Running Head: IT STRATEGY ASSESSMENT
Redesigning an Assurance Firm’s IT Strategy Assessment Methodology
A. P. Brandes (S3190153)
a.brandes@student.rug.nlMaster Thesis
MSc Business Administration: Change Management Faculty of Economics and Business
University of Groningen
Thesis Format: Academic Problem Solving Date of Submission: 18.06.2020
Word Count: 18872
Supervisor: Dr. H. C. Bruns
Second Assessor: Dr. I. Maris-de Bresser
IT STRATEGY ASSESSMENT
2 Abstract
TrustAssure (a pseudonym) is a global assurance firm that seeks to improve the quality and consistency of its IT strategy assessments. IT auditors at TrustAssure evaluate their client’s IT strategies according to their own experience and intuition, which is problematic with respect to the service quality and consistency that clients experience. This academic problem solving study combines a review of academic literature with qualitative data from interviews with IT auditors at TrustAssure to develop a practical solution for the firm. The results suggest that TrustAssure requires a twofold solution. The solution needs to distinguish between guidance for the assessment of financial statement audit clients’
IT strategies and guidance for how TrustAssure can roll out IT strategy audits and advisory services for clients for whom TrustAssure does not audit their financial statements. In addition, results showed that the redesign of TrustAssure’s IT strategy assessment methodology would need to leave significant room for professional discretion, as it is one of the most important strengths of IT auditors to use professional judgment in performing their assessments. The proposed solution comprises two frames of reference and a guide for the use of relevant theoretical models, which shall guide IT auditors in using an effective and uniform approach. The expectation is that implementing the redesigned methodology will significantly improve the quality and consistency of TrustAssure’s IT strategy assessments.
Keywords: IT strategy, IT audit, assurance, advisory services, standardization, discretion
IT STRATEGY ASSESSMENT
3
Table of Contents
Redesigning an Assurance Firm’s IT Strategy Assessment Methodology ... 4
Literature Review ... 6
The Determinants of IT Strategy Quality ... 6
The Standardization/Discretion Trade-Off in the Professional Services Sector ... 14
Method ... 16
Participants & Design ... 16
Procedure ... 17
Data Analysis ... 18
Results ... 19
Channel 1... 19
Channel 2... 23
Standardization vs. Discretion ... 24
Discussion ... 27
Problem Solution ... 27
Theoretical Implications ... 34
Practical Implications ... 35
Limitations of the Study ... 35
Conclusion ... 36
References ... 37
Appendix ... 42
IT STRATEGY ASSESSMENT
4
Redesigning an Assurance Firm’s IT Strategy Assessment Methodology
Nowadays, information technology (IT) is recognized as a key corporate resource, crucial to an organization’s ability to transform information into value. Competitive markets pressure companies to increase their investments in IT, to make efficient use of new information systems, and to remain digitally agile in response to changes in the environment (Verhoef et al., 2019; Weill, Subramani, &
Broadbent, 2002). Hence, it is now as important as ever for organizations to have a high-quality IT strategy. While the business strategy specifies the mission, the objectives, and the plan for business operations, the IT strategy specifies these elements regarding to the use of IT (Lai, Zhao, & Wang, 2007). The role of IT auditors in assessing the quality of an IT strategy and the risks associated with it has also become highly relevant. IT auditors provide assurance to organizations that face substantial complexity in strategic decision-making processes regarding IT investments (Senft & Gallegos, 2008).
Considering the key role of IT strategies for organizations, it is vital that auditors provide their clients with well-informed and reliable assessment services. What is the best approach for the evaluation of a firm’s IT strategy?
TrustAssure (a pseudonym) is a global professional services provider, which inter alia offers technology risk assurance to its clients. This function entails that client firms hire TrustAssure to assess the risks in their IT environment and evaluate whether the client manages these risks effectively. One of the tasks that TrustAssure’s IT auditors perform is assessing their clients’ IT strategy and providing recommendations for improvements in case they perceive any risks. This includes requesting an IT roadmap or year plan from clients, evaluating a client’s business and IT alignment, and discussing other content aspects of the strategy. At TrustAssure, most IT strategy assessments happen within the context of financial statement audits, but auditors can also perform them as separate advisory projects.
Employees working within the IT audit function at TrustAssure fall into four roles (increasing in authority): staff, senior staff, manager, and senior manager. As strategy-related assignments are complex; they require expertise and work experience. For this reason, conversations about IT strategies are the responsibility of managers and senior managers at TrustAssure.
According to TrustAssure’s IT auditors in the Netherlands, their current IT strategy assessment
methodology is not formally defined. As a result, different auditors use different approaches and then
deliver distinct outputs to clients. This is problematic, as it is TrustAssure’s aim to provide reliable,
consistent, and in-depth IT audit services to its clients. Nonetheless, the individual approaches also have
positive implications: Using professional discretion in determining how they assess an IT strategy allows
auditors to go into more depth when assessing areas of the IT strategy, which they perceive as
particularly relevant for a certain client or in which they personally have the most expertise. As a result,
different audit methodologies seem to have a negative impact on the consistency of audit services that
clients experience, however, they may have a positive impact on the IT auditors’ diligence in the
assessment of certain elements. For the purpose of fostering clients’ trust in their IT strategies and the
IT STRATEGY ASSESSMENT
5
effective realization of their plans, TrustAssure pursues the opportunity of improving its IT strategy assessment methodology. In addition, the company seeks to find an optimal balance between standardization and professional discretion in their IT strategy assessments, so that IT auditors can continue to provide in-depth assessments, while also adhering to a more consistent methodology.
Two streams of scholarly literature are relevant for TrustAssure’s problem. First, it would be valuable to investigate which elements of an IT strategy an auditor should examine to make a reliable and effective evaluation of an IT strategy’s quality and risks. Literature on the determinants of IT strategy quality discusses several elements that IT auditors can assess independently of a specific organization’s market segment or strategic choices. For instance, an IT strategy’s quality is higher if it aligns with the general business strategy (Henderson & Venkatraman, 1993), if it includes a well- planned project portfolio (Alonso, Verdún, & Caro, 2010), and if it is supported by suitable IT governance (De Haes & van Grembergen, 2006). TrustAssure requires a common IT strategy assessment framework, which is why the literature on the design, constituents and setup of IT strategies is more relevant than any considerations about individual strategic decisions, such as ‘make or buy’. One overarching framework for all clients should serve to assess the determinants of IT strategy quality that concern the setup, design, or constituents of IT strategies, which makes this literature stream particularly suitable to the problem at hand.
