
Requirements for software tooling for integrated IT GRC practices -- A study into the Dutch banking sector


Academic year: 2021



Requirements for software tooling for integrated IT GRC practices

-- A study into the Dutch banking sector

Author Hajo de Groot

Student no. S1369318

Date October 2008

Rijksuniversiteit Groningen
Faculty of Economics and Business (Faculteit economie en bedrijfskunde)
MSc Business Administration
Specialization Business & ICT
1st Supervisor C.M. Elsenga
2nd Supervisor E.J. Stokking

Atos Consulting
Line of business: Financial Service
Centre of excellence: IT leadership
1st Supervisor D. van Burk
2nd Supervisor F. Giesing


Preface

Before you lies the result of my graduation project for my Master in Business Administration with a specialization in Business & ICT at the University of Groningen in The Netherlands. Atos Consulting in Utrecht provided me with the opportunity and means to perform my graduation project, of which this thesis is the result.

A lot of effort has been spent by various people, to whom I would like to express my appreciation here. I would like to thank my supervisors at both the University of Groningen and Atos Consulting: Mrs. Elsenga of my University, who in particular provided me with insights into the process of writing a thesis, and Mr. Van Burk and Mr. Giesing from Atos Consulting, who in particular could place all my thoughts and ideas back in their rightful context.

Next to that, I would like to thank all interviewees who participated in my research as well as all respondents to my survey.

Finally, I would like to thank all other people that have contributed to this thesis in one way or another, including my family, friends and colleagues from Atos Consulting.


Management summary

This research aims to develop a scorecard for software tools that support integrated IT GRC processes. The scorecard is meant as a tool for management to scrutinize and distinguish between these software products, thereby creating an understanding of the market for these software tools.

Integrated governance, risk management and compliance management (GRC) is an emerging concept in the business environment. The approach is centred on the premise that similarities exist between the three separate fields and seeks to create synergies by approaching them via a single holistic approach. With the increasing complexity of today’s firms and business environment, such an approach may help to increase transparency, mitigate risks and improve efficiency and ultimately business performance by integrating or aligning these three disciplines. For the IT function there is a dual role to be fulfilled in this domain. Not only can it provide a consistent platform for enterprise GRC activities, it has to address its own GRC activities as well. The latter is also referred to as IT GRC. Software vendors have recognized this new concept and a first generation of software tools has been spawned for this purpose. What functionalities should be present in such a software tool remains ambiguous to this day. These facts combined have prompted the following research question:

What are the fundamental requirements for an integrated IT GRC software tool?

An exploratory research was conducted to answer the research question. A theoretical background was constructed to investigate the fundamentals of IT governance, IT risk management and IT compliance management. The ITGI IT governance framework, the COSO ERM framework and generic steps for IT compliance respectively were used for this purpose. These fundamentals were then used as input for field research conducted at four major banks in The Netherlands. Here, the current situation and future requirements with respect to IT GRC software tools were identified. Put together, these two sources were responsible for the scorecard with functionalities to be present in a (future) IT GRC software tool if it is to carry that label. With this scorecard, an answer to the main research question was provided. An attempt to provide an initial verification of this scorecard was also undertaken. This attempt yielded some promising results.

Overall, the research yielded mixed results. On a theoretical level, the three fields should fit together as risk management is part of governance and compliance


tool. A solid groundwork consists of documentation and mapping of the various policies, processes, risks and controls. With this, performance management is possible in the widest sense of the word: risk analyses, risk exposure, performance measurement, control testing and risk and compliance reporting. Disadvantages named for (a single) software tool included: hard to interpret results, scalability, inflexibility and current tooling maturity.

Based on the theoretical background and the field research the following scorecard with meta groups of functionality was constructed for IT GRC software tools, cf. table 1. The complete and detailed version of the scorecard can be found in the conclusions section on page 92.

IT GRC software tool scorecard (functionality meta groups):

- IT policy mapping
- IT risk identification and analysis
- IT process mapping
- IT control mapping
- IT control testing & self assessment
- IT control monitoring
- IT performance management
- Reporting capabilities
- Policy management
- Technical control solutions

Table 1: IT GRC software tool scorecard


Table of contents

PREFACE 1
MANAGEMENT SUMMARY 2
TABLE OF CONTENTS 4
H1 INTRODUCTION 6
H2 RESEARCH DESIGN 8
2.1 MOTIVATION AND RELEVANCE 8
2.2 PROBLEM DEFINITION 10
2.2.1 RESEARCH OBJECTIVE 10
2.2.2 MAIN RESEARCH QUESTION 11
2.2.3 CONCEPTUAL MODEL 11
2.2.4 RESEARCH SUB QUESTIONS 12
2.2.5 RESEARCH SCOPE AND CONSTRAINTS 13
2.2.6 RESEARCH METHOD 14
H3 IT GRC IN THEORY – THEORETICAL BACKGROUND 18
3.1 INTRODUCTION 18
3.1.1 IT FOR INTEGRATED GRC OR INTEGRATED IT GRC 18
3.1.2 SOFTWARE TOOLS FOR BUSINESS PROCESSES 19
3.2 IT GOVERNANCE 21
3.2.1 ENTERPRISE AND CORPORATE GOVERNANCE 21
3.2.2 THE ITGI IT GOVERNANCE FRAMEWORK 23
3.2.3 ADDITIONAL INSIGHTS 29
3.3 IT RISK MANAGEMENT 31
3.3.1 RISK, RISK TYPOLOGY AND RISK MANAGEMENT 31
3.3.2 THE COSO ERM FRAMEWORK 35
3.3.3 INTERNAL CONTROL AND IT 40
3.4 IT COMPLIANCE MANAGEMENT 42
3.4.1 COMPLIANCE AND COMPLIANCE MANAGEMENT 42
3.4.2 CONNECTING COMPLIANCE AND IT CONTROL 46
3.4.3 SOFTWARE TOOLS FOR IT GRC PROCESSES 51
H4 IT GRC IN PRACTICE – INTERVIEW RESULTS 53
4.1 IT GOVERNANCE RESULTS 53
4.1.1 INTEGRATION OF IT GOVERNANCE WITH ENTERPRISE GOVERNANCE 53
4.1.2 THE ITGI FRAMEWORK 54
4.1.3 ADDITIONAL RESULTS 56
4.2 IT GOVERNANCE CONCLUSIONS 59
4.2.1 WHAT DOES IT GOVERNANCE ENTAIL WITH RESPECT TO IT GRC? 59
4.3 IT RISK MANAGEMENT RESULTS 62
4.3.1 RISK MANAGEMENT: ENTERPRISE, OPERATIONAL AND INFORMATION 62
4.3.2 THE COSO ERM FRAMEWORK 63
4.3.3 CURRENT TOOLING 66
4.4 IT RISK MANAGEMENT CONCLUSIONS 68
4.4.1 WHAT DOES IT RISK MANAGEMENT ENTAIL WITH RESPECT TO IT GRC? 68
4.4.2 IT GRC SOFTWARE TOOL REQUIREMENTS 69
4.5 IT COMPLIANCE MANAGEMENT RESULTS 74
4.5.1 THE CONTEXT OF IT COMPLIANCE MANAGEMENT 74
4.5.2 ORGANIZATION AND PROCESSES OF IT COMPLIANCE MANAGEMENT 75
4.5.3 CURRENT TOOLING 78
4.6 IT COMPLIANCE MANAGEMENT CONCLUSIONS 80
4.6.1 WHAT DOES IT COMPLIANCE MANAGEMENT ENTAIL WITH RESPECT TO IT GRC? 80
4.6.2 IT GRC SOFTWARE TOOL REQUIREMENTS 81
4.7 INTEGRATED IT GRC RESULTS 83
4.7.1 ORGANIZATION AND PROCESSES 83
4.7.2 TOOLING 84
H5 FINAL CONCLUSIONS – AN IT GRC SCORECARD 86
5.1 SUMMARY OF CURRENT SITUATION 86
5.2 FINAL CONCLUSIONS FOR INTEGRATED IT GRC 88
5.2.1 ORGANIZATION AND PROCESSES 88
5.2.2 THE INTEGRATED IT GRC SOFTWARE TOOL SCORECARD 90
5.3 INITIAL VERIFICATION OF IT GRC SOFTWARE SCORECARD 93
5.4 LIMITATIONS AND RECOMMENDATIONS FOR FUTURE RESEARCH 96
REFERENCES 98


