法令遵循考核機制-以銀行業為中心

Abstract

本研究針對銀行業稽核報告制度探討，西元(下同)2018年3月31日為落實法令遵循效能報告及監督方面，增訂金融控股公司及銀行業內部控制及稽核制度實施辦法(以下簡稱銀行內控內稽辦法)第34-1條第1項第10款，有關稽核報告內容應包含「法令遵循單位績效考核」及「全行法令遵循程度之評估意見」，以強化該等報告之效能。因此稽核單位運用稽核方法、確認組織架構、評估稽核單位風險、安排場外監控項目、擬定查核計畫、安排個案查核計畫、執行查核(含實地查核)、與受查單位座談會議、彙整稽核報告書提供給受查單位，另在稽核業務報告時需彙整查核結果並提報董事會，法規要求報告內容要求需增加「法令遵循單位績效考核」及「全行法令遵循程度之評估意見」兩項稽核意見，以提供資訊給董事會瞭解法令遵循單位辦理成效及全行業務法令遵循風險控制程度。 本研究藉由實務上受查單位稽核報告內容，包含業務類別(例如:存匯、消金、理財、信用卡)、內部管理、會計報告等事項，說明查核確認業務控管情形，再由風險類型區分作業風險、法令遵循風險、消費者保護風險等面向，確認並分析不合規範占比及查核發現事項評價，藉此探討評估法令遵循風險方法，作為稽核報告有關「法令遵循單位績效考核」及「全行法令遵循程度之評估意見」之建議，讓董事會能在整體機構風險評估範疇內，充分掌握法令遵循風險程度狀況，進而採行有效指導法令遵循風險管理策略，並負擔決策責任。

This study investigates the audit reporting framework within the banking sector. To strengthen the effectiveness of regulatory compliance reporting and oversight, Article 34-1 of the Implementation Rules of Internal Audit and Internal Control Systems of Financial Holding Companies and Banking Industries was amended on March 31, 2018. This provision aims to enhance the utility and accountability of audit reports by requiring the inclusion of both a “performance evaluation of the compliance unit” and an “assessment opinion regarding the overall level of regulatory compliance across the bank.

Accordingly, the audit unit applies audit methodologies, confirms the organizational structure, assesses risks associated with the audit function, arranges off-site monitoring activities, formulates annual audit plans, develops case-specific audit programs, conducts audits (including on-site inspections), holds meetings with audited units, and compiles audit reports for submission to the audited entities. Furthermore, when presenting audit results, the audit unit must consolidate the findings and report them to the board of directors. In accordance with recent regulatory amendments, audit reports are now required to include two additional audit opinions: a “performance evaluation of the compliance unit” and an “assessment opinion on the overall level of regulatory compliance across the bank.” These additions aim to provide the board with clearer insights into the effectiveness of the compliance unit’s operations and the institution-wide status of compliance risk management.

This study analyzes the content of audit reports from audited units in practice, covering business categories such as deposits and remittances, consumer banking, wealth management, and credit cards, as well as internal management and financial reporting. The audit procedures are used to verify the status of business control implementation. Risks are then categorized into operational risk, regulatory compliance risk, and consumer protection risk. Based on this framework, the study identifies and analyzes the proportion of non-compliant items and evaluates the audit findings. The purpose is to explore methods for assessing regulatory compliance risk and to provide recommendations regarding the inclusion of the “performance evaluation of the compliance unit” and the “assessment opinion on the overall level of regulatory compliance across the bank” in audit reports. These recommendations aim to assist the board of directors in gaining a comprehensive understanding of compliance risk levels within the institution’s overall risk assessment framework, thereby enabling more effective oversight of compliance risk management strategies and fulfillment of their decision-making responsibilities.