Second, academic publications on the trade-off between standardization and specialization may prove useful for TrustAssure’s goal of improving their IT strategy assessment methodology. After defining the main building blocks of an effective IT strategy, it is necessary to determine the appropriate degree of standardization for TrustAssure’s assessments. Nerland and Karseth (2015) argue that professional services organizations need some standardization, as it enables them to “ground professional practice in shared knowledge” (p. 17). Nonetheless, the authors also recognize that a high degree of standardization can negatively affect the service quality by limiting professional discretion.
Another disadvantage of work standardization is that it decreases employees’ psychological empowerment, or in other words, their intrinsic task motivation (Luoh, Tsaur, & Tang, 2014). In order to find the right balance between standardization and discretion, as well as the appropriate content and procedures for TrustAssure’s IT strategy assessments, a more thorough investigation into their current approaches and preferences for assessing IT strategies is needed.
This academic problem solving master thesis investigates how TrustAssure can improve its IT
strategy assessments in terms of service quality and consistency. The aim of this study is to provide
TrustAssure with a theory-based, useful solution that describes how the firm can improve its IT strategy
assessments. Using a design science approach, this study integrates insights from a review of academic
literature with primary qualitative data from interviews with IT auditors at TrustAssure. Specifically,
this study aims to enhance our understanding of 1) the elements that are relevant for assessing the quality
of an IT strategy and 2) the appropriate degree of standardization in IT strategy assessments. The
proposed solution for TrustAssure encompasses two frames of reference that provide guidelines to IT
IT STRATEGY ASSESSMENT
6
auditors for assessing IT strategies from two different perspectives: a risk assessment perspective and a quality assessment/advisory perspective. In addition, the frame of reference for the advisory perspective is extended by a model guide that informs IT auditors about the theoretical foundations and models that are relevant to their assessments. The solution provides a common ground for IT strategy assessments, while it also leaves substantial room for IT auditors to adapt their own methods to a specific client. All in all, the recommendations are likely to improve the quality and consistency of TrustAssure’s IT strategy assessments, which is why TrustAssure would be well-advised to implement them.
Literature Review
This literature review comprises two main parts: the characteristics that determine IT strategy quality and the trade-off between standardization and discretion. First, I review the literature on factors that characterize high IT strategy quality and low risks from an audit perspective. As this study is practitioner-oriented, the literature review focuses on suitable models and instruments that can contribute to a scientific foundation for TrustAssure’s IT strategy assessment methodology. The selection of models is not exhaustive, but rather a compilation of the topics central to understanding IT strategy quality and thus valuable for a common framework for TrustAssure’s IT auditors. The second part of the literature review concerns the body of literature about the standardization-discretion trade- off in the professional services sector. Reviewing academic publications on this issue will serve to gain insight into the trade-off between adhering to a common predetermined assessment procedure and using individual approaches based on professional judgment.
The Determinants of IT Strategy Quality
The purpose of an IT strategy is to guide the organization and its members in the acquisition,
deployment, and management of IT towards the fulfillment of organizational goals (Senft & Gallegos,
2008). Another definition for the term IT strategy is that it offers “a roadmap for operating plans and a
framework for evaluating technology investments" (Senft, Gallegos, & Davis, 2013, p. 209). An IT
strategy can have strong implications for the risks associated with an organization’s IT environment,
which makes it a topic of interest for IT auditors. In many companies – and especially in small and
medium enterprises (SMEs) – information technology has a traditional supportive function, in which its
primary purpose is to improve the effectiveness of other business functions (Bharadwaj, 2000; De
Freitas, Ferreira, Coutinho, & Irigaray, 2013; Levy & Powell, 2000). Often, managers view information
technology as an enabler or asset to their firm’s business goals, while only a few perceive it as necessary
to fully integrate it with their business model. The traditional approach is rather directive: The
organization’s director or board of directors creates a business strategy and consequently decides how
to use IT to increase the effectiveness and efficiency of other business processes. In this scenario, they
rarely include IT executives in strategic planning activities for the business, or they involve them too
IT STRATEGY ASSESSMENT
7
little and too late (Teo & King, 1997). This approach carries an important risk with it. It makes it difficult for the business to achieve a good alignment with IT, as the role of IT is specified in a top-down manner, as opposed to using reciprocal communication (Joia & Souza, 2009).
Over the past decades, the role of IT has been shifting from the traditional supportive function towards a more integrated and strategic part of the business (Henderson & Venkatraman, 1993; Huang
& Hu, 2007). As Keen (1996) states: “Business choices should obviously drive technical decisions, but technical decisions increasingly affect business options, too” (p. 140). An inclusive approach that combines business and IT trajectory planning is more beneficial for organizations and their strategic alignment (Brodbeck & Hoppen, 2003; Chan, Huff, Barclay, & Copeland, 1997; De Haes, 2007; De Haes & Van Grembergen, 2009; Joia & Souza, 2009; Kearns & Sabwerhal, 2007; Teo & King, 1997).
Such collaboration reduces the risk of information asymmetries, as IT executives are informed about the business strategy, business executives learn about the IT strategy, and both sides can provide valuable input for each other’s trajectory planning process. Henderson and Venkatraman (1993) argue that maintaining a high-quality IT strategy requires both business and IT executives to review the strategy periodically and adapt it if necessary. In a study of executives from Fortune 1,000 U.S. organizations, Luftman and Brier (1999) found that the participants perceived the characteristic ‘IT involved in strategy development’ as the second most significant enabler of business and IT alignment, right after ‘Senior executive support for IT’. Therefore, it is crucial that there exist effective communication channels between corporate senior management and IT executives (e.g. CEO and CIO) and that the enterprise architecture facilitates decision making, control, and transparency.
