Risk Based Internal Auditing in Taiwanese Banking Industry

Yung-Ming Shiu Assistant Professor Department of Business Administration, National Cheng Kung University, Taiwan Email: yungming@mail.ncku.edu.tw

Mei-Lan Yeh Department of Business Administration, National Cheng Kung University, Taiwan Email: r4795115@mail.ncku.edu.tw

Date: 25 June 2008

CONTENTS
CHAPTER 1 INTRODUCTION 1 1.1 RESEARCH BACKGROUND AND MOTIVATIONS 1.2 PURPOSE OF RESEARCH AND FINDINGS 1.3 STRUCTURE OF THIS STUDY CHAPTER 2 CURRENT USE OF RBIA IN TAIWANESE BANKING INDUSTRY.................................................. 4 CHAPTER 3 LITERATURE REVIEW AND HYPOTHESIS DEVELOPMENT....................................................................... 10 3.1 RISK MANAGEMENT 3.2 INTERNAL CONTROL 3.3 CORPORATE GOVERNANCE 3.4 TECHNICAL COMPETENCE 11 12 13 15 1 2 3

CHAPTER 4 METHOD..................................................................... 17 4.1 DATA COLLECTION AND SAMPLE 4.2 NON-RESPONSE BIAS 4.3 MEASUREMENT OF VARIABLES 4.4 MODEL 17 17 18 20

CHAPTER 5 RESULTS.................................................................. 24 5.1 DESCRIPTIVE STATISTICS 5.2 UNIVARIATE RESULTS 5.3 ASSUMPTION TEST RESULTS 5.4 REGRESSION RESULTS 24 24 25 26

CHAPTER 6 CONCLUSION AND LIMITATION.................................... 32 6.1 CONCLUSION 6.2 LIMITATION 32 33

REFERENCE.................................................................. 34

TABLES
TABLE 1 RESULTS OF LEVENES TEST AND INDEPENDENT SAMPLE T TEST TABLE 2 COMPOSITION AND RELIABILITY OF VARIABLES TABLE 3 DEFINITION OF VARIABLES USED IN THE MODEL TABLE 4 DESCRIPTIVE STATISTICS

22 22 23 27

TABLE 5 FACTORS OF DOMESTIC BANKS SEGMENTED BY DEGREE OF RBIA 28 TABLE 6 CORRELATION MATRIX TABLE 7 VIF VALUE TABLE 8 RESULTS OF TOBIT REGRESSION ANALYSIS 30 31 31

ii

FIGURES

FIGURE 1 USE OF RBIA BY BANKS FIGURE 2 COMPLETENESS AND CORRECTNESS OF THE CONTENT OF RISK REGISTER FIGURE 3 DEFINITION OF RBIA ACTIVITY IN AUDIT CHARTER FIGURE 4 PROPORTION OF AUDIT PLAN THAT IS RISK-BASED FIGURE 5 ALLOCATION OF INTERNAL AUDIT RESOURCES FIGURE 6 INTERNAL AUDITS EVALUATION BASED ON RISK ASSESSMENT FIGURE 7 FREQUENCY OF REPORTING TO THE BOARD OF DIRECTORS FIGURE 8 BANKS CONCERN ABOUT EXECUTING RBIA

5 6 7 7

8 9

iii

Chapter 1 Introduction

1.1 Research Background and Motivations Recent corporate collapses and financial scandals have provoked world-wide concern with corporate governance highlighted apparent failures of accountability (Spira and Page 2003), and subsequent new laws, regulations in response to them (the Sarbanes-Oxley Act, 2002 and SEC rules) provide compelling evidence that internal auditing, serves as part of sound corporate governance framework (Spira and Page 2003), matters and is important. More recently, various releases by the Institute of Internal Auditors (IIA)-UK and Ireland Position Statement on Risk Based Internal Auditing(hereunder refers to RBIA) (IIA 2003) and the Standards for the Professional Practice of Internal Auditing (IIA, 2004) reveal the focal point of internal auditing and the role of this function in organizations has moved from traditional control and compliance orientation to a more risk-based focus (Kippenberger 1999; Walker et al. 2003;IIA, 2003). This is consistent with Turnbulls broader approach to internal control as Turnbull has stated that directors shall adopt a risk-based approach to establish a sound system of internal control and reviewing its effectiveness, and to incorporate risk management and internal control by the company within its normal management and governance processes (FRC 2005). In recent years, banking regulators have changed their examination techniques by placing emphasis on an institutions internal control system and on the way it manages and controls its risks (McCool 2000). In conjunction with the implementation of the New Basel Capital Accord (NBCA), known as Basel II, of which the main goal is to reinforce the risk management system within the banking industry, the Financial Supervisory Commission of the Executive Yuan (the FSC) in -1-

Taiwan has pushed the regulatory authority to build up a risk-based supervisory system and amend related laws and regulations where banks are mandated to conduct more public disclosure of qualitative and quantitative information for finance, business, corporate governance and risk management operation (FSC 2004). The FSC further urges banks to set up a well-arranged risk management mechanism, such as internal control system, risk management mechanism and internal audit function that are mandated by the law Enforcement Regulations for Bank Internal Audit Control System. Furthermore, the risk management strategies and execution quality of the bank will be the focal point of supervision in the future, and face check and balance imposed by market functions. An effective risk management by banks and effective risk-based supervision by regulators are highly dependent both on the implementation of adequate internal control systems and on the competence of internal audit staffs (Katz 1998). In Taiwan, banks operate in an institutional environment where internal auditing is a statutory requirement1. Despite all of the recent attention focused on RBIA, research on the existence or extent of this sector in general in corporations has been scant. Therefore, the purpose of this study aims to investigate the current use of RBIA by Taiwanese banking industry and to identify factors associate with the demand of RBIA among banks. 1.2 Purpose of Research and Findings This study explores factors associate with Taiwanese banks demand of RBIA from perspectives of risk management, internal control, corporate governance and internal auditors technical competence. Using data from a survey of domestic banks

Implementation Rules for Bank Internal Audit and Internal Control System, 2007 modified; Regulations Governing the Implementation of internal control and Audit Systems by Holding Companies, 2005 modified.

-2-

together with information from corporate annual reports, we find support that the degree of RBIA used by banks is associated with information disclosures about financial, compliance, health and safety, technology, internal process and change management risk management; the existence of a risk management committee; ratio of Non-Performing Loan; the banks size and complexity; board size; proportion of independent board members; the level of shareholdings held by institutional shareholders; and internal auditors technical competence. 1.3 Structure of This Study The paper is structured as follows. The next section discusses current use of RBIA in Taiwanese Banking Industry. The third section describes a literature review and the hypothesis development. Subsequent sections present the method and results. The final section provides discussion, conclusions and limitations of the study, and also suggestions for future research.

