Assessment Mechanism of Internal Control for Information Technology Governance

• Main Authors: Chang, I-Cheng, 張益誠
• Other Authors: Chang, She-I
• Format: Others
• Language: en_US
• Published: 2011
• Online Access: http://ndltd.ncl.edu.tw/handle/00975428690010937141

博士 === 國立中正大學 === 會計與資訊科技研究所 === 99 === After the Section 404 of the Sarbanes-Oxley Act (SOX) was enacted, more and more publicly listed firms have emphasized the effectiveness of internal control, especially in an information technology environment. However, regulation does not require any specific framework when management assess and report the effectiveness of internal control with respect IT environment. Also, management traditionally perform the assessment of IT control by using qualitative judgment, and such assessment result has been challenged. Hence, this dissertation attempts to present a logical and objective assessment mechanism for appraising the internal control of information technology. This dissertation applies the Gowin's Vee structure to formulate research strategies to gain findings that are both theoretical and methodological. The Gowin's Vee model has a V-shaped structure. The left-hand side of this structure is theoretical end, and methodological end is placed in the right-hand side of this structure. On the theoretical end, this dissertation established an assessment prototype including categories/dimension/items of internal controls on information environment by Grounded theory. This dissertation conducted coding process (open coding, axial coding and selective coding) on relevant contents from 37 academic journal papers and then found out the preliminary assessment prototype containing assessment categories/dimension/items. Moreover, to confirm the content validity of assessment categories/dimension/items selected, the Delphi methodology used in this dissertation. 25 experts invited as panelists and performed three rounds of Delphi questionnaire. There are totally two main assessment categories/11 assessment dimensions/34 assessment items enumerated as well as utilized in the proposed assessment mechanism. On the methodological side of Gowin’s Vee structure, this proposed assessment mechanism verified via a multiple-case study to examine its usability in practice. Two public-listed companies selected as case companies. With regard to the usability of this IT control assessment mechanism, this dissertation adopts five specific features from ISO 9126 framework to validate. This dissertation expected that such a mechanism would be applied by management to reinforce IT control and IT governance in the entity.