Over the past two decades, the concept of business and IT alignment has gradually received more attention and managers as well as researchers now view it as a key objective of IT strategies (Issa-salwe, Ahmed, Aloufi, & Kabir, 2010). Also referred to as strategic alignment, this concept refers to the decisions and actions that managers take to ensure coherence between a firm’s general business model and its use of information technology (Byrd, Lewis, & Bryan, 2006; Chen, 2010; Luftman, 2000;
Luftman & Brier, 1999; Papp, 1999). In 1993, Henderson and Venkatraman (1993) developed the Strategic Alignment Model (SAM; see Figure 1), which is now the theoretical foundation of many academic alignment studies and models that followed (Miyamoto, 2013). The researchers conceptualize strategic alignment as consisting of two building blocks: strategic fit and functional integration (Henderson &Venkatraman, 1993). The first component refers to the notion that strategic choices for the external domain (i.e. the competitive industrial environment) and the internal domain (i.e.
organizational structures and processes) need to align (Henderson & Venkatraman, 1993). The second
component, functional integration, entails that any choices that an organization makes for the business
need to be congruent with those for its information technology. The focal point of their model is that
strategic alignment relies on linkages amongst four strategic domains: the business strategy, the IT
strategy, organizational and infrastructural processes, as well as IT infrastructure and processes. The
researchers emphasize that a change in one domain likely induces changes in other domains, so
IT STRATEGY ASSESSMENT
8
adaptations may be necessary to maintain strategic alignment.
Figure 6. Template for an IT Roadmap (Roadmunk, 2019)
Luftman (2000) extended the SAM by developing the Strategic Alignment Maturity Model (SAMM; see Figure 2), which serves as a measurement framework for assessing an organization’s business and IT alignment maturity. According to Luftman, there are five different levels of alignment maturity, ranging from poor alignment to perfect alignment: 1. initial/ad hoc process; 2. committed process; 3. established focused process; 4. improved/managed process; and 5. optimized process.
Moreover, Luftman’s SAMM focuses on the assessment of 6 distinct alignment maturity sub- dimensions: 1. communications; 2. competency/value measurement; 3. governance; 4. partnership; 5.
scope & architecture; and 6. skills. For instance, in a firm where business and IT personnel communicate,
but fail to understand each other’s positions entirely, the communications maturity level would be 2. In
order to calculate a firm’s total strategic alignment maturity level, one needs to add up the maturity
levels for each of the criteria and then divide the result by five. He states that most companies only have
a strategic alignment maturity of level two, demonstrating that there are significant deficiencies in most
companies’ strategic alignments (Luftman, 2000). After assessing a company’s strategic alignment, the
model also identifies the steps a company can take to reach the next maturity level. For this purpose,
one needs to compare the criteria that the company meets for its current level to those that it does not
yet meet for its desired level of alignment maturity.
IT STRATEGY ASSESSMENT
9
Figure 2. The Strategic Alignment Maturity Model (SAMM; Luftman, 2000)
Two models that many organizations use to design their IT strategies are the IT balanced scorecard (IT BSC; Van Grembergen, 2000; Van Grembergen & Saull, 2001) and the IT roadmap (Lee
& Park, 2005; Phaal, Farrukh, & Probert, 2004; Pham, Pham, & Pham, 2013). The IT BSC (see Figure 3) is an instrument that organizations can use to translate their vision for IT into concrete strategic choices about objectives and related measures (Srivastava, Kogan, & Vasarhelyi, 2001). Just like the
‘traditional’ balanced scorecard method for planning and implementing business strategies (Kaplan &
Norton, 1992), the IT BSC considers four different perspectives. In (re-)developing their IT strategy with the IT BSC, organizations need to spell out specific goals for 1. the contribution of IT to financial outcomes, 2. the influence of IT on the effectiveness and efficiency of business processes, 3. the role of IT in preparing the organization for future challenges and growth, and 4. the value of IT for customers (Van Grembergen, 2000). By considering all four perspectives in the strategic planning process, one can reduce risks of inefficiencies and inconsistencies. A clear understanding of the roles of IT for these different purposes in the business is central to the quality of an IT strategy.
The IT BSC method also prompts organizations to choose reliable measures for the assessment
IT STRATEGY ASSESSMENT
10
of the specified objectives (Van Grembergen, 2000). Tracking an organization’s progress in reaching IT goals makes the execution of the strategy more transparent and it allows for the early detection of risks or aspects that require adaptations. According to Deszca, Cawsey, and Ingols (2015), the integration of measurement and control systems in strategic planning is critical, as they can “clarify expected outcomes and enhance accountability” (p. 278). Hence, when clients already have measures and controls in place, they possess more tangible information about the execution of their IT strategy, which facilitates the IT auditor’s risk assessment. In addition, measurement systems support organizations in adhering to certain product quality or employee performance standards. As the Hawthorne studies have shown, when organizational members are aware of the fact that their work is being monitored, it motivates them to perform better (Mayo, 1933). For this reason, including specific measures in IT strategic plans enhances the quality of an IT strategy and reduces the risks associated with it.
Figure 3. The IT Balanced Scorecard (Van Grembergen, 2000)
Van Grembergen and Saull (2001) developed a maturity model for the evaluation of a firm’s IT
balanced scorecard, which classifies a firm’s quality of IT planning and implementation into five
maturity levels (see Figure 4). One can use the IT BSC maturity model to assess the extent to which
organizations have realized the ideas they specified in the IT BSC. In addition, when an organization’s
IT strategy has a maturity level 2, for example, then one can find recommendations for improvement in
the requirements for maturity level 3. This model emphasizes the importance of a strategic planning and
review process in which organizations define or adapt their objectives for an upcoming period, based on
IT STRATEGY ASSESSMENT
11
their current performance. The combination of the two IT BSC models provides a comprehensive and illustrative technique for assessing the content of a firm’s IT BSC or helping a firm to develop one from the ground up.
Figure 4. Maturity Model for the IT BSC (Van Grembergen & Saull, 2001)
Besides strategic alignment and tangible goals and metrics, there is another crucial determinant of IT strategy quality. Project prioritization is a central element in any effective strategic planning process (Alonso, Verdún, & Caro, 2010). Ideally, business and IT executives jointly discuss the prioritization of IT projects to consider the value, costs and risks of each project, as well as the organization’s capacity to execute them. In this context it is also important that an organization’s IT budget management aligns with its planned IT projects, so that it can avoid financial bottlenecks (Marchewka, 2015). When an organization fails to efficiently prioritize projects, or to appropriately allocate the required resources, it exposes itself to significant economic risks (Drake & Byrd, 2006).
Auditors need to evaluate whether they consider a particular client a going concern, which means that the firm’s financial means can sustain its continuing operations (Cormier, Magnan, & Morard, 1995).