H1 Introduction

In January 2007, TJX Companies announced that credit card data of over 45.7 million of its customers had been compromised by hackers. The apparel and home fashions department store had at that point unwittingly been under attack from hackers for close to two years. According to the Wall Street Journal[i], investigators now believe that hackers pointed a telescope-shaped antenna toward a TJX store in St. Paul, US-MN, and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. This helped them hack into the central database of TJX. The TJX hackers also got personal information such as driver's license numbers, military identification and Social Security numbers of 451,000 customers, data that could be used for identity theft. During the investigation, it was concluded that the retailer's wireless network had less security than many people have on their home networks.

Estimates of what TJX’s security breach has cost in terms of consultants, security upgrades, attorney fees and added marketing to reassure customers surpass $1 billion. One set figure that is publicly known is the fine that was imposed on TJX by VISA for not complying with its detailed standard for dealing with credit cards and credit card data, PCI/DSS (payment card industry / data security standard), which amounted to $880,000. Could the security breach have been prevented if TJX had complied with the PCI/DSS standard? It would seem that an affirmative answer would have to be given in response to this question.

Many other stories of failure to comply with laws and regulations and breakdowns of internal controls have dominated the news over recent years. The likes of, for instance, Barings, WorldCom, Parmalat, Ahold and more recently Société Générale have all brought to light different examples of the increased struggle of firms to comply with rules and regulations, maintain integrity and pursue overall sound corporate governance[ii].

Many rules and regulations have been imposed on firms in the aftermath of some of these corporate scandals and the subsequent public outcry they sparked. TJX is an example of where internal control over IT is on the interface with these compliance issues. Although many rules and regulations do not hold explicit rules for IT and IT control, in practice their impact on IT is significant nonetheless[iii]. Some examples of these kinds of regulations include the Basel capital accord (Basel II), Dutch privacy laws and the Dutch regulation for organization and control (ROB).

It is here where the focus of this research lies. The combination of IT and compliance is a topic that has received growing attention in the business world. Yet current academic thought on this topic is less developed. From the TJX example, it has become clear that non-compliance with rules and regulations can have far-reaching consequences. IT compliance issues, and general compliance issues for that matter, should therefore not only be seen from a non-compliance risk perspective but also as input for a firm to get its internal control and governance practices in order. It is this broader interpretation that will be the main subject of discussion. In correspondence with the context in which this research was carried out, an MSc BA thesis in Business and ICT, another adjustment was made to its scope. With an increasingly complex business environment and the increasing myriad of rules and regulations, how can automated solutions be deployed to cope with these pressures? What characteristics should such an automated solution exhibit? The banking sector, as one of the most heavily regulated sectors of the economy, will be the sector in which this research will be performed.

[i] Wall Street Journal article accessed on 26-07-2008 and available via http://online.wsj.com/article_email/article_print/SB117824446226991797.html

[ii] The latter is usually just referred to as corporate governance.

[iii]

The structure of this thesis is as follows. The next chapter will set out the lines for this thesis by explaining the research design. The motivation and relevance of this research will be elucidated before the full problem definition will be explained by providing the research objective, the main research question, the conceptual model, research sub questions, the research scope and constraints and the research methods. Chapter 3 will then continue to set out the theoretical background. Results of


H2 Research design

2.1 Motivation and relevance

The world of business is evolving at an ever more rapid pace. As more and more information becomes available to senior management, so do the opportunities for these same managers and other employees to use this information in illegal ways. Striking examples of this kind of possible misconduct over recent years can be found in companies such as Enron and WorldCom. These scandals have caused a growing stream of rules and regulations that companies must comply with. It is to be expected that for the near future this trend will only gain further momentum. Companies across the board have to deal with increasing pressure to be compliant and are looking for efficient ways to do so.

Current observations show us that firms thus far are responding to new regulations in an ad hoc manner (Forrester 2004b and 2007b and Aberdeen Group 2008).

Companies have become more aware of this issue and have started to address it by looking at compliance issues from a different, broader context. Moreover, a new trend can be discerned (OCEG 2007 and Aberdeen Group 2008) where compliance issues can be linked on a corporate level to risk management and corporate governance. The general reasoning follows a pattern along these lines: compliance brought back to its essence can be seen as just another risk, i.e. the risk of non-compliance. This raises the question whether, if compliance can be seen as a type of risk, it can be treated in the same way. Does this type of risk exhibit some of the characteristics that can be discerned for traditional types of risks? The reasoning continues by stating that this entirety of risk and compliance management then also needs to be directed from a corporate governance level to ensure that all efforts made are in line with each other. Corporate governance in its own right may also exhibit activities similar to those performed for risk and compliance management, in particular in the field of internal control.

