Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming

8/3/2019 Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming

1/40

Risk Based Internal Auditing in Taiwanese Banking Industry

Yung-Ming Shiu

Assistant Professor

Department of Business Administration,

National Cheng Kung University, Taiwan

Email: [email protected]

Mei-Lan Yeh

Department of Business Administration,

National Cheng Kung University, Taiwan

Email: [email protected]

Date: 25 June 2008


2/40

i

CONTENTS

CHAPTER 1 INTRODUCTION 1

1.1 RESEARCH BACKGROUND AND MOTIVATIONS 1

1.2 PURPOSE OF RESEARCH AND FINDINGS 2

1.3 STRUCTURE OF THIS STUDY 3

CHAPTER 2 CURRENT USE OF RBIA IN TAIWANESE BANKING

INDUSTRY.................................................. 4

CHAPTER 3 LITERATURE REVIEW AND HYPOTHESIS

DEVELOPMENT....................................................................... 10

3.1 RISK MANAGEMENT 11

3.2 INTERNAL CONTROL 12

3.3 CORPORATE GOVERNANCE 13

3.4 TECHNICAL COMPETENCE 15

CHAPTER 4 METHOD..................................................................... 17

4.1 DATA COLLECTION AND SAMPLE 17

4.2 NON-RESPONSE BIAS 17

4.3 MEASUREMENT OF VARIABLES 18

4.4 MODEL 20

CHAPTER 5 RESULTS.................................................................. 24

5.1 DESCRIPTIVE STATISTICS 24

5.2 UNIVARIATE RESULTS 24

5.3 ASSUMPTION TEST RESULTS 25

5.4 REGRESSION RESULTS 26

CHAPTER 6 CONCLUSION AND LIMITATION.................................... 32

6.1 CONCLUSION 32

6.2 LIMITATION 33

REFERENCE.................................................................. 34


3/40

ii

TABLES

TABLE 1 RESULTS OF LEVENES TEST AND INDEPENDENT SAMPLE T

TEST 22

TABLE 2 COMPOSITION AND RELIABILITY OF VARIABLES 22

TABLE 3 DEFINITION OF VARIABLES USED IN THE MODEL 23

TABLE 4 DESCRIPTIVE STATISTICS 27

TABLE 5 FACTORS OF DOMESTIC BANKS SEGMENTED BY DEGREE OF

RBIA 28

TABLE 6 CORRELATION MATRIX 30

TABLE 7 VIF VALUE 31

TABLE 8 RESULTS OF TOBIT REGRESSION ANALYSIS 31


4/40

iii

FIGURES

FIGURE 1 USE OF RBIA BY BANKS 4

FIGURE 2 COMPLETENESS AND CORRECTNESS OF THE CONTENT OF

RISK REGISTER 5

FIGURE 3 DEFINITION OF RBIA ACTIVITY IN AUDIT CHARTER 6

FIGURE 4 PROPORTION OF AUDIT PLAN THAT IS RISK-BASED 7

FIGURE 5 ALLOCATION OF INTERNAL AUDIT RESOURCES 7

FIGURE 6 INTERNAL AUDITS EVALUATION BASED ON RISK

ASSESSMENT 8

FIGURE 7 FREQUENCY OF REPORTING TO THE BOARD OF

DIRECTORS 8

FIGURE 8 BANKS CONCERN ABOUT EXECUTING RBIA 9


5/40

-1-

Chapter 1 Introduction

1.1Research Background and MotivationsRecent corporate collapses and financial scandals have provoked world-wide

concern with corporate governance highlighted apparent failures of accountability

(Spira and Page 2003), and subsequent new laws, regulations in response to them (the

Sarbanes-Oxley Act, 2002 and SEC rules) provide compelling evidence that internal

auditing, serves as part of sound corporate governance framework (Spira and Page

2003), matters and is important. More recently, various releases by the Institute of

Internal Auditors (IIA)-UK and Ireland Position Statement on Risk Based Internal

Auditing(hereunder refers to RBIA) (IIA 2003) and the Standards for the

Professional Practice of Internal Auditing (IIA, 2004) reveal the focal point of internal

auditing and the role of this function in organizations has moved from traditional

control and compliance orientation to a more risk-based focus (Kippenberger 1999;

Walker et al. 2003;IIA, 2003).

This is consistent with Turnbulls broader approach to internal control as

Turnbull has stated that directors shall adopt a risk-based approach to establish a

sound system of internal control and reviewing its effectiveness, and to incorporate

risk management and internal control by the company within its normal management

and governance processes (FRC 2005).

In recent years, banking regulators have changed their examination techniques

by placing emphasis on an institutions internal control system and on the way it

manages and controls its risks (McCool 2000). In conjunction with the

implementation of the New Basel Capital Accord (NBCA), known as Basel II, of

which the main goal is to reinforce the risk management system within the banking

industry, the Financial Supervisory Commission of the Executive Yuan (the FSC) in


6/40

-2-

Taiwan has pushed the regulatory authority to build up a risk-based supervisory

system and amend related laws and regulations where banks are mandated to conduct

more public disclosure of qualitative and quantitative information for finance,

business, corporate governance and risk management operation (FSC 2004). The FSC

further urges banks to set up a well-arranged risk management mechanism, such as

internal control system, risk management mechanism and internal audit function that

are mandated by the law Enforcement Regulations for Bank Internal Audit Control

System. Furthermore, the risk management strategies and execution quality of the

bank will be the focal point of supervision in the future, and face check and balance

imposed by market functions.

An effective risk management by banks and effective risk-based supervision by

regulators are highly dependent both on the implementation of adequate internal

control systems and on the competence of internal audit staffs (Katz 1998). In Taiwan,

banks operate in an institutional environment where internal auditing is a statutory

requirement1. Despite all of the recent attention focused on RBIA, research on the

existence or extent of this sector in general in corporations has been scant. Therefore,

the purpose of this study aims to investigate the current use of RBIA by Taiwanese

banking industry and to identify factors associate with the demand of RBIA among

banks.

1.2 Purpose of Research and Findings

This study explores factors associate with Taiwanese banks demand of RBIA

from perspectives of risk management, internal control, corporate governance and

internal auditors technical competence. Using data from a survey of domestic banks

1

Implementation Rules for Bank Internal Audit and Internal Control System, 2007 modified;Regulations Governing the Implementation of internal control and Audit Systems by Holding

Companies, 2005 modified.


7/40

-3-

together with information from corporate annual reports, we find support that the

degree of RBIA used by banks is associated with information disclosures about

financial, compliance, health and safety, technology, internal process and change

management risk management; the existence of a risk management committee; ratio

of Non-Performing Loan; the banks size and complexity; board size; proportion of

independent board members; the level of shareholdings held by institutional

shareholders; and internal auditors technical competence.