-3-

Chapter 2 Current Use of RBIA in Taiwanese Banking Industry

A survey is designed to gather information on the current use of RBIA in banking industry. The questionnaire is developed based on the Standards for the Professional Practice of Internal Auditing (IIA 2004a) and the Implementation Rules for Bank Internal Audit and Internal Control System (FSC 2007), and includes four parts: part one asked about current status of the banks risk management; part two requests for the definition of RBIA activity in audit charter and technical competence of internal auditors; part three investigates the performance of RBIA in related to audit planning, nature of work and communication; and part four inquire about basic information of the banks. Our sample consists of all of the 39 domestic banks, and of the 39 surveys mailed, 24 completed responses were returned for a response rate of 61.54%. Of the 24 survey responses, 13 (54.1%) of the banks report that more than 60% of their internal audit activities are risk oriented. As Figure 1 illustrates, we find that 8 of 24 (33.3%) respondents indicating that they use a relatively high level of RBIA, about 61%-80%, while 6 (25%) of the banks report that about 21%-40% of their internal audit work are risk-based. FIGURE 1

Use of RBIA by Banks

Percentage of RBIA Used
81%-100% 61%-80% 41%-60% 21%-40% 0-20% 0% 5% 10% 15% 20% 25% 30% 35%

Percentage of Responding Banks

-4-

The effectiveness of RBIA derives from a reliable risk register, also a complete risk register will be available for audit planning (Griffiths 2006). Question 1 and 2 asked each bank to identify the completeness and the correctness of the content of its risk register. Of all the 24 responses, there is one missing data on these two questions. As illustrated by Figure 2, a significant percentage reported a complete and correct of the risk register, notably 3 (13%) of the banks reported no risk register. FIGURE 2

Completeness and Correctness of the Content of Risk register

Completeness Most Complete/Correct Complete/Correct General No Risk Register 0% 10% 20% 30% 40% 50% Correctness

Percentage of Responding Banks

As regulated by the Standards for the Professional Practice of Internal Auditing, the purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter (IIA 2004a). To get an indication of how clearly RBIA activities are defined, banks were asked whether it is been clearly defined in the audit charter or work manual that internal auditor should audit and assure the adequacy and effectiveness of risk management and control system in Question 5. As shown in Figure 3, a large majority of banks (70%) reported RBIA activities are been clearly defined in the audit charter, while only 1 bank reported no definition of any RBIA activities in audit charter or work manual.

-5-

FIGURE 3

Definition of RBIA Activity in Audit Charter

Very Clear Clear General Not Defined 0% 10% 20% 30% 40% 50% 60% 70% 80%

Percentage of Responding Bank

To see the extent of audit activities that are risk-based, we asked banks a series of questions concerning audit planning. Question 8.2 asked respondents the proportion of Engagement plan that are based on annual risk assessment. Except 3 missing data, approximately 12 of 21 (57.1%) respondents expressing that less than 40% of Engagement plan are based on annual risk assessment. We also inquired about the proportion of annual audit plan that is based on each business units risk character and that the priority of audit activities is determined on risk assessment in Question 8.3 and 8.4. As Figure 4 demonstrates, the percentage drops to about 50% for approximately 61%-100% of annual audit plan to each business unit that is risk-based, while 42% of banks indicated less than 40% of annual audit plan that is risk-based. The annual audit plan on the priority of audit activities shows the same outcome, with 50% and 38% respectively for about 61%-100% and less than 40%. Question 9.5 asked banks to rank the allocation of internal audit resources on each of audit activities. Figure 5 presents the percentage of responding banks that expressed none, a few, few, regular, many, great many about each audit activities. A great many of internal audit resources were allocated to internal control audit, with 92% of responding banks expressing many to great many of audit resources. -6-

FIGURE 4

Proportion of Audit Plan that is Risk-based

40% 35% 30% 25% 20% 15% 10% 5% 0%

Percentage of Responding Banks

Engagement Business Unit Audit Priority

0-20%

21%-40%

41%-60%

61%-80% 81%-100%

Proportion of Audit Plan

Financial, operational and information system audits are also audit activities that have been allocated of most audit resources for the respondents, with 54%, 55% and 51%, respectively, indicating many to great many audit resources. Risk management and special projects and others audits are the next two audit activities, with 46% and 41%, respectively, expressing many to great many of resources for each activity. The activity of least allocation is corporate governance audit, where only 34% of responding banks that allocate many to great many of audit resources. FIGURE 5

Allocation of Internal Audit Resources

None 100% Percentage of Responding Banks 80% 60% 40% 20% 0%
63% 33% 8% 4% 8% 4% 38% 33% 8% 4% 50% 17% 4% 0% 8% 8%

A Few
8% 29% 46%

Few

Regular
21% 17%

Many
13%

Great Many
13% 21% 8% 33%

25%

38%

38% 42% 42%

8% 0%

Financial

Internal Controls

Risk Mgt. Operational Information Corporate Special system Governance Projects and Others

-7-

RBIA is all about providing an opinion on whether risks are being properly managed (IIA 2003; Griffiths 2006). Question 9.4 asked banks to indicate how frequency internal auditors would evaluate the adequacy and effectiveness of control of following issues based on results of risk assessment. As Figure 6 presented, most of banks evaluation on the issues always based on risk assessment results. FIGURE 6

Internal Audit's Evaluation based on Risk Assessment

Percentage of Responding Banks

80% 60% 40% 20% 0%

Rarely Regular Sometimes Always

Reliability and Integrity of Financial and Operational Information Effectiveness and Efficiency of Operations Safeguarding of Assets Compliances with Laws, Regulations and Contracts

The frequency that chief internal auditor is reported to the board of directors has important impacts on RBIA. Question 10.2 asked banks the frequency chief internal auditor is reported to the board of directors regarding banks significant risk exposures and controls. Figure 7 presented that a large majority of banks (88%) responded regular to frequently report to the board of directors. FIGURE 7

Frequency of Reporting to the Board of Directors

50% 40% 30% 20% 10% 0% None Seldom Regular Frequently

Percentage of Responding Banks

-8-

Question 13 asked responding banks to specify their concerns regarding RBIA usage. As shown in Figure 8, the greatest concern is lack of proper tool to identify risks, with 14 of 24 responding banks. Lack of experience is the next greatest concern to the banks, with 12 of banks. Lack of relevant principles or guidelines is also issue of some concern for the respondents, with 7 responding banks. The item of least concern is lack of relevant knowledge. Other concern specify by the responding banks is the difficulty of present risk-based concept to internal auditors. FIGURE 8

