26 research outputs found

    A Framework for Assessing Organisational IT Governance Risk and Compliance

    Enterprises have begun to understand that information technology (IT) is not only about technical aspects. Managing IT requires (IT) governance, (IT) risk management and (IT) compliance. In the classical approach each of these has been handled separately, which is not very efficient: business produces value and all processes are to be optimised. As a solution to the problem, the "GRC" paradigm (Governance, Risk management and Compliance) has been brought over from the business world, which would connect them all. This master's thesis presents a systematic literature review on the topic of IT GRC and an IT GRC framework compiled from its results, the aim of which is to simplify enterprises' efforts in adapting their IT processes. To assist the end user, a web application has also been created for the framework, which helps in using the framework. The created framework is based on scientific articles and has also passed an initial validation. Today, enterprises have come to understand that Information Technology (IT) is more than just a technical issue. Disciplines such as IT governance, (IT) risk management and (IT) compliance have been established to steer it. Though there have been some improvements, these domains are usually focused on separately in silos, which raises a problem of performance and efficiency, where less business value is created due to the complexity of the process flows. In order to cure it, there has been an adoption from the business world, referred to as “GRC”, which covers all three disciplines of governance, risk management and compliance. The paper conducts a systematic review on the discipline of IT GRC, taking out best practices, researching what has been done to integrate them, and proposing a synthesized framework from the review results. The framework, unifying the disciplines, is supposed to ease the adoption of IT GRC in an enterprise, providing a structure to manage IT and business together, thereby improving business performance.
In addition to proposing an IT GRC framework, the paper presents a web application to support the framework adoption. The proposed model is based on the scientifically proven best practices of the state of the art, which would give a certainty of its value. The empirical study will help to contribute to improving the effectiveness of IT GRC compared to the traditional approach which is commonly practiced in enterprises.

    Managing information security risk using integrated governance risk and compliance.

    This paper aims to demonstrate the building blocks of an IT Governance Risk and Compliance (IT GRC) model as well as the phased stages of the optimal integration of IT GRC frameworks, standards and model through a longitudinal study. A qualitative longitudinal single case study methodology through multiple open-ended interviews was conducted over a period of four years (July 2012 to November 2015) in a retail financial institution. Our empirical study contributes to both academic research and practice in IT GRC. First, we identified the various building blocks of IT GRC domain from vertical as well as horizontal perspectives. Second, we methodologically demonstrated the gradual metamorphosis of the evolution of an IT GRC from a single ITG framework to multiple IT GRC building blocks. The journey thus throws light on the gradual staged process of attaining maturity in IT GRC by an organization. The resultant IT GRC model thus guides managerial actions towards a better understanding of the positioning of IT GRC building blocks in an organization through the understanding of the interaction of vertical and horizontal domains. The results of the paper thus enable practitioners and academics to better understand and evaluate IT GRC implementation for effective governance, reduce risk and ensure compliance in organizations.

    A High-Level Scheme for an Ontology-Based Compliance Framework in Software Development

    The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. Software development market is currently witnessing an increasing demand for software applications conformance with the international regime of GRC for Governance, Risk and Compliance. In this paper, we propose a compliance requirement analysis method for early stages of software development based on a semantically-rich model, where a mapping can be established from legal and regulatory requirements relevant to system context to software system business goals and contexts. The proposed semantic model consists of a number of ontologies each corresponding to a knowledge component within the developed framework of our approach. Each ontology is a thesaurus of concepts in the compliance and risk assessment domain related to system development along with relationships and rules between concepts that compromise the domain knowledge. The main contribution of the work presented in this paper is a case study that demonstrates how description-logic reasoning techniques can be used to simulate legal reasoning requirements employed by legal professions against the description of each ontology.

    Understanding governance, risk and compliance information systems (GRC IS): the experts view

    Although Governance, Risk and Compliance (GRC) is an emerging field of study within the information systems (IS) academic community, the concept behind the acronym has to still be demystified and further investigated. The study investigates GRC systems in depth by (a) reviewing the literature on existing GRC studies, and (b) presenting a field study on views about GRC application by professional experts. The aim of this exploratory study is to understand the aspects and the nature of the GRC system following an enterprise systems approach. The result of this study is a framework of particular GRC characteristics that need to be taken into consideration when these systems are put in place. This framework includes specific areas such as: goals and objectives, purpose of the system, key stakeholders, methodology and requirements prior to implementation, critical success factors and problems/barriers. Further discussion about the issues, the concerns and the diverse views on GRC would assist in developing an agenda for the future research on the GRC field

    DO GOOD CORPORATE GOVERNANCE (GCG) AND INTEGRATED CORPORATE GOVERNANCE (ICG) IMPROVE PERFORMANCE AND REDUCE FRAUD IN INDONESIAN PUBLIC BANKING?

