Guidelines and related regulations
In 2009, the Institute of Internal Auditors (IIA) adopted the “International Professional Practices Framework” to serve as a comprehensive set of guidelines for internal auditors performing professional duties. The IIA also requested that all member countries and members comply with these guidelines. In response, the Institute of Internal Auditors - Chinese Taiwan has stopped using the professional practices, ethical guidelines, and other related standards that it originally announced.
Risk-based internal auditing system
Given the rapid pace of change in the financial environment, the FSC has promoted the risk-based internal auditing system to implement a graded management system, which allows financial institutions to adjust internal audits flexibly and enhance their capabilities of risk identification as well as assessment in response to business needs. Domestic banks and insurance companies can decide the auditing frequency based on the results of internal risk assessments. Institutions adopting this auditing system shall establish supporting measures, such as an off-site monitoring mechanism, and regularly review the results of risk assessments for internal audits. They are required to possess sufficient qualified audit personnel to focus on significant risks and enhance the depth of examinations to improve audit quality.
FAQ for Domestic Banks Adopting Risk-Based Internal Auditing Systems
I. Application criteria
Q1-1: What documents should be provided to show that “the bank does not show insufficient loan loss provision and reserves based on the most recent financial examination and the most recent CPA-audited and certified financial statements”?
A:
(1) “The bank does not show insufficient loan loss provision and reserves” means that there are no insufficient loan loss provisions and reserves based on the most recent financial examination findings and no retained opinion in the most recent CPA-audited and certified financial statements; or that the CPA’s audit report on the internal control system has expressed that the institution’s provisions for bad debts are sufficient to cover potential losses.
(2) Banks can provide the related content from the most recent CPA-audited and certified financial statements or the CPA’s audit report on the internal control system as evidence.
II. Application documents
Q2-1: Is it adequate for a bank to submit a summarized description of the three lines of defense framework and internal audit systems and operations to meet the requirements for the application documents specified by the FSC?
A:
(1) The description of the three lines of defense in the internal control system should include segregation of duties and monitoring operations. The content on the internal auditing system shall contain at least the items of the Self-Evaluation Form for Applications to Adopt a Risk-Based Internal Auditing System, as attached to FSC Order Jin-Guan-Jian-Zhi No. 11206000101 dated January 17, 2023.
(2) With regard to the application documents provided, the applying bank shall carefully consider whether the information and explanations provided are sufficient for the Financial Examination Bureau to confirm that the frameworks, operations, and risk assessments adopted by the bank are appropriate, and that its internal auditing system is effective.
Q2-2: Should the Audit Committee/Board of Directors approve all application documents, in addition to agreeing on the adoption of a risk-based internal auditing system?
A:
Pursuant to Section One (Two) of FSC Order Jin-Guan-Jian-Zhi No. 11206000101 dated January 17, 2023, when the application proposal is submitted to the Audit Committee and Board of Directors for approval, the relevant application documents should also be submitted for review. Thus, the application documents submitted to the Financial Examination Bureau should have received approval from the bank supervisor or Audit Committee and should be submitted to the Board of Directors for approval. In this way, the Financial Examination Bureau knows that these application documents have been approved by the applying bank’s senior management.
Q2-3: Is it sufficient to only list the titles of each report without attaching the actual supervision report in terms of significant operational risk?
A:
Apart from listing the titles of reports, the applying bank should attach important reports relevant to the risk assessments conducted by its audit department. This is to allow the Financial Examination Bureau to assess the effectiveness of the risk assessment and reports of the applying bank. The Financial Examination Bureau may also request the bank to provide supplemental explanations, if necessary.
III. Implemented operations
Q3-1: How should internal audit items required by law, and audit items with deadlines conducted on the instructions of the Banking Bureau, be incorporated alongside the risk-based internal auditing system?
A:
(1) Apart from the instructions provided by the Banking Bureau for conducting audit items with deadlines, banks shall plan annual audits based on the results of their risk assessments, as well as internal audit items required by law.
(2) When conducting regular reviews of internal audit risk assessment, the bank shall take relevant risk monitoring information and legal requirements into sufficient consideration. Therefore, it should incorporate this information as an important reference for its internal audit items and review whether its audit plans should be amended.
Q3-2: Should internal audit quality assessments be conducted as part of a parent organization’s internal audits?
A:
Internal audit quality assessments shall be conducted by the parent organization’s internal audit. However, assessments carried out through this method shall still be considered a self-assessment, and the bank’s internal audit department shall commission an external organization to verify the assessment results at least once every five years.
Q3-3: Should a bank adopting a risk-based internal auditing system report to the Financial Examination Bureau for approval in advance or file post-implementation reports if there are subsequent adjustments to its risk-based internal auditing system?
A:
Banks that have adopted a risk-based internal auditing system shall report to the Financial Examination Bureau for future reference if these adjustments constitute a significant change to the methodology, procedures, or overall operation of the system (including changes to audited entities).
Q3-4: Are there any restrictions on the frequency with which banks approved to adopt a risk-based internal auditing system shall conduct internal audits? How should banks allocate the resources to conduct internal audits?
A:
(1) Banks that have obtained approval to adopt a risk-based internal auditing system may determine their own frequency for conducting internal audits based on the results of their risk assessments. However, in order to ensure the effectiveness and quality of these audits, it is recommended that, during the initial implementation, banks gradually adjust their methods and avoid suddenly decreasing the examination frequency to a large extent.
(2) In order to implement risk-focused internal audits, banks adopting a risk-based internal auditing system shall comply with the “Best Practice Principles for Banks Establishing a Risk-Based Internal Auditing System” when establishing mechanisms for regularly reviewing the results of internal risk management audits and monitoring the significant risks of audited entities. Therefore, banks must establish appropriate off-site monitoring systems and other supporting measures and ensure that they possess sufficient and apt audit personnel. Thus, they should avoid suddenly and significantly reducing the number of audit personnel, and shall aim to improve audit quality.
Q3-5: What should a bank approved by the FSC to adopt a risk-based internal auditing system do if it fails to submit audit plans for the following year to the Board of Directors for approval before the end of December that year?
A:
The applying bank shall still comply with Article 22 of the “Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries”; it shall submit an audit plan for the following year before the end of this accounting year. However, after completing this reporting, if there are adjustments to the internal audit plan due to the approval of adopting a risk-based internal auditing system, an application should be submitted to the Financial Examination Bureau to make the system available and update the annual audit plan after obtaining approval from the Board of Directors.
Q3-6: Should banks adopting a risk-based internal auditing system apply to the Financial Examination Bureau, FSC, for updating their reporting if they need to amend the annual audit plan due to a regular review of their risk assessment?
A:
Pursuant to Point 14 of the “Best Practice Principles for Banks Establishing a Risk-Based Internal Auditing System”, risk assessment results should be regularly reviewed as part of internal audits to determine whether amendments should be made to the annual audit plan. Thus, banks that have been approved by the FSC to adopt a risk-based internal auditing system, and that have already stated under the section “II. Description of Established Plan” of the submission form for their annual audit plan to the competent authorities that “The internal audit shall also determine whether to amend its annual audit plan based on regular risk assessment results in response to the external business environment or internal business development”, shall not be required to submit new plans to the Financial Examination Bureau if adjustments to the bank’s audit plan are made in accordance with the risk assessment results. The bank is only required to describe the differences between the original audit plan and the actual audits implemented in the Annual Audit Implementation Report submitted before the end of February the following year.