1.3 Structure of This Study

The paper is structured as follows. The next section discusses current use of

RBIA in Taiwanese Banking Industry. The third section describes a literature review

and the hypothesis development. Subsequent sections present the method and results.

The final section provides discussion, conclusions and limitations of the study, and

also suggestions for future research.


8/40

-4-

Chapter 2 Current Use of RBIA in Taiwanese Banking Industry

A survey is designed to gather information on the current use of RBIA in banking

industry. The questionnaire is developed based on the Standards for the Professional

Practice of Internal Auditing (IIA 2004a) and the Implementation Rules for Bank

Internal Audit and Internal Control System (FSC 2007), and includes four parts: part

one asked about current status of the banks risk management; part two requests for

the definition of RBIA activity in audit charter and technical competence of internal

auditors; part three investigates the performance of RBIA in related to audit planning,

nature of work and communication; and part four inquire about basic information of

the banks. Our sample consists of all of the 39 domestic banks, and of the 39 surveys

mailed, 24 completed responses were returned for a response rate of 61.54%.

Of the 24 survey responses, 13 (54.1%) of the banks report that more than 60%

of their internal audit activities are risk oriented. As Figure 1 illustrates, we find that 8

of 24 (33.3%) respondents indicating that they use a relatively high level of RBIA,

about 61%-80%, while 6 (25%) of the banks report that about 21%-40% of their

internal audit work are risk-based.

FIGURE 1

0% 5% 10% 15% 20% 25% 30% 35%

Percentage of Responding Banks

0-20%

21%-40%

41%-60%

61%-80%81%-100%

PercentageofRBIA

Used

Use of RBIA by Banks


9/40

-5-

The effectiveness of RBIA derives from a reliable risk register, also a complete

risk register will be available for audit planning (Griffiths 2006). Question 1 and 2

asked each bank to identify the completeness and the correctness of the content of its

risk register. Of all the 24 responses, there is one missing data on these two questions.

As illustrated by Figure 2, a significant percentage reported a complete and correct of

the risk register, notably 3 (13%) of the banks reported no risk register.

FIGURE 2

0% 10% 20% 30% 40% 50%

Percentage of Responding Banks

No Risk Register

General

Complete/Correct

Most Complete/Correct

Completeness and Correctness of the Content of Risk register

Completeness Correctness

As regulated by the Standards for the Professional Practice of Internal Auditing,

the purpose, authority, and responsibility of the internal audit activity should be

formally defined in a charter (IIA 2004a). To get an indication of how clearly RBIA

activities are defined, banks were asked whether it is been clearly defined in the audit

charter or work manual that internal auditor should audit and assure the adequacy and

effectiveness of risk management and control system in Question 5. As shown in

Figure 3, a large majority of banks (70%) reported RBIA activities are been clearly

defined in the audit charter, while only 1 bank reported no definition of any RBIA

activities in audit charter or work manual.


10/40

-6-

FIGURE 3

0% 10% 20% 30% 40% 50% 60% 70% 80%

Percentage of Responding Bank

Not Defined

General

Clear

Very Clear

Definition of RBIA Activity in Audit Charter

To see the extent of audit activities that are risk-based, we asked banks a series of

questions concerning audit planning. Question 8.2 asked respondents the proportion

of Engagement plan that are based on annual risk assessment. Except 3 missing data,

approximately 12 of 21 (57.1%) respondents expressing that less than 40% of

Engagement plan are based on annual risk assessment. We also inquired about the

proportion of annual audit plan that is based on each business units risk character and

that the priority of audit activities is determined on risk assessment in Question 8.3

and 8.4. As Figure 4 demonstrates, the percentage drops to about 50% for

approximately 61%-100% of annual audit plan to each business unit that is risk-based,

while 42% of banks indicated less than 40% of annual audit plan that is risk-based.

The annual audit plan on the priority of audit activities shows the same outcome, with

50% and 38% respectively for about 61%-100% and less than 40%.

Question 9.5 asked banks to rank the allocation of internal audit resources on

each of audit activities. Figure 5 presents the percentage of responding banks that

expressed none, a few, few, regular, many, great many about each audit activities. A

great many of internal audit resources were allocated to internal control audit, with

92% of responding banks expressing many to great many of audit resources.


11/40

-7-

FIGURE 4

0%

5%

10%

15%

20%

25%

30%35%

40%

Percentageof

RespondingBank

s

0-20% 21%-40% 41%-60% 61%-80% 81%-100%

Proportion of Audit Plan

Proportion of Audit Plan that is Risk-based

Engagement

Business Unit

Audit Priority

Financial, operational and information system audits are also audit activities that

have been allocated of most audit resources for the respondents, with 54%, 55% and

51%, respectively, indicating many to great many audit resources. Risk management

and special projects and others audits are the next two audit activities, with 46% and

41%, respectively, expressing many to great many of resources for each activity. The

activity of least allocation is corporate governance audit, where only 34% of

responding banks that allocate many to great many of audit resources.

FIGURE 5

4%8%

33%

46%

8%

0%0%8%

63 %

29 %

4%8%

38 %

25 %

21 %

4%8%

33%

38%

17%

0%0%

50%

38%

13%

4%

17%

42%

21%

13%

8%

8%

42%

33%

8%

0%

20%

40%

60%

80%

100%

Pcao

Rep

n

Ba

Financial Internal

Controls

Risk Mgt. Operational Info rmation

system

Corporate

Governance

Special

Projects and

Others

Allocation of Internal Audit Resources

None A Few Few Regular Many Great Many


12/40

-8-

RBIA is all about providing an opinion on whether risks are being properly

managed (IIA 2003; Griffiths 2006). Question 9.4 asked banks to indicate how

frequency internal auditors would evaluate the adequacy and effectiveness of control

of following issues based on results of risk assessment. As Figure 6 presented, most of

banks evaluation on the issues always based on risk assessment results.

FIGURE 6

0%

20%

40%

60%

80%

Percentageof

RespondingBanks

Rarely Regular Sometimes Always

Internal Audit's Evaluation based on Risk Assessment Reliability andIntegrity of Financial

and Operational

Information

Effectiveness andEfficiency of

Operations

Safeguarding of

Assets

Compliances with

Laws, Regulations

and Contracts

The frequency that chief internal auditor is reported to the board of directors has

important impacts on RBIA. Question 10.2 asked banks the frequency chief internal

auditor is reported to the board of directors regarding banks significant risk exposures

and controls. Figure 7 presented that a large majority of banks (88%) responded

regular to frequently report to the board of directors.

