[Expert’s Commentary Column of the Commercial Times] Signing off on internal controls is not a mere formality—directors must have strategies to avoid the risk of breach of trust

June 3, 2025

When it comes to “internal control,” many people’s first reaction is: “Isn’t that the audit department’s job? As long as we comply with the regulator’s requirements and nothing goes wrong, why should we make a big deal out of it or pay special attention?”


Let me start with the conclusion—so you can immediately grasp the seriousness of the issue: violating internal control procedures can directly cross the red line into criminal breach of trust.

Consider the following hypothetical case: Company A, a listed company, urgently needs a batch of specialized raw materials. The procurement department quickly signs a contract with Supplier B for an amount exceeding NT$100 million. According to the internal control procedures, payment can only be made after completion of the “three-way match” of purchase order, acceptance/inspection record, and invoice. However, under pressure from senior management (Chairman A), the finance department makes payment before inspection. After receiving the funds, the supplier delivers only part of the goods, delays the rest under various pretexts, and ultimately disappears. Subsequent investigation reveals that the supplier and Chairman A had undisclosed personal financial dealings. In such a case, the breach of trust issue is self-evident.

Some may ask: Even if something does go wrong, surely it has nothing to do with the directors or independent directors, right?

Not quite. A closer look at several key regulations, including the Regulations Governing the Establishment of Internal Control Systems by Public Companies, the Securities and Exchange Act, and the Corporate Governance Best-Practice Principles for TWSE/TPEx Listed Companies, reveals a consistent logic: internal control is closely tied to the reliability of financial statements; the establishment, amendment, and effectiveness of an internal control system must all be evaluated by the audit committee; any opinions raised by independent directors should be recorded in the minutes of the board meeting; and the final statement on the internal control system must be approved by the board of directors.

In short, from design and implementation to supervision and final announcement, both directors and independent directors are jointly accountable.

Since the responsibilities of (independent) directors are significant, which operational cycles or project controls carry higher risks and warrant closer attention?

Based on experience, the following areas require particular caution:

1. Cash cycle: for example, when financial officers allocate funds without proper approval, resulting in bad debts.
2. Procurement cycle: such as inflated purchase amounts.
3. Fixed asset cycle: such as large purchases or inaccurate valuations.
4. Investment cycle: such as external investments lacking due diligence or uncontrolled mergers and acquisitions.

The risks are even higher if these areas involve related parties.

Therefore, how should (independent) directors respond in order to protect themselves while still fulfilling their duties?

They must ensure that procedural discussions for transactions are not omitted and have the courage to ask questions. When encountering unreasonable transactions (what constitutes a non-routine transaction?), suspecting the involvement of related parties (how perpetrators avoid scrutiny as related parties), or dealing with high-risk issues such as loans, endorsements, or guarantees (which topics are considered significant or high-risk issues), they should not just listen to the presentations but ask: Is there procedural evidence? Is there a third-party opinion? If not, such evidence or opinions should be promptly supplemented and properly recorded in the meeting minutes.

Keep records.

Why is it necessary to keep records after asking questions? Because if something goes wrong, having no evidence to prove that one has fulfilled one's duty of care makes it difficult to avoid liability.

Internal control is both the company’s seatbelt and the directors’ firewall. Every vote, every signature, is not merely a formality but a concrete manifestation of legal responsibility. Peter Drucker once reminded us: “The most dangerous thing is to think that there is no risk.” This is especially true in the boardroom. Don’t assume that going through the motions ensures immunity. What truly protects you is asking one more question, taking one more look, and keeping one more record before risks emerge.

This article was published in the Expert’s Commentary column of the Commercial Times. https://www.ctee.com.tw/news/20250603700129-431303