Taiwan Depository & Clearing Corporation (TDCC)

Project from the Financial Supervisory Commission to Audit Information Security Operation of Investment Consulting Enterprises

Liu Ren-Jie Intermediaries Compliance & Inspection Department

To improve the operation and development of the securities investment consulting enterprises, enhance the industry’s information security protection capabilities and awareness, strengthen the ability to respond to incidents, maintain sustainable business operation as well as the order of the financial market, and protect the rights and interests of the investing public, on February 23, 2023, the Financial Supervisory Commission (FSC) mandated TDCC to audit the investment consulting enterprises’ information security operation in fund sales on electronic trading platforms for their compliance with relevant regulations and to discuss the future routine audit mechanism and report.

To carry out the audit, TDCC's Intermediaries Compliance & Inspection Department first drafted the "Audit Plan for Investment Consulting Enterprises' Information Security Operation in Fund Sales Business on Electronic Trading Platforms" and completed each phase according to the schedule:

I. Pre-audit preparation

(i) Establishing a cross-departmental audit team

Because auditing the information security operation of investment consulting enterprises was not part of TDCC's routine business, the Intermediaries Compliance & Inspection Department responded to the FSC's assignment by forming a cross-departmental audit team with the Digital & Information Security Department and the Internal Auditing Department. Colleagues from those two departments hold information security professional certifications and have relevant backgrounds, and the three departments jointly performed the audit work.

(ii) Defining the audit scope and items and preparing the audit working papers

The first priority was to formulate an audit scope, audit items, working papers, and other audit forms suited to the nature of investment consulting enterprises. Through cross-departmental discussion and exchange of opinions during this work, the team members gained a firmer grasp of the scope, items, and key points to be audited, which helped ensure the audit was comprehensive and effective. After consulting TDCC's and related units' information security audit materials, together with the control measures of the ISO 27001 information security management standard, the audit team drafted 12 audit items comprising a total of 64 sub-items in a very short time.

(iii) Pre-audit education and training

To strengthen the auditors' information security knowledge and audit skills, TDCC invited professionals with practical information security audit experience from the Securities Brokerage Supervision Department of the Taiwan Stock Exchange to deliver external training. Colleagues from the Fund and Global Services Department and the Intermediaries Compliance & Inspection Department were also invited to share their experience, so that the auditors received complete training before performing the audit.

II. Conducting audits and sharing experiences

The audits were carried out from March 28 to April 14, 2023. The three investment consulting enterprises were audited one after another, with experience sharing and review held after each audit, so that the team learned while auditing and built its professional knowledge and skills through that learning. A total of 12 information security deficiencies were found (as shown in the figure) and 38 suggestions for improvement were proposed. All three audited enterprises considered the audit helpful for improving their information security management systems and refining their risk management.

After the audits ended, TDCC's President presided over a summary symposium on the audit operation on April 19. Future audits will be conducted on the basis of the suggestions raised at the symposium: where an audited enterprise is required to remediate within a set period, the feasibility of that period for the enterprise should be considered, and when routine audits are conducted, the execution method should be chosen according to the number of enterprises to be audited. This will promote communication with the enterprises while increasing the effectiveness of the audits.

III. Reports of audit results and drafts of audit-related measures

In response to the FSC's instruction to study a future routine audit mechanism, TDCC drew on its own information security operations and on the regulations governing the shareholder services agent audits that the FSC has entrusted to TDCC, and drafted three documents for auditing investment consulting enterprises: the "Operational Measures for Auditing Information Security Operation of Investment Consulting Enterprises," the "Guidelines for Follow-up, Assessment, and Guidance in regard to Audit Deficiencies in Information Security Operation of Investment Consulting Enterprises," and the "Guidelines for Special Audit Project for Information Security Operation of Investment Consulting Enterprises." At the same time, the "Audit Manual for Information Security Operation of Investment Consulting Enterprises" was formulated.

From receipt of the FSC's instruction to delivery of the report, the project took about two months. Under the guidance of the executives and with interdepartmental cooperation among colleagues, the task was completed through joint effort, fully demonstrating TDCC's teamwork. Beyond implementing the FSC's policy of promoting the Financial Information Security Action Plan 2.0, TDCC is now able to review the regulatory compliance and overall information security protection of the audited investment consulting enterprises, helping to build a secure environment for service development and to maintain the order of the financial market.

[Figure: information security deficiencies found during the audit]