In their article, Rikhardsson et al. (2006) find that few academics have focused explicitly on the integration of risk management, compliance and internal control. However, Rikhardsson et al. also find that practitioners’ journals have been reporting on these issues for some time now (e.g. Accountancy, Internal Auditor and The Information System and Control Journal). At this stage at least one conclusion can already be drawn: these fields share the characteristic of having been a top priority on board members’ minds for some years now. A survey held by PwC (2004) reveals that the top four issues in the field of corporate governance in the Financial Service area comprise ensuring adequacy of internal control, defining the risk appetite of the company, ensuring compliance with regulations and identifying emerging areas of risk.


processes strongly dependent on IT and more than a quarter of all companies considers these processes to be completely reliant on IT, cf. chart 1.

[Chart 1: bar chart titled "To what extent are your business processes dependent on IT?" Response options and shares: Our business processes are IT (8%); Our business processes come to a complete standstill without IT (19%); Our critical business processes are largely dependent on IT (51%); Our critical business processes are to some degree dependent on IT (15%); Our critical business processes are not dependent on IT (8%).]

Chart 1: Business process dependence on IT (Source: Ernst & Young 2006)

Software vendors are responding to the aforementioned and a market for first generation Governance, Risk and Compliance (GRC) tools has become viable in 2007 (Gartner 2008c). Again, this raises some interesting questions. How do software vendors define the market for GRC? Is it possible to cover a domain with such a broad scope in one technological solution? What are the underpinning variables in such a product that make an integrated approach work? Or, in other words, what characteristics of the separate domains are equivalent to each other to an extent that synergies can be created by using an integrated approach?

Three distinct trends have thus far been described in this paragraph: the claim that governance, risk and compliance issues can be addressed in an integrated fashion, the increase in the importance of technology to business processes, and the fact that software vendors are now claiming that they have the technical solution for this integrated approach. These trends combined rationalize an in-depth investigation into the subject of the integrated approach to GRC and its supportive tooling. At present, there is no structured way to assess these tools and to form a judgement of their capabilities. There is a clear gap in the current academic literature in the field regarding the supply of GRC tools, their characteristics, the demand for these tools and the demand for certain characteristics in these tools. What are the underlying variables that contribute to these needs? This has led to the following management question[iv]:

What are the characteristics of GRC tools and the GRC market and how can Atos Consulting seize upon the possibilities of the GRC market?

[iv] The management question was devised by Atos Consulting and can as such be seen as a research constraint. Research constraints are the topic of paragraph 2.2.5.


From the context in which this research was conducted, an MSc BA thesis in Business & ICT, a final demarcation was observed for the scope of this research. Within the field of GRC tooling, some sub-domains have already been recognized (Forrester 2007d and Gartner 2007a). GRC for IT functions is one of these sub-domains. IT GRC tooling will be the specific subject of this research. A further motivation and explanation for this choice will be given in paragraph 2.2.5: Research scope and constraints and paragraph 3.1: IT for integrated GRC or integrated IT GRC.

2.2 Problem definition

According to De Leeuw (1996, p85) the problem definition is considered to be the central element of a research design. The problem definition is used to come to an agreement with the clients who commissioned the research and for the internal guidance of the research. An accurate problem definition should at least consist of three parts. First, a clear research objective should be set. This determines for whom the research is conducted, what the final knowledge product should be and why this product is of importance to them. The second part consists of the main research question accompanied by a conceptual model. Here, a main research question is formulated for the research that is in accordance with the research objective. It should be framed in such a way that it is suitable for research. The conceptual model is used to illustrate the main research question but mainly it is used to derive sub research questions from. Next, the research scope and constraints portray to what constraints the research is liable. The research design has then implicitly already narrowed down the number of ways suitable to pursue this research and the final choices with regard to the research methods used are explained here, thereby concluding the problem definition and the research design.

2.2.1 Research objective

From chapter one and chapter 2.1 the initial motives for this research have become clear. A new market has become viable where software tooling is offered to support processes for IT GRC. However, at this point in time it is not clear whether an integrated IT GRC approach holds any benefits over approaches currently in place for these processes. The same is true for software tooling that can support these processes. From a practical point of view (i.e. for Atos Consulting), the objective of this research is to generate a knowledge product that can be deployed to hold IT GRC tools against the light. This knowledge product will then also contribute to academic literature on this subject and will provide ample room for future research. The research objective therefore becomes the following:

The objective of this research is to develop a tool that can be deployed to scrutinize IT GRC software tools in the marketplace. This tool is set to enrich academic literature


2.2.2 Main research question

Verschuren and Doorewaard (1995, p61) argue that the main research question should fulfil two requirements. The question should be framed in such a way that it is efficient and directing. Efficient, in the way that the answer to the question should also contribute to fulfilling the research objective, and directing, in the way that the question indicates what kind of knowledge is needed and what kind of material needs to be collected. The kind of knowledge refers to, for instance, descriptive, explanatory or evaluative knowledge. The description of the kind of material provides a strong indication for the research methodology to be used. This will be elaborated upon in sections 2.2.4 Research sub questions and 2.2.6 Research method.

With this in mind, it is now possible to construct the main research question for this research based on the research objective. The main research question for this research is as follows:

What are the fundamental requirements for an integrated IT GRC software tool?

2.2.3 Conceptual model

In the vision of De Leeuw (1996, p140) a conceptual model should help clarify the main research question and make it operational. It is a pragmatic instrument used to view and order reality and achieves the aforementioned goal by providing the operational definition of the main research question. The conceptual framework is in this context also sometimes referred to as the conceptual definition.

In accordance with this, the main research question has been made operational and a conceptual model has been compiled, cf. figure 1. The integrated IT GRC software tool scorecard is the focal point in this model (and research). The model then serves as a basis for this research, in particular for the research sub questions, which will be formulated next.

[Figure 1: Conceptual model for integrated IT GRC. Elements shown: IT governance, IT risk management, IT compliance management and Automation; Integrated IT GRC in theory; Integrated IT GRC demand in practice; Integrated IT GRC tool supply; and, as the focal point, the Integrated IT GRC tool scorecard.]


2.2.4 Research sub questions

The first step in answering the main research question involves closely scrutinizing the domain of integrated IT GRC. As this domain is relatively new, no uniform definition of this domain has been composed up to this day. Establishing a clear view of the research subject at hand is a goal in itself but is also essential for the remainder of this research. It will help in relieving any ambiguity with respect to the domain of IT GRC as well as provide input used to answer the main research question. For this purpose, the first research sub question has been subdivided into four investigative questions. Investigative questions take research sub questions and break them down into questions that are more specific. These reveal the specific pieces of information needed to answer the research question (Cooper and Schindler 2003, p75). In this way, they serve as guidance for the data collection process. The first investigative question is meant to shed some light on the added value of using software tooling to support business processes in general and IT GRC processes in particular. The final three investigative questions divide the domain of integrated IT GRC back into its separate fields. This helps identify their specific characteristics that may also influence an integrated approach. The first research sub questions will be addressed in chapter three and can be formulated as follows:

1 What are the theoretical fundamentals of integrated IT GRC?

1a What does software tooling entail with respect to IT GRC?

