dc.description.abstract | Due to the development of technology and the popularity of financial services, more and more banks are bringing technology into the services their organizations offer. Although technology brings convenience, it also brings risk. In 2016, Taiwan saw the first hacking of a bank ATM system in its history, with a total loss of over NT$80 million. In 2017, hackers successfully compromised Far Eastern International Commercial Bank's international remittance system, SWIFT, and transferred NT$1.8 billion in remittances overseas. Banking is an ancient industry with a long history. Facing digital transformation, can traditional financial executives understand the risks brought about by information technology?
This study compares and analyzes the information security systems of the financial industry in Taiwan with those of other financial centers (e.g., the United States, Hong Kong, the United Kingdom, Australia) through an analysis of national regulations and the publications of various international organizations. In addition, the study explains the internal audit best practices of various international organizations and, through case summaries, analyzes the information security-related penalties announced by the Financial Supervisory Commission, the financial authority in Taiwan, together with the major events and related news, in order to understand from an internal auditor's point of view whether these events are due to deficiencies in systems or regulations. The study also compares the penalized cases with the best practices to identify where the audit function could be improved.
The results of this study show that the CFI issued by the Hong Kong authority, HKMA, is the most comprehensive information security regulation, while the other major financial centers generally lack systematic requirements and have no relevant requirements for internal auditing. The domestic authority does not even have a specific law on information security in the financial industry. The improvement of an organization's information operations should be emphasized both systematically and institutionally; the internal audit function's audit work on information operations should be conducted by professional information internal auditors, and emphasis should also be placed on confirming whether the system of control measures has actually been established. | en_US |