Research on Enterprise Informatization Risk Governance Based on COSO & COBIT
Abstract
Enterprise informatization can bring a qualitative leap in the quality of enterprise management and in operating results. Gaining comparative competitive advantage through informatization is recognized by more and more enterprises. However, the informatization process is accompanied by great risk; if the associated risks are ignored or left unchecked, they will inevitably cause the enterprise heavy losses. Enterprise informatization, with its high risk and high failure rate, therefore needs to be approached rationally rather than on the basis of experience alone. As one of an enterprise's sustainable development strategies, informatization risk governance must be raised to the level of enterprise risk governance.

After reviewing a large body of literature, the author finds that there is little theoretical research on enterprise informatization governance from a risk perspective. In practice, most enterprise informatization in China is project-driven rather than goal-driven and lacks long-term strategic planning. Theoretical research and practical exploration of enterprise informatization risk control in China are still at an early stage.

In 2004 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) formally released Enterprise Risk Management: Integrated Framework (ERMF). The framework incorporates the internal control framework and allows enterprises to move toward a more comprehensive risk management process. On the other hand, Control Objectives for Information and related Technology (COBIT) is the IT governance framework most widely adopted internationally; it provides enterprise informatization with an authoritative and globally accepted set of standards whose purpose is to standardize and improve IT governance, effectively prevent and control risk, and increase the value of information technology.

Building on a survey of the state of enterprise risk control research at home and abroad, this thesis takes financial risk as its perspective and COSO's Enterprise Risk Management: Integrated Framework and COBIT as its theoretical platform. Using the 34 IT processes in COBIT's four domains together with their detailed control objectives, and the eight interrelated components of enterprise risk management described in the ERMF, it constructs an enterprise informatization risk control model and analyzes the effect of informatization on financial risk. Next, on the basis of this theoretical work, the ERMF and COBIT risk control model is applied in an "ERMF & COBIT risk analysis support system". Finally, the results of the theoretical and practical research are summarized.