FIGURE 7

0%

10%

20%

30%

40%

50%

Percentageof

RespondingBanks

None Seldom Regular Frequently

Frequency of Reporting to the Board of Directors


13/40

-9-

Question 13 asked responding banks to specify their concerns regarding RBIA

usage. As shown in Figure 8, the greatest concern is lack of proper tool to identify

risks, with 14 of 24 responding banks. Lack of experience is the next greatest concern

to the banks, with 12 of banks. Lack of relevant principles or guidelines is also issue

of some concern for the respondents, with 7 responding banks. The item of least

concern is lack of relevant knowledge. Other concern specify by the responding banks

is the difficulty of present risk-based concept to internal auditors.

FIGURE 8

0

2

4

6

8

10

12

14

Numberof

RespondingBanks

Lack ofrelevant

Knowledge

Lack ofExperience

Lack ofProper Tool

to Identify

Risks

Lack ofRelevant

Principles or

Guidelines

Others

Banks' Concern About Executing RBIA


14/40

-10-

Chapter 3 Literature Review and Hypothesis Development

In 1999, the Institute of Internal Auditors (IIA) promulgated a new

definition of internal auditing which identifying an assurance and consulting role for

internal audit, highlighting the changing focus and the expansion scope of internal

auditing into risk management, corporate governance, and adding value2

(The IIA,

2004;Walker et al. 2003; Jenny 2004). The new definition emphasize that internal

audit function can add value to the organization in terms of risk management and

corporate governance, and RBIA is an approach that can help to meet these

requirements (IIA 2003). This approach is consistent with Turnbulls broader

approach to internal control as Turnbull implies that high level, risk-based internal

audit functions are a sine qua non (Fraser and Henry 2007).

Empirical research has investigated the existence or extent of internal auditing

from risk or governance perspectives. Goodwin-Stewart and Kent (2006) use an

agency framework to explore firm characteristics associated with the existence of

internal audit function from risk management, control and governance perspectives.

He argues that internal auditing is either to be a complementary or substitution

mechanism aligns with other risk management and governance mechanisms, and that

survey evidence indicates a significant association between the use of internal

auditing and a commitment to strong risk management and firm size, however, the

results reveal a mixed support for the corporate governance factors.

Using an agency cost framework, Carey, et al.(2000) examined demand for both

internal and external auditing by family business with two agency proxies which are:

2 In 1999, the Institute of Internal Auditors (IIA) approved the new definition of internal auditing as:

an independent, objective assurance and consulting activity designed to add value and improve an

organizations operations. It helps an organization accomplish its objectives by bringing a systematic,disciplined approach to evaluate and improve the effectiveness of risk management, control, and

governance process.


15/40

-11-

(1) the proportion of nonfamily management, and (2) the proportion of nonfamily

representation on the board of directors. They found that the two agency cost proxies

are associated with demand for external audit, but do not explain the demand for

internal audit. Carcello, et al. (2005) examines factors associated with U.S. public

companies investment in internal auditing, and the result indicates that total internal

audit budgets (in-house plus outsourced portions) are related to factors associated

with company risk, e.g. company size, complexity and leverage.

3.1 Risk Management

The separation of ownership and management functions and the presence of

information asymmetry introduce the possibility of principal-agent conflicts (Haniffa

and Hudaib 2006), it also incurs risks to stakeholders in the organization

(management, shareholders, creditors, etc.) (Spira and Page 2003). Those agency

conflicts, agency costs and risks are now managed within the corporate governance

framework through accountability mechanisms, such as internal control and audit.

(Haniffa and Hudaib 2006; Spira and Page 2003). Stakeholders now compete to

participate in corporate governance to seek power in organizations by asserting their

own conceptions of risk and how it should be managed, and a focus on risk

management has become central to this competition since it defines the accountability

of the management of the organization (Spira and Page 2003). This is consistent with

Hay and Knechels (2004) argument that the demand for auditing is a function of the

set of risks faced by individual stakeholders in an organization and the set of control

mechanisms available for mitigating those risks. Therefore, internal auditing's risk

management orientation has given the audit function increased credibility across the

enterprise and greater acceptance by management (Beumer 2006). Drawing from the

preceding discussion, the following hypothesis is therefore proposed:


16/40

-12-

H1: The use of RBIA is positively associated with the level of risk confronting

with the stakeholders.

The objective of RBIA is to provide independent assurance to the board that

there is a sound of risk management framework within the organization, and risks that

may affect the organisations business objectives and strategies are been identified,

managed and reduced to a level that is acceptable to the board (IIA 2003) . One

indication of risk management framework is the existence of a separate committee or

group, comprised of directors and managers (Goodwin-Stewart and Kent 2006) to

develop risk management development policy. The preceding discussion is reflected

in following hypothesis:

H2: The use of RBIA is positively associated with the existence of a risk

management committee.

3.2 Internal Control

As organizations grow in size and complexity, effective risk management

becomes increasingly problematic (Fraser and Henry 2007). Previous study for

demand of internal auditing linked to the cost vs. benefit from undertaking monitoring

(Carcello et al. 2005; Goodwin-Stewart and Kent 2006). Carcello, et al. (2005) asserts

that increased organizational complexity would result in greater risk and companies

facing higher risk will increase their organizational monitoring. In addition, from

transaction cost perspective, larger firms have opportunities to gain economies of

scale from investment in the fixed costs of internal auditing (Carey et al. 2000; Carey

et al. 2006). From preceding discussion, the following hypotheses are therefore

proposed:

H3a: The use of RBIA is positively associated with a banks size.

H3b: The use of RBIA is positively associated with the complexity of a bank.


17/40

-13-

Recently, Taiwanese authorities have urged for financial reforms, many domestic

banks are merged into one large financial holding company. Based on preceding

discussion, we would expect that as the financial holding company is larger in size

and more complicated, it would be more likely to use RBIA and request its subsidiary

to use RBIA for monitoring of risk management. Therefore, this study tests whether

domestic banks that are a subsidiary of financial holding companies are more likely to

use RBIA. The preceding discussion is reflected in following hypothesis:

H3c: The use of RBIA is positively associated with a bank that is a subsidiary of

a financial holding company.

3.3 Corporate Governance

IIA (2005) in their submission to the Turnbull Review Group, requested that

boards should be responsible for determining acceptable risks and for managing them.

While board members have ultimate responsibility for risk management and internal

control, they require assurance that risks throughout the organization have been

identified, assessed and managed (Fraser and Henry 2007). Hence, internal auditings

risk-based orientation would be a key component for such assurance. Haniffa and

Hudaib (2006) indicates that board size affects the extent of monitoring and

controlling. As a small board may be seen to be more effective, we would expect a

higher percentage of RBIA may be used. However, as bigger boards seems to be more

symbolic rather than being a part of the management process (Hermalin and Weisbach,

2000; Haniffa and Hudaib 2006; Chen 2003), they would require internal audit

activities to be more risk orientation, as a substitute mechanism. From preceding

discussion, we test whether the use of RBIA is associated with board size, but do not

predict a direction:

H4: The use of RBIA is significantly associated with the board size.


