Data Source: Laws and Regulations Retrieving System of the Banking Bureau


Title: Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries (2021.09.23 Modified)
  Chapter 3 The inspection of internal control system

   Section 1 Internal audit

Article    9    The purpose of internal audit is to assist the board of directors and the managerial level to verify and evaluate whether the operation of internal control system works effectively and smoothly and provide appropriate suggestions for revision, which can ensure the on-going performance of effective internal control and serve as the basis of internal control system revisions.
Article   10    A financial holding company or banking business should set up an internal audit unit that is directly subsidiary to the board of directors, which should perform audit business independently and honestly. The unit is required to report its audit business to the board of directors and supervisors (board of supervisors) or audit committee at a minimum period of every six months.
A financial holding company or banking business should establish a chief auditor system to manage all audit business. The chief auditor should possess sufficient leadership and ability to carry out effective audit work, whose qualification should be equal to the conditions set for the responsible people of each section and has the power as a general co-manager. The auditor is not allowed to take a job that will cause conflicts or limitations to the audit work.
The employment, dismissal, or transfer of the chief auditor should have the consent of the majority of audit committee members as well as the consent of more than two-thirds of the board of directors and report to the competent authority for ratification.
Where the matter in the preceding paragraph did not have the consent of the majority of audit committee members, the resolution adopted by the audit committee shall be recorded in the board meeting minutes. If there is no audit committee but independent directors set up and an independent director objects to or expresses reservations about the matter, it shall be recorded in the board meeting minutes.
The appointment, dismissal, promotion, reward/ discipline, rotation, and performance review of personnel in the internal audit unit shall become effective after being reported by the chief auditor to chairman of the board. However, if a matter involves personnel of other management or business units, the chief auditor shall first consult the personnel department to refer the matter to the president for approval, and then report to the chairman of the board for final approval.
The regulations in Paragraphs 1 to 5 of this article do not apply to a company that operates financial and trust business concurrently other than a banking business.
The chief auditor of a financial holding company is allowed to, if required by business, dispatch the internal auditors of a subsidiary company to conduct the internal audit task on the financial holding company or its subsidiary company. The chief auditor should also take up the final responsibility to ensure appropriate and effective internal audit system in the financial holding company or its subsidiary company.
Article   11    When any of the following circumstances applies to a chief auditor in overseeing internal audit work, the competent authority may, having regard to the seriousness of the event, issue an official reprimand, order the chief auditor to make improvements within a specified time limit, or otherwise order the financial holding company to release the auditor general from duty.
A. Has made any improper loan extension, been involved in a material breach of the principles for giving credit, or otherwise engaged in any improper transfer of funds with customers, as established by factual proof.
B. Has abused authority of office, there is evidence showing that he or she has carried out improper activities, or he or she has misused power, in an attempt to seek profits for him or herself or for a third party, or to damage the interest of its belonging financial company (including its subsidiary company) or banking business; and therefore, his or her abuse or misuse of power has thus caused losses for its belonging financial company or its subsidiary company or banking business or a third party.
C. Has disclosed, delivered, or publicized all or part of the contents of its financial examination reports to a person not related to such job without the consent from the competent authority.
D. Has failed to notify the competent authority of any significant malpractice that due to poor internal management has occurred in the financial holding company (including its subsidiary company) or the banking business.
E. Has failed to disclose in an internal audit report any significant deficiency identified in the financial and business operations of the financial holding company (including its subsidiary company) or the banking business.
F. Has issued a fraudulent internal audit report on internal audit findings.
G. As a result of obviously insufficient staffing or staffing operations by obviously incompetent internal auditors in the financial holding company (including its subsidiary company) or banking business, has failed to identify a serious deficiency in financial and business operations.
H. Has failed to follow the instructions of the competent authority in conducting audit work or in providing relevant information.
I. Has otherwise committed any act that impairs the reputation or interests of the financial holding company (including its subsidiary company) or the banking business.
Article   12    A financial holding company or banking business shall, after having regard to its investment scale, business condition (the number of its branches and amount of business), management needs, and relevant provisions of rules and regulations, staff competent persons in an appropriate number as full-time internal auditors who shall perform their duties in a detached, independent, objective, and impartial manner. Personnel of the internal audit unit shall be deputy to each other to cover each other's absence.
An internal auditor of a financial holding company or banking business shall meet the following qualification requirements:
1. Having not less than two(2) years of experience in financial examination; or having graduated from a college or university, or passed a senior civil service examination or an equivalent examination, or the examination of certified internal auditor and having not less than two(2) years of experience in financial business; or having not less than five(5) years of experience in financial business. A person is deemed to meet such requirements if he or she has worked as a professional, such as an auditor in an accounting firm, or a computer programmer or system analyst for not less than two(2) years, and has received not less than three(3) months of training in the business operations and management of a financial institution. However, the number of this type of auditor cannot exceed one-third of the total auditors.