1b What does IT governance entail with respect to IT GRC?

1c What does IT risk management entail with respect to IT GRC?

1d What does IT compliance management entail with respect to IT GRC?

With the theoretical fundamentals of an integrated approach to IT GRC defined and explained, it becomes possible to investigate to what extent this approach is practiced in today’s business environment, in this research confined to the Dutch banking sector[v].

The second step in identifying fundamental requirements for an integrated IT GRC software tool can now be made. This concerns weighing the theoretical fundament against current GRC practices and against requirements expressed by practitioners for (future) integrated IT GRC software tools. By comparing these answers, parameters from the theoretical background can either be confirmed, rejected or enriched (chapter four).

2 What are requirements the Dutch banking sector has with respect to integrated IT GRC software tools?

2a How are current IT GRC practices being supported by software tools?

2b What are the key characteristics customers are looking for in an integrated IT GRC software tool?

2c How do the theoretical fundamentals and requirements expressed in the Dutch banking sector compare?

[v]


The final step in coming to an answer to the main research question is drawing conclusions from the first two research sub questions. To accomplish this goal, a scorecard is constructed containing all fundamental requirements for an integrated IT GRC software tool (chapter five). To provide some initial insight into the validity of this scorecard a survey was held under IT GRC software tool providers. These providers were asked to what extent the functionalities on the scorecard are indeed supported and which functionalities are lacking. Conclusions from this survey are also portrayed in chapter five.

3 What fundamental requirements can be incorporated on a scorecard for integrated IT GRC software tools?

3a What fundamental requirements can be identified based on a consolidation of customer demands and the theoretical fundamentals of integrated IT GRC?

3b What are the results of an initial validation test of the integrated IT GRC software tool requirements scorecard?

2.2.5 Research scope and constraints

The scope of the research is something that is largely at the discretion of the researcher. Clearly defining the research scope is beneficial to the research because it limits as well as circumscribes the research project. This increases research efficiency and effectiveness respectively. This is all the more important if the field of research is ambiguous, something which is undeniably the case for the field of integrated IT GRC. Scope is therefore something that will remain an issue throughout the remainder of the research.

Some clear demarcations have already been mentioned in chapters one and two up to this point. The focus lies on software tooling for integrated GRC practices. Within this realm, GRC for IT practices has been chosen as a first demarcation. This choice has been made to narrow the scope and to increase its relevance to another constraint, the MSc BA specialization this research was carried out for, Business & ICT. From this same perspective, it would make sense to scrutinize only the tooling that supports IT GRC processes. However, tooling in itself serves no purpose. It is the organizational and process side of integrated IT GRC that can benefit from tooling[vi]. Therefore, these sides of the IT GRC domain will be involved as well. The scope is narrowed down again by choosing the banking sector in The Netherlands for the practical part of this research. This choice was also prompted by a research constraint discussed shortly, the Atos Consulting line of business this research was conducted for: Financial Service. A final choice was made to include both the supply and demand side for integrated IT GRC software tools in this research. This was done to provide a complete overview of this market and to test the developed tool.

Research constraints, on the other hand, are much less at the discretion of the researcher. They consist of specific limitations and restrictions. Again, some constraints have already been brought up in one way or another, but two major constraints are explained in more detail below:

[vi]


University of Groningen: This thesis is the final product of a Master of Science programme in Business Administration, with a specialization in Business & ICT. The master thesis is subject to a number of parameters set by the programme board. Evidently, the research has to have academic relevance. Another constraint is that twenty study credits (ECTS) have been allocated to the master thesis, which is the equivalent of 560 hours of work or roughly three months. In practice, this amount of time usually proves to be too short. Furthermore, a supervisor is appointed to guide the process but also to provide input concerning the content of the thesis.

Atos Consulting: Atos Consulting is a part of Atos Origin, one of the leading companies in the field of IT service providers in the world. Next to Managed Operations and System Integration it offers Consulting services for numerous management areas, including IT. One of their lines of business serves the Financial Services market. This line of business connects with a number of fields of expertise in an organizational matrix structure, with IT Leadership being one of the fields of expertise. It is in this unit where the original management question originated and where an internship was offered.

The management question formulated in chapter 2.1 led Atos Consulting to define a fairly definite research question. Their original research question was centred on IT compliance tools, but with the advent of the new acronym GRC the focus was shifted to this subject. An internship was provided for a period of six months but in the end was prolonged to a period of eight months. This time constraint has been leading for this research, not the three-month period set by the University of Groningen. With Financial Services as the relevant line of business, it only seemed to make sense to take this sector as the field to conduct this research in. This was in the end narrowed down to the banking industry in The Netherlands. Atos Consulting also provided their expertise with regard to the content of this research, but this point will be elaborated upon in the next paragraph concerning the research methods.

2.2.6 Research method

With the research questions, conceptual model and the research scope and constraints crystallized, one final issue needs to be addressed. The research method is concerned with how answers to the main research question should be generated. The research method section will be divided into general methodology choices and specific data collection choices. This section will conclude the problem definition and with that the research design.

Methodology

From the preceding, it is possible to coin the type of research conducted here. The type of research opens up a range of possible research methodologies, as well as excludes others. The final choices in this are based on the research and investigative questions, which serve, as explained earlier, as guiding elements for research methodology and data collection.


crafted that can be used in practice. The final goal of the research residing on the practical side instead of the theoretical side is an important trait of practical research. Second, this research can be defined as exploratory. This is true because this research seeks to find the answer to a (for a large part) open question (De Leeuw 1996, p93). This is also referred to as research that is focused on the development of theory or defined hypotheses. In this case, IT GRC tool requirements can be seen as the defined hypotheses. The novelty of the research topic also implies that the research is qualitative by nature. After all, no empirical research can be conducted in a field that previously did not exist. Descriptive elements are present as well and can be traced back to the investigative questions. They serve a role in answering the more complex, exploratory questions (Verschuren and Doorewaard 1995, p66). Exploratory research is a form of research that is commonly used when new knowledge is sought. The integrated IT GRC approach and supportive software tools indubitably fall in this category.

The abovementioned yields various possibilities with respect to the research methodvii. The following elements were chosen for this research: a desk research, a literature review and field research, including case studiesviii via interviews and a survey. The reason for choosing to conduct a desk research and a literature review is twofold: First, it serves as input for the theoretical background and second, equally important, it serves as a tool to deepen the researcher’s understanding of the problem at hand. Field research was chosen because software tools cannot be seen in isolation from the context in which they function (e.g. Orlikowski 1992)ix. Interviews were selected for the demand side (i.e. users) of IT GRC tools because this is a complicated matter and therefore needs to be explained to the participants from the banks, preferably face to face. Another reason is the fact that the Dutch banking sector does not consist of many players, so the number of interviews to be conducted is relatively low. For the supply side (i.e. software providers) of IT GRC tools, more standardized, unambiguous questions could be used. The number of potential participants was also larger. Both facts favour a survey for this purpose.