Banks' Concern About Executing RBIA

14 12 10 8 6 4 2 0 Number of Responding Banks

Lack of Lack of Lack of Lack of relevant Experience Proper Tool Relevant Knowledge to Identify Principles or Risks Guidelines

Others

-9-

Chapter 3 Literature Review and Hypothesis Development

In 1999, the Institute of Internal Auditors (IIA) promulgated a new definition of internal auditing which identifying an assurance and consulting role for internal audit, highlighting the changing focus and the expansion scope of internal auditing into risk management, corporate governance, and adding value2 (The IIA, 2004;Walker et al. 2003; Jenny 2004). The new definition emphasize that internal audit function can add value to the organization in terms of risk management and corporate governance, and RBIA is an approach that can help to meet these requirements (IIA 2003). This approach is consistent with Turnbulls broader approach to internal control as Turnbull implies that high level, risk-based internal audit functions are a sine qua non (Fraser and Henry 2007). Empirical research has investigated the existence or extent of internal auditing from risk or governance perspectives. Goodwin-Stewart and Kent (2006) use an agency framework to explore firm characteristics associated with the existence of internal audit function from risk management, control and governance perspectives. He argues that internal auditing is either to be a complementary or substitution mechanism aligns with other risk management and governance mechanisms, and that survey evidence indicates a significant association between the use of internal auditing and a commitment to strong risk management and firm size, however, the results reveal a mixed support for the corporate governance factors. Using an agency cost framework, Carey, et al.(2000) examined demand for both internal and external auditing by family business with two agency proxies which are:

In 1999, the Institute of Internal Auditors (IIA) approved the new definition of internal auditing as: an independent, objective assurance and consulting activity designed to add value and improve an organizations operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance process.

-10-

(1) the proportion of nonfamily management, and (2) the proportion of nonfamily representation on the board of directors. They found that the two agency cost proxies are associated with demand for external audit, but do not explain the demand for internal audit. Carcello, et al. (2005) examines factors associated with U.S. public companies investment in internal auditing, and the result indicates that total internal audit budgets (in-house plus outsourced portions) are related to factors associated with company risk, e.g. company size, complexity and leverage. 3.1 Risk Management The separation of ownership and management functions and the presence of information asymmetry introduce the possibility of principal-agent conflicts (Haniffa and Hudaib 2006), it also incurs risks to stakeholders in the organization (management, shareholders, creditors, etc.) (Spira and Page 2003). Those agency conflicts, agency costs and risks are now managed within the corporate governance framework through accountability mechanisms, such as internal control and audit. (Haniffa and Hudaib 2006; Spira and Page 2003). Stakeholders now compete to participate in corporate governance to seek power in organizations by asserting their own conceptions of risk and how it should be managed, and a focus on risk management has become central to this competition since it defines the accountability of the management of the organization (Spira and Page 2003). This is consistent with Hay and Knechels (2004) argument that the demand for auditing is a function of the set of risks faced by individual stakeholders in an organization and the set of control mechanisms available for mitigating those risks. Therefore, internal auditing's risk management orientation has given the audit function increased credibility across the enterprise and greater acceptance by management (Beumer 2006). Drawing from the preceding discussion, the following hypothesis is therefore proposed:

-11-

H1: The use of RBIA is positively associated with the level of risk confronting with the stakeholders. The objective of RBIA is to provide independent assurance to the board that there is a sound of risk management framework within the organization, and risks that may affect the organisations business objectives and strategies are been identified, managed and reduced to a level that is acceptable to the board (IIA 2003) . One indication of risk management framework is the existence of a separate committee or group, comprised of directors and managers (Goodwin-Stewart and Kent 2006) to develop risk management development policy. The preceding discussion is reflected in following hypothesis: H2: The use of RBIA is positively associated with the existence of a risk management committee. 3.2 Internal Control As organizations grow in size and complexity, effective risk management becomes increasingly problematic (Fraser and Henry 2007). Previous study for demand of internal auditing linked to the cost vs. benefit from undertaking monitoring (Carcello et al. 2005; Goodwin-Stewart and Kent 2006). Carcello, et al. (2005) asserts that increased organizational complexity would result in greater risk and companies facing higher risk will increase their organizational monitoring. In addition, from transaction cost perspective, larger firms have opportunities to gain economies of scale from investment in the fixed costs of internal auditing (Carey et al. 2000; Carey et al. 2006). From preceding discussion, the following hypotheses are therefore proposed: H3a: The use of RBIA is positively associated with a banks size. H3b: The use of RBIA is positively associated with the complexity of a bank.

-12-

Recently, Taiwanese authorities have urged for financial reforms, many domestic banks are merged into one large financial holding company. Based on preceding discussion, we would expect that as the financial holding company is larger in size and more complicated, it would be more likely to use RBIA and request its subsidiary to use RBIA for monitoring of risk management. Therefore, this study tests whether domestic banks that are a subsidiary of financial holding companies are more likely to use RBIA. The preceding discussion is reflected in following hypothesis: H3c: The use of RBIA is positively associated with a bank that is a subsidiary of a financial holding company. 3.3 Corporate Governance IIA (2005) in their submission to the Turnbull Review Group, requested that boards should be responsible for determining acceptable risks and for managing them. While board members have ultimate responsibility for risk management and internal control, they require assurance that risks throughout the organization have been identified, assessed and managed (Fraser and Henry 2007). Hence, internal auditings risk-based orientation would be a key component for such assurance. Haniffa and Hudaib (2006) indicates that board size affects the extent of monitoring and controlling. As a small board may be seen to be more effective, we would expect a higher percentage of RBIA may be used. However, as bigger boards seems to be more symbolic rather than being a part of the management process (Hermalin and Weisbach, 2000; Haniffa and Hudaib 2006; Chen 2003), they would require internal audit activities to be more risk orientation, as a substitute mechanism. From preceding discussion, we test whether the use of RBIA is associated with board size, but do not predict a direction: H4: The use of RBIA is significantly associated with the board size.

