| 摘要: | 企業組織依賴資訊系統的程度與日俱增,隨著企業營運規模逐漸擴大,資訊主機及網路設備數量也隨著增加且更加複雜,因此也造成了近年來在國內外陸續發生許多資訊舞弊案件,不但造成企業的經濟損失,甚至會影響企業的聲譽及造成社會大眾的負面印象。大部份的資訊舞弊案件都是利用企業的內部控制缺乏完善的規劃而產生的內控疏失,加上透過電腦運算及網路傳遞快速,傳統的稽核人員對於查弊及補救的應變時間已經無法應付。本研究將以個案公司為例,先透過訪談相關資訊及稽核人員了解現況及問題所在,並收集整理相關法規及文獻資料,探討如何利用SIEM系統來協助資訊及稽核人員來做好組織的資訊內控與稽核,利用導入SIEM系統實際蒐集到企業運行的初級資料為主,次級資料為輔,以進行資料之蒐集、分析與整理,在導入後再針對上述人員進行訪談,以了解導入後是否對於個案公司的內控與稽核有實質的助益,以及需要後續多加注意之事項。本研究所進行對企業運用電腦稽核技術來改善內控稽核制度之實證研究結果,期能提供給欲導入相關系統的企業界及稽核人員一個參考的方向以及需注意的事項,以提昇查核品質及降低資訊安全風險並強化內部控制。消極方面包括預防舞弊,確保資產、財務資訊的可靠性及真實性等,積極方面則包括提高組織的經營績效、降低企業的營運風險及提昇有限資源的使用效率等。Enterprises increasingly rely on the information systems for daily operation. As the scale of business grows, the numbers of IT servers and network equipments have also increased and become more complicated. Therefore, lots of IT fraud cases occur in recent years worldwide. And, these frauds not only cause economic loss but also affected the reputation of the enterprises, negatively impacting enterprise impression among the community. Most of IT fraud cases take advantage of the deficiency of internal control. Given the computing capability and the fast pace of the network, auditing staffs are unable to cope with the frauds and come up with timely remedies.This study uses the case company as an example. Through interviews with relevant IT professionals and auditing staffs to understand the current situation and the problems first and the collections of related regulations and documents later, the study has discussed how to use SIEM systems to help IT professionals and auditing staffs to do the internal control and auditing on the information of the organizations well. Using the actually collected primary data from the business operation that has imported SIEM systems to the organizations as the base and the secondary data as supplements, the data collection, analysis and sorting are conducted. Besides, after importing SIEM systems to the organizations, there are interviews with the people mentioned above in order to know whether it really has essential contribution to the internal control and auditing of the case company. In addition, it also points out careful matters that are needed to be followed up afterwards. This study has conducted the analysis of the results in the improvements of the internal control and auditing systems of the enterprises by using the computer auditing techniques and it is expected that it can provide relevant IT professionals and auditing staffs a direction of the reference and the matters needed to be watched in order to enhance the quality of the auditing, lower the risks of the information security and strengthen the internal control. On the passive side, it includes fraud prevention, asset assurance, the reliability and the authenticity of the financial information, etc. On the aggressive side, it includes the improvements on the operating performance of the organization, the reduction of the operational risks and the increase of the use efficiency of limited resources, etc. |