2. Free of any record of demerit or more serious from employer in the last three(3) years, unless the demerit record was a result of joint and several disciplinary action on account of the violation or offense of another person, and the demerit has been offset by other merits; and
3. If a lead auditor, have no less than three(3) years of experience in auditing or financial examination, or have no less than one(1) year of experience in auditing and no less than five(5) years of experience in financial business.
The qualifications of the dedicated internal audit personnel of banks’ foreign business units must comply with the local regulations and the requirements of the local competent authority. However, if the local competent authority does not specify the qualifications for internal auditors hired locally, the foreign business unit shall hire employees in accordance with the evaluation and selection regulations passed by the board of directors, and the aforementioned regulations do not apply.
The financial holding company or the banking business shall examine at all times whether the internal auditors have violated the regulations in the preceding three paragraphs. If the auditor has violated the rules, the company should order the auditor to make improvement within two(2) months, and the auditor should be transferred to another job if he or she fails to make such improvement.
Article   13    The internal auditors of a financial holding company or banking business shall perform their duties in good faith, and may not do any of the following:
A. Conceal or make false or inappropriate disclosures of any of the financial holding company's or the banking business's business activities, reporting, or compliance with rules and regulations that they know to directly cause damage to any interested party.
B. Act beyond the scope of audit functions or engage in other improper activities, or externally disclose any acquired information, attempt to profit therefrom, or otherwise use the information against the interest of the financial holding company (including its subsidiary company) or banking business.
C. Cause losses to the financial holding company (including its subsidiary company) or the banking business or harm the interests of its stakeholders due to negligence.
D. Conduct audit work, within one (1) year, on the department where the auditor used to work.
E. Fail to recuse himself or herself from auditing of cases or business within the scope of his or her past duties or matters in which he or she has a personal interest.
F. Directly or indirectly provide, promise, demand or accept any unreasonable gift, hospitality or other improper benefits of any form to or from employees or customers of the same financial holding company (including its subsidiaries) or the banking business.
G. Fail to audit matters that the competent authority has instructed him or her to audit or to provide relevant information.
H. Any other violation of rules, regulations or practices prohibited by the competent authority.
The financial holding company or the banking business should examine at all times whether the internal auditors have violated the regulations in the preceding two paragraphs. If the auditor has violated the rules, the company should order the auditor to make improvement within one(1) month, and the auditor should be transferred to another job if he or she fails to make such improvement.
Article   14    The internal audit unit shall undertake the following tasks:
A. Plan the organization structure, size and duty of the internal audit unit. Prepare internal audit working manuals and working papers, which shall at least include assessing the various rules and operating procedures of the internal control system to determine whether adequate internal controls are already in place in the current rules and procedures, whether each department has realistically carried out the internal controls, and whether the internal controls are carried out in a reasonably effective manner, and from time to time provide recommendations for improvement.
B. Monitor the formulation of rules and procedures for self-inspection and assessments of the internal control system by business and management units, and the implementation of periodic self-inspection by each unit.
C. Formulate annual audit plans and, based on the business risk profile of and implementation of internal audits by each subsidiary or department, determine audit plans targeted at each individual subsidiary or department.
For the purpose of self-inspecting its internal control system, a financial holding company (including its subsidiary companies) or a banking business shall see to it that all of its internal departments and subsidiaries carry out self-inspection, and have its internal audit unit review the self-inspection reports of each department and subsidiary (including its subsidiary companies if it is a financial holding company); such self-inspection, together with the reports on the correction of any deficiencies and irregularities discovered in the internal control system by the internal audit unit, shall serve as a basis for the board of directors, president, chief auditor, and chief compliance officer to evaluate the overall efficacy of the internal control system and to issue internal control system statements.
Article   15    A banking business shall conduct a routine audit at least annually, and a special audit on its and all its subsidiaries' operation, finance, asset quality and information departments; a special audit at least annually on other management departments; a routine audit at least annually on all its business centers, foreign business units and foreign subsidiary companies. The auditing method for a foreign office can be replaced with report auditing, or the auditing frequency can be adjusted flexibly.
The contents of the routine audit or the special audit, which is performed by the audit unit of a banking business to its business unit, should cover whether there are improper marketing activities when dealing with trust business, financial management, and the sale of financial products; whether the contents of the products are clearly disclosed; whether the risks are well notified; whether the contract is fair and other obligations are performed appropriately following the law or self-regulatory guidelines.
The internal auditing unit of a financial holding company shall conduct a routine audit at least annually; a special audit on its finance, risk management, and compliance with applicable acts and regulations at least semiannually; where the routine business has covered the scope of the special audit and its audit results reveal no significant deficiency, and it expressly states such in the internal audit report, it is not required to conduct a special audit for that current half-year.