-13-

In banking industry, information asymmetry problem is relatively higher among external bank stockholders, including institutional investors as they have little control over bank managers (Zeckhauser and Pound 1990; Ross 1989). Meanwhile, Pound (1988) and Cebenoyan et al. (1999) suggest that because of contractual clauses specifying what types of investments institutional investors must hold, they have less ability to diversify risks and stronger incentives to monitor individual investments. Therefore, we would expect that when institutional investors shareholdings are proportionately higher, they will be more likely to ensure that internal auditing focuses its resources on the banks business and strategic risks. The preceding discussion is reflected in following hypothesis: H5: The use of RBIA is positively associated with the level of shareholdings held by institutional shareholders. Internal auditing plays an important role in organizational governance by monitoring organizational risks and assessing controls (IIARF 2003). Previous study argues that internal audit is a substitute mechanism for monitoring by directors (Anderson et al.1993), however, Goodwin-Stewart and Kent (2006) argues that information asymmetry problems exist between executive and independent directors, internal auditing is more likely to be a complementary mechanism among other corporate governance mechanism. Since independent directors lack of day-to-day business involvement, they may not have enough information, moreover, they also may concern about his or her personal exposure if management commits fraud or some other scandal erupts related to the organization (i.e., reputation risk) (Knechel and Willekens 2006). Internal auditings risk-based orientation would be a key component for such information risk assurance. The preceding discussion is reflected in following hypothesis: H6: The use of RBIA is positively associated with the proportion of independent -14-

board members on the board of directors3. 3.4 Technical Competence The IIAs standard 1210 on proficiency of the auditor requires that the internal auditors possess the knowledge, skills and other competencies needed to perform their responsibilities (IIA 2004a; Dessalegn Getie and Aderajew Wondim 2007). Internal auditors are potentially important providers of independent evaluations of the organizations risk management and internal control system (assurance), eventually combined with more practice-oriented management assistance (consulting) in this area (Sarens and De Beelde 2006). Following Turnbull and Position Statement (IIA 2004b), internal auditors are being expected to be increasingly prominent in ERM but concerns have been expressed about expertise (Fraser and Henry 2007). This new role has led internal auditors to internal expertise that requires different technical competence and in-depth understanding of risk that some internal audit may not possess, for example, the appropriate qualifications and experience; including the necessary specialized skills (e.g. risk management and system design), industry specializations as industry-specific factors influenced the risk appetite of the business and technological expertise (Spira and Page 2003; Spekle et al. 2007; Carey et al. 2006; Fraser and Henry 2007). This situation could have potentially serious consequences as an internal audit function which has been allocated a prominent role in the assessment of the appropriateness of risk management but which lacks the necessary expertise could be a weak link in the risk management chain (Fraser and Henry 2007). Over the last decade, the cost of finding, recruiting and keeping appropriately qualified staff has become increasingly more difficult and expensive (Martin et al.

In Taiwan, members of the board of directors contain directors and supervisors.

-15-

2000). In terms of cost-benefit perspective, the organizations economic principle/agent seeks to adopt governance structures that match their control needs in a cost-effective way, thus may consider the benefits and drawbacks of adopting RBIA while lacking of technical competence internal auditors. Consequently, the propensity for banks to use RBIA is more likely to be high when internal auditors are technologically competent in this area. Based on the preceding discussion, the following hypothesis is therefore proposed: H7: The use of RBIA is positively associated with the internal auditors technical competence.

-16-

Chapter 4 Method

4.1 Data Collection and Sample The present study combined data collected from the corporate annual report and a survey of domestic banks. Data that are extracted from the banks annual report contains information regarding the disclosures of the banks risk management, corporate governance structure and ownership of shareholdings, based on fiscal year ends from 1 January 2006 to 31 December 2006. A survey was developed to gather information on the degree of RBIA employed by the bank, the existence of risk management committee and internal auditors technical competence. As the questionnaires were to be sent out via mail, initial versions were drafted and tested by three non-specialists to eliminate misunderstanding due to wording and technical terms. After the initial alteration, a further test was conducted by two specialists. With minor modifications, the final questionnaire was mailed to chief internal auditors in January, 2008, with a letter explaining the purpose of the survey and assuring that the response would be treated in a strictly confidential manner. A reminder phone call was made two weeks later. The population from which our sample is drawn consists of all of the 39 domestic banks that are under operation and regulated by the Financial Supervisory Commission of the Executive Yuan. Of the 39 surveys mailed, 24 responses were received, generating a response rate of 61.54 per cent. Of all the 24 responses, there were no unusable responses; hence, the final usable response rate was also 61.54 per cent. 4.2 Non-response Bias To assess whether non-respondents (n=15) differed significantly from usable responding banks (n=24), the present paper compared the scores of responding banks -17-

on total assets and net income before tax to those of the non-respondents. We use Levenes test and Independent Sample T test to examine the Homogeneity of variances and Equality of Means, respectively. The results indicate that there were no significant differences between the two groups on these variables. Thus, there have no indications of non-response bias (see table 1 for further details). 4.3 Measurement of Variables The dependent variable is the percentage of RBIA employed by the bank (RBIA). This variable is derived from a single question: percentage of internal audit activities that are considered to be risk-based. The independent variables used in the analyses are summarized in Table 3 and explained below: Risk Management Previous research has used a set of risk and risk management measures that reflect the organizations own assessment of risk and risk management efforts. This study adopts the same risk measures to Knechel and Willekens (2006) where six areas of risk and related risk management practice are measured. We use annual report to evaluate risk management information disclosed by the bank to compute the six separate risk management measures. Each risk management measure is computed on a five-item scale where one point is added for disclose each of the five information regarding a specific area of risk and risk management. As no companies scored the maximum score (5) on each risk variable, each risk measure is scaled by its own maximum score actually observed, e.g. a company with a score of three for a measure where the maximum observed value across all companies was four was scaled to 0.75. The six separate risk management measures are as following: RISK 1 A score from 1 to 5, scaled by the maximum value in the sample, reflecting

-18-

the extent of disclosures about financial risk and risk management. RISK 2 A score from 1 to 5, scaled by the maximum value in the sample, reflecting the extent of disclosures about compliance risk and risk management. RISK 3 A score from 1 to 5, scaled by the maximum value in the sample, reflecting the extent of disclosures about environmental and safety risk and risk management. RISK 4 A score from 1 to 5, scaled by the maximum value in the sample, reflecting the extent of disclosures about technology risk and risk management. RISK 5 A score from 1 to 5, scaled by the maximum value in the sample, reflecting the extent of disclosures about internal process risk and risk management. RISK 6 A score from 1 to 5, scaled by the maximum value in the sample, reflecting the extent of disclosures about change management risk and risk management. In addition, since financial characteristics reflect company risk and ability to pay for monitoring, company in weak financial condition would try to mitigate their heightened risk through enhanced monitoring by internal audit (Carcello et al. 2005). Consequently, we include the following financial proxy in the analysis that is most concerned in banking industry: NPL Ratio of Non-Performing Loan.

One additional variable is included in the model based on the hypothesis: RMC Dummy variable = 1 if the bank has a risk management committee, zero otherwise. Internal Control LNINTEST Natural log of net interest revenue. FORBNH Foreign branches divided by total branches (if there are no foreign branches, this variable equals 0). -19-

FHC

Dummy variable =1 if the bank is a subsidiary of financial holding company; zero otherwise.

