The imminent pain points and challenges
TDCC has innovated its business implementation and information technology in recent years, and the relevant internal control regulations have also been gradually aligned with international standards. These factors have drastically impacted the company’s internal audit office in terms of concepts and practices. Therefore, dire transformation is crucial to meet practical needs.
(1) Improving the evaluation methodology of risk assessment
The FSC has required that banks implement the risk-based internal audit system since 2017. As of 2018, the internal audit office has also taken risk assessment as the preliminary work for the following years’ planning for internal self-inspection and internal audit. The office assesses the internal and external variants, the risks caused, the extent influenced, and the likelihood of them happening. Then the office organizes the annual plan based on the assessment result and decides on the audit frequency and scope according to the risk level. However, the existing focus is still on tracking previous abnormal transactions or events for risk assessment, which is slightly inadequate for detecting and preventing fraud.
(2) Eliminating the reliance on standard working papers
As corporate business and processes have been automated, compliance audit and working papers can no longer meet audit needs. The conventional, meticulous audit methodology with exhaustive requirements became a burden for internal auditors and made the audited units over-reliant. Also, the internal audit office, which should have been the third line of defense, was downgraded to the first and second line of defense and was deprived of the exertion of true audit values.
(3) Reducing the errors in audit sampling
According to statistics, type I and type II errors caused by sampling should be avoided. (table 1). Type I errors will result in low-risk events being misjudged with the need for high-risk control. On the other hand, type II mistakes will incur invalid audit due to the risk of incorrect acceptance. The internal audit office, the third line of defense, was confined by its human labor and technical limitations. It still adopted random sampling as the audit approach and could not analyze the whole population. The office had long been faced with the challenges of insufficient sample size or unrepresentative samples.
(4) Developing continuous audit
In conventional audit, besides the manual sampling, audit is conducted after transaction instead of real time. As issues such as corporate governance, risk management, and legal compliance have been valued in Taiwan, the internal audit office consulted domestic and international practices and made efforts to find the tools for “continuous monitoring” which are similar to the first and second line of defense mechanism. In this way, the automated “continuous audit” can elevate the efficiency and effectiveness of audit operation.
II. Learning and implementing data analysis
In order to tackle the previously mentioned predicament and march toward the digital era, the internal audit office initiated the blueprint for digital transformation (diagram 1). It has acquired data analysis to implement digital audit since 2019, turning a new chapter of the transformation.
Source: Research of the internal audit office
Diagram 1: Development blueprint for digital audit from the internal audit office
(1) The initial endeavor: peripherals and business
The focus of big data is not on the amount of the data but on integrating a wide variety of data, which can be analyzed and serve as a reference for business implementation. In the early stage of manual sampling, the internal audit office already employed a wide range of data to join and relate, which was aligned with the fundamental spirit of data analysis. The only ones required were eliminating sampling risk, raising reliability, and analyzing the whole population.
Through the guidance of consultants between 2019 and 2020, the internal audit office first started with peripheral business and systems with structured data, including the “Inquiry Database System” (diagram 2), “Network-Based Data Loss Prevention System” (diagram 3), and “Remittance Operation of Interest from Short-Term Capital as Time Deposit” (diagram 4), which were processed within the major areas of audit.
The results of the analysis showed positive findings. For example, the “Inquiry Database System” revealed the issues of overlapped accounts and reviews; the “Network-Based Data Loss Prevention System” also analyzed the potential risks of employees’ behavior regarding online surfing or email use.
Source: Research of the internal audit office
Diagram 2: Data analysis of the “Inquiry Database System”
Diagram 3: Data analysis of network-based data loss prevention system
Source: Research of the internal audit office
Diagram 4: Remittance Operation of the Interest from Short-Term Capital as Time Deposit
Besides, at the end of 2020, the internal audit office partnered with units from the first line of defense and introduced tools focusing on the “user operational behavior” on “Big Data Analysis Application Platform.” TDCC and the units also co-organized “continuous monitoring” and “continuous audit” (diagram 5). This case will be applied to other systems in 2022.
Source: 2020 big data auditing planning final report.
Diagram 5: Monitoring tools’ functions for user operational behavior
(2) Comprehensive implementation: core systems and business
In the fourth quarter of 2021, with prior experience on analysis, the internal audit office focused on auditing subjects involving risks and started making plans for core business from 2022. Since 2022, the office has started digital audit in the company’s core business, including equity securities, futures, bonds/bills, cross-border custodians, and funds
Source: Research of the internal audit office
Table 2: Digital audit subjects for core business
III. The revolution has not yet concluded, and comrades’ endeavor is still necessary
As the saying goes, “Well begun is half done.” The internal audit office will initiate even more sophisticated digital audit in the core business, and it will still encounter various challenges in terms of analysis in the future.
(1) Ensuring data quality
The office will consider repeatability and continuous use of the analytical model to ensure the quality of analysis and logic. The analytical logic will also be annotated. In addition, standardized data and formats will be required to save the analytical workforce.
(2) Fostering a sufficient number of talents
TDCC is like an abundant treasury housing a wide range of data, all of which are integrated as different types of risk information. Excavating the corresponding risk information targeted on control from this enormous treasury requires personnel with professional data analysis, interpretation, and insight. Therefore, fostering personnel’s capabilities is the crucial task of the internal audit office.
(3) Compliance-based audit and data analysis shall be equally emphasized
Data analysis is not the elixir, after all. After the comparison of a massive amount of data, there might be no striking discrepancy or issues, just as the case “Remittance Operation of the Interest from Short-Term Capital as Time Deposit” shows. In addition, data analysis is not the internal audit office’s only approach to transformation, and it cannot completely replace compliance-based audit. The office can only exert the most significant effect of audit by incorporating both of them.
IV. Conclusion
The internal audit office has already taken the first successful step in data analysis. The office will follow the trend of TDCC’s business transformation; it aims to identify exceptions by analyzing the entire population; it also plans to find potential risks by predicting the near future based on the distant future. The office looks forward to expanding the range of analysis to unstructured data, employing text or image recognition technology, or even introducing intelligent analysis such as AI and machine learning techniques. The office can provide more insightful audit services and create more operating value for TDCC.