Data Collection

Reflecting on possible data sources can be beneficial in two ways. It helps to be goal oriented and it helps to identify the right data sources and research methods (De Leeuw 1996, p99). De Leeuw identifies six possible sources for data collection: documents, media, researchers’ expertise, reality (i.e. the field), simulated reality and databases. For this research, the first four sources were used. A short description of the data collection based on these sources concludes this paragraph and chapter.

Initial desk research Some preliminary research was done to refine the research question formulated by Atos Consulting. Internal documentation was browsed, internet sites, newspapers and some specialist journals were scanned (i.e. media) and some discussions were held with Atos Consulting supervisors and employees and University of Groningen supervisors (i.e. researchers’ expertise).

vii For an exhaustive list see De Leeuw (1996) p.94

viii A case study implies a full-blown investigation into the participating banks with respect to the research objective. This is however not the case, cf. paragraph 2.2.5: research scope and constraints

ix

Literature research Due to the novelty of the topic, not much academic literature could be found. This problem was solved by looking at fundamental models that underlie the three separate areas of IT GRC. These models include the IT Governance Institute (ITGI) framework for IT governance (ITGI 2003), the COSO enterprise risk management framework (COSO 2004) and an overview of generic steps identified for IT compliance management. Another method was deployed to deepen the researcher’s knowledge of the research topic and involved investigating academic literature on how major compliance issues have been dealt with in the recent past (e.g. the Sarbanes-Oxley Act of 2002). The more technical issues of this research are solely based on the fieldwork, discussed next.

The fieldwork consisted of two distinct ways of data collection: interviews and a survey.

Interviews To investigate the demand side for integrated IT GRC software tools and to test and complete the list of integrated IT GRC software tool requirements based on the theoretical background, nine interviews have been conducted at three major and one smaller bank in The Netherlands. Together these banks cover roughly 80 percent of the banking market in The Netherlands (NMa 2004) and can as such be seen as representativex for the entire banking sector in The Netherlands. A tenth interview was held with a field expert from Atos Consulting Managed Operations. To ensure all areas of IT GRC were covered during the interviews, participants with different responsibilities were interviewed. Relevant characteristics of the banks and the interviewees have been stylized below in table 2. Worldwide presence has been added as it is an indication of the amount of regulatory pressure the particular bank is under. Ten interviews are believed to provide a complete overview of the matter, alleviate concerns with respect to biases and provide insights from different angles.

It was also mentioned that no single person, not even at smaller banks, is solely responsible for all GRC domains. Consequently, not all interviewees could answer all questions. The results, portrayed in chapter four, do not always reflect the answers of all ten respondents due to this fact. An n/a answer option was added for this purpose. The input of the field expert has helped to sharpen the image of the matter at hand in many areas. However, in this capacity not all interview questions were relevant for this research. This is reflected in the results section where some questions only have nine responses instead of ten.

The interviews were semi-structured. This means interviewees were allowed to answer freely to general questions but were also asked to consider specific suggestions. This approach was chosen to make sure all relevant subjects were covered but also a certain form of consistency in the interviews was obtained. A PowerPoint presentation was used as a catalyst for the interviews. This presentation is included in appendix A.

x

In processing the interview data a few steps were taken. First, answers were aggregated for the ITGI and COSO frameworks as well as for the generic compliance management steps. Second, all data was aggregated for software tools currently in use. This has resulted in overviews of the tooling landscape for the three separate domains. Then, as a final step, remaining noteworthy results were identified and structured via categorical aggregation (Stake 1995). In this way answers reflect interviewee opinions with respect to the developed theoretical background without missing any other noteworthy results.

Various technical control solutions could not be traced back to the theoretical background as its level of aggregation is too high. Requirements for IT GRC software tools with respect to technical control solutions are therefore solely based on the data gathered from the interviews.

Characteristic | Bank 1 | Bank 2 | Bank 3 | Bank 4
Market share* (%) | 22 | 25 | 25 | 5
Number of interviews | 2 | 2 | 3 | 2
Interviewee department** | IT compliance; Risk management | IT direction; IT compliance | Operational risk management | Information security; Corporate development
Worldwide presence | Y | Y | Y | N

Table 2: Bank and interviewee characteristics
*) Approximation for The Netherlands. Based on NMa (2004)
**) Some of the department names have been renamed slightly to reflect responsibilities relevant to this research


H3 IT GRC in theory – Theoretical background

The theoretical background will be divided in four sections. First, an introduction to the field of IT GRC is provided. This introduction consists of a concise discussion on the dual role IT plays in the domain of integrated GRC as well as a discussion on the use of software tools to support business processes in general and IT GRC in particular. This second part sheds more light on the relevance of the main body of this theoretical background, i.e. the remaining three sections. These sections will treat the separate domains of IT governance, IT risk management and IT compliance respectively. With this, research sub question 1 will be answered:

1 What are the theoretical fundamentals of integrated IT GRC?

1a What does software tooling entail with respect to IT GRC?

1b What does IT governance entail with respect to IT GRC?

1c What does IT risk management entail with respect to IT GRC?

1d What does IT compliance management entail with respect to IT GRC?

3.1 Introduction

3.1.1 IT for integrated GRC or integrated IT GRC

With the introduction of new concepts, ideas or acronyms usually a period of ambiguity has to be overcome before clear and exact definitions can be framed. This is no different for the body of thought on governance, risk and compliance issues. Establishing a definition for GRC does not make a lot of sense at this point in time because, simply put, there is none. This problem is partly overcome by providing definitions of the three separate areas discussed below. When the term GRC is used, usually what is meant are enterprise GRC activities. GRC aims to implement holistic processes that span across all three separate areas and in theory across all functional areas of a firm. However, this final claim is one such area of ambiguity. This is where a distinction can be made for instance between IT having to fulfil its own GRC activities, or integrated IT GRC, and IT supporting other business functions in fulfilling their GRC activities, or IT for integrated GRC. Even though integrated GRC advocates the breakdown of functional silos by using an integrated approach, this does not mean different functional areas should not exist on an organizational level. This explains why, even though holistic processes are sought after, it is still possible to home in on a specific functional area, in this case the IT function. This point will re-emerge throughout this research.

