risk based internal auditing in taiwanese banking industry yung ming
TRANSCRIPT
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
1/40
Risk Based Internal Auditing in Taiwanese Banking Industry
Yung-Ming Shiu
Assistant Professor
Department of Business Administration,
National Cheng Kung University, Taiwan
Email: [email protected]
Mei-Lan Yeh
Department of Business Administration,
National Cheng Kung University, Taiwan
Email: [email protected]
Date: 25 June 2008
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
2/40
i
CONTENTS
CHAPTER 1 INTRODUCTION 1
1.1 RESEARCH BACKGROUND AND MOTIVATIONS 1
1.2 PURPOSE OF RESEARCH AND FINDINGS 2
1.3 STRUCTURE OF THIS STUDY 3
CHAPTER 2 CURRENT USE OF RBIA IN TAIWANESE BANKING
INDUSTRY.................................................. 4
CHAPTER 3 LITERATURE REVIEW AND HYPOTHESIS
DEVELOPMENT....................................................................... 10
3.1 RISK MANAGEMENT 11
3.2 INTERNAL CONTROL 12
3.3 CORPORATE GOVERNANCE 13
3.4 TECHNICAL COMPETENCE 15
CHAPTER 4 METHOD..................................................................... 17
4.1 DATA COLLECTION AND SAMPLE 17
4.2 NON-RESPONSE BIAS 17
4.3 MEASUREMENT OF VARIABLES 18
4.4 MODEL 20
CHAPTER 5 RESULTS.................................................................. 24
5.1 DESCRIPTIVE STATISTICS 24
5.2 UNIVARIATE RESULTS 24
5.3 ASSUMPTION TEST RESULTS 25
5.4 REGRESSION RESULTS 26
CHAPTER 6 CONCLUSION AND LIMITATION.................................... 32
6.1 CONCLUSION 32
6.2 LIMITATION 33
REFERENCE.................................................................. 34
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
3/40
ii
TABLES
TABLE 1 RESULTS OF LEVENES TEST AND INDEPENDENT SAMPLE T
TEST 22
TABLE 2 COMPOSITION AND RELIABILITY OF VARIABLES 22
TABLE 3 DEFINITION OF VARIABLES USED IN THE MODEL 23
TABLE 4 DESCRIPTIVE STATISTICS 27
TABLE 5 FACTORS OF DOMESTIC BANKS SEGMENTED BY DEGREE OF
RBIA 28
TABLE 6 CORRELATION MATRIX 30
TABLE 7 VIF VALUE 31
TABLE 8 RESULTS OF TOBIT REGRESSION ANALYSIS 31
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
4/40
iii
FIGURES
FIGURE 1 USE OF RBIA BY BANKS 4
FIGURE 2 COMPLETENESS AND CORRECTNESS OF THE CONTENT OF
RISK REGISTER 5
FIGURE 3 DEFINITION OF RBIA ACTIVITY IN AUDIT CHARTER 6
FIGURE 4 PROPORTION OF AUDIT PLAN THAT IS RISK-BASED 7
FIGURE 5 ALLOCATION OF INTERNAL AUDIT RESOURCES 7
FIGURE 6 INTERNAL AUDITS EVALUATION BASED ON RISK
ASSESSMENT 8
FIGURE 7 FREQUENCY OF REPORTING TO THE BOARD OF
DIRECTORS 8
FIGURE 8 BANKS CONCERN ABOUT EXECUTING RBIA 9
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
5/40
-1-
Chapter 1 Introduction
1.1Research Background and MotivationsRecent corporate collapses and financial scandals have provoked world-wide
concern with corporate governance highlighted apparent failures of accountability
(Spira and Page 2003), and subsequent new laws, regulations in response to them (the
Sarbanes-Oxley Act, 2002 and SEC rules) provide compelling evidence that internal
auditing, serves as part of sound corporate governance framework (Spira and Page
2003), matters and is important. More recently, various releases by the Institute of
Internal Auditors (IIA)-UK and Ireland Position Statement on Risk Based Internal
Auditing(hereunder refers to RBIA) (IIA 2003) and the Standards for the
Professional Practice of Internal Auditing (IIA, 2004) reveal the focal point of internal
auditing and the role of this function in organizations has moved from traditional
control and compliance orientation to a more risk-based focus (Kippenberger 1999;
Walker et al. 2003;IIA, 2003).
This is consistent with Turnbulls broader approach to internal control as
Turnbull has stated that directors shall adopt a risk-based approach to establish a
sound system of internal control and reviewing its effectiveness, and to incorporate
risk management and internal control by the company within its normal management
and governance processes (FRC 2005).
In recent years, banking regulators have changed their examination techniques
by placing emphasis on an institutions internal control system and on the way it
manages and controls its risks (McCool 2000). In conjunction with the
implementation of the New Basel Capital Accord (NBCA), known as Basel II, of
which the main goal is to reinforce the risk management system within the banking
industry, the Financial Supervisory Commission of the Executive Yuan (the FSC) in
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
6/40
-2-
Taiwan has pushed the regulatory authority to build up a risk-based supervisory
system and amend related laws and regulations where banks are mandated to conduct
more public disclosure of qualitative and quantitative information for finance,
business, corporate governance and risk management operation (FSC 2004). The FSC
further urges banks to set up a well-arranged risk management mechanism, such as
internal control system, risk management mechanism and internal audit function that
are mandated by the law Enforcement Regulations for Bank Internal Audit Control
System. Furthermore, the risk management strategies and execution quality of the
bank will be the focal point of supervision in the future, and face check and balance
imposed by market functions.
An effective risk management by banks and effective risk-based supervision by
regulators are highly dependent both on the implementation of adequate internal
control systems and on the competence of internal audit staffs (Katz 1998). In Taiwan,
banks operate in an institutional environment where internal auditing is a statutory
requirement1. Despite all of the recent attention focused on RBIA, research on the
existence or extent of this sector in general in corporations has been scant. Therefore,
the purpose of this study aims to investigate the current use of RBIA by Taiwanese
banking industry and to identify factors associate with the demand of RBIA among
banks.
1.2 Purpose of Research and Findings
This study explores factors associate with Taiwanese banks demand of RBIA
from perspectives of risk management, internal control, corporate governance and
internal auditors technical competence. Using data from a survey of domestic banks
1
Implementation Rules for Bank Internal Audit and Internal Control System, 2007 modified;Regulations Governing the Implementation of internal control and Audit Systems by Holding
Companies, 2005 modified.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
7/40
-3-
together with information from corporate annual reports, we find support that the
degree of RBIA used by banks is associated with information disclosures about
financial, compliance, health and safety, technology, internal process and change
management risk management; the existence of a risk management committee; ratio
of Non-Performing Loan; the banks size and complexity; board size; proportion of
independent board members; the level of shareholdings held by institutional
shareholders; and internal auditors technical competence.