The internal audit unit should include the execution status of the regulatory compliance system into the routine audit or special audit of the business and management units.
Article   15-1    A domestic bank may apply to the competent authority for approval to adopt a risk-based internal auditing system. A subsidiary that was evaluated and exempted from adopting the system for implementation in accordance with Paragraph 2 of Article 16 shall provide evaluation documents. The competent authority may ask a domestic bank to apply for approval to adopt a risk-based internal auditing system in view of the bank's asset size, business risks, and other necessary conditions.
A domestic bank that applies for approval to adopt a risk-based internal auditing system must meet the following criteria:
1. The bank's most recently filed ratio of regulatory capital to risk-weighted assets meets the requirements set out in Article 5 of the Regulations Governing the Capital Adequacy and Capital Category of Banks;
2. The bank does not show insufficient loan loss provision and reserves based on the most recent financial examination and the most recent CPA-audited and certified financial statements;
3. The bank's non-performing loan ratio of the most recent quarter does not exceed 1%; and
4. The bank has an effective internal control system.
The provisions on auditing frequency in Paragraph 1 of the preceding article and Paragraph 2 of Article 16 do not apply to domestic banks that have been approved to adopt a risk-based internal auditing system.
Article   16    A financial holding company or a banking business shall formulate annual audit plans and, based on the business risk profile of and implementation of internal audits by each subsidiary, determine audit plans targeted at each individual subsidiary.
The internal audit unit of a financial holding company or a banking business, except those foreign branches of a banking business and other business ratified by the competent authority, shall conduct a target audit on its subsidiaries' finance, risk management, and compliance with applicable acts and regulations at least semiannually and incorporate the audit results into its annual audit project.
All subsidiaries shall submit to the financial holding company or the banking business their board meeting minutes, CPA audit reports, examination reports issued by the financial examination agency, and other relevant materials, and, for subsidiaries having established an internal audit unit, audit plans and reports on significant deficiencies identified in internal audit reports and the status of improvements thereof; the mother company shall review such documents and monitor the implementation of improvements by each subsidiary.
The chief auditor of a financial holding company or a banking business shall periodically evaluate the efficacy of the internal control activities of a subsidiary as set forth in the preceding paragraph and, after having reported to the board of directors, send the evaluation results to the relevant subsidiary's board of directors for their reference in personnel evaluations.
Article   17    A financial holding company or the banking business shall disclose at least the following information in its internal audit report for routine business audits.
A. Audit scope; summary commentary; financial status; capital adequacy; operation performance; asset quality; management of shares; management of the operation of board of directors and audit committee; compliance with major acts, regulations, and rules; internal controls; interested party transactions; the control and internal management of all business tasks; protection and management of customers' data; information management; management of customer data confidentiality; protection measures of consumers and investors and the results of self-inspection, and the evaluation to above matters.
B. Opinions on the major illegal errors or faults in all departments, and the suggestions for punishment for employees who fail to fulfill their duties.
C. The examination comments or faults listed by the financial examination agency, accountants, internal audit unit (including the internal audit unit of the mother company), and self-inspection people, and the improvement status of items listed as 'need further improvement' by the internal control statement.
The record of the results in working papers shall be preserved together with the self-inspection or internal audit reports and relevant materials for no less than five(5) years.
Article   18    Where a financial holding company or a banking business makes any concealment of poor internal management, unsatisfactory internal controls, inadequate implementation of the internal audit system and regulatory compliance system, or the results of implementation of improvement of any deficiency specified by a financial examination agency in an examination opinion requiring review and follow-up, or the internal audit unit (including the internal audit unit of parent company) otherwise conceals any audit findings, and where such concealment constitutes significant malpractice, the personnel involved shall be held responsible for negligence in their duties. A financial holding company (including its subsidiaries) or a banking business shall commend an internal auditor who identifies any significant malpractice or negligence and thereby averts material loss to the company.
When a significant deficiency or malpractice arises within the management or business departments of a financial holding company or a banking business, the internal audit unit shall have the power to suggest penalties and shall make a full disclosure of the responsible negligent personnel in an internal audit report.
Article   19    The internal audit report of a financial holding company or banking business shall be delivered to the supervisors (board of supervisors) or audit committee for review and unless it is otherwise provided by the competent authority, shall be submitted to the competent authority within two (2) months following completion of the audit. The audit report shall also be delivered to the independent directors if such positions are set up by the financial holding company or the banking business.
Article   20    Before assuming the following post, the person should enroll in the following trainings held by the institutes recognized by the competent authority and obtain completion certificate from them:
1. When acting as an internal auditor for the first time, the auditor should participate in the audit training course, computer audit training course or billing audit training course for no less than sixty (60) hours. The auditor should also pass the exam and obtain the completion certificate.