The dual role of IT in GRC then consists of the following. As stated, the first issue is the fact that IT serves two purposes in the GRC domain (Forrester 2007d). First, IT provides a consistent platform for enterprise GRC. It provides the fundamental architecture to collaborate and communicate across business areas external to IT. Increasingly, technology is used to gather information from people, business


The second issue relates to IT and the distinction between infrastructure and applications. This distinction is also depicted in figure 2. Technology infrastructure encompasses all technology that cannot be ascribed to a specific business function. This also explains why the final responsibility for this domain resides with the IT department. For applications, this is a somewhat more complicated matter. The technical functioning and maintenance is provided by IT but the functionality of applications is the responsibility of the business. This is because applications reflect and implement business decisions and not so much technical decisions. It follows that IT GRC covers the infrastructure but only part of the applications.

Figure 2: IT GRC versus Enterprise GRC (Source: Forrester 2007d)

3.1.2 Software tools for business processes

With the focus of this research on software tools to be used for integrated IT GRC, one may wonder why so much attention should be devoted to explaining the organizational and process sides of the phenomenon. Why not stick to software tools and automation issues in general? Some background knowledge about information technology in general is necessary to answer this question.

IT has gone through several stages before reaching its current state. Early versions of tools to help in decision-making can be characterized as number crunchers such as calculators or statistical programs. Then functionality was added that could find, organize and display decision-relevant data. These are early forms of database


Figure 3 shows the development of organizational applications (Daft 2004, p287). Two trends can be discerned when putting this evolution in perspective. The applications have become ever more complex and the focus of the tools has shifted to a higher organizational level. Tools are now available to support processes on an operational (i.e. first line; operations), tactical (i.e. decision-making and control) and strategic level (i.e. strategic weapon). Brouwers et al. (2006) come to the same conclusion for specific monitoring and auditing tools.

Figure 3: Evolution of organizational applications (Source: Daft 2004, p.287)

Ultimately, an integrated GRC software tool seeks to incorporate all other software tools on operational and tactical levels to create sustainable advantages on a strategic level. But this daunting task can never be completed if processes are not in place to support this approach. It is here where the answer to the earlier question lies. Software tooling is, as the word suggests, a way to support other functions: it is a tool to help other functions reach their targets, i.e. it does not serve a purpose of its own. This also implies that no research into software tooling is possible if the processes it supports are not known.


tooling over a manual approach. Other (dis)advantages are to be identified in the remainder of this research.

This research will now continue by scrutinizing the organizational and process perspectives of the separate fields of IT governance, IT risk management and IT compliance management before attempting to analyze the added value of software tools to support this approach. Fieldwork will be the main source for the latter but the discussion provided above on software tools for general business processes will also be revisited at the end of the theoretical background for specific IT GRC processes. The distinction between organization, process and technology will be adhered to as much as possible.

3.2 IT Governance

The first cornerstone of a GRC tool under discussion is IT governance. The field of IT governance has been under academic discussion since the mid-nineties. It has evolved from being a smaller part under the umbrella of enterprise and corporate governance into a discipline of its own showing few similarities with its overarching counterpart (Hamaker 2003b). The domain is of growing importance to enterprises because IT is becoming critical in supporting and enabling enterprise goals, is growing in strategic importance to the business and because of the increasingly required due diligence relative to the IT implications of mergers and acquisitions (ITGI 2003). In the current day, there is no consensus on what a mature IT governance framework should entail (Simonsson and Johnson 2005) or what the definition of IT governance should be. This chapter will first give a brief overview of relevant developments in the field of enterprise and corporate governance to provide the context in which IT governance is situated. After that, the focus will shift to IT governance to assess what this field entails with respect to IT GRC practices. Research results on IT governance with respect to IT GRC are portrayed in section 4.1: IT governance results, page 53, and section 4.2: IT governance conclusions, page 59.

3.2.1 Enterprise and corporate governance

Hamaker (2003a) discerns a contrast between enterprise governance and corporate governance. In her view, corporate governance is a part of enterprise governance, where enterprise governance stands for ‘the accountability framework for all management activities with respect to all stakeholders’. An umbrella analogy illustrates her views, cf. figure 4.


Furthermore, she divides the field of enterprise governance into four areas. To provide a holistic overview of what enterprise governance consists of, Hamaker’s main elements are presented below in table 3.

Strategic Planning and Alignment | Operations | Financials | Internal Controls
Integrated Strategic Planning | Business Operations | Financial Reporting | Corporate Governance
Performance Tracking | Facilities | Debt and Cash Flow Management | Risk Management
Value Alignment | Human Resources | Asset Management | Audit
Market Analysis | IT Systems and Processes | Budget | Quality Control
Enterprise Initiatives | Data, Records and Knowledge Management | | Security
Stakeholder Relations | Communication and Documentation | | Legal Affairs

Table 3: Main areas of enterprise governance (Source: Hamaker 2003b)

Internal controls are listed as a separate component of governance. When looking at this table one can conclude that the problem domain for this thesis mainly resides within the field of internal controls, as it contains (corporate) governance and risk management. This is then also an initial hint that a linkage between governance and risk management exists. This theory will be elaborated upon in the next chapters. Within enterprise governance, the second discipline that relates to IT governance is corporate governance. Corporate governance has moved in and out of fashion just as often as new scandals or crises have hit the markets. After the Wall Street crash of 1929, Berle and Means (1932) wrote their monograph ‘The modern corporation and private property’ that continues to have a profound influence on the conception of corporate governance in scholarly debates today. The notion of transaction costs was introduced a few years later by Coase (1937). Fifty years later Fama (1980) and Fama and Jensen (1983) were among the first scholars to establish the agency theory as a way of understanding corporate governance: the firm seen as a series of contracts. Major scandals in the first decade of the 21st century, which saw firms such as WorldCom and Enron filing for bankruptcy, sparked governmental interest in corporate governance as well. These scandals led to one of the quickest approvals and passages of new legislation affecting corporate and enterprise governance in the US: the Sarbanes-Oxley Act of 2002.


on ethics and morality and cite that “the directors of an organization are morally and ethically responsible to lead the organization effectively and efficiently within the boundaries of rules and regulations”. This definition is interesting as it immediately links the field of governance to compliance issues by mentioning the boundaries of rules and regulations. Other scholars base their approach on the various stakeholders involved. De Bos (2003) states that “The most subjects (…) are within this triangle: boards of directors, shareholders and supervisors”. This definition appears to be too narrow with respect to the stakeholders. In a world of globalization and increasing cooperation between firms, a whole range of different stakeholders exists. This seems to be an important shortcoming. One of the most widely recognized international proponents of corporate governance, the Organization for Economic Co-operation and Development (OECD), does include stakeholders in general (i.e. economic agents) in its definition. Their definition seems to be accurate and complete and will therefore be used in this paper to define the term corporate governance. According to the OECD (2006) corporate governance can be described as

“the system by which companies are directed and controlled, and whose structure specifies the distribution of rights and responsibilities between the different participants of the company, such as the board of directors, shareholders and other economic agents, who maintain some interest in the company. Corporate governance also provides the structure through which the objectives of the company are established, the means to reach these objectives, as well as the way of doing a follow-up of the company’s performance”

Coming back to enterprise governance, it can be concluded that in figure 4 Hamaker uses the triangle mentioned by De Bos as well as the stakeholders (economic agents) added by the OECD. This adds to the validity of both definitions in this research context.