18/40

-14-

In banking industry, information asymmetry problem is relatively higher among

external bank stockholders, including institutional investors as they have little control

over bank managers (Zeckhauser and Pound 1990; Ross 1989). Meanwhile, Pound

(1988) and Cebenoyan et al. (1999) suggest that because of contractual clauses

specifying what types of investments institutional investors must hold, they have less

ability to diversify risks and stronger incentives to monitor individual investments.

Therefore, we would expect that when institutional investors shareholdings are

proportionately higher, they will be more likely to ensure that internal auditing

focuses its resources on the banks business and strategic risks. The preceding

discussion is reflected in following hypothesis:

H5: The use of RBIA is positively associated with the level of shareholdings held

by institutional shareholders.

Internal auditing plays an important role in organizational governance by

monitoring organizational risks and assessing controls (IIARF 2003). Previous study

argues that internal audit is a substitute mechanism for monitoring by directors

(Anderson et al.1993), however, Goodwin-Stewart and Kent (2006) argues that

information asymmetry problems exist between executive and independent directors,

internal auditing is more likely to be a complementary mechanism among other

corporate governance mechanism. Since independent directors lack of day-to-day

business involvement, they may not have enough information, moreover, they also

may concern about his or her personal exposure if management commits fraud or

some other scandal erupts related to the organization (i.e., reputation risk) (Knechel

and Willekens 2006). Internal auditings risk-based orientation would be a key

component for such information risk assurance. The preceding discussion is reflected

in following hypothesis:

H6: The use of RBIA is positively associated with the proportion of independent


19/40

-15-

board members on the board of directors3.

3.4 Technical Competence

The IIAs standard 1210 on proficiency of the auditor requires that the internal

auditors possess the knowledge, skills and other competencies needed to perform their

responsibilities (IIA 2004a; Dessalegn Getie and Aderajew Wondim 2007).

Internal auditors are potentially important providers of independent evaluations

of the organizations risk management and internal control system (assurance),

eventually combined with more practice-oriented management assistance (consulting)

in this area (Sarens and De Beelde 2006). Following Turnbull and Position Statement

(IIA 2004b), internal auditors are being expected to be increasingly prominent in

ERM but concerns have been expressed about expertise (Fraser and Henry 2007).

This new role has led internal auditors to internal expertise that requires different

technical competence and in-depth understanding of risk that some internal audit may

not possess, for example, the appropriate qualifications and experience; including the

necessary specialized skills (e.g. risk management and system design), industry

specializations as industry-specific factors influenced the risk appetite of the business

and technological expertise (Spira and Page 2003; Spekle et al. 2007; Carey et al.

2006; Fraser and Henry 2007). This situation could have potentially serious

consequences as an internal audit function which has been allocated a prominent role

in the assessment of the appropriateness of risk management but which lacks the

necessary expertise could be a weak link in the risk management chain (Fraser and

Henry 2007).

Over the last decade, the cost of finding, recruiting and keeping appropriately

qualified staff has become increasingly more difficult and expensive (Martin et al.

3 In Taiwan, members of the board of directors contain directors and supervisors.


20/40

-16-

2000). In terms of cost-benefit perspective, the organizations economic

principle/agent seeks to adopt governance structures that match their control needs in

a cost-effective way, thus may consider the benefits and drawbacks of adopting RBIA

while lacking of technical competence internal auditors. Consequently, the propensity

for banks to use RBIA is more likely to be high when internal auditors are

technologically competent in this area. Based on the preceding discussion, the

following hypothesis is therefore proposed:

H7: The use of RBIA is positively associated with the internal auditors technical

competence.


21/40

-17-

Chapter 4 Method

4.1 Data Collection and Sample

The present study combined data collected from the corporate annual report and

a survey of domestic banks. Data that are extracted from the banks annual report

contains information regarding the disclosures of the banks risk management,

corporate governance structure and ownership of shareholdings, based on fiscal year

ends from 1 January 2006 to 31 December 2006. A survey was developed to gather

information on the degree of RBIA employed by the bank, the existence of risk

management committee and internal auditors technical competence.

As the questionnaires were to be sent out via mail, initial versions were drafted

and tested by three non-specialists to eliminate misunderstanding due to wording and

technical terms. After the initial alteration, a further test was conducted by two

specialists. With minor modifications, the final questionnaire was mailed to chief

internal auditors in January, 2008, with a letter explaining the purpose of the survey

and assuring that the response would be treated in a strictly confidential manner. A

reminder phone call was made two weeks later.

The population from which our sample is drawn consists of all of the 39

domestic banks that are under operation and regulated by the Financial Supervisory

Commission of the Executive Yuan. Of the 39 surveys mailed, 24 responses were

received, generating a response rate of 61.54 per cent. Of all the 24 responses, there

were no unusable responses; hence, the final usable response rate was also 61.54 per

cent.

4.2 Non-response Bias

To assess whether non-respondents (n=15) differed significantly from usable

responding banks (n=24), the present paper compared the scores of responding banks


22/40

-18-

on total assets and net income before tax to those of the non-respondents. We use

Levenes test and Independent Sample T test to examine the Homogeneity of

variances and Equality of Means, respectively. The results indicate that there were no

significant differences between the two groups on these variables. Thus, there have no

indications of non-response bias (see table 1 for further details).

4.3 Measurement of Variables

The dependent variable is the percentage of RBIA employed by the bank (RBIA).

This variable is derived from a single question: percentage of internal audit activities

that are considered to be risk-based.

The independent variables used in the analyses are summarized in Table 3 and

explained below:

Risk ManagementPrevious research has used a set of risk and risk management measures that

reflect the organizations own assessment of risk and risk management efforts. This

study adopts the same risk measures to Knechel and Willekens (2006) where six areas

of risk and related risk management practice are measured. We use annual report to

evaluate risk management information disclosed by the bank to compute the six

separate risk management measures. Each risk management measure is computed on a

five-item scale where one point is added for disclose each of the five information

regarding a specific area of risk and risk management. As no companies scored the

maximum score (5) on each risk variable, each risk measure is scaled by its own

maximum score actually observed, e.g. a company with a score of three for a measure

where the maximum observed value across all companies was four was scaled to 0.75.

The six separate risk management measures are as following:

RISK 1 A score from 1 to 5, scaled by the maximum value in the sample, reflecting


23/40

-19-

the extent of disclosures aboutfinancial risk and risk management.


the extent of disclosures about compliance risk and risk management.


the extent of disclosures about environmental and safety risk and risk

management.


the extent of disclosures about technology risk and risk management.


the extent of disclosures about internal process risk and risk management.


the extent of disclosures about change management risk and risk

management.