1.3 Structure of This Study
The paper is structured as follows. The next section discusses current use of
RBIA in Taiwanese Banking Industry. The third section describes a literature review
and the hypothesis development. Subsequent sections present the method and results.
The final section provides discussion, conclusions and limitations of the study, and
also suggestions for future research.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
8/40
-4-
Chapter 2 Current Use of RBIA in Taiwanese Banking Industry
A survey is designed to gather information on the current use of RBIA in banking
industry. The questionnaire is developed based on the Standards for the Professional
Practice of Internal Auditing (IIA 2004a) and the Implementation Rules for Bank
Internal Audit and Internal Control System (FSC 2007), and includes four parts: part
one asked about current status of the banks risk management; part two requests for
the definition of RBIA activity in audit charter and technical competence of internal
auditors; part three investigates the performance of RBIA in related to audit planning,
nature of work and communication; and part four inquire about basic information of
the banks. Our sample consists of all of the 39 domestic banks, and of the 39 surveys
mailed, 24 completed responses were returned for a response rate of 61.54%.
Of the 24 survey responses, 13 (54.1%) of the banks report that more than 60%
of their internal audit activities are risk oriented. As Figure 1 illustrates, we find that 8
of 24 (33.3%) respondents indicating that they use a relatively high level of RBIA,
about 61%-80%, while 6 (25%) of the banks report that about 21%-40% of their
internal audit work are risk-based.
FIGURE 1
0% 5% 10% 15% 20% 25% 30% 35%
Percentage of Responding Banks
0-20%
21%-40%
41%-60%
61%-80%81%-100%
PercentageofRBIA
Used
Use of RBIA by Banks
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
9/40
-5-
The effectiveness of RBIA derives from a reliable risk register, also a complete
risk register will be available for audit planning (Griffiths 2006). Question 1 and 2
asked each bank to identify the completeness and the correctness of the content of its
risk register. Of all the 24 responses, there is one missing data on these two questions.
As illustrated by Figure 2, a significant percentage reported a complete and correct of
the risk register, notably 3 (13%) of the banks reported no risk register.
FIGURE 2
0% 10% 20% 30% 40% 50%
Percentage of Responding Banks
No Risk Register
General
Complete/Correct
Most Complete/Correct
Completeness and Correctness of the Content of Risk register
Completeness Correctness
As regulated by the Standards for the Professional Practice of Internal Auditing,
the purpose, authority, and responsibility of the internal audit activity should be
formally defined in a charter (IIA 2004a). To get an indication of how clearly RBIA
activities are defined, banks were asked whether it is been clearly defined in the audit
charter or work manual that internal auditor should audit and assure the adequacy and
effectiveness of risk management and control system in Question 5. As shown in
Figure 3, a large majority of banks (70%) reported RBIA activities are been clearly
defined in the audit charter, while only 1 bank reported no definition of any RBIA
activities in audit charter or work manual.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
10/40
-6-
FIGURE 3
0% 10% 20% 30% 40% 50% 60% 70% 80%
Percentage of Responding Bank
Not Defined
General
Clear
Very Clear
Definition of RBIA Activity in Audit Charter
To see the extent of audit activities that are risk-based, we asked banks a series of
questions concerning audit planning. Question 8.2 asked respondents the proportion
of Engagement plan that are based on annual risk assessment. Except 3 missing data,
approximately 12 of 21 (57.1%) respondents expressing that less than 40% of
Engagement plan are based on annual risk assessment. We also inquired about the
proportion of annual audit plan that is based on each business units risk character and
that the priority of audit activities is determined on risk assessment in Question 8.3
and 8.4. As Figure 4 demonstrates, the percentage drops to about 50% for
approximately 61%-100% of annual audit plan to each business unit that is risk-based,
while 42% of banks indicated less than 40% of annual audit plan that is risk-based.
The annual audit plan on the priority of audit activities shows the same outcome, with
50% and 38% respectively for about 61%-100% and less than 40%.
Question 9.5 asked banks to rank the allocation of internal audit resources on
each of audit activities. Figure 5 presents the percentage of responding banks that
expressed none, a few, few, regular, many, great many about each audit activities. A
great many of internal audit resources were allocated to internal control audit, with
92% of responding banks expressing many to great many of audit resources.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
11/40
-7-
FIGURE 4
0%
5%
10%
15%
20%
25%
30%35%
40%
Percentageof
RespondingBank
s
0-20% 21%-40% 41%-60% 61%-80% 81%-100%
Proportion of Audit Plan
Proportion of Audit Plan that is Risk-based
Engagement
Business Unit
Audit Priority
Financial, operational and information system audits are also audit activities that
have been allocated of most audit resources for the respondents, with 54%, 55% and
51%, respectively, indicating many to great many audit resources. Risk management
and special projects and others audits are the next two audit activities, with 46% and
41%, respectively, expressing many to great many of resources for each activity. The
activity of least allocation is corporate governance audit, where only 34% of
responding banks that allocate many to great many of audit resources.
FIGURE 5
4%8%
33%
46%
8%
0%0%8%
63 %
29 %
4%8%
38 %
25 %
21 %
4%8%
33%
38%
17%
0%0%
50%
38%
13%
4%
17%
42%
21%
13%
8%
8%
42%
33%
8%
0%
20%
40%
60%
80%
100%
Pcao
Rep
n
Ba
Financial Internal
Controls
Risk Mgt. Operational Info rmation
system
Corporate
Governance
Special
Projects and
Others
Allocation of Internal Audit Resources
None A Few Few Regular Many Great Many
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
12/40
-8-
RBIA is all about providing an opinion on whether risks are being properly
managed (IIA 2003; Griffiths 2006). Question 9.4 asked banks to indicate how
frequency internal auditors would evaluate the adequacy and effectiveness of control
of following issues based on results of risk assessment. As Figure 6 presented, most of
banks evaluation on the issues always based on risk assessment results.
FIGURE 6
0%
20%
40%
60%
80%
Percentageof
RespondingBanks
Rarely Regular Sometimes Always
Internal Audit's Evaluation based on Risk Assessment Reliability andIntegrity of Financial
and Operational
Information
Effectiveness andEfficiency of
Operations
Safeguarding of
Assets
Compliances with
Laws, Regulations
and Contracts
The frequency that chief internal auditor is reported to the board of directors has
important impacts on RBIA. Question 10.2 asked banks the frequency chief internal
auditor is reported to the board of directors regarding banks significant risk exposures
and controls. Figure 7 presented that a large majority of banks (88%) responded
regular to frequently report to the board of directors.
FIGURE 7
0%
10%
20%
30%
40%
50%
Percentageof
RespondingBanks
None Seldom Regular Frequently
Frequency of Reporting to the Board of Directors
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
13/40
-9-
Question 13 asked responding banks to specify their concerns regarding RBIA
usage. As shown in Figure 8, the greatest concern is lack of proper tool to identify
risks, with 14 of 24 responding banks. Lack of experience is the next greatest concern
to the banks, with 12 of banks. Lack of relevant principles or guidelines is also issue
of some concern for the respondents, with 7 responding banks. The item of least
concern is lack of relevant knowledge. Other concern specify by the responding banks
is the difficulty of present risk-based concept to internal auditors.