With the context of enterprise and corporate governance explained, the focus of this paper will now turn to the control and direction of IT: IT governance. Hamaker’s classification of enterprise governance (table 3) will be utilized to relate the field of IT governance to enterprise governance. This will increase the understanding of IT governance in relation to enterprise (and therefore corporate) governance. Research results on the interrelatedness between these fields are portrayed in section 4.1.1: Integration of IT governance with enterprise governance, page 53.

3.2.2 The ITGI IT governance framework

To make the link with IT governance this research will take the perspective on enterprise governance provided by the Information Technology Governance Institute (ITGI). The ITGI was founded in 1998 in recognition of the increasing criticality of information technology to enterprise success. Their mission is “to advance international thinking and standards in directing and controlling an enterprise’s information technology” (ITGI 2003, p1). In their board briefing on IT governance, 2nd edition (2003), their main goal is to explain their IT governance framework, which will be addressed shortly, but they also recognize that this framework should match with the overall enterprise governance framework. They conclude that “the need to


integral part of the enterprise rather than something practiced in remote corners or ivory towers” (ITGI 2003, p14). ITGI also endorses the viewpoint of the OECD that more educated and assertive stakeholders are concerned with the management of their interests in the current day. For instance, investors have recognized the value of sound governance and are willing to pay a premium of up to 20% on shares of enterprises that have shown sound governance (McKinsey 2000). This study will now elaborate on the ITGI framework by addressing its subsequent areas shown in figure 5. After that, it will summarize some of the additional recommendations made by ITGI. For this purpose, the remainder of this chapter is mainly based on the work by ITGI (2003). Together, the framework and the additional recommendations will yield initial parameters on which this research can base the analysis of GRC tools.

Figure 5: ITGI IT governance framework (Source: ITGI 2003, p8)

IT governance is described by ITGI (2003, p18) as “the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives”

As can be seen in figure 5, ITGI distinguishes five areas that together capture IT governance. These areas are:

Strategic alignment
Value delivery
Risk management
Resource management
Performance measurement


Strategic Alignment (page 54)

Strategic alignment focuses on the question whether an enterprise’s investments in IT are in harmony with its strategic objectives and thus build the capabilities necessary to deliver business value. When placed in Hamaker’s realm of enterprise governance it can be linked with the category of strategic planning and alignment. Alignment is a difficult and ongoing process with rapidly and continuously shifting goals but can ultimately be a source of competitive advantage. When IT alignment is mentioned, it commonly refers to the alignment between IT strategy and business strategy. However, there is a second dimension to IT alignment that is equally important. Next to the strategy, operations have to be aligned as well. In other words, IT operations have to be aligned with current enterprise operations. Thus, IT alignment becomes even more difficult when the various enterprise units are misaligned. Henderson and Venkatraman (1993) and Luftman et al. (1993) have explored this subject in depth and have developed various strategies on how to achieve alignment, cf. figure 6. Broadbent and Weill (1993) have done the same for the banking industry. All of these studies have centred their research on the premise that there has to be alignment between IT and enterprise strategy as well as between IT and enterprise operations.

Figure 6: Strategic Alignment Framework (Source: Luftman et al. 1993)

Value Delivery (p55)


alignment within enterprise governance, but more specifically with the sub-category of value alignment. For firms, this usually boils down to factors such as competitive advantage, elapsed time for order/service fulfilment, customer satisfaction, customer wait time, employee productivity and profitability. Even though some of the outcomes might be intangible or at least hard to measure, they have to be managed from both an actual cost- and return on investment perspective. Another important aspect to value delivery is expectations. A common language should be developed between the business and the IT function to manage expectations (also a COSO goal: page 36). A final point that should be stressed is that different strategic contexts need to be addressed with different IT value indicators. This is another reason why indicators have to be developed through business and IT coordination.

Risk management (page 62; as part of COSO ERM approach)

Risk management in the realm of IT governance indicates a focus on IT risks, a concept under the umbrella of enterprise risk. It is derived directly from Hamaker’s sub-category risk management under the header of internal controls. A further insight into risk will be provided in the next section (3.3: IT risk management), but the interrelatedness of the subjects of governance and risk is again demonstrated here by the fact that (IT) risk management is seen as one of the drivers of IT governance. ITGI also explicitly endorses this point of view as they find that in the current day not only financial risk but operational and systemic risks as well are under much greater attention from firms and regulators alike. Within systemic risk, there is a prominent place for technology risks and information security issues. As an example, ITGI cites research by the Bank for International Settlements (BIS) in which BIS (1999) finds that “all major past risk issues studied in the financial industry were caused by breakdowns in the internal control, oversight and IT”. Within the context of IT, risk management (i.e. IT risk) has an impact on future IT investments in technology, the extent to which IT assets are protected and the level of assurance required.

As IT becomes an increasingly crucial factor in enterprises today, so do IT risks. This signifies that the first step towards dealing with IT risk is to create awareness of the issues in the top management echelons. To accomplish this, the following should at least be made sure of for the management of enterprise risks:

Transparency exists concerning significant risks, and the risk-taking or risk-avoiding policies of the enterprise are clarified (i.e. determining the appetite for risk),

awareness is created in the board that they hold the final responsibility for risks,

consciousness exists that the system of internal control put in place to manage risk can often generate cost-efficiency,

consciousness exists that a transparent and proactive risk management approach can create competitive advantage,

risk mitigating activities are embedded in the daily operations of the enterprise.


risk management as a process in the operation of the enterprise. In other words, appropriate risk management is not possible without appropriate governance. The steps all resurfaced in one form or another during the research (cf. chapter 4).

Although some further advice is given on what kind of strategies to approach risk are feasible, this section of the board briefing does not go into great depth on the subject. As ITGI has qualified risk management as one of the two drivers behind IT governance, one would have expected this section to be more elaborate. This void will be covered in the next paragraph where IT risk management will be discussed more elaborately (section 3.3 IT risk management).

Resource Management (page 55)

Resource Management covers the allocation of IT resources such as people, applications, technology, facilities and data. They are allocated to service the needs of the enterprise with respect to IT. It covers areas within the category of operations as well as financials when compared to Hamaker’s enterprise governance classification. Human resources in operations and budget in financials share the most common ground with resource management as meant by ITGI. Resource management has gained in importance over recent years, not least due to increased outsourcing activities.