In addition, since financial characteristics reflect company risk and ability to pay

for monitoring, company in weak financial condition would try to mitigate their

heightened risk through enhanced monitoring by internal audit (Carcello et al. 2005).

Consequently, we include the following financial proxy in the analysis that is most

concerned in banking industry:

NPL Ratio of Non-Performing Loan.

One additional variable is included in the model based on the hypothesis:

RMC Dummy variable = 1 if the bank has a risk management committee, zero

otherwise.

Internal ControlLNINTEST Natural log of net interest revenue.

FORBNH Foreign branches divided by total branches (if there are no foreign

branches, this variable equals 0).


24/40

-20-

FHC Dummy variable =1 if the bank is a subsidiary of financial holding

company; zero otherwise.

Corporate GovernmentBODNR Total number of members on the Board of Directors

4.

INSOWN Percentage of shareholdings held by institutional shareholders.

NONEXD Percentage of non-executive directors and supervisors on the board of

directors

Technical CompetenceThe questionnaire contains 7 items that were measured on a five-point scale, and

designed to acquire different aspects of technical competence of the internal auditors

(Q7.1~Q7.7). Confirmatory factor analysis conveys that five of these items load on a

single factor. Therefore, we combine these items by calculating the mean of the five

items to obtain a single score for technical competence (see table 2 for further details).

The correlations of the other two items with the factor were too low and we dropped

these items from the analysis. The Cronbachs alpha coefficient for TECHCOM is

0.836.

TECHCOM A score measured by computing the mean of five questionnaires,

representing the extent of technical competence of internal auditors in

the internal audit department.

4.4 Model

We use a Tobit model in our analyses, which is a regression technique suited to

analyse limited (censored) dependent variables (Tufano 1996; Spekle et al. 2007):

RBIA= bo + b1RISK1 + b2RISK2 + b3RISK3 + b4RISK4 + b5RISK5 +

b6RISK6 + b7NPL+ b8RMC + b9LNINTEST + b10FORBNH +

4 In Taiwan, members of the board of directors contain directors and supervisors ; therefore, this paper

investigates the proportion of non-executive directors and supervisors


25/40

-21-

b11FHC + b12BODNR + b13INSOWN + b14NONEXD +

b15TECHCOM + e

Where:

RBIA Percentage of RBIA employed by the bank

RISK 1 The extent of disclosures about financial risk and risk

management

RISK 2 The extent of disclosures about compliance risk and risk

management

RISK 3 The extent of disclosures about environmental and safety

risk and risk management

RISK 4 The extent of disclosures about technology risk and riskmanagement

RISK 5 The extent of disclosures about internal process risk and

risk management

RISK 6 The extent of disclosures about change management risk

and risk management

NPL Ratio of Non-Performing Loan

RMC Dummy variable = 1 if the bank has a risk management

committee, zero otherwise

LNINTEST Natural log of net interest revenue

FORBNH Percentage of foreign branches on total branches

FHC Dummy variable =1 if the bank is a subsidiary of a financial

holding company; zero otherwise

BODNR Total number of members on the Board of Directors

INSOWN Percentage of shareholdings held by institutional

shareholders

NONEXD Percentage of non-executive directors and supervisors on

the board of directors

TECHCOM A score measured by computing the mean of five

questionnaires, representing the extent of technical

competence of internal auditors in the internal audit

department

Since tobit regression is used to test the hypotheses, assumptions of

multicollinearity, independence of error terms and heteroskedasicity are also tested.


26/40

-22-

The Pearson Correlation Matrix and Variance Inflation Factor (VIF) are used to test

the multicollinearity assumption, while an analysis of residuals and the plots of the

studentised residuals against predicted values are conducted to test for independence

of error terms and heteroskedasicity.

TABLE 1

Results of Levenes Test and Independent Sample T Test

Levenes Test Independent Sample T Test

Variables F-statistics p-value t-value p-value

Assets 6.562 0.015* -1.164 0.258

Net Income before Tax 0.180 0.673 -1.480 0.147

Note: Significant at the 0.05 level.

TABLE 2

Composition and Reliability of Variables

ItemsComponent

Loading

Understanding of COSOs ERM (Q7.1) Understanding of risk management framework that are

established for Basel II (Q7.2)

knowledge of information technology risk and controls (Q7.3) proportion auditing related certificates holders (Q7.6)

proportion of risk management related certificates holders (Q7.7)Cronbachs alpha: 0.836.

0.900

0.859

0.779

0.925

0.921


27/40

-23-

TABLE 3

Definition of Variables Used in the Model

Variables Definition Expected sign

Dependent Variable

RBIA Percentage of internal audit activities that are

considered to be risk-based.

Independent Variables

Risk Management Variables

Risk 1 A score from 1 to 5, scaled by the maximum value in

the sample, reflecting the extent of disclosures about

financial risk and risk management.

+



compliance risk and risk management.

+



environmental and safety risk and risk management.

+



technology risk and risk management.

+



internal process risk and risk management.

+



change managementrisk and risk management.

+

NPL Ratio of Non-Performing Loan. +

RMC Dummy variable = 1 if the bank has a risk

management committee, zero otherwise.

+

Internal Control Variables

LNINTEST Natural log of net interest revenue +

FORBNH Percentage of foreign branches on total branches +

FHC Dummy variable =1 if the bank is a subsidiary of a

financial holding company; zero otherwise.

+

Corporate Governance Variables

BODNR Total number of members on the Board of Directors. ?

INSOWN Percentage of shareholdings held by institutional

shareholders.

+

NONEXD Percentage of non-executive directors and

supervisors on the board of directors.

+

Technical Competence Variable

TECHCOM A score measured by computing the mean of five

questionnaires, representing the extent of technical

competence of internal auditors in the internal auditdepartment.

+


28/40

-24-

Chapter 5 Results

5.1 Descriptive Statistics

Table 4 presents descriptive statistics for the dependent and independent

variables in the model. Start from independent variable in Panel A, the 24 responding

samples have conducted moderate RBIA, with a mean RBIA about 0.5833 reflecting

58.33% of internal auditing activities are risk-oriented. The risk management

disclosure scores could be divided into two groups. Standardized risk management

scores 0.7708 and 0.7292 for financial risk management and compliance risk

management respectively, comparatively higher than that for the rest of four risk

management, ranging from 0.375 for change management risk management to 0.4563

for internal process risk management. The percentage of foreign branches on total

branches ranges from 0 to 0.2727, with a mean of 0.0377. For corporate government

variables, Panel A indicates that, on average, 12.5313 per cent of shareholdings held

by institutional shareholders. Technical competence of internal auditors in the internal

auditing department ranges from 2 to 4.2, with a mean score of 2.7667.