2. An internal auditor with leadership duty should participate in the internal auditor leader training course for no less than nineteen (19) hours.
3. The chief auditor and official, deputy managers should participate in audit manager training course for no less than twelve (12) hours.
The regulations in the preceding paragraph do not apply to the training required for locally hired internal audit personnel hired by the foreign business unit. However, where the local competent authority has other regulations, such regulations shall apply.
Internal auditors (including the official, deputy managers and chief auditor) of a financial holding company (including its subsidiary companies) or a banking business (including the parent company) each year shall attend a finance-related professional training held by a competent authority-designated institution or by the financial holding company or a subsidiary thereof. For the minimum number of training hours, the total hour should be no less than twenty(20) for the official, deputy managers and chief auditors; no less than thirty(30) for the other internal auditors. If an auditor has obtained an international internal auditor certificate within the current year, the certificate can be transferred to the training hours.
The total hour of a finance-related professional training held by a competent authority-designated institution shall not be less than half of the training hours in the preceding paragraph.
The number of required training hours each year for an auditor stationed in a foreign country or locally hired internal audit personnel hired by the foreign business unit shall meet requirements in local regulations, and the regulations in the two preceding paragraphs do not apply. However, where requirements are not specified in the local regulations, the number of on-the-job training hours required each year for the supervisor and the personnel of the internal audit unit of the head office in Taiwan shall be adopted. The training hours can also be recognized by enrolling with a financial training institute established according to the local regulations.
The financial holding company or the banking business should organize self-inspection programs for every year and continue proper training courses for auditors in accordance with the nature of each department.
A financial holding company or a banking business shall verify that its internal auditors meet the qualification requirements set forth herein. The verification documentation and records for such purpose shall be kept on file for future reference.
Article   21    A financial holding company or banking business shall, in a prescribed format and via an Internet-based information system, file with the competent authority for recordation the information on the name and years of service of its internal auditors by the end of January each year.
When preparing the basic information of internal auditors, the financial holding company or the banking business should verify whether these auditors have met the requirements stipulated in Paragraph 2 and Paragraph 3, Article 12 and Article 20. If the auditor fails to meet the requirements, it should be improved within two(2) months, if not, the auditor should be re-assigned to another job.
Article   22    A financial holding company shall, in a prescribed format and via an Internet-based information system, file with the competent authority for recordation its next year's audit plan by the end of each fiscal year and a report on the execution of its preceding year's annual audit plan within two(2) months from the end of each fiscal year.
By the end of each accounting year, the financial holding company or the banking business shall deliver a written audit plan for the next year to the supervisors (board of supervisors) or the audit committee for examination and compilation. If the company does not have an audit committee, the report shall be delivered to the independent directors for comments. The annual audit plan and changes thereof shall be approved by the board of directors.
The contents of audit plan mentioned in the preceding paragraph shall at least include: an explanation of the audit plan, annual audit points, units that will receive the audit, nature of audit (routine audit or special audit), and whether the frequency of audit complies with the regulation of the competent authority. If the audit is a special audit, then it is necessary to notify the range of audit.
Article   23    A financial holding company or banking business shall, in a prescribed format and via an Internet-based information system, file with the competent authority for recordation its improvements of deficiencies and irregularities identified in the internal control system in previous year within five (5) months from the end of each fiscal year.
Article   24    For a banking business, officers at various levels with the authority to approve business and transactions shall meet any of the requirements below prior to taking office:
A. Have served as auditors in the internal audit unit and worked for over one(1) year with actual auditing affairs.
B. Have enrolled in the audit training course or computer audit training course held by a competent authority-designated institution and passed the exam and obtained the completion certificate.
C. Have obtained the qualification certificates in banking business internal control and internal audit exam held by a competent authority-designated institution. The contents of the exam should be similar to the contents mentioned in the preceding paragraph.
For the heads of individual levels at foreign business units that have authorization in business or transactions, they are allowed to enroll in professional audit training held by a foreign professional institute or obtain a similar certificate from a foreign institute to replace the certificate mentioned in Paragraph 1.
When acting as the manager of a local business unit, the manager should meet the conditions listed in Paragraph 1; in addition, if the manager qualifies under the conditions in Subparagraph 2 or 3 of Paragraph 1, the manager should participate in more than four(4) times of audit practices with the internal audit unit before actually assuming the post or within six(6) months after assuming the post. Each practice should be responsible for at least one(1) item, practicing at least four(4) items, write a report on the practice, and send to the chief auditor for verification. The chief auditor should present a certificate and keep the report for further reference.
For the heads of individual levels in the banks of a foreign bank in Taiwan, if they are responsible for tasks involving the authorization in business or transactions, and they have finished the internal audit trainings required by the bank, when the training is higher than the requirements listed in Paragraph 1, then they can be exempt from the regulations in this article.