseeing the self-inspection carried out by respective units.
3. Drafting an annual audit plan and audit plans for individual units in view of the risk exposures and internal audit implementation of respective units.
The bank should urge respective units to undertake self-inspection. The internal audit unit will review the self-inspection reports produced by respective units, which, together with the internal control deficiencies discovered by the internal audit unit and results of improvement actions taken, will be used as basis for the board of directors, president, chief auditor and chief compliance officer to assess the effectiveness of the bank’s internal control system and issue an internal control statement. |
| Article 18 |
A bank’s internal audit report in general audit shall, by the nature of the audited unit, disclose the following:
1. The scope of audit, summary evaluation, financial status, capital adequacy, business performance, asset quality, regulatory compliance, internal control, transactions with related parties, procedural control and internal management for respective business, security management of customer data, information management, employee’s education concerning confidentiality, and status of self-inspection; and
2. A status report with regard to status of improvement and inactions by each business unit in response to the examination opinions of or deficiencies found by banking examiner, accountant, or internal auditor (including the internal auditor of the financial holding company) or self-inspection personnel, and recommendations enumerated in the internal control statement. |
| Article 19 |
The internal audit unit shall conduct general audit and target audit of the domestic business, asset management, and information units at least once a year, and conduct target audit of other administrative units at least once each year, and general audit of operations centers and oversees business units at least once a year. The internal audit unit may conduct document audit of the overseas liaison offices or adjust the frequency of their field audit.
The bank’s internal audit unit should include the implementation of regulatory compliance system into the general audit or target audit of business and administrative units.
The internal audit report, working papers and relevant data in the first paragraph shall be retained for at least five years. |
| Article 20 |
A bank shall allocate qualified and a suitable number of full time internal auditors commensurate with the number of business units and the size of such businesses, and such auditors should include computer auditors who perform their duties in an independent, objective and impartial manner.
The bank’s internal auditors shall meet the following requirements:
1. Having minimum two years of experience in financial examination; or having graduated from a collage or university; or have passed the Higher Civil Service Examination or any examination equivalent thereto and with minimum two years of experience in the financial business; or having minimum five years of experience in financial business; or having minimum two years of professional experience as an auditor in a accounting firm, or a programmer or systems analyst in a computer firm and having received minimum three months of training in financial business and management;
2. Free of any record of demerit from employer in the last three years, unless the demerit record was a result of joint disciplinary action on account of the violation or offense of a colleague, and the demerit has been offset by other merits; and
3. The lead auditor shall have minimum three years of experience in audit or insurance examination, or minimum one year of audit experience and five years of experience in financial business. |
| Article 21 |
The auditors, lead auditor, and chief and assistant chief of the internal audit unit shall attend at least one session of auditor training class, computer auditing training class, lead auditor training class or chief and assistant chief training class sponsored by a training institution designated by the competent authority. New auditors shall pass the examination of aforesaid training institution and receive a certificate of class completion.
Internal auditors shall attend more than thirty (30) hours of finance-related professional training sponsored by a training institution designated by the competent authority, or the financial holding company or the employer bank each year.
The hours of finance-related professional training received from training institutions designated by the competent authority shall make up at least half of the required training hours specified in the foregoing paragraph.
A bank shall have a plan for continuous and proper training of personnel involved in self-inspection. |
| Article 22 |
A bank shall affirm that its internal auditors meet the qualifications as stipulated in the Rules herein. The affirmation documents and records shall be filed and saved for future reference. |
| Article 23 |
To enhance internal check and balance so as to prevent the occurrence of fraud, a bank shall establish a self-inspection system. The business, asset management and information units of the bank shall conduct general self-inspection at least once every half a year, and special self-inspection at least once every month. Notwithstanding the foregoing, special self-inspection is not required in the month when a general self-inspection has been conducted, or when a general business audit has been conducted by the internal audit unit of the bank or the financial holding company, or when a general business examination has been conducted by the financial examiner, or when the audit department has conducted a full business audit, or when a self-evaluation of regulatory compliance has been conducted.
When conducting self-inspection, the chief of the business, asset management or information units shall assign a personnel other than the one who handles the work to carry out self-inspection, and keep the self-inspection operation confidential beforehand.
The self-inspection report, its working papers and related data shall be retained for at least five years. |
| Article 24 |
Bank officers at various levels with the authority to approve bank business or transactions shall meet any of the requirements below prior to taking office:
1. Having minimum one year of practical experience in conducting internal audits as an employee of the internal audit unit;
2. Having passed the examination and received a certification of course completion in an auditor or computer auditor training course offered by an institution designated by the competent authority.
3. Having passed the test for of banking internal control and internal audit and received a certificate therefore from an institution designated by the competent authority. The content of the test should be comparable to the training course and examination mentioned in the preceding subparagraph.
Bank officers at various levels in overseas business office with the authority to approval bank business or transactions may attend professional audit training sponsored by foreign institutions or obtain similar examination credential in lieu of the requirements specified in paragraph 1 hereof.
First-time business unit manager of a domestic bank shall, in addition to meeting a requirement as provided in the first paragraph hereof, participate in the audit internship of the internal audit unit at least four times in the first half year of appointment, provided he or she is qualified for the job by meeting the requirement specified in subparagraph 2 or 3 in the first paragraph hereof. The aforesaid internship shall cover at least one audit item in each audit and at least four audit items cumulatively. The intern shall also produce an internship report for the perusal of the chief auditor. The chief auditor, after approving the report, will issue a certificate and preserve it along with other documents for future reference.
Officers of the branch of a foreign bank in Taiwan with the authority to approve bank business or transactions may be exempted from the requirements in this article provided he or she has completed the training required by the foreign bank for its internal auditor and such training requirement is at par with the requirements specified in the first paragraph hereof.
If a foreign bank has already set up a branch in Taiwan when the amended Rules herein were promulgated on June 14, 2005, its officers having the authority to approve bank business or transactions shall possess the qualification as provided in the first paragraph hereto or complete the training described in the foregoing paragraph in one year from the promulgation date of the amended Rules herein on June 14, 2005. |