Determinants of Effective Information Technology Governance

Determinants of EffectiveInformation Technology Governanceija_458 1..26

Colin Ferguson,1 Peter Green,2 Ravi Vaswani2 andGang (Henry) Wu1

1The University of Melbourne, Melbourne, VIC, Australia2The University of Queensland, Brisbane, QLD, Australia

This study examines relations between the overall level ofeffective information technology (IT) governance and fivecommonly advocated individual mechanisms of IT governance.It extends the examination of individual IT governancemechanisms to include a wider number of mechanisms, justifiesthe mechanisms investigated via agency theory, seeks torelate these mechanisms specifically to a perceived overall levelof effective IT governance in organizations, and attempts tomitigate the problems of limited generalizability and selectionbias by employing a survey and generalized sampling researchmethodology. The results from a survey of professional auditorsreveal significant positive relations between the overall level ofeffective IT governance and three IT governance mechanisms:IT steering committees, senior management involvement inIT, and corporate performance measurement systems. Ex-postsensitivity analyses reveal that the primary findings arequalitatively similar across internal auditors and externalauditors, as well as information systems auditors (IS) andnon-IS auditors.

Key words: IT governance, IS management and control, ITsteering committee, CIO position, IT balanced scorecard

SUMMARY

Recent corporate collapses have brought theattention of academics and practitioners toinformation technology (IT) and its impact onbusiness value. An important part of the corporategovernance mechanism is IT governance, which isa structure of relationships and processes to directand control the enterprise in order to achieve theenterprise’s goals. IT governance adds value to the

enterprise while balancing risk versus return overIT and its processes. Prior research has providedlittle insight into the relationship between variousIT governance mechanisms and effective ITgovernance.

In this paper, we examine relationships betweenthe overall level of effective IT governance andfive commonly advocated individual mechanismsof IT governance: (1) IT steering committee,(2) centralization of IT decision-making control,(3) involvement of senior management in IT,(4) position of the IT function within theorganization, and (5) corporate performance

Correspondence to: Dr Henry Wu, The University of Melbourne,Vic 3010, Australia. Email: [email protected]

International Journal of Auditing doi:10.1111/j.1099-1123.2012.00458.xInt. J. Audit. ••: ••–•• (2012)

ISSN 1090-6738© 2012 Blackwell Publishing Ltd

measurement system. A web-based questionnairewas developed and administered to the professionalmembers of the Information Systems Audit andControl Association (ISACA) – Australia and theInstitute of Internal Auditors (IIA) – Australia.

Our results suggest that the overall level ofeffective IT governance is influenced significantlyby three IT governance mechanisms: (1) IT steeringcommittees, (2) involvement of senior managementin IT, and (3) corporate performance measurementsystem. In addition, our ex-post sensitivityanalyses discover that the primary findings arerobust across internal auditors and externalauditors, as well as information systems auditors(IS) versus non-IS auditors.

This paper contributes to the auditing literaturein several ways. First, it becomes the first empiricalstudy to investigate which IT governancemechanisms contribute to an increased level ofoverall effective IT governance. Second, it developsa single measure which effectively allows forthe assessment of IT governance mechanismsacross a range of dimensions. Third, it providesempirical support for the implementation ofcorporate performance measurement systems as amechanism for achieving higher levels of effectiveIT governance. Fourth, it mitigates the issues ofexternal validity and selection bias by adopting asurvey and a generalized sampling methodology.

INTRODUCTION

The recent corporate collapses, such as EBSInternational, Opes Prime, Petters GroupWorldwide and Société Générale, have broughtabout renewed scrutiny into corporate governancemechanisms and the effectiveness of thesemechanisms. Given the pervasiveness ofinformation technology (IT) in many organizations,the examination of corporate governancemechanisms also includes IT governancemechanisms. IT governance is defined as ‘astructure of relationships and processes to directand control the enterprise in order to achieve theenterprise’s goals by adding value while balancingrisk versus return over IT and its processes’ (ISACA,2002: 5).

The importance of IT to business functions iswell documented (McLean & Soden, 1977; Nolan,1982; Brancheau & Wetherbe, 1987; Dixon & John,1989; Niederman, Brancheau & Wetherbe, 1991;Davenport, 1993; Earl, 1993). IT, for so long havingbeen considered an enabler of an organization’s

strategy, is now viewed as an integral part ofan organization’s strategy in facilitating theexploitation of information-based competitiveadvantage to maximize benefits, capitalize onopportunities, and promote organizational growth(Raghunathan & Raghunathan, 1990). In thisregard, IT has progressed from being a separatefunction marginalized from the rest of theorganization to an increasingly critical function inmany organizations. As IT becomes an increasinglycritical function in organizations, the need foreffective governance of decisions, policies, andexpenditures made in this area also becomes morecritical.