    The aim of this research is to test whether the application of GCG and ICG improves performance and reduces fraud in public banking in Indonesia, using Asset Quality as a moderating variable. This research is a causality study with a sample of 27 banks in the period 2015-2018. GCG and ICG are assessed using content analysis of the disclosures available in the banks' annual reports. Performance is measured from stock performance and financial performance. Fraud is measured based on the Beneish M. Score (2009) using 5 (five) indexes measuring DSRI, GMI, AQI, SGI, and TATA. The Partial-Least Square Structural Equation Model (PLS-SEM) is used in testing the research model. The results of this research show that GCG has a positive effect on Stock Performance and Financial Performance and a negative effect on Fraud. ICG, meanwhile, has a positive effect on Stock Performance and Financial Performance, but has no effect on Fraud. The control variable Leverage (Lev) has a negative effect on Stock Performance, the Capital Adequacy Ratio (CAR) has a positive effect on Financial Performance, and the Loan to Deposit Ratio (LDR) has a positive effect on Fraud. Asset Quality as a moderating variable can strengthen the effect of GCG on Financial Performance and Fraud. It can also strengthen the effect of ICG on Financial Performance. However, the moderating variable Asset Quality does not strengthen the effect of GCG on Stock Performance, nor does it strengthen the effect of ICG on Stock Performance and Fraud. In the F-Test, GCG and ICG simultaneously affect Stock Performance, Financial Performance, and Fraud.

    The purpose of this study is to examine whether the implementation of GCG and ICG increases performance and reduces fraud in public banking in Indonesia while using Asset Quality as a moderating variable. This study is a causality study with 27 banks as samples in the period of 2015-2018.
GCG and ICG are assessed using content analysis on disclosures that are available in the bank's annual report. Performance is measured from stock performance and financial performance. Fraud is measured based on Beneish M. Score (2009) using the 5 (five) indexes measuring DSRI, GMI, AQI, SGI, and TATA. Partial-Least Square Structural Equation Model (PLS-SEM) was used in testing the study model. The result of this study showed that GCG impacts positively on Stock Performance and Financial Performance and impacts negatively on Fraud. ICG, on the other hand, impacts positively on Stock Performance and Financial Performance; however, there is no influence against Fraud. The control variable Leverage (Lev) shows a negative influence on Stock Performance, the Capital Adequacy Ratio (CAR) shows a positive influence on Financial Performance, and the Loan to Deposit Ratio (LDR) shows a positive influence on Fraud. Asset Quality as a moderating variable can strengthen the influence of GCG on Financial Performance and Fraud. It can also strengthen the influence of ICG on Financial Performance. However, the moderating variable Asset Quality did not strengthen the influence of GCG on Stock Performance, nor did it strengthen the influence of ICG on Stock Performance and Fraud. In F-Test, GCG and ICG were simultaneously affecting the Stock Performance, Financial Performance, and Fraud.

    IT controls in the public cloud : success factors for allocation of roles and responsibilities

    The rapid adoption of cloud computing by organizations has resulted in the transformation of the roles and responsibilities of staff in managing the information technology (IT) resources (via IT governance controls) that have migrated to the cloud. Hence, the objective of this research is to provide a set of success factors that can assist IT managers to allocate the roles and responsibilities of IT controls appropriately to staff to manage the migrated IT resources. Accordingly, we generated a set of success factors from behavioral and information systems (IS) literature. These success factors were verified using in-depth interviews of executives from the United Arab Emirates (UAE). The empirical intervention suggests that the role allocation is driven predominantly by people’s skills, competencies, organizational strategy, structures, and policies. In addition, the research made clear that the most significant competency and skill for a person allocated to IT controls is to be able to evaluate and manage a cloud service provider, especially in terms of risks, compliance, and security issues related to public cloud technology. The findings of this study not only offer new insights for scholars and practitioners involved in assigning responsibilities but also provide extensions for IT governance framework authorities to align their guidelines to the emerging cloud technology

    THE EFFECT OF GOVERNANCE, RISK AND COMPLIANCE (GRC) AND COMPANY SIZE ON FINANCIAL PERFORMANCE

    This research aims to test the impact of Governance, Risk, and Compliance (GRC) and company size on financial performance in companies that won the Top GRC Awards and are listed on the Indonesia Stock Exchange (Bursa Efek Indonesia, BEI) in 2019-2021. The sample was determined using purposive sampling. A sample of 5 companies was obtained with an observation period of three years, giving 15 observations. The data analysis technique used is multiple linear regression analysis using IBM SPSS software. The results of this research show that GRC (Governance, Risk, and Compliance) and company size simultaneously have an impact on financial performance in the companies that won the Top GRC Awards in 2019-2021. Partially, GRC has a positive, non-significant impact on financial performance, while company size has a significant negative impact on financial performance in the companies that won the Top GRC Awards in 2019-2021.