Panel B shows that of the 24 respondent banks, 79.2 per cent have a risk

management committee. Panel B also shows that 45.8 per cent of banks in the sample

are under controlled by a financial holding company.

5.2 Univariate Results

We report further descriptive statistics for the banks in the sample, breaking the

sample on the 25th percentile and the 75th percentile of the degree of RBIA where

banks engage in infrequent RBIA (RBIA30 percent), some RBIA (RBIA between

30 and 70 percent), and extensive RBIA (RBIA exceeding 70 percent). Table 5 reports

a t-test of the differences in the means of these groups and a nonparametric Wilcoxon

signed-rank test of the differences between the distributions.


29/40

-25-

The univariate analysis of means represents that banks employing infrequent

RBIA are hardly distinguishable from those employing moderate levels of RBIA,

apart from the percentage of non-executive directors and supervisors on the board of

directors (as predicted). The Wilcoxon signed-rank test reports the same result.

Banks employing extensive RBIA differ from those employing moderate level of

RBIA along a variety of factors. They disclose less about internal processrisk and risk

management (contrary to the predictions) and have fewer board members. The

percentage of non-executive directors and supervisors on the board of directors is

higher. Finally, technical competence of internal auditors in the internal audit

department is higher as anticipated.

Finally, we examine whether banks employing intensive RBIA distinguishable

from those employing infrequent of RBIA. Three factors are significant differs:

disclosure about internal process risk and risk management, percentage of

non-executive directors and supervisors on the board of directors and technical

competence of internal auditors in the internal audit department.

5.3 Assumption Test Results

Table 6 presents the correlation matrix for the dependent and continuous

independent variables. TECHCOM is significantly associated with the degree of

RBIA ( r.546, p0.01). The highest correlation for the independent variables is

-0.404 between RISK1 and NONEXD. In addition, table 7 reports VIF values for the

continuous independent variables. FORBNH has the highest VIF value of 4.521. The

correlation matrix and VIF values present that multicollinearity is not a problem5. The

Durbin-Watson value (2.250) and the plots of the residuals indicate no problems of

independence of error terms and heteroskedasicity.

5 Multicollinearity problem exists when the correlation exceeded 0.80 and VIF values exceeds 10.


30/40

-26-

5.4 Regression Results

The results of the tobit regression are shown in Table 6. This model identifies

factors that are associated with a banks use of risk-basked internal auditing. The

model is significant atp0.000 with an Adjusted R2of 0.944.

As expected, all of our risk and risk management variables are significant. Risk 1,

Risk 2 and Risk 4 are positive and significant, consistent with hypothesis 1. Risk 3,

Risk 5 and Risk 6 are significant but negative. The three variables that are significant

and positive support our hypothesis that banks that are more sensitive to risks, are

more likely to employ higher percentage of RBIA. Moreover, NPL is positively and

significantly associated with RBIA, also supporting Hypothesis 1, this reflects that

banks with higher NPL levels appear to be more risk-based in internal auditing

activities so as to mitigate their higher agency costs. The use of RBIA is significantly

positively associated with the existence of a risk management committee. The finding

support Hypothesis 2 and suggests that banks with an integrated risk management

framework are more likely to have a higher percentage of RBIA.

Results for use of RBIA from internal control perspective are mixed. Hypotheses

3a is supported, with the results presenting a positive and significant association

between banks size and the use of RBIA (p0.05). Moreover, as expected, the

complexity of a bank is found to have a positive and significant (p0.01) relationship

with the level of RBIA employed (Hypothesis 3b). However, contrary to our

expectations, the hypothesized impact of whether the bank is a subsidiary of a

financial holding company (FHC) is not associated with the use of RBIA, and hence

Hypothesis 3c is not supported.

Results for the use of RBIA from corporate governance factors are substantially

supported. Board size (BODNR) is found to have a significant and negative

relationship with the level of RBIA employed, thus allowing us to accept Hypothesis


31/40

-27-

4. We observe that INSOWN is significant and positive, consistent with Hypothesis 5.

The result indicates a significant and negative association between NONEXD and the

degree of RBIA. This suggests that banks that have a lower proportion of

non-executive Directors have, on average, use higher percentage of RBIA. Finally,

TECHCOM is also found to have significant and positive coefficient with the degree

of RBIA used, supporting Hypothesis 7.

TABLE 4

Descriptive Statistics

Variable (N=24) Mean S.D. Minimum Maximum

Panel A: Continuous variables

RBIA 0.5833 0.2761 0.1000 0.9000

RISK 1 0.7708 0.0706 0.7500 1.0000

RISK 2 0.7292 0.1021 0.5000 1.0000

RISK 3 0.3958 0.2545 0.0000 1.0000

RISK 4 0.4558 0.2580 0.3300 1.0000

RISK 5 0.4563 0.2387 0.3300 1.0000

RISK 6 0.3750 0.3970 0.0000 1.0000

NPL 2.4938 2.2399 0.2400 10.8300

LNINTEST 15.4814 1.2443 13.0451 17.3089

FORBNH 0.0377 0.0712 0.0000 0.2727

BODNR 16.1667 3.7027 10.0000 23.0000

INSOWN 12.5313 27.2462 0.0000 100.0000

NONEXD 0.6591 0.1691 0.3800 0.9300

TECHCOM 2.7667 0.6767 2.0000 4.2000

Panel B: Dichotomous variables

Yes % No %

RMC 19 79.2 5 20.8

FHC 11 45.8 13 54.2

Notes: See Table 3 for variable definitions.


32/40

- 28 -

TABLE 5

Factors of Domestic Banks Segmented by Degree of RBIA

All variables are defined in Table 3. Banks are partitioned on the 25th percentile and the 75th percentile of pro

30 percent), some RBIA (30 percentRBIA70 percent), and extensive RBIA (RBIA70 percent)). Thon the level of RBIA. Mean and medians are reported. The pairs ofp-values represent the t-tests of the differ

level of the Wilcoxon sign-rank test. P-values less than 0.10 are shown in boldface type.

Factors of Domestic Banks by Level of RBIA Values of D

Infrequent

(30%,N=8)

Some (between

30-70%,N=9)

Extensive

(70%,N=7)Infrequent vs.

SomeSome vs.