FIGURE 8
0
2
4
6
8
10
12
14
Numberof
RespondingBanks
Lack ofrelevant
Knowledge
Lack ofExperience
Lack ofProper Tool
to Identify
Risks
Lack ofRelevant
Principles or
Guidelines
Others
Banks' Concern About Executing RBIA
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
14/40
-10-
Chapter 3 Literature Review and Hypothesis Development
In 1999, the Institute of Internal Auditors (IIA) promulgated a new
definition of internal auditing which identifying an assurance and consulting role for
internal audit, highlighting the changing focus and the expansion scope of internal
auditing into risk management, corporate governance, and adding value2
(The IIA,
2004;Walker et al. 2003; Jenny 2004). The new definition emphasize that internal
audit function can add value to the organization in terms of risk management and
corporate governance, and RBIA is an approach that can help to meet these
requirements (IIA 2003). This approach is consistent with Turnbulls broader
approach to internal control as Turnbull implies that high level, risk-based internal
audit functions are a sine qua non (Fraser and Henry 2007).
Empirical research has investigated the existence or extent of internal auditing
from risk or governance perspectives. Goodwin-Stewart and Kent (2006) use an
agency framework to explore firm characteristics associated with the existence of
internal audit function from risk management, control and governance perspectives.
He argues that internal auditing is either to be a complementary or substitution
mechanism aligns with other risk management and governance mechanisms, and that
survey evidence indicates a significant association between the use of internal
auditing and a commitment to strong risk management and firm size, however, the
results reveal a mixed support for the corporate governance factors.
Using an agency cost framework, Carey, et al.(2000) examined demand for both
internal and external auditing by family business with two agency proxies which are:
2 In 1999, the Institute of Internal Auditors (IIA) approved the new definition of internal auditing as:
an independent, objective assurance and consulting activity designed to add value and improve an
organizations operations. It helps an organization accomplish its objectives by bringing a systematic,disciplined approach to evaluate and improve the effectiveness of risk management, control, and
governance process.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
15/40
-11-
(1) the proportion of nonfamily management, and (2) the proportion of nonfamily
representation on the board of directors. They found that the two agency cost proxies
are associated with demand for external audit, but do not explain the demand for
internal audit. Carcello, et al. (2005) examines factors associated with U.S. public
companies investment in internal auditing, and the result indicates that total internal
audit budgets (in-house plus outsourced portions) are related to factors associated
with company risk, e.g. company size, complexity and leverage.
3.1 Risk Management
The separation of ownership and management functions and the presence of
information asymmetry introduce the possibility of principal-agent conflicts (Haniffa
and Hudaib 2006), it also incurs risks to stakeholders in the organization
(management, shareholders, creditors, etc.) (Spira and Page 2003). Those agency
conflicts, agency costs and risks are now managed within the corporate governance
framework through accountability mechanisms, such as internal control and audit.
(Haniffa and Hudaib 2006; Spira and Page 2003). Stakeholders now compete to
participate in corporate governance to seek power in organizations by asserting their
own conceptions of risk and how it should be managed, and a focus on risk
management has become central to this competition since it defines the accountability
of the management of the organization (Spira and Page 2003). This is consistent with
Hay and Knechels (2004) argument that the demand for auditing is a function of the
set of risks faced by individual stakeholders in an organization and the set of control
mechanisms available for mitigating those risks. Therefore, internal auditing's risk
management orientation has given the audit function increased credibility across the
enterprise and greater acceptance by management (Beumer 2006). Drawing from the
preceding discussion, the following hypothesis is therefore proposed:
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
16/40
-12-
H1: The use of RBIA is positively associated with the level of risk confronting
with the stakeholders.
The objective of RBIA is to provide independent assurance to the board that
there is a sound of risk management framework within the organization, and risks that
may affect the organisations business objectives and strategies are been identified,
managed and reduced to a level that is acceptable to the board (IIA 2003) . One
indication of risk management framework is the existence of a separate committee or
group, comprised of directors and managers (Goodwin-Stewart and Kent 2006) to
develop risk management development policy. The preceding discussion is reflected
in following hypothesis:
H2: The use of RBIA is positively associated with the existence of a risk
management committee.
3.2 Internal Control
As organizations grow in size and complexity, effective risk management
becomes increasingly problematic (Fraser and Henry 2007). Previous study for
demand of internal auditing linked to the cost vs. benefit from undertaking monitoring
(Carcello et al. 2005; Goodwin-Stewart and Kent 2006). Carcello, et al. (2005) asserts
that increased organizational complexity would result in greater risk and companies
facing higher risk will increase their organizational monitoring. In addition, from
transaction cost perspective, larger firms have opportunities to gain economies of
scale from investment in the fixed costs of internal auditing (Carey et al. 2000; Carey
et al. 2006). From preceding discussion, the following hypotheses are therefore
proposed:
H3a: The use of RBIA is positively associated with a banks size.
H3b: The use of RBIA is positively associated with the complexity of a bank.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
17/40
-13-
Recently, Taiwanese authorities have urged for financial reforms, many domestic
banks are merged into one large financial holding company. Based on preceding
discussion, we would expect that as the financial holding company is larger in size
and more complicated, it would be more likely to use RBIA and request its subsidiary
to use RBIA for monitoring of risk management. Therefore, this study tests whether
domestic banks that are a subsidiary of financial holding companies are more likely to
use RBIA. The preceding discussion is reflected in following hypothesis:
H3c: The use of RBIA is positively associated with a bank that is a subsidiary of
a financial holding company.
3.3 Corporate Governance
IIA (2005) in their submission to the Turnbull Review Group, requested that
boards should be responsible for determining acceptable risks and for managing them.
While board members have ultimate responsibility for risk management and internal
control, they require assurance that risks throughout the organization have been
identified, assessed and managed (Fraser and Henry 2007). Hence, internal auditings
risk-based orientation would be a key component for such assurance. Haniffa and
Hudaib (2006) indicates that board size affects the extent of monitoring and
controlling. As a small board may be seen to be more effective, we would expect a
higher percentage of RBIA may be used. However, as bigger boards seems to be more
symbolic rather than being a part of the management process (Hermalin and Weisbach,
2000; Haniffa and Hudaib 2006; Chen 2003), they would require internal audit
activities to be more risk orientation, as a substitute mechanism. From preceding
discussion, we test whether the use of RBIA is associated with board size, but do not
predict a direction:
H4: The use of RBIA is significantly associated with the board size.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
18/40
-14-
In banking industry, information asymmetry problem is relatively higher among
external bank stockholders, including institutional investors as they have little control
over bank managers (Zeckhauser and Pound 1990; Ross 1989). Meanwhile, Pound
(1988) and Cebenoyan et al. (1999) suggest that because of contractual clauses
specifying what types of investments institutional investors must hold, they have less
ability to diversify risks and stronger incentives to monitor individual investments.