Therefore, it is important to evaluate a client’s project prioritization in an IT strategy assessment. In the third version of the COBIT framework for IT governance, the Information Systems Audit and Control Foundation (ISACF) describes effective project prioritization in the following way:
The objective of prioritizing projects is to identify those projects where quick wins can be
achieved. The best candidates for quick wins are usually those where the gaps are small,
IT STRATEGY ASSESSMENT
12
where the cost of closing the gap is low, where the risk of project failure is low and where the impact on the business benefits will be greatest (ISACF, 2000, p. 101).
In COBIT 2019, the Information Systems Audit and Control Association (ISACA, 2018) maps out the IT governance management practice APO06.02 – ‘Prioritize resource allocation’ (see Figure 6).
ISACA illustrates that project prioritization refers not only to priority ranking, but it also concerns budget allocation, cutoffs, resource allocation/acquisition, establishing a procedure for communicating budget decisions, managing the impacts of budget decisions, as well as obtaining formal consent for budget decisions that negatively impact the business strategy and suggesting solutions. Thus, this model provides guidance on how to assess the quality of a firm’s IT project plans and how to identify associated risks. Furthermore, according to ISACA (2018), two ways of assessing an organization’s project prioritization are determining the extent to which resources align with high-priority initiatives and reviewing past instances of escalated resource-allocations.
Figure 5. COBIT 2019: Management Practice APO06.02 (ISACA, 2018)
To formalize IT strategic plans and the allocation of resources over a specific period,
organizations often create roadmap documents, such as the IT timeline roadmap (see Figure 7). These
types of documents are a popular and widely used method for creating concrete illustrations of the plans
for IT (Lee & Park, 2005; Phaal, Farrukh, & Probert, 2004). IT roadmaps allow an organization to make
its IT strategy tangible and monitorable by allocating time slots and resources to different projects over
time, based on earlier decisions regarding prioritization and allocation (Ilevbare, Probert, & Phaal,
2014). Furthermore, roadmaps can make the overall strategic plan and operations more transparent for
organizational members, as they prepare the organization for actualizing its IT vision and they reveal
potential resource underutilization or overload. For these reasons, such documentations are important
for understanding the quality of an organization’s IT strategy and the execution thereof.
IT STRATEGY ASSESSMENT
13
Figure 6. Template for an IT Roadmap (Roadmunk, 2019)
In sum, the six models in this literature review mention many aspects that are relevant to the quality of an IT strategy: business and IT alignment (Henderson & Venkatraman, 1993), alignment sub- dimensions (Luftman, 2000), balanced scorecard perspectives, objectives, and quality measures (Van Grembergen, 2000), a strategic planning and review process (Van Grembergen & Saull, 2001), project prioritization and resource allocation (ISACA, 2018), as well as documentation (Roadmunk, 2019).
Taken together, these elements form a synergistic collection of IT strategy quality determinants. The models complement each other, as they predominantly present distinct insights and each of them enhances our understanding of the quality and risks of an IT strategy. Although there is some overlap in the content of the models, each one of them has unique practical value.
While the SAM (Henderson & Venkatraman, 1993) and the SAMM (Luftman, 2000) both deal with strategic alignment, the prior adds value through its conceptualization and illustration of strategic alignment and the latter contributes a framework for assessments and gap analyses. Also, while Van Grembergen (2000) presents the IT BSC, Van Grembergen and Saull’s (2001) maturity model enhances its practical value by providing an assessment framework and further implementation guidance.
Furthermore, the models of ISACA (2018) and Roadmunk (2019) overlap regarding their focus on
project prioritization, however, ISACA’s guidance relates to the planning process, while Roadmunk
provides a template for the documentation of IT strategic plans. The reviewed models establish an
overarching theoretical frame that can serve as a foundation for TrustAssure’s IT strategy assessment
methodology. This academic umbrella cannot entirely capture the complexity of IT strategies.
IT STRATEGY ASSESSMENT
14
Notwithstanding, it lays down a constructive basis for the enhancement of TrustAssure’s IT strategy assessments.
The Standardization/Discretion Trade-Off in the Professional Services Sector
In how far should TrustAssure’s IT auditors adhere to the same frameworks and a common assessment procedure, as opposed to letting their own technical expertise and practical experience guide them? The quality of an audit is usually evaluated by its compliance with certain policies, standards and procedures (Gantz, 2014; Pitt, 2014). According to TrustAssure, all IT auditors comply with the policies and ethical principles, however, their use of certain standards and procedures is inconsistent. As Bagshaw and Selwood (2014) argue, “the best way to improve a methodology, and its use in an audit firm, is to get to grips with current standards” (p. 4). However, assessments of IT strategies are less straightforward than audits of financial statements. There are no formal IT strategy standards, but academic literature provides guidelines, such as Luftman’s (2000) above-mentioned strategic alignment maturity criteria. Therefore, it is valuable to investigate the extent to which the adoption of common frameworks and assessment methods could improve the service quality and consistency of TrustAssure’s IT strategy assessments.
The concept of standardization has its roots in Taylor’s (1911) theory of Scientific Management, a view that suggests that routinization is the key for organizations to excel. Specifically, the standardization of organizational operations entails that the variation between employees’ methods decreases, whereby their overall work behavior increases in homogeneity. Organizations can achieve this through the introduction of formal rules, policies and standards, which aim at reducing error potential and increasing organizational effectiveness (Link & Naveh, 2006). In the professional services industry, standardization is frequently contrasted with professional discretion. The latter refers to granting employees the freedom to choose the manner of action for the completion of certain tasks, which allows them to remain flexible in handling unanticipated situations (Nissinboim & Naveh, 2018).
When using discretion, professionals engage in divergent thinking, experimenting, improvising, and sometimes deviation from standard work practices (Link & Nahveh, 2006). Generally, organizations face a trade-off in the extent to which they use standardization and discretion (Nissinboim & Naveh, 2018). The more they instruct their employees to follow certain routines, the less freedom their employees have to shape their own work methods and outputs.
Nevertheless, some authors argue that there is a paradoxical element in this relationship (Link &
Naveh, 2006; Nerland & Karseth, 2015). As standardization involves the formalization of best practices,
it ultimately leads to a more skilled and educated workforce that is better prepared to cope with work
events on an ad hoc basis. Therefore, when employees are accustomed to adhering to guidelines for
quality and efficiency, their established routines and gained experience will allow them to make better
choices when given the opportunity. This means that an increase in standardization could underline the
IT STRATEGY ASSESSMENT
15
benefits of professional discretion, as long as some freedom for individual choices is maintained.
