Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/118753
|
Title: | The decision making of key audit matters in banking industry: focusing on IT risk |
Authors: | 陳亮宇 Chen, Liang-Yu |
Contributors: | 馬秀如 陳亮宇 Chen, Liang-Yu |
Keywords: | Key audit matters; Banking industry; IT risk; Quality of decision-making |
Date: | 2018 |
Issue Date: | 2018-07-19 17:24:30 (UTC+8) |
Abstract: | International organizations have reformed auditing standards to require auditors to disclose the key audit matters (KAM) of the audited entity, so that each audit report differs and its value is enhanced. Enterprises now operate in a different environment than before: information technology (IT) risk has risen, especially in the banking industry, and the risk management frameworks banks applied in the past seem no longer sufficient. It would therefore seem natural for bank auditors to include IT risk-related matters in KAM and so improve the quality of communication. But is that actually the case?

Prior studies of KAM are numerous, but their conclusions differ: some find KAM useful, while others find it useless. The former used idealized KAMs that diverge from real ones, so their conclusion that KAM has value is unsurprising. The latter used real KAMs, but real KAMs have many deficiencies, so taking them as the object of study is too limiting. This study therefore reviews 73 auditors' reports from home and abroad and 4 incidents in which IT losses occurred, analyzes how KAMs are disclosed, and points out how they can be improved.

The study finds that auditors of domestic banks include IT risk matters in KAM less often than auditors of foreign banks. Even when auditors of domestic banks do include IT risk matters in KAM, the quality of their reports falls short of that of foreign banks' auditors. These KAM decisions can be improved in the following ways. When focusing on where IT risk significantly affects the audited entity, auditors should emphasize the IT controls whose effects are deep and pervasive; a single financial statement item is only one of the aspects affected by IT controls. When cross-referencing a KAM to the entity's related disclosures, auditors should consider how relevant those disclosures are to intended users' understanding of IT risk. When drawing intended users' attention to the key aspects of an IT risk matter, auditors should state clearly what those key aspects are and avoid overly vague narrative. When explaining the KAM decision they reached, auditors should genuinely help users gain insight into its reasons. Auditors should link the KAM to the specific circumstances of the audited entity, or explain their principal considerations, to bring out the degree of customization of the KAM. |
Description: | Master's thesis, National Chengchi University, Department of Accounting, 105353008 |
Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0105353008 |
Data Type: | thesis |
DOI: | 10.6814/THE.NCCU.ACCT.029.2018.F07 |
Appears in Collections: | [Department of Accounting] Theses
|
All items in 政大典藏 are protected by copyright, with all rights reserved.
|