Therefore, we would expect that when institutional investors shareholdings are
proportionately higher, they will be more likely to ensure that internal auditing
focuses its resources on the banks business and strategic risks. The preceding
discussion is reflected in following hypothesis:
H5: The use of RBIA is positively associated with the level of shareholdings held
by institutional shareholders.
Internal auditing plays an important role in organizational governance by
monitoring organizational risks and assessing controls (IIARF 2003). Previous study
argues that internal audit is a substitute mechanism for monitoring by directors
(Anderson et al.1993), however, Goodwin-Stewart and Kent (2006) argues that
information asymmetry problems exist between executive and independent directors,
internal auditing is more likely to be a complementary mechanism among other
corporate governance mechanism. Since independent directors lack of day-to-day
business involvement, they may not have enough information, moreover, they also
may concern about his or her personal exposure if management commits fraud or
some other scandal erupts related to the organization (i.e., reputation risk) (Knechel
and Willekens 2006). Internal auditings risk-based orientation would be a key
component for such information risk assurance. The preceding discussion is reflected
in following hypothesis:
H6: The use of RBIA is positively associated with the proportion of independent
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
19/40
-15-
board members on the board of directors3.
3.4 Technical Competence
The IIAs standard 1210 on proficiency of the auditor requires that the internal
auditors possess the knowledge, skills and other competencies needed to perform their
responsibilities (IIA 2004a; Dessalegn Getie and Aderajew Wondim 2007).
Internal auditors are potentially important providers of independent evaluations
of the organizations risk management and internal control system (assurance),
eventually combined with more practice-oriented management assistance (consulting)
in this area (Sarens and De Beelde 2006). Following Turnbull and Position Statement
(IIA 2004b), internal auditors are being expected to be increasingly prominent in
ERM but concerns have been expressed about expertise (Fraser and Henry 2007).
This new role has led internal auditors to internal expertise that requires different
technical competence and in-depth understanding of risk that some internal audit may
not possess, for example, the appropriate qualifications and experience; including the
necessary specialized skills (e.g. risk management and system design), industry
specializations as industry-specific factors influenced the risk appetite of the business
and technological expertise (Spira and Page 2003; Spekle et al. 2007; Carey et al.
2006; Fraser and Henry 2007). This situation could have potentially serious
consequences as an internal audit function which has been allocated a prominent role
in the assessment of the appropriateness of risk management but which lacks the
necessary expertise could be a weak link in the risk management chain (Fraser and
Henry 2007).
Over the last decade, the cost of finding, recruiting and keeping appropriately
qualified staff has become increasingly more difficult and expensive (Martin et al.
3 In Taiwan, members of the board of directors contain directors and supervisors.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
20/40
-16-
2000). In terms of cost-benefit perspective, the organizations economic
principle/agent seeks to adopt governance structures that match their control needs in
a cost-effective way, thus may consider the benefits and drawbacks of adopting RBIA
while lacking of technical competence internal auditors. Consequently, the propensity
for banks to use RBIA is more likely to be high when internal auditors are
technologically competent in this area. Based on the preceding discussion, the
following hypothesis is therefore proposed:
H7: The use of RBIA is positively associated with the internal auditors technical
competence.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
21/40
-17-
Chapter 4 Method
4.1 Data Collection and Sample
The present study combined data collected from the corporate annual report and
a survey of domestic banks. Data that are extracted from the banks annual report
contains information regarding the disclosures of the banks risk management,
corporate governance structure and ownership of shareholdings, based on fiscal year
ends from 1 January 2006 to 31 December 2006. A survey was developed to gather
information on the degree of RBIA employed by the bank, the existence of risk
management committee and internal auditors technical competence.
As the questionnaires were to be sent out via mail, initial versions were drafted
and tested by three non-specialists to eliminate misunderstanding due to wording and
technical terms. After the initial alteration, a further test was conducted by two
specialists. With minor modifications, the final questionnaire was mailed to chief
internal auditors in January, 2008, with a letter explaining the purpose of the survey
and assuring that the response would be treated in a strictly confidential manner. A
reminder phone call was made two weeks later.
The population from which our sample is drawn consists of all of the 39
domestic banks that are under operation and regulated by the Financial Supervisory
Commission of the Executive Yuan. Of the 39 surveys mailed, 24 responses were
received, generating a response rate of 61.54 per cent. Of all the 24 responses, there
were no unusable responses; hence, the final usable response rate was also 61.54 per
cent.
4.2 Non-response Bias
To assess whether non-respondents (n=15) differed significantly from usable
responding banks (n=24), the present paper compared the scores of responding banks
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
22/40
-18-
on total assets and net income before tax to those of the non-respondents. We use
Levenes test and Independent Sample T test to examine the Homogeneity of
variances and Equality of Means, respectively. The results indicate that there were no
significant differences between the two groups on these variables. Thus, there have no
indications of non-response bias (see table 1 for further details).
4.3 Measurement of Variables
The dependent variable is the percentage of RBIA employed by the bank (RBIA).
This variable is derived from a single question: percentage of internal audit activities
that are considered to be risk-based.
The independent variables used in the analyses are summarized in Table 3 and
explained below:
Risk ManagementPrevious research has used a set of risk and risk management measures that
reflect the organizations own assessment of risk and risk management efforts. This
study adopts the same risk measures to Knechel and Willekens (2006) where six areas
of risk and related risk management practice are measured. We use annual report to
evaluate risk management information disclosed by the bank to compute the six
separate risk management measures. Each risk management measure is computed on a
five-item scale where one point is added for disclose each of the five information
regarding a specific area of risk and risk management. As no companies scored the
maximum score (5) on each risk variable, each risk measure is scaled by its own
maximum score actually observed, e.g. a company with a score of three for a measure
where the maximum observed value across all companies was four was scaled to 0.75.
The six separate risk management measures are as following:
RISK 1 A score from 1 to 5, scaled by the maximum value in the sample, reflecting
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
23/40
-19-
the extent of disclosures aboutfinancial risk and risk management.
RISK 2 A score from 1 to 5, scaled by the maximum value in the sample, reflecting
the extent of disclosures about compliance risk and risk management.
RISK 3 A score from 1 to 5, scaled by the maximum value in the sample, reflecting
the extent of disclosures about environmental and safety risk and risk
management.
RISK 4 A score from 1 to 5, scaled by the maximum value in the sample, reflecting
the extent of disclosures about technology risk and risk management.
RISK 5 A score from 1 to 5, scaled by the maximum value in the sample, reflecting
the extent of disclosures about internal process risk and risk management.
RISK 6 A score from 1 to 5, scaled by the maximum value in the sample, reflecting
the extent of disclosures about change management risk and risk
management.