Corporate Government BODNR INSOWN NONEXD Total number of members on the Board of Directors4. Percentage of shareholdings held by institutional shareholders. Percentage of non-executive directors and supervisors on the board of directors Technical Competence The questionnaire contains 7 items that were measured on a five-point scale, and designed to acquire different aspects of technical competence of the internal auditors (Q7.1~Q7.7). Confirmatory factor analysis conveys that five of these items load on a single factor. Therefore, we combine these items by calculating the mean of the five items to obtain a single score for technical competence (see table 2 for further details). The correlations of the other two items with the factor were too low and we dropped these items from the analysis. The Cronbachs alpha coefficient for TECHCOM is 0.836. TECHCOM A score measured by computing the mean of five questionnaires, representing the extent of technical competence of internal auditors in the internal audit department. 4.4 Model We use a Tobit model in our analyses, which is a regression technique suited to analyse limited (censored) dependent variables (Tufano 1996; Spekle et al. 2007): RBIA= bo + b1RISK1 + b2RISK2 + b3RISK3 + b4RISK4 + b5RISK5 + b6RISK6 + b7NPL+ b8RMC + b9LNINTEST + b10FORBNH +

In Taiwan, members of the board of directors contain directors and supervisors ; therefore, this paper investigates the proportion of non-executive directors and supervisors

-20-

b11FHC + b12BODNR + b13INSOWN + b14NONEXD + b15TECHCOM + e Where: RBIA RISK 1 RISK 2 RISK 3 RISK 4 RISK 5 RISK 6 NPL RMC LNINTEST FORBNH FHC BODNR INSOWN NONEXD TECHCOM Percentage of RBIA employed by the bank The extent of disclosures about financial risk and risk management The extent of disclosures about compliance risk and risk management The extent of disclosures about environmental and safety risk and risk management The extent of disclosures about technology risk and risk management The extent of disclosures about internal process risk and risk management The extent of disclosures about change management risk and risk management Ratio of Non-Performing Loan Dummy variable = 1 if the bank has a risk management committee, zero otherwise Natural log of net interest revenue Percentage of foreign branches on total branches Dummy variable =1 if the bank is a subsidiary of a financial holding company; zero otherwise Total number of members on the Board of Directors Percentage of shareholders shareholdings held by institutional

Percentage of non-executive directors and supervisors on the board of directors A score measured by computing the mean of five questionnaires, representing the extent of technical competence of internal auditors in the internal audit department

Since tobit regression is used to test the hypotheses, assumptions of multicollinearity, independence of error terms and heteroskedasicity are also tested. -21-

The Pearson Correlation Matrix and Variance Inflation Factor (VIF) are used to test the multicollinearity assumption, while an analysis of residuals and the plots of the studentised residuals against predicted values are conducted to test for independence of error terms and heteroskedasicity.

TABLE 1 Results of Levenes Test and Independent Sample T Test Levenes Test Variables Assets Net Income before Tax F-statistics 6.562 0.180 p-value 0.015* 0.673 Independent Sample T Test t-value -1.164 -1.480 p-value 0.258 0.147

Note: Significant at the 0.05 level.

TABLE 2 Composition and Reliability of Variables Items Understanding of COSOs ERM (Q7.1) Understanding of risk management framework that are established for Basel II (Q7.2) knowledge of information technology risk and controls (Q7.3) proportion auditing related certificates holders (Q7.6) proportion of risk management related certificates holders (Q7.7) Cronbachs alpha: 0.836. Component Loading 0.900 0.859 0.779 0.925 0.921

-22-

TABLE 3 Definition of Variables Used in the Model Variables Definition Expected sign Dependent Variable RBIA Percentage of internal audit activities that are considered to be risk-based. Independent Variables Risk Management Variables Risk 1 A score from 1 to 5, scaled by the maximum value in + the sample, reflecting the extent of disclosures about financial risk and risk management. Risk 2 A score from 1 to 5, scaled by the maximum value in + the sample, reflecting the extent of disclosures about compliance risk and risk management. Risk 3 A score from 1 to 5, scaled by the maximum value in + the sample, reflecting the extent of disclosures about environmental and safety risk and risk management. Risk 4 A score from 1 to 5, scaled by the maximum value in + the sample, reflecting the extent of disclosures about technology risk and risk management. + Risk 5 A score from 1 to 5, scaled by the maximum value in the sample, reflecting the extent of disclosures about internal process risk and risk management. + Risk 6 A score from 1 to 5, scaled by the maximum value in the sample, reflecting the extent of disclosures about change management risk and risk management. NPL Ratio of Non-Performing Loan. + RMC Dummy variable = 1 if the bank has a risk + management committee, zero otherwise. Internal Control Variables LNINTEST Natural log of net interest revenue + FORBNH Percentage of foreign branches on total branches + FHC Dummy variable =1 if the bank is a subsidiary of a + financial holding company; zero otherwise. Corporate Governance Variables BODNR Total number of members on the Board of Directors. ? INSOWN Percentage of shareholdings held by institutional + shareholders. NONEXD Percentage of non-executive directors and + supervisors on the board of directors. Technical Competence Variable TECHCOM A score measured by computing the mean of five + questionnaires, representing the extent of technical competence of internal auditors in the internal audit department. -23-

Chapter 5 Results
5.1 Descriptive Statistics Table 4 presents descriptive statistics for the dependent and independent variables in the model. Start from independent variable in Panel A, the 24 responding samples have conducted moderate RBIA, with a mean RBIA about 0.5833 reflecting 58.33% of internal auditing activities are risk-oriented. The risk management disclosure scores could be divided into two groups. Standardized risk management scores 0.7708 and 0.7292 for financial risk management and compliance risk management respectively, comparatively higher than that for the rest of four risk management, ranging from 0.375 for change management risk management to 0.4563 for internal process risk management. The percentage of foreign branches on total branches ranges from 0 to 0.2727, with a mean of 0.0377. For corporate government variables, Panel A indicates that, on average, 12.5313 per cent of shareholdings held by institutional shareholders. Technical competence of internal auditors in the internal auditing department ranges from 2 to 4.2, with a mean score of 2.7667. Panel B shows that of the 24 respondent banks, 79.2 per cent have a risk management committee. Panel B also shows that 45.8 per cent of banks in the sample are under controlled by a financial holding company. 5.2 Univariate Results We report further descriptive statistics for the banks in the sample, breaking the sample on the 25th percentile and the 75th percentile of the degree of RBIA where banks engage in infrequent RBIA (RBIA30 percent), some RBIA (RBIA between 30 and 70 percent), and extensive RBIA (RBIA exceeding 70 percent). Table 5 reports a t-test of the differences in the means of these groups and a nonparametric Wilcoxon signed-rank test of the differences between the distributions. -24-