Nerland and Karseth (2015) argue that professional services organizations face a challenge in carefully balancing their use of standardization and discretion. They describe the paradoxical effects of standardization for professional services staff in this way:
Standards play a double role in professions. On the one hand, standards are important in the jurisdictional work of the profession as they help to define the competences needed for professional work and thereby allocate responsibilities. In this sense, standards are important to secure spaces for professional discretion. On the other hand, standards may regulate practice in ways that limit the space of action for the professionals in their daily work. The balancing of these two functions of standards is at the core of the knowledge work of the professional associations (p. 17).
There is no universal optimal degree of standardization. The need for standardized measures differs across industries, professions, hierarchical positions, tasks, and projects. For instance, it is important that doctors can use substantial discretion in their work, as every patient is different and it is vital that physicians can tailor medical treatments to specific individuals (Nissinboim & Naveh, 2018).
Conversely, in the manufacturing sector, product standardization is a popular strategy due to its advantages in terms of cost reduction and process efficiency (Gebrekidan, Hoc, & Mukhtar, 2019). On the positive side, research has demonstrated that the standardization of professional services is associated with an increase in service quality, uniformity, reliability, and repeatability (Hickey, 1977;
Kasiri, Cheng, Sambasivan, & Sidin, 2017; Light, Chappell, & Kyberd, 2002). In addition, Ding and Keh (2015) found that clients prefer standardized practices if they hire a professional services provider for reasons of efficiency and functionality, as opposed to reasons of fun and novelty. IT strategies entail critical decisions about strategic directions and high financial investments, which is why efficiency and functionality are likely two of the primary reasons for clients to hire IT auditors. However, a high degree of standardization can also have significant negative effects on the work of IT auditors at TrustAssure.
Broadbent and Laughlin (2002) argue that accounting firms are complex bureaucracies, in which professionals work rather autonomously and have a high status. Therefore, preferences for standardization are rather low in these work settings and an imposition of additional standards may receive little acceptance by personnel. When organizations formalize processes through standards, it creates a basis for quality measurement. The authors note that a combination of standardization with increased monitoring mechanisms may alienate professional services staff, as it individualizes their accountability and their deviations from standard norms become more visible. In congruence with their arguments, researchers have repeatedly found standardization to be negatively associated with intrinsic work motivation and engagement (Hartline, Maxham, & McKee, 2000; Sherman & Smith, 1984).
Furthermore, Broadbent and Laughlin (2002) argue that high standardization of professional services is
often infeasible due to the tacit nature of the knowledge that professionals apply. Indeed, it may be
difficult to create standard procedures for IT strategy assessments, as each client is different: some
IT STRATEGY ASSESSMENT
16
clients may use unfamiliar strategic frameworks and some may not even have a formalized IT strategy yet.
To conclude, in order for professional services firms to take advantage of the benefits of standardization without suffering significantly from its negative implications, they require clear guidelines and the freedom to deviate from them when it creates added value for clients. Formalizing standard methods in work documents can guide professionals in adhering to common methods and recognizing when it is appropriate to use professional discretion (Link & Naveh, 2006; Nerland &
Karseth, 2015). Organizations can use such documents and formal guidelines to teach their employees how to think about certain elements of their work, creating a shared philosophy. As opposed to step-by- step standard procedures, a general set of guidelines requires employees to translate the guidance into practical steps themselves. This option seems particularly suitable for professional services organizations that serve a variety of clients, as professionals can tailor their methods to specific clients when necessary. For instance, this has the advantage that they can go into more depth regarding certain aspects that play a relatively more significant role for a specific client. Besides this review of academic literature, it is valuable to collect primary data from IT auditors at TrustAssure to find the best solution for the improvement of their IT strategy assessments. In the following sections, I present the research approach.
Method
Participants & Design
This study took place during my thesis internship at TrustAssure’s IT audit department in the Netherlands. As the current research intended to help TrustAssure improve its IT strategy assessments, it was important to gain an understanding of IT auditors’ views on the problem and their ideas for potential solutions. For this reason, a qualitative research design was the appropriate approach, as it allows for the collection of detailed descriptions of participants’ perspectives that are nested in real contexts (Miles & Huberman, 2007). In light of restrictions surrounding the COVID-19 pandemic, I selected interviews in the form of video calls via Microsoft Teams as the method for the collection of primary data.
I conducted 15 semi-structured interviews with IT audit managers and senior managers, who work
at different offices in the Netherlands. I chose a semi-structured design in which standard questions
maintained data quality and enabled comparison across interviewees’ answers, while leaving room for
follow-up questions, so that interviewees could elaborate on relevant insights (Young et al., 2018). This
research design was appropriate, as the present study investigates complex procedures, such as
individual differences in the use of professional discretion, which is why it was likely that unforeseen
aspects come to the surface during the data collection process (Cachia & Millward, 2011; Young et al.,
2014). Scholars recognize qualitative research and interviews as valuable data collection methods,
IT STRATEGY ASSESSMENT
17
especially with respect to the use of knowledge and discretion in the professional services sector (e.g.
Holmes & Clark, 2008; Turnhout, Stuiver, Klostermann, Harms, & Leeuwis, 2013).
The interviews lasted for approximately 50 minutes and I conducted them in Dutch, as this is the interviewees’ day-to-day work language. Since colleagues who work in the same office may have some influence on each other’s assessment approaches and opinions, I selected interviewees from multiple different office locations to maintain the independence of individual responses. An overview of the (anonymized) respondents and their roles can be found in Table 1. The sample of 15 interviewees is a result of data saturation; I continued to conduct interviews until I reached a point at which an additional interview would not have added any significant new insights. Fusch and Ness (2015) argue that data saturation is an important determinant of internal validity, as its achievement entails that a researcher has gathered a substantial amount of detailed and nuanced information on a certain subject.
Procedure
My internship supervisor (IT audit manager) provided me with a list of IT audit managers and senior managers whom I could interview about their approaches for auditing IT strategies. In addition, I received access to the company’s internal address book, where I could search for the roles and email addresses of potential interviewees. I set up interview calls with 15 individuals who agreed to take part in the study and had at least one year of experience in auditing IT strategies themselves. I conducted a pilot interview to increase the study’s validity and reliability and to ensure the provision of useful research data (Majid, Othman, Mohamad, Lim, & Yusof, 2017; Omoteso, Patel, & Scott, 2008). After the pilot interview, I learned that ‘IT strategy assessment’ is a more suitable term than ‘IT strategy audit’, as IT auditors at TrustAssure mainly view the IT strategy as an element to discuss with the client during the IT audit for financial statements. As a result, I slightly adapted the interview protocol to ask the respondents how they discuss IT strategies with their clients, as well as the extent to which they evaluate strategies.
