A public company's internal control systems shall comprise the following constituent elements:
- Control environment:
Control environment is the basis of the design and implementation of internal control system across the company. Control environment encompasses the integrity and values of the company, governance oversight responsibility of the board of directors and supervisors, organizational structure, assignment of authority and responsibility, human resources policy, and performance measures and reward and discipline. The board of directors and management shall prescribe internal standards of conduct, including the adoption of a code of conduct for directors and a code of conduct for employees.
- Risk assessment:
A precondition to risk assessment is the establishment of objectives, linked at different levels of the company, and with the suitability of the objectives for the company taken into consideration. Management shall consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective. The risk assessment results can assist the company in designing, correcting, and operating necessary control activities in a timely manner.
- Control activities:
Control activities are the actions of carrying out policies and procedures taken by the company on the basis of risk assessment results to limit relevant risks to a sustainable level. Control activities shall be performed at all levels of the company, at various stages within business processes, and over the technology environment, and shall include supervision and management of subsidiaries.
- Information and communications:
Information and communication means the relevant and quality information that the company obtains, generates, or uses from both internal and external sources to support the functioning of other components of internal control, and the capability of effective communication between the company and external parties. Internal control systems must have mechanisms for generating information necessary for planning, implementation, and monitoring and providing timely information to those who need it.
- Monitoring activities:
Monitoring activities means ongoing evaluations, separate evaluations, or some combination of the two used by the company to ascertain whether each of the components of internal control is present and functioning. Ongoing evaluations means routine evaluations built into the course of operations at different levels of the company. Separate evaluations are evaluations conducted by different personnel such as internal auditors, supervisors, or the board of directors. Findings of deficiencies of the internal control system shall be communicated to the management at appropriate levels, the board of directors, and the supervisors, and improvements shall be made in a timely manner.
A public company designing and operating its internal control systems or carrying out self-assessment, or a certified public accountant (CPA) retained to conduct a special audit of the company's internal control systems, shall fully consider the constituent elements enumerated in the preceding paragraph, and, in addition to the criteria prescribed by the Financial Supervisory Commission (FSC), shall add additional items as dictated by actual needs.
Source: Regulations Governing Establishment of Internal Control Systems by Public Companies, COSO