Generally, a distinction is made within IT resource allocation between resources allocated to existing projects, or ongoing operations, and new investments. To ensure effective governance of IT operational spending, effective control needs to be in place for the cost base: the IT assets and their focus where they are needed most. Benson et al. (2004) have developed a widely adopted portfolio approach to IT resource management to tackle this issue. Existing IT services should be aligned and prioritized based on clear service definitions. This should be done for all IT services that support business operations. Related performance metrics together with these definitions should yield business-oriented service level agreements providing a basis for effective oversight and monitoring of both internal and outsourced IT services. In this way, this issue is related to performance measurement (also result section 4.1.2 The ITGI framework, page 55). If IT assets are organized optimally, they will yield the required quality of service through the most cost-effective delivery infrastructure. Not only will this lead to cost savings for the firm, it will also put the firm in a better position to take on new IT initiatives, either taking on new technologies or replacing or updating older (legacy) systems. In other words, portfolio management can (also) contribute to performance measurement and to strategic alignment.

Effective life cycle management of hardware, software licences, service contracts and permanent and contracted human resources is a final element that should be present in the resource management. It is a key success factor to not only obtain the discussed effective IT cost base but also for managing changes, minimising service incidents and assuring a reliable quality of service.

Performance Measurement (page 55)


management can be linked to performance tracking in the category of strategic planning and alignment as well. Qualifying the subject in this category emphasises its strategic character.

Performance measurement is the factor that allows the other four areas of IT governance to be managed appropriately. It plays a more significant role due to the shift of focus in the way enterprises are competing in the marketplace in the current day. Intangible and hidden assets are turning into competencies that can provide competitive advantage and therefore have to be measured adequately. Traditional financial measurement cannot satisfy this need and balanced scorecards have been devised to take its place.

Balanced Scorecards (BSc) are used to devise operational performance indicators to gain insight into strategic targets. The typical scorecard was introduced by Kaplan and Norton (1996) and contains four perspectives to examine an enterprise’s way of doing business:

Financial perspective: To satisfy our stakeholders, what financial objectives must we accomplish?

Customer perspective: To achieve our financial objectives, what customer needs must we serve?

Internal process perspective: To satisfy our customers and stakeholders, in which internal business processes must we excel?

Learning perspective: To achieve our goals, how must our organisation learn and innovate?

This more holistic view of business operations includes several indicators for intangible items such as level of customer satisfaction, streamlining of internal functions, creation of operational efficiencies and development of staff skill. It is a way of linking long-term strategic action to short-term actions. The contribution of IT to this process is twofold: it provides the information needed to address the different perspectives but it is also an enabler to achieve these same targets. Examples of applications that fit into the second category are enterprise resource planning tools for the financial perspective, customer relationship management tools for the customer perspective, intranet and workflow tools for the internal process perspective and knowledge management tools for the learning perspective.

So not only does IT contribute to the business BSc in multiple ways, it has become such a critical component of contemporary enterprises that an IT balanced scorecard should exist alongside the business BSc (ITGI 2003, p38). Use of an IT BSc is one of the most effective means of aiding the board and management in achieving IT and business alignment. To adapt the business BSc to the IT function, the perspectives of the business BSc have to be redefined. ITGI has constructed a template for an effective IT BSc containing the following perspectives:

Enterprise contribution: How do business executives view the IT department?

User orientation: How do users view the IT department?


The objectives of the IT BSc are:

Establish a vehicle for management reporting to the board.

Foster consensus among key stakeholders about IT's strategic aims.

Demonstrate the effectiveness and added value of IT.

Communicate about IT's performance, risks and capabilities.

Figure 7 also depicts the perspectives of the IT BSc and adds cause-and-effect relationships between them. These relationships make it possible to distinguish performance drivers (causes) from outcome measures (effects), which helps demonstrate the value IT is delivering to the business. Vision and strategy form the background against which the other perspectives are executed.

Figure 7: IT BSc Template (Source: ITGI 2003, p39)

3.2.3 Additional insights

To round off the section on IT governance, this paper cites five additional remarks made by ITGI that are relevant to the domains of GRC as well as IT governance.

The five areas of IT governance that have been covered in this chapter present a solid base on which to judge governance with respect to GRC tools. However, it is important to stress that these areas are not static in nature. These processes should not have a fixed end-point but rather should be an ongoing routine. There are for instance also exogenous variables in the process. Some of the elements that exert a


A top-down approach to IT governance not only provides structures and processes for sound governance, it also clarifies accountability. As mentioned earlier, a control framework should be in place to ensure accountability. Several frameworks for IT control exist that contain good practices for control over information, IT and related risks, such as CobiT, ITIL or ISO 17799. CobiT was developed by ITGI in collaboration with ISACA (note xi), a close affiliate of ITGI. CobiT is a leading IT governance tool that uses non-technical language to help organisations focus their information technology on supporting overall business objectives. It is consistent with many other control and governance frameworks. Control, and thus accountability, will be elaborated upon in sections 3.3 and 3.4. These frameworks also resurface in chapter 4, which presents the research.

ITGI also briefly touches on what it calls regulatory reports and emerging standards on governance. It introduces the COSO Internal Control – Integrated Framework as a framework that has been embraced by many private-sector and government organisations. It provides a control framework for the entire firm, i.e. at the corporate governance level, and it has influenced the development of other frameworks such as CobiT. More recently, the COSO framework has been identified as meeting the framework requirements of section 404 of the Sarbanes-Oxley Act (note xii). This paper elaborates on the COSO framework and its successor, the COSO ERM framework, in the next section, which covers the subject of risk.

Finally, stakeholder value has been addressed explicitly and implicitly in the previous section. Ethics and culture, however, have not been included in the discussion so far, but they do play a significant role within firms and within the field of governance. For instance, the Open Compliance and Ethics Group (OCEG), which is seen as an authoritative body in the GRC domain, identifies ethics as a main requisite for GRC. Even though ethics and culture cannot be included in a scorecard for integrated IT GRC software tools, this aspect of GRC is of such influence that it merits this explicit reference.

This chapter has discussed the first pillar of GRC. The broad concepts of enterprise and corporate governance have been explained before the focus was narrowed to IT governance. To summarise, the overall objective of IT governance is to understand the issues and the strategic importance of IT, so that the enterprise can sustain its operations and implement the strategies required to extend its activities into the future. IT governance aims at ensuring that expectations for IT are met and that IT risks are mitigated. For critically dependent IT systems, governance should be effective, transparent and accountable.

xi The Information Systems Audit and Control Association. ISACA is the principal association of professionals in information systems audit, control, security and governance in the world.

xii