Mean Med. Mean Med. Mean Med.t-value

(p-value)

-statistic

(p-value)

t-value

(p-value)

Z

RBIA 0.25 0.30 0.63 0.70 0.90 0.90

RISK 1 0.78 0.75 0.78 0.75 0.75 0.750.083

(0.93)

-0.086

(0.93)

0.875

(0.40)

RISK 2 0.72 0.75 0.72 0.75 0.75 0.75-0.057

(0.96)

-0.130

(0.90)

-0.875

(0.40)

RISK 3 0.44 0.50 0.44 0.50 0.29 0.50-0.057

(0.96)

0.000

(1.00)

1.099

(0.29)

RISK 4 0.50 0.33 0.48 0.33 0.38 0.330.127

(0.90)

-0.131

(0.90)

0.914

(0.38)

RISK 5 0.54 0.33 0.48 0.33 0.33 0.33 0.448(0.66)

-0.340(0.73)

1.842(0.10)

RISK 6 0.44 0.50 0.22 0.00 0.50 0.501.138

(0.27)

-1.166

(0.24)

-1.438

(0.17)


33/40

- 29 -

TABLE 5

Factors of Domestic Banks Segmented by Degree of RBIA

Factors of Domestic Banks by Level of RBIA Values of D

Infrequent

(30%,N=8)

Some (between

30-70%,N=9)

Extensive

(70%,N=7)Infrequent vs.

SomeSome vs.

Mean Med. Mean Med. Mean Med.t-value

(p-value)

-statistic

(p-value)

t-value

(p-value)

Z

NPL 2.32 1.71 3.33 1.99 1.63 1.61-0.810

(0.43)

-0.770

(0.44)

1.369

(0.19)

LNINTEST 15.44 15.60 15.46 15.50 15.55 15.53-0.039

(0.97)

-0.096

(0.92)

-0.125

(0.90)

FORBNH 0.03 0.00 0.02 0.00 0.07 0.020.355

(0.73)

-0.450

(0.65)

-1.214

(0.24)

BODNR 16.50 16.00 17.56 18.00 14.00 13.00-0.604

(0.56)

-0.681

(0.50)

2.035

(0.06)

INSOWN 9.76 0.00 13.19 0.57 14.85 0.00-0.297

(0.77)-0.625

(0.53)

-0.107

(0.92)

NONEXD 0.67 0.74 0.52 0.50 0.82 0.822.193

(0.05)

-1.879

(0.06)

-6.859

(0.00)

TECHCOM 2.38 2.20 2.60 2.40 3.43 3.60-1.065

(0.30)

-0.851

(0.39)

-2.610

(0.02)


34/40

- 30 -

TABLE 6

Correlation Matrix

RBIA RISK1 RISK2 RISK3 RISK4 RISK5 RISK6 NPL LN-INTEST

FORBNH

Q11PRO

RISK1 -0.093 1.000

RISK2 0.141 0.063 1.000

RISK3 -0.304 -0.176 -0.087 1.000

RISK4 -0.071 0.250 0.104 0.096 1.000

RISK5 -0.343 0.276 0.113 0.226 0.209 1.000

RISK6 0.020 0.097 -0.335 0.081 0.160 -0.056 1.000

NPL -0.037 -0.146 -0.044 0.179 -0.221 -0.118 -0.116 1.000

LNINTEST 0.005 0.344 0.242 0.134 0.257 0.111 0.356 0.034 1.000

FORBNH 0.161 0.371 0.113 0.124 0.279 0.010 0.167 -0.338 0.209 1.000

BODNR -0.295 0.152 -0.048 -0.096 -0.207 -0.008 -0.177 0.082 -0.351 -0.313

INSOWN 0.092 -0.142 0.063 0.182 0.062 0.362 -0.265 -0.111 -0.300 0.375

NONEXD 0.235 -0.404 0.000 -0.171 -0.319 -0.259 0.051 0.014 -0.033 -0.085

TECHCOMP 0.546*** -0.212 -0.105 -0.349 -0.225 -0.299 0.356 -0.339 -0.191 -0.228

Notes:

*** Correlation is significant at the 0.01 level (two-tailed).

See Table 3 for variable definitions.


35/40

- 31 -

TABLE 7

VIF Value

RISK1 RISK2 RISK3 RISK4 RISK5 RISK6 NPL

2.993 2.159 1.636 1.629 2.679 2.601 2.178

LNINTEST FORBNH BODNR INSOWN NONEXD TECHCOMP

4.335 4.521 2.094 4.120 1.993 3.215

TABLE 8

Results of Tobit Regression Analysis

Variable (N=24) Expectedsign

Coefficient S.E. z-Statistic Prob.*

C -1.188 0.210 -5.654 0.000

RISK1 + 0.535 0.181 2.959 0.003

RISK2 + 0.489 0.106 4.604 0.000

RISK3 + -0.147 0.037 -3.965 0.000

RISK4 + 0.116 0.037 3.185 0.001

RISK5 + -0.229 0.051 -4.517 0.000

RISK6 + -0.269 0.030 -8.968 0.000

NPL + 0.046 0.005 9.460 0.000

RMC + 0.330 0.025 13.172 0.000

LNINTEST + 0.026 0.012 2.073 0.038

FORBNH + 1.642 0.221 7.442 0.000

FHC + 0.005 0.031 0.154 0.878

BODNR ? -0.033 0.003 -11.318 0.000

INSOWN + 0.003 0.001 6.135 0.000

NONEXD + -0.308 0.062 -4.991 0.000

TECHCOM + 0.384 0.020 19.659 0.000

R2 0.983 Adjusted R

20.944

Log likelihood 46.129

Notes: *One-tail test where direction predicted, otherwise two-tail.See Table 3 for variable definitions


36/40

- 32 -

Chapter 6 Conclusion and Limitation

6.1 Conclusion

This study aims to investigate current use of RBIA by Taiwanese banks and to

explore factors associated with the adoption of RBIA by Taiwanese banking industry.

To understand banks demand of RBIA, this study examines whether the use of RBIA

varies with factors reflecting banks risk management, internal control, corporate

governance and internal auditors technical competence.

The models tested in this study find empirical support that banks use a relatively

high level of RBIA when disclose more information about financial risk management,

compliance risk management, technology risk management and have a higher ratio of

Non-Performing Loan. The results support H1 that the level of RBIA employed is

positively associated with the banks risk management. However, the results present

that the use of RBIA is negatively correlated with information disclosure about

environmental and safety risk management, internal process risk management, and

change management risk management.

Results support H2 that use of RBIA is positively correlated with the existence of

a risk management committee. This finding is consistent with findings from prior

empirical research investigation voluntary demand for internal auditing

(Goodwin-Stewart and Kent 2006). Results from the present study suggest that a

firms risk management framework is highly associated with the role of internal

auditing in the firm. Results for H3 are mixed. Our results indicate a significant

positive relationship between the level of RBIA used and Banks size, as well as the

complexity of the banks. However, no support was found for H3c that the use of

RBIA is positively correlated with a bank that is a subsidiary of a financial holding

company.