The univariate analysis of means represents that banks employing infrequent RBIA are hardly distinguishable from those employing moderate levels of RBIA, apart from the percentage of non-executive directors and supervisors on the board of directors (as predicted). The Wilcoxon signed-rank test reports the same result. Banks employing extensive RBIA differ from those employing moderate level of RBIA along a variety of factors. They disclose less about internal process risk and risk management (contrary to the predictions) and have fewer board members. The percentage of non-executive directors and supervisors on the board of directors is higher. Finally, technical competence of internal auditors in the internal audit department is higher as anticipated. Finally, we examine whether banks employing intensive RBIA distinguishable from those employing infrequent of RBIA. Three factors are significant differs: disclosure about internal process risk and risk management, percentage of non-executive directors and supervisors on the board of directors and technical competence of internal auditors in the internal audit department. 5.3 Assumption Test Results Table 6 presents the correlation matrix for the dependent and continuous independent variables. TECHCOM is significantly associated with the degree of RBIA ( r.546, p0.01). The highest correlation for the independent variables is -0.404 between RISK1 and NONEXD. In addition, table 7 reports VIF values for the continuous independent variables. FORBNH has the highest VIF value of 4.521. The correlation matrix and VIF values present that multicollinearity is not a problem5. The Durbin-Watson value (2.250) and the plots of the residuals indicate no problems of independence of error terms and heteroskedasicity.

Multicollinearity problem exists when the correlation exceeded 0.80 and VIF values exceeds 10.

-25-

5.4 Regression Results The results of the tobit regression are shown in Table 6. This model identifies factors that are associated with a banks use of risk-basked internal auditing. The model is significant at p0.000 with an Adjusted R2of 0.944. As expected, all of our risk and risk management variables are significant. Risk 1, Risk 2 and Risk 4 are positive and significant, consistent with hypothesis 1. Risk 3, Risk 5 and Risk 6 are significant but negative. The three variables that are significant and positive support our hypothesis that banks that are more sensitive to risks, are more likely to employ higher percentage of RBIA. Moreover, NPL is positively and significantly associated with RBIA, also supporting Hypothesis 1, this reflects that banks with higher NPL levels appear to be more risk-based in internal auditing activities so as to mitigate their higher agency costs. The use of RBIA is significantly positively associated with the existence of a risk management committee. The finding support Hypothesis 2 and suggests that banks with an integrated risk management framework are more likely to have a higher percentage of RBIA. Results for use of RBIA from internal control perspective are mixed. Hypotheses 3a is supported, with the results presenting a positive and significant association between banks size and the use of RBIA (p0.05). Moreover, as expected, the complexity of a bank is found to have a positive and significant (p0.01) relationship with the level of RBIA employed (Hypothesis 3b). However, contrary to our expectations, the hypothesized impact of whether the bank is a subsidiary of a financial holding company (FHC) is not associated with the use of RBIA, and hence Hypothesis 3c is not supported. Results for the use of RBIA from corporate governance factors are substantially supported. Board size (BODNR) is found to have a significant and negative relationship with the level of RBIA employed, thus allowing us to accept Hypothesis -26-

4. We observe that INSOWN is significant and positive, consistent with Hypothesis 5. The result indicates a significant and negative association between NONEXD and the degree of RBIA. This suggests that banks that have a lower proportion of non-executive Directors have, on average, use higher percentage of RBIA. Finally, TECHCOM is also found to have significant and positive coefficient with the degree of RBIA used, supporting Hypothesis 7.

TABLE 4 Descriptive Statistics Variable (N=24) Mean S.D. Minimum Maximum

Panel A: Continuous variables RBIA RISK 1 RISK 2 RISK 3 RISK 4 RISK 5 RISK 6 NPL LNINTEST FORBNH BODNR INSOWN NONEXD TECHCOM 0.5833 0.7708 0.7292 0.3958 0.4558 0.4563 0.3750 2.4938 15.4814 0.0377 16.1667 12.5313 0.6591 2.7667 0.2761 0.0706 0.1021 0.2545 0.2580 0.2387 0.3970 2.2399 1.2443 0.0712 3.7027 27.2462 0.1691 0.6767 0.1000 0.7500 0.5000 0.0000 0.3300 0.3300 0.0000 0.2400 13.0451 0.0000 10.0000 0.0000 0.3800 2.0000 0.9000 1.0000 1.0000 1.0000 1.0000 1.0000 1.0000 10.8300 17.3089 0.2727 23.0000 100.0000 0.9300 4.2000

Panel B: Dichotomous variables Yes RMC FHC 19 11 % 79.2 45.8 No 5 13 % 20.8 54.2

Notes: See Table 3 for variable definitions.

-27-

TABLE 5 Factors of Domestic Banks Segmented by Degree of RBIA All variables are defined in Table 3. Banks are partitioned on the 25th percentile and the 75th percentile of proportion of RBIA (infrequent (RBIA 30 percent), some RBIA (30 percentRBIA70 percent), and extensive RBIA (RBIA70 percent)). The table reports factors, conditioned on the level of RBIA. Mean and medians are reported. The pairs of p-values represent the t-tests of the differences of means and the significance level of the Wilcoxon sign-rank test. P-values less than 0.10 are shown in boldface type. Factors of Domestic Banks by Level of RBIA Infrequent (30%, N=8) Mean RBIA RISK 1 RISK 2 RISK 3 RISK 4 RISK 5 RISK 6 0.25 0.78 0.72 0.44 0.50 0.54 0.44 Med. 0.30 0.75 0.75 0.50 0.33 0.33 0.50 Some (between 30-70%, N=9) Mean 0.63 0.78 0.72 0.44 0.48 0.48 0.22 Med. 0.70 0.75 0.75 0.50 0.33 0.33 0.00 Extensive (70%, N=7) Mean 0.90 0.75 0.75 0.29 0.38 0.33 0.50 Med. 0.90 0.75 0.75 0.50 0.33 0.33 0.50 0.083 (0.93) -0.057 (0.96) -0.057 (0.96) 0.127 (0.90) 0.448 (0.66) 1.138 (0.27) -0.086 (0.93) -0.130 (0.90) 0.000 (1.00) -0.131 (0.90) -0.340 (0.73) -1.166 (0.24) 0.875 (0.40) -0.875 (0.40) 1.099 (0.29) 0.914 (0.38) 1.842 (0.10) -1.438 (0.17) -0.882 (0.38) -0.882 (0.38) -1.055 (0.29) -0.544 (0.59) -1.633 (0.10) -1.443 (0.15) 1.000 (0.35) -0.552 (0.60) 1.278 (0.23) 0.943 (0.36) 1.933 (0.09) -0.292 (0.77) -0.935 (0.35) -0.580 (0.56) -1.281 (0.20) -0.663 (0.51) -1.740 (0.08) -0.308 (0.76) Infrequent vs. Some t-value Z-statistic (p-value) (p-value) Values of Differences Some vs. Intensive t-value Z-statistic (p-value) (p-value) Infrequent vs. Intensive t-value Z-statistic (p-value) (p-value)

