Title

A Study on Enterprise Risk Management and Internal Control Auditing Mechanisms in the Internet of Things Environment

Parallel Title

Enterprise Risk Management and Auditing Mechanism of Internal Control for IoT Governance

DOI

10.6188/JEB.201906_21(1).0003

Authors

張碩毅(She-I Chang);張麗敏(Li-Min Chang);萬貴然(Grand Wan);廖展群(Jhan-Cyun Liao)

Keywords

Internet of Things (IoT) ; enterprise risk management ; IT governance ; internal control ; auditing mechanism

Journal

電子商務學報 (Journal of e-Business)

Volume/Issue (Publication Date)

Vol. 21, No. 1 (2019 / 06 / 01)

Pages

77 - 119

Language

Traditional Chinese

Chinese Abstract

The purpose of this study is to develop an enterprise risk management and internal control auditing mechanism for the Internet of Things (IoT) environment. Based on qualitative research methods and Gowin's Vee knowledge map, the study first compiled IoT environment risk factors and internal control audit items through a literature review; the risk factors and audit items were then mapped against enterprise intersecting risks and the COSO internal control integrated framework to produce a draft questionnaire, which was revised through Delphi expert questionnaire interviews. Second, the study applied the Three Lines of Defense established by the Institute of Internal Auditors (IIA) and the concept of Capability Maturity Model Integration (CMMI) to further develop the audit process and assessment method. Finally, the study conducted empirical case studies in three companies to verify the feasibility of applying the resulting audit mechanism to enterprise internal control auditing. The results contribute to academia by strengthening qualitative research knowledge and serve as a reference for practitioners implementing enterprise risk management and internal control auditing in the IoT environment.

English Abstract

The aim of this research is to explore the factors influencing enterprise risk management and the auditing mechanism of internal control in the Internet of Things (IoT) environment. Applying a qualitative research approach and following Gowin's Vee research strategy, this study first reviewed the relevant literature and used the Delphi expert assessment method to identify risk factors as well as auditing items in the IoT environment. Second, according to the nature of eight types of intersecting risks and the COSO 2013 internal control framework, this study constructed the three lines of defense for effective risk management and an internal control mechanism based on the evaluation criteria of Capability Maturity Model Integration (CMMI). Lastly, this research conducted an empirical case study of three enterprises to verify whether the risk factors and auditing mechanism can be effectively used for internal risk control assessment within a corporation. The audit mechanism established in this study and the empirical case study process can be referenced by academia for enhancing the knowledge of qualitative research, and by industry as a reference for IT governance in the IoT environment.

Subject Classification

Humanities > General Humanities
Basic and Applied Sciences > Information Science
Basic and Applied Sciences > Statistics
Social Sciences > General Social Sciences