37/40

- 33 -

The findings of this study indicate a significant negative correlation exists

between the level of RBIA employed by a bank and the board size. Our finding

suggests that a small board size seems to be more effective, and is more likely to use

RBIA, as a complementary mechanism. Contrary to our expectations, the percentage

of non-executive directors and supervisors on the board of directors is significant

negative associated with the use of RBIA, the finding indicates that the higher

percentage of independent directors and supervisors on the board presents better

corporate governance, hence may not employ higher percentage of RBIA for

monitoring of risk management, this result presents that the use of RBIA as substitute

mechanism. Finally, the result support the hypotheses that banks use a relatively high

level of RBIA when have a higher percentage of shareholdings held by institutional

shareholders and internal auditors technical competence are higher.

6.2 Limitation

The result of this study should be considered in light of two limitations. First, our

measure of dependent variable- the percentage of RBIA employed by the bank is

derived from questionnaire and subject to subjective judgments of each banks

executive internal auditor, and we rely on the accuracy of these responses. Second,

our sample is relatively small. However, this study surveys all of the 39 domestic

banks in Taiwan; the response rate is relatively high: 61.54% and non-response bias

tests indicate that there is no significant difference between the responding banks and

non-respondents. Future research might expand the sample and to test our hypothesis

in the entire finance industry.


38/40

- 34 -

REFERENCES

Beumer, H. 2006. A Risk- oriented Approach.Internal Auditor63 (1):72-76.

Carcello, J. V., D. R. Hermanson, and K. Raghunandan. 2005. Factors Associated with

U.S. Public Companies' Investment in Internal Auditing.Accounting Horizons

19 (2):69-84.

Carey, P., R. Simnett, and G. Tanewski. 2000. Voluntary Demand for Internal and

External Auditing by Family Businesses.Auditing 19 (1):37.

Carey, P., N. Subramaniam, and K. C. W. Ching. 2006. Internal audit outsourcing in

Australia.Accounting & Finance 46 (1):11-30.

Cebenoyan, A. S. Cooperman, E. S. Register, and C. A. 1999. Ownership structure,

charter value, and risk-taking behavior for thrifts. Financial Management28

(1):43-60.

Chen, H.-J. 2003. The Relationship Between Corporate Governance And Risk-Taking

Behavior in Taiwanese Banking Industry. Journal of Risk Management5

(3):363-391.

Dessalegn Getie, M., and Y. Aderajew Wondim. 2007. Internal audit effectiveness: an

Ethiopian public sector case study. Managerial Auditing Journal 22

(5):470-484.

Fraser, I., and W. Henry. 2007. Embedding risk management: structures and

approaches.Managerial Auditing Journal 22 (4):392 - 409.FRC. 2005. Internal Control: Revised Guidance for Directors on the Combined Code.

Financial Reporting Council, London London.

FSC. 2004. Status of Preparation for Implementation of New Basel Capital Accord

(Basel II). the Financial Supervisory Commission of the Executive Yuan

(http://www.banking.gov.tw/ct.asp?xItem=57716&ctNode=701&mp=7 and

http://www.banking.gov.tw/ct.asp?xItem=31509&ctNode=700&mp=7).

. 2007. Implementation Rules for Bank Internal Audit and Internal Control

System. Financial Supervisory Commission of the Executive Yuan.

Goodwin-Stewart, J., and P. Kent. 2006. The use of internal audit by Australian

companies.Managerial Auditing Journal 21 (1):81-101.

Griffiths, D. M. 2006. Risk Based Internal Auditing- An Introduction.

Haniffa, R., and M. Hudaib. 2006. Corporate Governance Structure and Performance

of Malaysian Listed Companies. Journal of Business Finance & Accounting

33 (7-8):1034-1062.

Hay, D., and W. R. Knechel. 2004. Evidence on the Association among Elements of

Control and External Assurance. Working Paper (University of Auckland).

IIA. 2003. Risk Based Internal Auditing, Position Statement. The Institute of Internal


39/40

- 35 -

Auditors UK and IrelandLondon.

. 2004a. The Professional Practices Framework. The Institute of Internal

Auditors.

. 2004b. The Role of Internal Auditing in Enterprise-wide Risk Management,

Position Statement.Institute of Internal Auditors UK and IrelandLondon.

. 2005. Review of the Turnbull guidance on internal control proposals for

updating the guidance consultation paper, September. Institute of Internal

Auditors UK and IrelandLondon.

IIARF. 2003. Research Opportunities in Internal Auditing. Institute of Internal

Auditors Research Foundation Altamonte Springs, FL: IIARF.

Jenny, G. 2004. A comparison of internal audit in the private and public sectors.

Managerial Auditing Journal 19 (5):640 - 650.

Katz, E. M. 1998. Risk-based supervision, internal controls, and the internal audit

function. Bank Accounting & Finance (Euromoney Publications PLC) 11

(4):49.

Kippenberger. 1999. Internal audit and governance: the shift from control to risk. The

Antidote 4 (3):6 - 7.

Knechel, W. R., and M. Willekens. 2006. The Role of Risk Management and

Governance in Determining Audit Demand. Journal of Business Finance &

Accounting 33 (9-10):1344-1367.

Martin, C. L., M. K. Lavine, C. R. Baker, and J. J. O'Leary. 2000. Outsourcing theInternal Audit Function. CPA Journal 70 (2):58.

McCool, T. J. 2000. Risk-Focused Bank Examinations: Regulators of Large Banking

Organizations Face Challenges: GGD-00-48. In GAO Reports: U.S.

Government Accountability Office, 1.

Pound, J. 1988. Proxy Contests and the Efficiency of Shareholder Oversight.Journal

of Financial Economics January/March:237-265.

Ross, S. A. 1989. Institutional Markets, Financial Markets, and Financial Innovation.

Journal of Finance July:541-556.

Sarens, G., and I. De Beelde. 2006. Internal auditors' perception about their role in risk

management: A comparison between US and Belgian companies.Managerial

Auditing Journal 21 (1):63-80.

Spekle, R. F., H. J. van Elten, and A.-M. Kruis. 2007. Sourcing of internal auditing:

An empirical study.Management Accounting Research 18 (1):102-124.

Spira, L. F., and M. Page. 2003. Risk management: The reinvention of internal control

and the changing role of internal audit.Accounting, Auditing & Accountability

Journal 16 (4):640-661.

Tufano, P. 1996. Who Manages Risk? An Empirical Examination of Risk


40/40

Management Practices in the Gold Mining Industry. Journal of Finance 51

(4):1097-1137.

Walker, P. L., W. G. Shenkir, and T. L. Barton. 2003. ERM in practice. Internal

Auditor60 (4):51.

Zeckhauser, R. J., and J. Pound. 1990. Are Large Shareholders Effective Monitors?

An Investigation of Share Ownership and Corporate Performance. in R.G.

Hubbard, Ed., Asymmetric Information Corporate Finance, and Investment

(Chicago, IL, University of Chicago Press):149-180.

Documents

Risk Based Internal Auditing in Taiwanese Banking Industry Yung Ming