1,064 research outputs found

    The Role of Boards in Reviewing Information Technology Governance (ITG) as Part of Organizational Control Environment Assessments

    IT Governance (ITG) is an important topic as US companies must now monitor ITG under the provisions of the Sarbanes-Oxley Act (2002) (Hoffmann, 2003). Trites (2003) indicates that directors are responsible for strategic planning, internal control structures and business risk. The control environment is defined in Australian Auditing Standard AUS 402 to mean "the overall attitude, awareness and actions of management regarding internal control and its importance to the entity". This paper contributes to the knowledge of ITG by forming an integrated ITG Literature (IIL) which links prior research to four key dimensions of ITG. The paper presents a review of literature on ITG performance measurement systems which assess the ability of organizations to achieve these four ITG dimensions. A revised ITG Dimensions Model is offered for consideration. The final contribution of the paper is to propose critical issues Boards should consider as part of their assessment of organizational control environments

    Using Control Frameworks to Map Risks in Web 2.0 Applications

    Web 2.0 applications are continuously moving into the corporate mainstream. Each new development brings its own threats or new ways to deliver old attacks. The objective of this study is to develop a framework to identify the security issues an organisation is exposed to through Web 2.0 applications, with specific focus on unauthorised access. An extensive literature review was performed to obtain an understanding of the technologies driving Web 2.0 applications. Thereafter, the technologies were mapped against Control Objectives for Information and related Technology and Trust Service Principles and Criteria and associated control objectives relating to security risks. These objectives were used to develop a framework which can be used to identify risks and formulate appropriate internal control measures in any organisation using Web 2.0 applications. Every organisation, technology and application is unique and the safeguards depend on the nature of the organisation, information at stake, degree of vulnerability and risks. A comprehensive security program should include a multi-layer approach comprising a control framework, combined with a control model considering the control processes in order to identify the appropriate control techniques.
    Keywords: Web 2.0, Security risks, Control framework, Control Objectives for Information and related Technology (CobiT), Trust Service Principles and Criteria

    Cloud computing governance reference model for cloud service consumers

    Cloud computing is changing the way organizations utilize IT resources with a corresponding impact on the role of IT governance. This paper describes a proposal for adapting the SOA Governance Framework and the COBIT 5 framework to govern cloud computing services from the cloud consumer perspective. The proposed Cloud computing governance reference model takes into account the structure of the SOA Governance Framework. The Cloud computing governance reference model serves as a basis for the definition and establishment of Cloud computing governance and defines a set of new or redefined guiding principles, governing processes and governed processes based on SOA Governance processes and COBIT 5 governance processes which are fully adapted to the cloud computing environment from a cloud service consumer perspective. The proposed Cloud computing governance reference model is an output of a research process according to the Design Science Research Methodology

    Transforming Organizations Through the Implementation of Processes, Structures and Relational Mechanisms for Governing IT: A Leadership Role for IS Departments in Institutions of Higher Education in Australia

    Over the past decade, IT governance has become a key issue of concern for senior IT decision makers around the world. This exploratory study examines how central IS departments in four institutions of higher education in Australia are transforming organizational attitudes and approaches to governing IT by implementing structural and process changes and establishing relational mechanisms. This paper will focus particularly on the implementation of IT governance processes in these institutions and examine how internationally recognized standards such as COBIT, ITIL and ISO17799 are being utilized. The study reveals a number of findings in the context of the implementation of IT governance in the higher education environment

    ERP implementation methodologies and frameworks: a literature review

    Enterprise Resource Planning (ERP) implementation is a complex and vibrant process, one that involves a combination of technological and organizational interactions. Often an ERP implementation project is the single largest IT project that an organization has ever launched and requires a mutual fit of system and organization. Also the concept of an ERP implementation supporting business processes across many different departments is not a generic, rigid and uniform concept and depends on a variety of factors. As a result, the issues addressing the ERP implementation process have been one of the major concerns in industry. Therefore ERP implementation receives attention from practitioners and scholars, and both business and academic literature is abundant and not always very conclusive or coherent. However, research on ERP systems so far has been mainly focused on diffusion, use and impact issues. Less attention has been given to the methods used during the configuration and the implementation of ERP systems; even though they are commonly used in practice, they still remain largely unexplored and undocumented in Information Systems research. So, the academic relevance of this research is the contribution to the existing body of scientific knowledge. An annotated brief literature review is done in order to evaluate the current state of the existing academic literature. The purpose is to present a systematic overview of relevant ERP implementation methodologies and frameworks as a desire for achieving a better taxonomy of ERP implementation methodologies. This paper is useful to researchers who are interested in ERP implementation methodologies and frameworks. Results will serve as an input for a classification of the existing ERP implementation methodologies and frameworks. This paper is also aimed at the professional ERP community involved in the process of ERP implementation by promoting a better understanding of ERP implementation methodologies and frameworks, their variety and history

    An Exploration of the Implementation and Effectiveness of IT Governance Processes in Institutions of Higher Education in Australia

    Over the past decade, IT governance has become a key issue of concern for senior IT decision makers around the world. This exploratory study examined how IT governance is being implemented through a number of processes, structures and relational mechanisms in four leading institutions of higher education in Australia. This paper will focus particularly on the implementation of IT governance processes in these institutions and examine how internationally recognized standards such as COBIT, ITIL and ISO17799 are being utilized in this implementation. The study reveals a number of findings in the context of the implementation of IT governance processes in the higher education environment

    IT governance in SMEs: trust or control?

    It is believed by many scholars that a small and medium-sized enterprise (SME) cannot be seen through the lens of a large firm. Theories which explain IT governance in large organizations and methodologies used by practitioners can therefore not be extrapolated to SMEs, which have a completely different economic, cultural and managerial environment. SMEs suffer from resource poverty, have less IS experience and need more external support. SMEs largely contribute to the failure of many IS projects. We define an out-sourced information system failure (OISF) as a failure of IT governance in an SME environment and propose a structure for stating propositions derived from both agency theory and theory of trust. The theoretical question addressed in this paper is: how and why do OISFs occur in SMEs? We have chosen a qualitative and positivistic IS case study research strategy based on multiple cases. Eight cases of IS projects were selected. We found that trust is more important than control issues like output-based contracts and structured controls for eliminating opportunistic behaviour in SMEs. We conclude that the world of SMEs is significantly different from that of large companies. This necessitates extra care to be taken on the part of researchers and practitioners when designing artefacts for SMEs

    IT Governance Frameworks and COBIT - A Literature Review