In addition, since financial characteristics reflect company risk and ability to pay
for monitoring, company in weak financial condition would try to mitigate their
heightened risk through enhanced monitoring by internal audit (Carcello et al. 2005).
Consequently, we include the following financial proxy in the analysis that is most
concerned in banking industry:
NPL Ratio of Non-Performing Loan.
One additional variable is included in the model based on the hypothesis:
RMC Dummy variable = 1 if the bank has a risk management committee, zero
otherwise.
Internal ControlLNINTEST Natural log of net interest revenue.
FORBNH Foreign branches divided by total branches (if there are no foreign
branches, this variable equals 0).
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
24/40
-20-
FHC Dummy variable =1 if the bank is a subsidiary of financial holding
company; zero otherwise.
Corporate GovernmentBODNR Total number of members on the Board of Directors
4.
INSOWN Percentage of shareholdings held by institutional shareholders.
NONEXD Percentage of non-executive directors and supervisors on the board of
directors
Technical CompetenceThe questionnaire contains 7 items that were measured on a five-point scale, and
designed to acquire different aspects of technical competence of the internal auditors
(Q7.1~Q7.7). Confirmatory factor analysis conveys that five of these items load on a
single factor. Therefore, we combine these items by calculating the mean of the five
items to obtain a single score for technical competence (see table 2 for further details).
The correlations of the other two items with the factor were too low and we dropped
these items from the analysis. The Cronbachs alpha coefficient for TECHCOM is
0.836.
TECHCOM A score measured by computing the mean of five questionnaires,
representing the extent of technical competence of internal auditors in
the internal audit department.
4.4 Model
We use a Tobit model in our analyses, which is a regression technique suited to
analyse limited (censored) dependent variables (Tufano 1996; Spekle et al. 2007):
RBIA= bo + b1RISK1 + b2RISK2 + b3RISK3 + b4RISK4 + b5RISK5 +
b6RISK6 + b7NPL+ b8RMC + b9LNINTEST + b10FORBNH +
4 In Taiwan, members of the board of directors contain directors and supervisors ; therefore, this paper
investigates the proportion of non-executive directors and supervisors
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
25/40
-21-
b11FHC + b12BODNR + b13INSOWN + b14NONEXD +
b15TECHCOM + e
Where:
RBIA Percentage of RBIA employed by the bank
RISK 1 The extent of disclosures about financial risk and risk
management
RISK 2 The extent of disclosures about compliance risk and risk
management
RISK 3 The extent of disclosures about environmental and safety
risk and risk management
RISK 4 The extent of disclosures about technology risk and riskmanagement
RISK 5 The extent of disclosures about internal process risk and
risk management
RISK 6 The extent of disclosures about change management risk
and risk management
NPL Ratio of Non-Performing Loan
RMC Dummy variable = 1 if the bank has a risk management
committee, zero otherwise
LNINTEST Natural log of net interest revenue
FORBNH Percentage of foreign branches on total branches
FHC Dummy variable =1 if the bank is a subsidiary of a financial
holding company; zero otherwise
BODNR Total number of members on the Board of Directors
INSOWN Percentage of shareholdings held by institutional
shareholders
NONEXD Percentage of non-executive directors and supervisors on
the board of directors
TECHCOM A score measured by computing the mean of five
questionnaires, representing the extent of technical
competence of internal auditors in the internal audit
department
Since tobit regression is used to test the hypotheses, assumptions of
multicollinearity, independence of error terms and heteroskedasicity are also tested.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
26/40
-22-
The Pearson Correlation Matrix and Variance Inflation Factor (VIF) are used to test
the multicollinearity assumption, while an analysis of residuals and the plots of the
studentised residuals against predicted values are conducted to test for independence
of error terms and heteroskedasicity.
TABLE 1
Results of Levenes Test and Independent Sample T Test
Levenes Test Independent Sample T Test
Variables F-statistics p-value t-value p-value
Assets 6.562 0.015* -1.164 0.258
Net Income before Tax 0.180 0.673 -1.480 0.147
Note: Significant at the 0.05 level.
TABLE 2
Composition and Reliability of Variables
ItemsComponent
Loading
Understanding of COSOs ERM (Q7.1) Understanding of risk management framework that are
established for Basel II (Q7.2)
knowledge of information technology risk and controls (Q7.3) proportion auditing related certificates holders (Q7.6)
proportion of risk management related certificates holders (Q7.7)Cronbachs alpha: 0.836.
0.900
0.859
0.779
0.925
0.921
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
27/40
-23-
TABLE 3
Definition of Variables Used in the Model
Variables Definition Expected sign
Dependent Variable
RBIA Percentage of internal audit activities that are
considered to be risk-based.
Independent Variables
Risk Management Variables
Risk 1 A score from 1 to 5, scaled by the maximum value in
the sample, reflecting the extent of disclosures about
financial risk and risk management.
+
Risk 2 A score from 1 to 5, scaled by the maximum value in
the sample, reflecting the extent of disclosures about
compliance risk and risk management.
+
Risk 3 A score from 1 to 5, scaled by the maximum value in
the sample, reflecting the extent of disclosures about
environmental and safety risk and risk management.
+
Risk 4 A score from 1 to 5, scaled by the maximum value in
the sample, reflecting the extent of disclosures about
technology risk and risk management.
+
Risk 5 A score from 1 to 5, scaled by the maximum value in
the sample, reflecting the extent of disclosures about
internal process risk and risk management.
+
Risk 6 A score from 1 to 5, scaled by the maximum value in
the sample, reflecting the extent of disclosures about
change managementrisk and risk management.
+
NPL Ratio of Non-Performing Loan. +
RMC Dummy variable = 1 if the bank has a risk
management committee, zero otherwise.
+
Internal Control Variables
LNINTEST Natural log of net interest revenue +
FORBNH Percentage of foreign branches on total branches +
FHC Dummy variable =1 if the bank is a subsidiary of a
financial holding company; zero otherwise.
+
Corporate Governance Variables
BODNR Total number of members on the Board of Directors. ?
INSOWN Percentage of shareholdings held by institutional
shareholders.
+
NONEXD Percentage of non-executive directors and
supervisors on the board of directors.
+
Technical Competence Variable
TECHCOM A score measured by computing the mean of five
questionnaires, representing the extent of technical
competence of internal auditors in the internal auditdepartment.
+
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
28/40
-24-
Chapter 5 Results
5.1 Descriptive Statistics
Table 4 presents descriptive statistics for the dependent and independent
variables in the model. Start from independent variable in Panel A, the 24 responding
samples have conducted moderate RBIA, with a mean RBIA about 0.5833 reflecting
58.33% of internal auditing activities are risk-oriented. The risk management
disclosure scores could be divided into two groups. Standardized risk management
scores 0.7708 and 0.7292 for financial risk management and compliance risk
management respectively, comparatively higher than that for the rest of four risk
management, ranging from 0.375 for change management risk management to 0.4563
for internal process risk management. The percentage of foreign branches on total
branches ranges from 0 to 0.2727, with a mean of 0.0377. For corporate government
variables, Panel A indicates that, on average, 12.5313 per cent of shareholdings held
by institutional shareholders. Technical competence of internal auditors in the internal
auditing department ranges from 2 to 4.2, with a mean score of 2.7667.