- 28 -

TABLE 5 Factors of Domestic Banks Segmented by Degree of RBIA

Factors of Domestic Banks by Level of RBIA Infrequent (30%, N=8) Mean NPL LNINTEST FORBNH BODNR INSOWN NONEXD TECHCOM 2.32 15.44 0.03 16.50 9.76 0.67 2.38 Med. 1.71 15.60 0.00 16.00 0.00 0.74 2.20 Some (between 30-70%, N=9) Mean 3.33 15.46 0.02 17.56 13.19 0.52 2.60 Med. 1.99 15.50 0.00 18.00 0.57 0.50 2.40 Extensive (70%, N=7) Mean 1.63 15.55 0.07 14.00 14.85 0.82 3.43 Med. 1.61 15.53 0.02 13.00 0.00 0.82 3.60 Infrequent vs. Some t-value Z-statistic (p-value) (p-value) -0.810 (0.43) -0.039 (0.97) 0.355 (0.73) -0.604 (0.56) -0.297 (0.77) 2.193 (0.05) -1.065 (0.30) -0.770 (0.44) -0.096 (0.92) -0.450 (0.65) -0.681 (0.50) -0.625 (0.53) -1.879 (0.06) -0.851 (0.39)

Values of Differences Some vs. Intensive t-value Z-statistic (p-value) (p-value) 1.369 (0.19) -0.125 (0.90) -1.214 (0.24) 2.035 (0.06) -0.107 (0.92) -6.859 (0.00) -2.610 (0.02) -1.217 (0.22) -0.159 (0.87) -0.829 (0.41) -1.866 (0.06) -0.509 (0.61) -3.339 (0.00) -2.183 (0.03) Infrequent vs. Intensive t-value Z-statistic (p-value) (p-value) 0.996 (0.34) -0.161 (0.87) -0.763 (0.46) 1.352 (0.20) -0.322 (0.75) -2.326 (0.04) -3.660 (0.01) -0.579 (0.56) -0.231 (0.82) -1.381 (0.17) -1.340 (0.18) -0.131 (0.90) -1.858 (0.06) -2.723 (0.01)

- 29 -

TABLE 6 Correlation Matrix RBIA Q11PRO RISK1 RISK2 RISK3 RISK4 RISK5 RISK6 NPL LNINTEST FORBNH BODNR INSOWN NONEXD TECHCOMP RISK1 RISK2 RISK3 RISK4 RISK5 RISK6 NPL LNBODFORBNH INTEST NR INSOWN NONEXD TECHCOMP

-0.093 0.141 -0.304 -0.071 -0.343 0.020 -0.037 0.005 0.161 -0.295 0.092 0.235 0.546***

1.000 0.063 -0.176 0.250 0.276 0.097 -0.146 0.344 0.371 0.152 -0.142 -0.404 -0.212

1.000 -0.087 0.104 0.113 -0.335 -0.044 0.242 0.113 -0.048 0.063 0.000 -0.105

1.000 0.096 0.226 0.081 0.179 0.134 0.124 -0.096 0.182 -0.171 -0.349

1.000 0.209 0.160 -0.221 0.257 0.279 -0.207 0.062 -0.319 -0.225

1.000 -0.056 -0.118 0.111 0.010 -0.008 0.362 -0.259 -0.299

1.000 -0.116 0.356 0.167 -0.177 -0.265 0.051 0.356

1.000 0.034 -0.338 0.082 -0.111 0.014 -0.339 1.000 0.209 -0.351 -0.300 -0.033 -0.191 1.000 -0.313 0.375 -0.085 -0.228 1.000 -0.050 -0.399 0.079 1.000 0.003 -0.289

1.000 0.315 1.000

Notes: *** Correlation is significant at the 0.01 level (two-tailed). See Table 3 for variable definitions.

- 30 -

TABLE 7 VIF Value RISK1 2.993 LNINTEST 4.335 RISK2 2.159 FORBNH 4.521 RISK3 1.636 BODNR 2.094 RISK4 1.629 RISK5 2.679 RISK6 2.601 NPL 2.178 TECHCOMP 3.215

INSOWN 4.120

NONEXD 1.993

TABLE 8 Results of Tobit Regression Analysis Variable (N=24) C RISK1 RISK2 RISK3 RISK4 RISK5 RISK6 NPL RMC LNINTEST FORBNH FHC BODNR INSOWN NONEXD TECHCOM R
2

Expected sign

Coefficient -1.188

S.E. 0.210 0.181 0.106 0.037 0.037 0.051 0.030 0.005 0.025 0.012 0.221 0.031 0.003 0.001 0.062 0.020 Adjusted R
2

z-Statistic -5.654 2.959 4.604 -3.965 3.185 -4.517 -8.968 9.460 13.172 2.073 7.442 0.154 -11.318 6.135 -4.991 19.659 0.944

Prob.* 0.000 0.003 0.000 0.000 0.001 0.000 0.000 0.000 0.000 0.038 0.000 0.878 0.000 0.000 0.000 0.000

+ + + + + + + + + + + ? + + + 0.983 46.129

0.535 0.489 -0.147 0.116 -0.229 -0.269 0.046 0.330 0.026 1.642 0.005 -0.033 0.003 -0.308 0.384

Log likelihood

Notes: *One-tail test where direction predicted, otherwise two-tail. See Table 3 for variable definitions - 31 -

Chapter 6 Conclusion and Limitation

6.1 Conclusion This study aims to investigate current use of RBIA by Taiwanese banks and to explore factors associated with the adoption of RBIA by Taiwanese banking industry. To understand banks demand of RBIA, this study examines whether the use of RBIA varies with factors reflecting banks risk management, internal control, corporate governance and internal auditors technical competence. The models tested in this study find empirical support that banks use a relatively high level of RBIA when disclose more information about financial risk management, compliance risk management, technology risk management and have a higher ratio of Non-Performing Loan. The results support H1 that the level of RBIA employed is positively associated with the banks risk management. However, the results present that the use of RBIA is negatively correlated with information disclosure about environmental and safety risk management, internal process risk management, and change management risk management. Results support H2 that use of RBIA is positively correlated with the existence of a risk management committee. This finding is consistent with findings from prior empirical research investigation voluntary demand for internal auditing

(Goodwin-Stewart and Kent 2006). Results from the present study suggest that a firms risk management framework is highly associated with the role of internal auditing in the firm. Results for H3 are mixed. Our results indicate a significant positive relationship between the level of RBIA used and Banks size, as well as the complexity of the banks. However, no support was found for H3c that the use of RBIA is positively correlated with a bank that is a subsidiary of a financial holding company.