With the respondents’ permission, I recorded all interviews. An interview protocol of the standard questions can be found in Table 2. I maintained a general structure of four themes throughout all interviews and added additional questions ad hoc when I perceived that a respondent had knowledge on a certain topic that would provide significant added value to the data. The initial questions related to the individual experiences of respondents, so I mostly asked probing questions to encourage them to elaborate. An example of a question was: “What does a conversation about an IT strategy look like?”
Later questions were more structured and I followed the interview protocol more closely at that point.
For instance, I asked every interviewee: “When is it important that IT auditors can adapt their own
approach during IT strategy assessments?” The way in which I set up the interviews is roughly based
on research by Sweeney and Pierce (2004), who demonstrated how a semi-structured interview design
can lead to valuable and well-organized qualitative data.
IT STRATEGY ASSESSMENT
18
In the first part of the interviews, I asked about the respondents’ technical background, such as their field of study and prior work experience. I then asked specifically about their experience in auditing IT strategies. In the second part, I invited the respondents to describe their individual approach for assessing a client’s IT strategy in as much detail as possible. Here, I asked them to describe their full work process, starting with the client’s request and ending with the formal completion of the engagement. In the third part, I asked them to reflect on their own approach, for instance, regarding the depth and content of their assessments as well as any inconsistencies that they perceive between their own and their colleagues’ approaches. In the fourth part, I asked for their personal view on the subject of standardization in relation to TrustAssure’s IT strategy assessments. In this context, I encouraged them to lay out which standards or standard procedures they would perceive as beneficial for TrustAssure’s service quality and to reflect on the positive and negative implications for their work.
Data Analysis
I transcribed the interview recordings verbatim and replaced all names with pseudonyms. I then used the ATLAS.ti software to systematically code the collected data based on key themes and patterns.
I used inductive coding to identify the key topics from the literature in the data and I used deductive coding to capture additional relevant patterns in the interviewees’ responses. During this process, I adapted some codes and made them more specific by splitting them up in order to account for the data in a more organized fashion. For instance, I extracted all text segments that related to the independence conflict between audit an advisory services from the code PROB (perceived problems) and created a new code for them, which I labeled ADVI. As a final step, I created code groups for overarching themes.
For example, I assigned every code that related to an IT auditor’s use of a model to a common code group, so I could compare the used models across all interviewees. In using this procedure for analyzing my data, I am following the steps of Turnhout et al. (2013), who also investigated complex work processes and conducted their interviews in a similar manner. Table 3 presents a codebook, including all codes I used to account for the data and example quotes from the interview transcripts.
The most critical insight that emerged from the coding process was that IT auditors’ methods for
assessing IT strategies varied for different types of clients. All interviewees mentioned that their
methods depend on whether the client is a channel 1 or a channel 2 client (see results for explanation),
some mentioned that they distinguish between smaller and bigger clients, and one interviewee
mentioned that he assesses stock market listed clients differently than non-listed ones. The first
distinction appeared to be central to understanding TrustAssure’s IT strategy assessments, which is why
I coded almost every statement that related to assessment content or methods as either CHANNEL1 or
CHANNEL2 to maintain a clear line between them. To analyze and compare the data for these two
different types of clients, I used the query tool in ATLAS.ti and searched for instances in which the code
IT STRATEGY ASSESSMENT
19
CHANNEL1 co-appeared with other codes, as for instance, EVAL (evaluations or feedback for clients).
Then I repeated this process for channel 2.
I documented any patterns I found in the code combinations of both channels, across all interview transcripts. The codes about standardization and discretion did not show any relation to either channel 1 or channel 2, which is why I analyzed these codes on their own. The analysis resulted in the identification of five different perspectives that IT auditors have of how IT strategies should be assessed in channel 1, eleven different content aspects that they assess about IT strategies, as well as nine arguments in favor and eight against the standardization of TrustAssure’s IT strategy assessments.
Results
A central distinction that emerged from the data is that IT auditors’ methods for assessing clients’
IT strategies depend upon whether the client is a channel 1 or a channel 2 client. TrustAssure distinguishes between channel 1 clients, for whom IT auditors perform assurance-related services (mostly in the spectrum of financial statement audits) and channel 2 clients, for whom they perform advisory or non-assurance services. The purpose of IT auditors in channel 1 is to assess the risks that result from a client’s use of information technology and are relevant for financial statements. Auditors may not provide substantial advice to channel 1 clients, as this would damage their independence as an auditor. In channel 2, the specific service depends on the question of the client. Here, auditors can take a more hands-on approach and provide specific advice, as they do not perform annual audits for these clients. In the following sections, I first discuss how IT auditors assess their clients’ IT strategies. I discuss the findings for channel 1 and channel 2 separately, because the services that are performed in the two channels are different and therefore the service quality also depends on different factors.
Consequently, I discuss how IT auditors perceive the need for standardization of IT strategy assessments. The data for channel 1 and channel 2 did not differ in this respect. Therefore, the findings on standardization apply to both channels.
Channel 1
According to the majority of respondents, the relevance of IT strategies in channel 1 is limited to their impact on risks in the client’s IT environment and financial statements, as this would also affect the audit. IT strategy assessments that go beyond this scope are not relevant to the financial statement audit and thus do not form part of the IT auditors’ responsibilities in channel 1. Marc explains why IT auditors can only look at IT strategies from this risk-perspective:
If we talk to the client in the scope of an annual audit, then it falls under the financial
statement budget, which the accountants agreed upon with the client. And the accountants
then determine an amount of hours for IT auditors. And if we dive into that (IT strategies)
it will of course cost much more time and that does not fit into their budget. (…) And they
IT STRATEGY ASSESSMENT
20
do not find it necessary for their audit, that’s why. So, we only have an update conversation with clients to see what the risks are, but you do not have to do any research beyond that.