Panel B shows that of the 24 respondent banks, 79.2 per cent have a risk
management committee. Panel B also shows that 45.8 per cent of banks in the sample
are under controlled by a financial holding company.
5.2 Univariate Results
We report further descriptive statistics for the banks in the sample, breaking the
sample on the 25th percentile and the 75th percentile of the degree of RBIA where
banks engage in infrequent RBIA (RBIA30 percent), some RBIA (RBIA between
30 and 70 percent), and extensive RBIA (RBIA exceeding 70 percent). Table 5 reports
a t-test of the differences in the means of these groups and a nonparametric Wilcoxon
signed-rank test of the differences between the distributions.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
29/40
-25-
The univariate analysis of means represents that banks employing infrequent
RBIA are hardly distinguishable from those employing moderate levels of RBIA,
apart from the percentage of non-executive directors and supervisors on the board of
directors (as predicted). The Wilcoxon signed-rank test reports the same result.
Banks employing extensive RBIA differ from those employing moderate level of
RBIA along a variety of factors. They disclose less about internal processrisk and risk
management (contrary to the predictions) and have fewer board members. The
percentage of non-executive directors and supervisors on the board of directors is
higher. Finally, technical competence of internal auditors in the internal audit
department is higher as anticipated.
Finally, we examine whether banks employing intensive RBIA distinguishable
from those employing infrequent of RBIA. Three factors are significant differs:
disclosure about internal process risk and risk management, percentage of
non-executive directors and supervisors on the board of directors and technical
competence of internal auditors in the internal audit department.
5.3 Assumption Test Results
Table 6 presents the correlation matrix for the dependent and continuous
independent variables. TECHCOM is significantly associated with the degree of
RBIA ( r.546, p0.01). The highest correlation for the independent variables is
-0.404 between RISK1 and NONEXD. In addition, table 7 reports VIF values for the
continuous independent variables. FORBNH has the highest VIF value of 4.521. The
correlation matrix and VIF values present that multicollinearity is not a problem5. The
Durbin-Watson value (2.250) and the plots of the residuals indicate no problems of
independence of error terms and heteroskedasicity.
5 Multicollinearity problem exists when the correlation exceeded 0.80 and VIF values exceeds 10.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
30/40
-26-
5.4 Regression Results
The results of the tobit regression are shown in Table 6. This model identifies
factors that are associated with a banks use of risk-basked internal auditing. The
model is significant atp0.000 with an Adjusted R2of 0.944.
As expected, all of our risk and risk management variables are significant. Risk 1,
Risk 2 and Risk 4 are positive and significant, consistent with hypothesis 1. Risk 3,
Risk 5 and Risk 6 are significant but negative. The three variables that are significant
and positive support our hypothesis that banks that are more sensitive to risks, are
more likely to employ higher percentage of RBIA. Moreover, NPL is positively and
significantly associated with RBIA, also supporting Hypothesis 1, this reflects that
banks with higher NPL levels appear to be more risk-based in internal auditing
activities so as to mitigate their higher agency costs. The use of RBIA is significantly
positively associated with the existence of a risk management committee. The finding
support Hypothesis 2 and suggests that banks with an integrated risk management
framework are more likely to have a higher percentage of RBIA.
Results for use of RBIA from internal control perspective are mixed. Hypotheses
3a is supported, with the results presenting a positive and significant association
between banks size and the use of RBIA (p0.05). Moreover, as expected, the
complexity of a bank is found to have a positive and significant (p0.01) relationship
with the level of RBIA employed (Hypothesis 3b). However, contrary to our
expectations, the hypothesized impact of whether the bank is a subsidiary of a
financial holding company (FHC) is not associated with the use of RBIA, and hence
Hypothesis 3c is not supported.
Results for the use of RBIA from corporate governance factors are substantially
supported. Board size (BODNR) is found to have a significant and negative
relationship with the level of RBIA employed, thus allowing us to accept Hypothesis
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
31/40
-27-
4. We observe that INSOWN is significant and positive, consistent with Hypothesis 5.
The result indicates a significant and negative association between NONEXD and the
degree of RBIA. This suggests that banks that have a lower proportion of
non-executive Directors have, on average, use higher percentage of RBIA. Finally,
TECHCOM is also found to have significant and positive coefficient with the degree
of RBIA used, supporting Hypothesis 7.
TABLE 4
Descriptive Statistics
Variable (N=24) Mean S.D. Minimum Maximum
Panel A: Continuous variables
RBIA 0.5833 0.2761 0.1000 0.9000
RISK 1 0.7708 0.0706 0.7500 1.0000
RISK 2 0.7292 0.1021 0.5000 1.0000
RISK 3 0.3958 0.2545 0.0000 1.0000
RISK 4 0.4558 0.2580 0.3300 1.0000
RISK 5 0.4563 0.2387 0.3300 1.0000
RISK 6 0.3750 0.3970 0.0000 1.0000
NPL 2.4938 2.2399 0.2400 10.8300
LNINTEST 15.4814 1.2443 13.0451 17.3089
FORBNH 0.0377 0.0712 0.0000 0.2727
BODNR 16.1667 3.7027 10.0000 23.0000
INSOWN 12.5313 27.2462 0.0000 100.0000
NONEXD 0.6591 0.1691 0.3800 0.9300
TECHCOM 2.7667 0.6767 2.0000 4.2000
Panel B: Dichotomous variables
Yes % No %
RMC 19 79.2 5 20.8
FHC 11 45.8 13 54.2
Notes: See Table 3 for variable definitions.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
32/40
- 28 -
TABLE 5
Factors of Domestic Banks Segmented by Degree of RBIA
All variables are defined in Table 3. Banks are partitioned on the 25th percentile and the 75th percentile of pro
30 percent), some RBIA (30 percentRBIA70 percent), and extensive RBIA (RBIA70 percent)). Thon the level of RBIA. Mean and medians are reported. The pairs ofp-values represent the t-tests of the differ
level of the Wilcoxon sign-rank test. P-values less than 0.10 are shown in boldface type.
Factors of Domestic Banks by Level of RBIA Values of D
Infrequent
(30%,N=8)
Some (between
30-70%,N=9)
Extensive
(70%,N=7)Infrequent vs.
SomeSome vs.