- 32 -

The findings of this study indicate a significant negative correlation exists between the level of RBIA employed by a bank and the board size. Our finding suggests that a small board size seems to be more effective, and is more likely to use RBIA, as a complementary mechanism. Contrary to our expectations, the percentage of non-executive directors and supervisors on the board of directors is significant negative associated with the use of RBIA, the finding indicates that the higher percentage of independent directors and supervisors on the board presents better corporate governance, hence may not employ higher percentage of RBIA for monitoring of risk management, this result presents that the use of RBIA as substitute mechanism. Finally, the result support the hypotheses that banks use a relatively high level of RBIA when have a higher percentage of shareholdings held by institutional shareholders and internal auditors technical competence are higher. 6.2 Limitation The result of this study should be considered in light of two limitations. First, our measure of dependent variable- the percentage of RBIA employed by the bank is derived from questionnaire and subject to subjective judgments of each banks executive internal auditor, and we rely on the accuracy of these responses. Second, our sample is relatively small. However, this study surveys all of the 39 domestic banks in Taiwan; the response rate is relatively high: 61.54% and non-response bias tests indicate that there is no significant difference between the responding banks and non-respondents. Future research might expand the sample and to test our hypothesis in the entire finance industry.

- 33 -

REFERENCES
Beumer, H. 2006. A Risk- oriented Approach. Internal Auditor 63 (1):72-76. Carcello, J. V., D. R. Hermanson, and K. Raghunandan. 2005. Factors Associated with U.S. Public Companies' Investment in Internal Auditing. Accounting Horizons 19 (2):69-84. Carey, P., R. Simnett, and G. Tanewski. 2000. Voluntary Demand for Internal and External Auditing by Family Businesses. Auditing 19 (1):37. Carey, P., N. Subramaniam, and K. C. W. Ching. 2006. Internal audit outsourcing in Australia. Accounting & Finance 46 (1):11-30. Cebenoyan, A. S. Cooperman, E. S. Register, and C. A. 1999. Ownership structure, charter value, and risk-taking behavior for thrifts. Financial Management 28 (1):43-60. Chen, H.-J. 2003. The Relationship Between Corporate Governance And Risk-Taking Behavior in Taiwanese Banking Industry. Journal of Risk Management 5 (3):363-391. Dessalegn Getie, M., and Y. Aderajew Wondim. 2007. Internal audit effectiveness: an Ethiopian public sector case study. Managerial Auditing Journal 22 (5):470-484. Fraser, I., and W. Henry. 2007. Embedding risk management: structures and approaches. Managerial Auditing Journal 22 (4):392 - 409. FRC. 2005. Internal Control: Revised Guidance for Directors on the Combined Code. Financial Reporting Council, London London. FSC. 2004. Status of Preparation for Implementation of New Basel Capital Accord (Basel II). the Financial Supervisory Commission of the Executive Yuan (http://www.banking.gov.tw/ct.asp?xItem=57716&ctNode=701&mp=7 and http://www.banking.gov.tw/ct.asp?xItem=31509&ctNode=700&mp=7). . 2007. Implementation Rules for Bank Internal Audit and Internal Control System. Financial Supervisory Commission of the Executive Yuan. Goodwin-Stewart, J., and P. Kent. 2006. The use of internal audit by Australian companies. Managerial Auditing Journal 21 (1):81-101. Griffiths, D. M. 2006. Risk Based Internal Auditing- An Introduction. Haniffa, R., and M. Hudaib. 2006. Corporate Governance Structure and Performance of Malaysian Listed Companies. Journal of Business Finance & Accounting 33 (7-8):1034-1062. Hay, D., and W. R. Knechel. 2004. Evidence on the Association among Elements of Control and External Assurance. Working Paper (University of Auckland). IIA. 2003. Risk Based Internal Auditing, Position Statement. The Institute of Internal - 34 -

Auditors UK and Ireland London. . 2004a. The Professional Practices Framework. The Institute of Internal Auditors. . 2004b. The Role of Internal Auditing in Enterprise-wide Risk Management, Position Statement. Institute of Internal Auditors UK and Ireland London. . 2005. Review of the Turnbull guidance on internal control proposals for updating the guidance consultation paper, September. Institute of Internal Auditors UK and Ireland London. IIARF. 2003. Research Opportunities in Internal Auditing. Institute of Internal Auditors Research Foundation Altamonte Springs, FL: IIARF. Jenny, G. 2004. A comparison of internal audit in the private and public sectors. Managerial Auditing Journal 19 (5):640 - 650. Katz, E. M. 1998. Risk-based supervision, internal controls, and the internal audit function. Bank Accounting & Finance (Euromoney Publications PLC) 11 (4):49. Kippenberger. 1999. Internal audit and governance: the shift from control to risk. The Antidote 4 (3):6 - 7. Knechel, W. R., and M. Willekens. 2006. The Role of Risk Management and Governance in Determining Audit Demand. Journal of Business Finance & Accounting 33 (9-10):1344-1367. Martin, C. L., M. K. Lavine, C. R. Baker, and J. J. O'Leary. 2000. Outsourcing the Internal Audit Function. CPA Journal 70 (2):58. McCool, T. J. 2000. Risk-Focused Bank Examinations: Regulators of Large Banking Organizations Face Challenges: GGD-00-48. In GAO Reports: U.S. Government Accountability Office, 1. Pound, J. 1988. Proxy Contests and the Efficiency of Shareholder Oversight. Journal of Financial Economics January/March:237-265. Ross, S. A. 1989. Institutional Markets, Financial Markets, and Financial Innovation. Journal of Finance July:541-556. Sarens, G., and I. De Beelde. 2006. Internal auditors' perception about their role in risk management: A comparison between US and Belgian companies. Managerial Auditing Journal 21 (1):63-80. Spekle, R. F., H. J. van Elten, and A.-M. Kruis. 2007. Sourcing of internal auditing: An empirical study. Management Accounting Research 18 (1):102-124. Spira, L. F., and M. Page. 2003. Risk management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal 16 (4):640-661. Tufano, P. 1996. Who Manages Risk? An Empirical Examination of Risk - 35 -

Management Practices in the Gold Mining Industry. Journal of Finance 51 (4):1097-1137. Walker, P. L., W. G. Shenkir, and T. L. Barton. 2003. ERM in practice. Internal Auditor 60 (4):51. Zeckhauser, R. J., and J. Pound. 1990. Are Large Shareholders Effective Monitors? An Investigation of Share Ownership and Corporate Performance. in R.G. Hubbard, Ed., Asymmetric Information Corporate Finance, and Investment (Chicago, IL, University of Chicago Press):149-180.

- 36 -