Marc’s explanation shows that the financial accountants determine an amount of hours for IT auditors based on their agreement with a client. From a financial audit perspective, it seems inefficient to assess IT strategies beyond their impact on the audit, as clients do not pay for this. However, it is important that auditors understand the clients’ IT strategy and the inherent risks, so they can select the appropriate audit strategy. Hence, auditors mostly discuss strategies at the beginning of an audit engagement, for the purpose of acquiring an understanding of the client organization and the risks in its IT environment. Internally, TrustAssure’s employees refer to this aim as ‘understand the business’.
However, not all IT auditors assess their clients’ IT strategies, which is also evident in the fact that five potential interviewees declined the interview invitations, arguing that they do not discuss strategies at all. Those that do assess their clients’ IT strategies do so in a rather unstructured manner, based on their individual expertise and intuition.
Joseph states that the differences in colleagues’ approaches lie in the “depth and the aspects that they discuss” in a conversation about IT strategies, while “some do not do it at all”. This was also the picture that emerged from the overall dataset. Most respondents stated that they regularly talk to clients about their IT strategies, usually at the beginning of an audit engagement and for the purpose of understanding the business. However, there were inconsistencies within and between the respondents’
statements. Some argued that it is important to gain an understanding of the client’s IT strategy before conducting the audit, but then added that they do not do this for every client, or only for smaller clients whose IT strategies tend to carry more risks. Moreover, some interviewees specified that they provide recommendations to clients about how they can improve their IT strategies, while others emphasized that they do not consider it their responsibility to do so.
A few even mentioned that they refrain from providing any advice, as it could jeopardize their independence as an auditor. Marc explains why he rarely provides feedback to clients: “Our advisors, they join the client in such projects, they can think along with clients and help them make plans. They also have several methodologies for this. But we do not do that as accountants”. Figure 8 presents an overview of the most prevalent differences in how the interviewees described the role of IT strategies for channel 1 IT audits. Due to the qualitative nature of the data, this figure does not offer a precise representation, but it provides an approximate description of the different perceptions of IT auditors.
The findings support the fundamental assumption of this study, which is that there exist substantial
individual differences in auditors’ methods for discussing IT strategies.
IT STRATEGY ASSESSMENT
21
Figure 8. How IT Auditors Assess IT Strategies in Channel 1
Next to their general views on when and why to discuss IT strategies during an audit, the respondents also differed significantly with respect to the depth and the scope of their conversations about strategies with clients. The time that interviewees spent to discuss IT strategies with smaller clients ranged from 10 minutes to 1.5 hours. Multiple respondents stated that they discuss IT strategies in yearly
‘IT-update conversations’ in which they aim to understand the most important changes in the client’s IT environment. Apart from the IT strategy, other topics that they discuss in these conversations are, for instance, data security, IT governance, system implementations, or changes in applications. Some interviewees explained that when they identify a particular project as particularly important or risky, they usually focus on this project, instead of discussing the IT strategy in general. The time the interviewees spent to discuss the strategies of bigger clients ranged from 0 to 30 hours per year. Some argued that they do not talk on this higher strategic level with bigger clients, because “it (their strategy) already runs like that for years” (Christoph) or “the CIO is in America and we cannot simply make contact to talk about the strategy” (Nathaniel). Others argued that they take more time for these conversations with bigger clients, because bigger clients “document more, they have project plans and strategy plans and then you actually have something to look at” (Marc).
These differences in clients show that a strict one-suits-all standard procedure for assessing IT strategies may not be appropriate. Figure 9 presents an illustration of the content that the respondents usually discussed in a conversation about a client’s IT strategy. The numbers represent the amount of respondents that recalled and mentioned these aspects during their interview, so this figure can only provide an approximate indication of the content that IT auditors really discussed. We can derive from this graph that auditors differ regarding the aspects of IT strategies that they discuss with channel 1
0 2 4 6 8 10 12
Mainly discuss IT strategies with smaller clients
Discuss IT strategies for the purpose of selling additional services Provide feedback on IT strategies Mainly discuss IT strategies in case of
changes
Regularly discuss IT strategies to 'understand the business'
3 5
6 7
12
IT auditors
IT STRATEGY ASSESSMENT
22
clients. Almost all respondents stated that they solicit IT roadmaps or project plans from their clients to identify important risk factors before they have the conversation with the client. In addition, many interviewees perceived strategic alignment as a critical agenda item for such conversations and some mentioned that they know several clients who struggle with this and thus expose themselves to risks.
When reflecting on the order of subjects in Figure 9, one can identify an underlying trend. Risk-related subjects and those that could have the strongest impact on the IT audit were mentioned the most, while those that concern business development or revenue opportunities were mentioned less often. Although respondents perceived IT budget management as an important risk factor, Nathanial and Ian stated that this is a subject that fits better into the scope of the financial accountants’ assessment, as they assess financial information. Considering the context of a channel 1 IT audit, the overall trend seems coherent.
Figure 9. Content Discussed in IT Strategy Conversations
The IT auditors mentioned several elements relevant to the quality of channel 1 IT strategy assessments. First, the data suggests that IT auditors should assess the IT strategies of their clients regularly at the beginning of every annual audit. Also, an IT auditor should update his or her understanding in case of significant changes at the client organization (e.g. if there is a new CIO or IT director). Second, IT strategy assessments should help the IT auditor understand the client’s business and inherent risks in order to determine the appropriate audit procedures and tests. The most important IT strategy quality determinants that auditors should evaluate are those that are most prone to risks and can affect the audit. Therefore, auditors should assess the client’s plans for the business and for IT in terms of project prioritization, resource allocation, and dependencies on skills, products or services.
Moreover, an assessment should also consider influences of strategic (mis-)alignment, IT governance
0 2 4 6 8 10 12 14
IT strategy development/update process IT budget management IT quality measurement and management IT growth and emerging technologies Challenges and risks (incl. impact on audit) Skills, services or tools needed for the IT strategy IT governance Business and IT alignment Business strategy IT project prioritization IT roadmap/plan
3 3
4 6
7 8
10 12
13 13
14
IT auditors
IT STRATEGY ASSESSMENT
23
structures, processes and relational mechanisms and other challenges that may be salient in a client’s IT strategy. Other sources of risks in an IT strategy are new technologies, ineffective quality control, the IT budget, and the lack of a structured process for the development and adaptation of the strategy.
Third, an IT strategy assessment should assess the documentation and information relevant for understanding the client’s IT strategy and the associated risks. Figure 9 presents the most important aspects to consider in an audit, however, the relevance of each aspect may vary for different clients.