Mean Med. Mean Med. Mean Med.t-value
(p-value)
-statistic
(p-value)
t-value
(p-value)
Z
RBIA 0.25 0.30 0.63 0.70 0.90 0.90
RISK 1 0.78 0.75 0.78 0.75 0.75 0.750.083
(0.93)
-0.086
(0.93)
0.875
(0.40)
RISK 2 0.72 0.75 0.72 0.75 0.75 0.75-0.057
(0.96)
-0.130
(0.90)
-0.875
(0.40)
RISK 3 0.44 0.50 0.44 0.50 0.29 0.50-0.057
(0.96)
0.000
(1.00)
1.099
(0.29)
RISK 4 0.50 0.33 0.48 0.33 0.38 0.330.127
(0.90)
-0.131
(0.90)
0.914
(0.38)
RISK 5 0.54 0.33 0.48 0.33 0.33 0.33 0.448(0.66)
-0.340(0.73)
1.842(0.10)
RISK 6 0.44 0.50 0.22 0.00 0.50 0.501.138
(0.27)
-1.166
(0.24)
-1.438
(0.17)
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
33/40
- 29 -
TABLE 5
Factors of Domestic Banks Segmented by Degree of RBIA
Factors of Domestic Banks by Level of RBIA Values of D
Infrequent
(30%,N=8)
Some (between
30-70%,N=9)
Extensive
(70%,N=7)Infrequent vs.
SomeSome vs.
Mean Med. Mean Med. Mean Med.t-value
(p-value)
-statistic
(p-value)
t-value
(p-value)
Z
NPL 2.32 1.71 3.33 1.99 1.63 1.61-0.810
(0.43)
-0.770
(0.44)
1.369
(0.19)
LNINTEST 15.44 15.60 15.46 15.50 15.55 15.53-0.039
(0.97)
-0.096
(0.92)
-0.125
(0.90)
FORBNH 0.03 0.00 0.02 0.00 0.07 0.020.355
(0.73)
-0.450
(0.65)
-1.214
(0.24)
BODNR 16.50 16.00 17.56 18.00 14.00 13.00-0.604
(0.56)
-0.681
(0.50)
2.035
(0.06)
INSOWN 9.76 0.00 13.19 0.57 14.85 0.00-0.297
(0.77)-0.625
(0.53)
-0.107
(0.92)
NONEXD 0.67 0.74 0.52 0.50 0.82 0.822.193
(0.05)
-1.879
(0.06)
-6.859
(0.00)
TECHCOM 2.38 2.20 2.60 2.40 3.43 3.60-1.065
(0.30)
-0.851
(0.39)
-2.610
(0.02)
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
34/40
- 30 -
TABLE 6
Correlation Matrix
RBIA RISK1 RISK2 RISK3 RISK4 RISK5 RISK6 NPL LN-INTEST
FORBNH
Q11PRO
RISK1 -0.093 1.000
RISK2 0.141 0.063 1.000
RISK3 -0.304 -0.176 -0.087 1.000
RISK4 -0.071 0.250 0.104 0.096 1.000
RISK5 -0.343 0.276 0.113 0.226 0.209 1.000
RISK6 0.020 0.097 -0.335 0.081 0.160 -0.056 1.000
NPL -0.037 -0.146 -0.044 0.179 -0.221 -0.118 -0.116 1.000
LNINTEST 0.005 0.344 0.242 0.134 0.257 0.111 0.356 0.034 1.000
FORBNH 0.161 0.371 0.113 0.124 0.279 0.010 0.167 -0.338 0.209 1.000
BODNR -0.295 0.152 -0.048 -0.096 -0.207 -0.008 -0.177 0.082 -0.351 -0.313
INSOWN 0.092 -0.142 0.063 0.182 0.062 0.362 -0.265 -0.111 -0.300 0.375
NONEXD 0.235 -0.404 0.000 -0.171 -0.319 -0.259 0.051 0.014 -0.033 -0.085
TECHCOMP 0.546*** -0.212 -0.105 -0.349 -0.225 -0.299 0.356 -0.339 -0.191 -0.228
Notes:
*** Correlation is significant at the 0.01 level (two-tailed).
See Table 3 for variable definitions.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
35/40
- 31 -
TABLE 7
VIF Value
RISK1 RISK2 RISK3 RISK4 RISK5 RISK6 NPL
2.993 2.159 1.636 1.629 2.679 2.601 2.178
LNINTEST FORBNH BODNR INSOWN NONEXD TECHCOMP
4.335 4.521 2.094 4.120 1.993 3.215
TABLE 8
Results of Tobit Regression Analysis
Variable (N=24) Expectedsign
Coefficient S.E. z-Statistic Prob.*
C -1.188 0.210 -5.654 0.000
RISK1 + 0.535 0.181 2.959 0.003
RISK2 + 0.489 0.106 4.604 0.000
RISK3 + -0.147 0.037 -3.965 0.000
RISK4 + 0.116 0.037 3.185 0.001
RISK5 + -0.229 0.051 -4.517 0.000
RISK6 + -0.269 0.030 -8.968 0.000
NPL + 0.046 0.005 9.460 0.000
RMC + 0.330 0.025 13.172 0.000
LNINTEST + 0.026 0.012 2.073 0.038
FORBNH + 1.642 0.221 7.442 0.000
FHC + 0.005 0.031 0.154 0.878
BODNR ? -0.033 0.003 -11.318 0.000
INSOWN + 0.003 0.001 6.135 0.000
NONEXD + -0.308 0.062 -4.991 0.000
TECHCOM + 0.384 0.020 19.659 0.000
R2 0.983 Adjusted R
20.944
Log likelihood 46.129
Notes: *One-tail test where direction predicted, otherwise two-tail.See Table 3 for variable definitions
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
36/40
- 32 -
Chapter 6 Conclusion and Limitation
6.1 Conclusion
This study aims to investigate current use of RBIA by Taiwanese banks and to
explore factors associated with the adoption of RBIA by Taiwanese banking industry.
To understand banks demand of RBIA, this study examines whether the use of RBIA
varies with factors reflecting banks risk management, internal control, corporate
governance and internal auditors technical competence.
The models tested in this study find empirical support that banks use a relatively
high level of RBIA when disclose more information about financial risk management,
compliance risk management, technology risk management and have a higher ratio of
Non-Performing Loan. The results support H1 that the level of RBIA employed is
positively associated with the banks risk management. However, the results present
that the use of RBIA is negatively correlated with information disclosure about
environmental and safety risk management, internal process risk management, and
change management risk management.
Results support H2 that use of RBIA is positively correlated with the existence of
a risk management committee. This finding is consistent with findings from prior
empirical research investigation voluntary demand for internal auditing
(Goodwin-Stewart and Kent 2006). Results from the present study suggest that a
firms risk management framework is highly associated with the role of internal
auditing in the firm. Results for H3 are mixed. Our results indicate a significant
positive relationship between the level of RBIA used and Banks size, as well as the
complexity of the banks. However, no support was found for H3c that the use of
RBIA is positively correlated with a bank that is a subsidiary of a financial holding
company.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
37/40
- 33 -
The findings of this study indicate a significant negative correlation exists
between the level of RBIA employed by a bank and the board size. Our finding
suggests that a small board size seems to be more effective, and is more likely to use
RBIA, as a complementary mechanism. Contrary to our expectations, the percentage
of non-executive directors and supervisors on the board of directors is significant
negative associated with the use of RBIA, the finding indicates that the higher
percentage of independent directors and supervisors on the board presents better
corporate governance, hence may not employ higher percentage of RBIA for
monitoring of risk management, this result presents that the use of RBIA as substitute
mechanism. Finally, the result support the hypotheses that banks use a relatively high
level of RBIA when have a higher percentage of shareholdings held by institutional
shareholders and internal auditors technical competence are higher.
