企業資源規劃系統內部控制制度之建構－－以某通訊產業公司為例

A Study of ERP System Internal Control Framework - The Perspective from a Telecommunications Case Company

隨著企業採用企業資源規劃系統的協助作業以及無紙化作業的趨勢下，早期的紙張憑證已經被轉換為電子化的資訊。在此情況下，如何確保資訊系統的資料品質無誤，提供正確資訊供企業進行決策，同時讓會計師在簽證由系統所產生的財務報表時，可以將查核風險降到最低是現階段重要研究課題之ㄧ。本研究第一階段採用紮根理論研究法找尋出資訊系統應有之內部控制作項目的相關變數，以證期局所訂定之「公開發行公司建立內部控制制度處理準則」中的控制規範建構出本研究雛形。再經擁有企業資源規劃系統維護、管理及稽核實務經驗專家們的修正與確認，試圖提出『企業資源規劃系統之資訊循環內部控制要點』。第二階段將以理論端建立之雛型為基礎，以個案研究法驗證，確認本研究提出之控制項目的可用性及有效性。藉由本研究所建構出12個構面共37項控制項目的成果，期望能夠提供一個準則，供稽核人員進行企業資源規劃系統查核時可以針對應控管的內部控制點進行有效查核。而企業在資訊系統管理上，亦可考量本身基礎架構上的限制並搭配本研究之成果，決定有哪些控制點是必要的，有哪些可以被歸納為最好具備，如此一來不只可以降低資訊系統管理上的成本，同時亦可建構完善的資訊系統管理機制。

With the advancement of information technology and the assistance of information systems, such as Enterprise Resource Planning (ERP), which promotes a paperless working environment, companies have gone from paper certificates to the electronic storage of information in the form of corporate resource organization system archives. However, with companies increasingly relying on information technology, how does this ensure that the information contained in information systems will be error-free, so that it can improve policy-making abilities, and at the same time minimize the auditing risk associated with having an accountant certify financial statements generated by ERP? This is an important task that needs to be studied at this juncture. In the first stage of this study, necessary related variables contained in the internal controls of the information system were searched through the discussion and arrangement of relevant documents and by grounded theory. We used the control regulation set by the Securities and Futures Bureau in the “Regulations Governing Establishment of Internal Control Systems by Public Companies,” as a model. With revision and acknowledgment by professionals with actual experience in the maintenance, management and auditing of Enterprise Resource Planning (ERP), we attempt to raise “Critical Points in the Internal Controls of Enterprise Resource Planning (ERP),” to provide auditors with a method to audit the data quality accordingly. The second phase will use a model built upon theories as a basis, relying on the case study method to verify the usefulness and effectiveness of the control entries raised by this study. By constructing 12 elements and a total of 37 critical factors, we hope that the results will provide a standard, which the auditors can effectively use when auditing the internal control points that should be in a corporate resources organization system. This will thereby reduce risks when accountants audit and certify financial statements. When examining their control of the corporate resources organization system, corporations can look to the restrictions of their own basic structure, then look to the results of this study and decide which control points are “Need to do” and which ones can be classified as “Best to have.” In turn, this will reduce the cost of information technology management and concurrently develop a complete system for information technology control.