臺大管理論叢 NTU Management Review VOL.30 NO.2

The Benefits of Disclosing Internal Control Weaknesses: Evidence from Taiwanese Banks 180 Control System of Financial Holding Companies and Banking Industries.” 1,2 Related statements are excerpted below. 3 For the purpose of self-inspecting an internal control system, a financial holding company (including its subsidiary companies) or a banking business would need to require that all of its internal departments and subsidiaries carry out self-inspection, and have its internal audit unit review the self-inspection reports of each department and subsidiary (including its subsidiary companies if it is a financial holding company); such self- inspection, with the reports on the correction of any deficiencies and irregularities discovered in the internal control system by the internal audit unit, shall serve as a basis for the board of directors, president, chief auditor, and chief compliance officer to evaluate the overall efficacy of the internal control system and to issue internal control system statements. (Article 14) According to this article, along with a specific ICW, banks should report “the correction” for that ICW (i.e., one or more measures for remedying the disclosed ICWs should be provided). For instance, an ICW disclosed by Taishin International Bank in its 2006 annual report states that the bank holds concerns that the private information of customers might be illegally leaked through outsourced marketing activities. The related measure to remedy such ICW is for the bank to discontinue outsourcing its marketing activities. Existing studies on ICW disclosures mainly focus on their effect on a firm’s cost of equity or debt. Ogneva et al. (2007) indicates that ICW can pertain to specific accounting issues (e.g., revenue recognition or inventory accounting) or broader control issues (e.g., 1 “Implementation Rules for Bank Internal Audit and Internal Control System” was issued in 2001 and was replaced by “Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries” in 2010. 2 Taiwan also has similar requirements for firms in general industry, stipulated in “Regulations Governing Establishment of Internal Control Systems by Public Companies,” in which Article 14 states that “the internal auditors of a public company shall communicate fully with the audited unit regarding the inspection results of the annual audit items, and shall faithfully disclose in audit reports any defects and irregularities of the internal control systems discovered in [the] assessment.” Nevertheless, the divergence in disclosure practices is considerable. Most firms simply contend that they find no material irregularities of the internal control systems, whereas some firms provide ICW disclosures on an irregular basis. Hence, we focus on data from banks to avoid sample selection bias. 3 In the previous studies (such as Ashbaugh-Skaife et al. (2009) and Dhaliwal et al. (2011), ICWs mandated to SOX 302 or 404 are the internal control weaknesses identified by the management team of the company, and also assured by the certified public accountants. These ICWs are more severe in substance. Comparably, the ICWs in this study reflect the deficiency which banks report in their annual reports. These ICWs may not necessarily result in severe negative consequences.