6.2 Limitation
The result of this study should be considered in light of two limitations. First, our
measure of dependent variable- the percentage of RBIA employed by the bank is
derived from questionnaire and subject to subjective judgments of each banks
executive internal auditor, and we rely on the accuracy of these responses. Second,
our sample is relatively small. However, this study surveys all of the 39 domestic
banks in Taiwan; the response rate is relatively high: 61.54% and non-response bias
tests indicate that there is no significant difference between the responding banks and
non-respondents. Future research might expand the sample and to test our hypothesis
in the entire finance industry.
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
38/40
- 34 -
REFERENCES
Beumer, H. 2006. A Risk- oriented Approach.Internal Auditor63 (1):72-76.
Carcello, J. V., D. R. Hermanson, and K. Raghunandan. 2005. Factors Associated with
U.S. Public Companies' Investment in Internal Auditing.Accounting Horizons
19 (2):69-84.
Carey, P., R. Simnett, and G. Tanewski. 2000. Voluntary Demand for Internal and
External Auditing by Family Businesses.Auditing 19 (1):37.
Carey, P., N. Subramaniam, and K. C. W. Ching. 2006. Internal audit outsourcing in
Australia.Accounting & Finance 46 (1):11-30.
Cebenoyan, A. S. Cooperman, E. S. Register, and C. A. 1999. Ownership structure,
charter value, and risk-taking behavior for thrifts. Financial Management28
(1):43-60.
Chen, H.-J. 2003. The Relationship Between Corporate Governance And Risk-Taking
Behavior in Taiwanese Banking Industry. Journal of Risk Management5
(3):363-391.
Dessalegn Getie, M., and Y. Aderajew Wondim. 2007. Internal audit effectiveness: an
Ethiopian public sector case study. Managerial Auditing Journal 22
(5):470-484.
Fraser, I., and W. Henry. 2007. Embedding risk management: structures and
approaches.Managerial Auditing Journal 22 (4):392 - 409.FRC. 2005. Internal Control: Revised Guidance for Directors on the Combined Code.
Financial Reporting Council, London London.
FSC. 2004. Status of Preparation for Implementation of New Basel Capital Accord
(Basel II). the Financial Supervisory Commission of the Executive Yuan
(http://www.banking.gov.tw/ct.asp?xItem=57716&ctNode=701&mp=7 and
http://www.banking.gov.tw/ct.asp?xItem=31509&ctNode=700&mp=7).
. 2007. Implementation Rules for Bank Internal Audit and Internal Control
System. Financial Supervisory Commission of the Executive Yuan.
Goodwin-Stewart, J., and P. Kent. 2006. The use of internal audit by Australian
companies.Managerial Auditing Journal 21 (1):81-101.
Griffiths, D. M. 2006. Risk Based Internal Auditing- An Introduction.
Haniffa, R., and M. Hudaib. 2006. Corporate Governance Structure and Performance
of Malaysian Listed Companies. Journal of Business Finance & Accounting
33 (7-8):1034-1062.
Hay, D., and W. R. Knechel. 2004. Evidence on the Association among Elements of
Control and External Assurance. Working Paper (University of Auckland).
IIA. 2003. Risk Based Internal Auditing, Position Statement. The Institute of Internal
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
39/40
- 35 -
Auditors UK and IrelandLondon.
. 2004a. The Professional Practices Framework. The Institute of Internal
Auditors.
. 2004b. The Role of Internal Auditing in Enterprise-wide Risk Management,
Position Statement.Institute of Internal Auditors UK and IrelandLondon.
. 2005. Review of the Turnbull guidance on internal control proposals for
updating the guidance consultation paper, September. Institute of Internal
Auditors UK and IrelandLondon.
IIARF. 2003. Research Opportunities in Internal Auditing. Institute of Internal
Auditors Research Foundation Altamonte Springs, FL: IIARF.
Jenny, G. 2004. A comparison of internal audit in the private and public sectors.
Managerial Auditing Journal 19 (5):640 - 650.
Katz, E. M. 1998. Risk-based supervision, internal controls, and the internal audit
function. Bank Accounting & Finance (Euromoney Publications PLC) 11
(4):49.
Kippenberger. 1999. Internal audit and governance: the shift from control to risk. The
Antidote 4 (3):6 - 7.
Knechel, W. R., and M. Willekens. 2006. The Role of Risk Management and
Governance in Determining Audit Demand. Journal of Business Finance &
Accounting 33 (9-10):1344-1367.
Martin, C. L., M. K. Lavine, C. R. Baker, and J. J. O'Leary. 2000. Outsourcing theInternal Audit Function. CPA Journal 70 (2):58.
McCool, T. J. 2000. Risk-Focused Bank Examinations: Regulators of Large Banking
Organizations Face Challenges: GGD-00-48. In GAO Reports: U.S.
Government Accountability Office, 1.
Pound, J. 1988. Proxy Contests and the Efficiency of Shareholder Oversight.Journal
of Financial Economics January/March:237-265.
Ross, S. A. 1989. Institutional Markets, Financial Markets, and Financial Innovation.
Journal of Finance July:541-556.
Sarens, G., and I. De Beelde. 2006. Internal auditors' perception about their role in risk
management: A comparison between US and Belgian companies.Managerial
Auditing Journal 21 (1):63-80.
Spekle, R. F., H. J. van Elten, and A.-M. Kruis. 2007. Sourcing of internal auditing:
An empirical study.Management Accounting Research 18 (1):102-124.
Spira, L. F., and M. Page. 2003. Risk management: The reinvention of internal control
and the changing role of internal audit.Accounting, Auditing & Accountability
Journal 16 (4):640-661.
Tufano, P. 1996. Who Manages Risk? An Empirical Examination of Risk
-
8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming
40/40
Management Practices in the Gold Mining Industry. Journal of Finance 51
(4):1097-1137.
Walker, P. L., W. G. Shenkir, and T. L. Barton. 2003. ERM in practice. Internal
Auditor60 (4):51.
Zeckhauser, R. J., and J. Pound. 1990. Are Large Shareholders Effective Monitors?
An Investigation of Share Ownership and Corporate Performance. in R.G.
Hubbard, Ed., Asymmetric Information Corporate Finance, and Investment
(Chicago, IL, University of Chicago Press):149-180.