Fourth, the evaluation of IT strategies should identify why certain plans failed in the past and which risks may persist regarding future plans. In this context, IT auditors should also consider the impact of the client’s IT strategy on the audit, as for example, data migration plans may increase the need for associated tests and constrain the time frame in which auditors can conduct these tests. Fifth, they should document the most relevant findings in TrustAssure’s internal dossier of the client and communicate conclusions about risks and feedback to the client through the management letter and/or the auditor’s report. The data suggests that these five aspects are vital for the enhancement of TrustAssure’s service quality, which is why it is important to include them in a solution for TrustAssure.
Channel 2
The interviewees’ responses converged with respect to how they described the role of IT strategies for channel 2 services. Channel 2 services generally involve specific projects in which clients hire IT audit experts to advise and support the client in achieving a certain goal. Therefore, the interviewees argued that the degree to which they consider the client’s IT strategy depends entirely upon the specific job. Thus, only if a client needs assistance regarding the development of an IT roadmap, the redesign of IT governance structures, or something similar, IT auditors consider it important to assess the client’s IT strategy. Furthermore, an IT strategy audit that is separate from the financial statement audits is not one of TrustAssure’s official service offerings. Only a few of the senior managers, who are already with the firm for a long time, have received a request like this from clients in the past. Drake believes that TrustAssure should pursue this opportunity:
I think it’s too bad that this is actually never the principal question of an audit. I would like it to be, but I think that we, as TrustAssure, are not yet being recognized in the market as a party that gives strategy advice or does strategy audits. (…) Although I think that we are perfectly capable of this, certainly together with our colleagues from the advisory side.
Thus, Drake believes that TrustAssure could perform IT strategy audits for channel 2 clients.
Adding IT strategy audits to its channel 2 service offerings would also be in line with TrustAssure’s
own strategy, as the firm intends to increase its focus on advisory services. As Figure 8 shows, one third
of the respondents already discusses IT strategies with channel 1 clients to spot potential future projects
for which TrustAssure could provide additional services. Kendra argues that if TrustAssure would
include IT strategy advisory services in the description of its role and capabilities (e.g. on its website),
IT STRATEGY ASSESSMENT
24
then it could be an “eye-opener” for clients to become interested in hiring TrustAssure for this purpose.
In addition, Kendra believes that IT auditors would enjoy this type of work:
I think it is not being done often enough now; I think it is not being done at all. This is the reason why it could actually allow people to do new kinds of tasks. So then, instead of the IT audit for the financial statement, they can also do a strategy audit for a change and they might really enjoy this.
As channel 2 services require IT auditors to take a different perspective on IT strategies than channel 1 services do, the respondents also mentioned different service quality requirements for potential IT strategy audit and advisory services. Joseph explained that channel 1 IT strategy assessments finish when auditors provide feedback and recommendations to clients in the management letter or auditor’s report, while in channel 2, they help clients implement certain recommendations. The trigger for a channel 2 IT strategy audit is different, as the client is the one who requests the IT auditor’s help and specifies what is necessary. Therefore, the first determinant of service quality in this context is the extent to which the IT auditor can fulfill the client’s strategy-related request, as for example helping the client improve their strategic alignment. This differs from channel 1 service quality in the sense that IT auditors do not receive requests for strategy assessments from channel 1 clients, but they provide them with the necessary IT assurance services for a financial statement audit. The feedback and recommendations that auditors give to clients in channel 1 are a result of the natural advisory function of an accountant, but it does not go beyond that, as providing advice is not the key objective of IT audit services in channel 1.
The second service quality factor in channel 2 is that IT auditors should assess all information and documentation relevant for the client’s request. For the example of strategic alignment, Anthony mentioned that IT auditors could use the Strategic Alignment Model by Henderson and Venkatraman (1993) as guidance to know what information they should request from a client. Scientific models, maturity assessments, gap analyses, and benchmark data add value to the audit and improve the quality of the advice that auditors can provide to the client. Third, auditors should document the most important findings and provided recommendations in the client’s file. Finally, auditors need to communicate the findings and the advice to the client, whereby it is important that the complexity of the presented information is appropriate considering the client’s expertise. In this context, it is valuable to use visualizations in the output to the client, as it supports the client in understanding the information and it gives the final output a more professional appearance. The data suggests that these four aspects are critical to the service quality of IT strategy audits and advisory services in channel 2, which is why a solution for TrustAssure should incorporate them.
Standardization vs. Discretion
TrustAssure’s IT strategy assessments currently rely on professional discretion, as auditors have
IT STRATEGY ASSESSMENT
25
substantial flexibility in deciding how they approach an IT strategy assessment. All interviewees agreed that an improvement of the quality and consistency of TrustAssure’s IT strategy assessments would require some standardization. They recognized that the current situation in which clients experience significant variations in the assessments and reports of IT auditors is problematic. Drake argued that a standardized methodology would improve the service quality, because it would allow TrustAssure to communicate to IT auditors and potential clients what exactly the service entails. In addition, standardization would improve the consistency of IT auditors’ methods, by providing them with a common philosophy for strategy services. Drake described the positive impact of standardization for TrustAssure in this way:
For instance, if you use a model such as COBIT, the recognizability will be higher, also for the market, and also the internal recognizability. You develop a certain vision together, a certain way of doing things. And then you have the same ideas about it and the same work documents and then you push yourself and others towards a higher level.
Drake’s statement shows that he predicts positive effects of standardization on both the quality and consistency of TrustAssure’s IT strategy services. This was also reflected in the positions of the other respondents, who were unanimously in favor of standardization. The interviewees’ views also converged with respect to the trade-off between standardization and discretion. Specifically, there was a consensus that a more consistent approach is essential, however, there would need to remain sufficient room for discretion and ‘professional judgment’ – a value and practice that characterizes TrustAssure’s personnel. Nathaniel describes his ideal balance between standardization and discretion:
I think this is very important, professional judgment is and remains an essential aspect in our work. This is why the most important essence of TrustAssure is really the people; the people add the value. And you are not only here to strictly follow the rules. The rules have to be there, but within these rules, you have to be able to add your own nuances when necessary. And I think without professional judgment, without giving it your involvement and your own adaptations, the added value of TrustAssure as an accountant would be worth less. It is still good to have certain guidance, so that in case of an IT strategy conversation you could consider these agenda topics. And point 20 on that list may not be suitable for a certain organization, well, then you have to be able to drop it. Yes, point 20 is not important here, but I know what is important instead, so I will do that in addition.
