以COBIT 5觀點探討ERP系統風險管理機制

Development of an Enterprise Resource Planning System Risk Management Mechanism Based on COBIT 5

本研究以電腦稽核協會於2012 年所發布的資訊科技與資訊系統控制架構──COBIT 5 為基礎，建構出一套適用於企業資源規劃系統的風險管理機制。本研究運用Gowin's Vee (Gowin 1981)模型建立本研究流程。在理論端，本研究透過文獻探討方式，藉由蒐集與編碼相關文獻，建構出ERP 系統風險管理機制之雛型。透過德爾菲法執行兩回合的專家問卷，進行內容效度和一致性的檢定以完成本研究機制之修正，修正後之COBIT 5 為基礎的ERP 系統風險管理機制具有4 構面、52 項風險因子及針對風險因子的125 項控制項目。在實證端本研究以個案研究，透過與個案公司的深度訪談，驗證本研究機制之有效性。本研究結果，能協助企業藉由風險辨識、評估、回應、監督與修正等完成整個風險管理的程序，快速找出潛在的風險因子並採取控制措施，提供企業一個便利且有效的ERP 系統風險管理工具。

The present research investigates the possible ERP system risk factors based on COBIT 5 released by ISACA for information technology and information system control architecture in 2012. Gowin's Vee (Gowin 1981) is adopted as the main research strategy in this study. First, on theoretical development , this study collects and codes relevant literatures; then, the prototype of ERP systems risk management mechanism is formed through literature review. A two-round Delphi expert questionnaire is then adopted to revise the prototype of the risk management mechanism via optimizing content validity ratio and consistency test. The finalized establishment of the Mechanism of ERP systems risk management consists of 4 dimensions, 52 risk factors, and 125 control items. Finally, this study adopts a case study method, conducting an in-depth interview with a case company and assessing the validity of the research results on the practical side. The findings of this study add to enterprise risk management process consisting of the steps of identification, assessment, response, and monitoring and revision to provide enterprises a convenient, quick, and suitable ERP systemrisk management tool.