The fundamental role of IT in corporate businessprocesses results in organizational dependency onIT (Gelinas, Sutton & Fedorowicz, 2004). Auditorsneed to assess the effectiveness of IT controls as partof their audit assessments of the organization’sinternal control systems, confirming the importanceof IT governance to the auditing profession(Shleifer & Vishny, 1997; Arens, Elder & Beasley,2006; Bonner, 2008; IFAC, 2009; Stoel, Havelka &Merhout, 2012). In this study, IT governance iseffective if it is perceived to contribute positively tothe level of overall corporate governance withinan organization. Effective IT governance will helpmitigate within-firm fraud that was the basis ofsome of the notable corporate collapses (KPMG,2010). IT governance reduces fraud by identifyingvarious business risks and legal risks, by improvingkey internal control areas, and by predictingmaterial accounting misstatements (IFAC, 2002;Kranacher, Riley & Wells, 2010; Dechow et al.,2011), Indeed, such a situation would be moreconsistent with the term ‘information systems (IS)governance’, with IT governance representing asubset of IS governance. However, consistent withthe existing literature, the use of the term ‘ITgovernance’ within this study is synonymous withthat of IS governance.

In this paper, we define IT governance as astructure of relationships and processes to directand control the enterprise in order to achievethe enterprise’s goals.1 In light of increasedpublic awareness, professional bodies such as theInformation Systems Audit and Control Association(ISACA) have undertaken a number of steps toprovide guidance in the implementation of effectiveIT governance (ISACA, 2002). The approach takenby ISACA appears to be largely based upon twoconcepts. The first concept relates to increasingthe awareness of issues and concepts relating to

2 C. Ferguson et al.

Int. J. Audit. ••: ••–•• (2012)© 2012 Blackwell Publishing Ltd

IT governance in the public domain. The secondconcept involves the provision of guidelines andthe identification of best-practice IT governancemechanisms. Interestingly, the effectiveness ofthese best-practice mechanisms in improving ITgovernance is largely based upon conceptualarguments. As such, it becomes important toascertain if these best-practice mechanisms doimpact upon the level of IT governance. This studyaddresses this issue by examining the views ofauditors as to the effectiveness of these mechanismsin increasing overall IT governance. In line withthis argument, this study explores the followingresearch question: What mechanisms are perceivedto positively influence the overall level of effectiveIT governance within organizations?

The work reported in this paper differentiatesitself from previous studies in the IT governancearea in that it utilizes the insightful findings fromprior studies; it extends the examination ofindividual IT governance mechanisms to includea wider number of mechanisms; it justifies themechanisms investigated via the theoretical basisof agency theory; it seeks to relate thesemechanisms specifically to a perceived overalllevel of effective IT governance in organizations;and it attempts to mitigate the problems of limitedgeneralizability and selection bias, as highlightedin the results of prior studies, by employinga survey and generalized sampling researchmethodology.

The paper proceeds as follows. The next sectionprovides a review of related studies in the ITgovernance and IS management and controlliteratures. We follow this with the developmentof a theoretical framework for the formulation ofthe study’s hypotheses. The research method isthen described followed by the analysis and results.The paper concludes with the limitations of thestudy, directions for future research and a summarydiscussion of the study’s contributions.

THEORY AND RELATED WORK ON ITGOVERNANCE MECHANISMS

Agency theory, corporate governance, andIT governance

Agency theory applies to the agency relationship(‘principal-agent’) that comes into being when oneparty (the principal) delegates work to another party(the agent) who performs that work (Eisenhardt,1989). Berle and Means (1932) first pointed out

the implications for a firm’s shareholder wealth-maximization objective of the separation ofmanagement and control. Specifically, as Peirsonet al. (1990) explain, the effective control thatshareholders can exert over management is minimalbecause of factors such as the inability ofshareholders to observe directly undesirablepractices by management. Therefore, there is apossibility of management pursuing objectivesmore in its own interests than in the interests ofshareholders – ‘agency loss’ (Jensen & Meckling,1976). Accordingly, the principal-agent relationshipgives rise to what are called ‘agency costs’. Asprincipals are aware of the possibility that managers(agents) may transfer wealth to themselves,principals have an incentive to limit the extentof such behavior. Accordingly, Peirson et al. (1990)go on to explain that principals will attempt tomonitor the behavior of managers with the aimof discouraging such practices and institutemechanisms (e.g., contracts) designed to bond theinterests of agents to those of the principal. The totalagency costs are the sum of the costs of monitoringand bonding plus agency loss. The value of thecompany to its shareholders is reduced by anamount equal to its agency costs. Accordingly,principals tread a fine line in determining the extentof bonding and monitoring costs to incur whileminimizing the effect of the resulting agency costson the firm’s value.

Fama (1980) makes the argument that there is anefficient market for managerial labour whichensures that managers are rewarded on the basisof their performances as perceived by the market.As such, decisions by managers that result in atransfer of wealth from the company to themselveswill result in their future salary prospects (theirmarket value) being reduced. Accordingly, Fama(1980) argued that agency losses attributable tothe principal-agent relationship are likely to besmall. While this situation may be the case onaverage across firms around the world, therehave been some spectacular exceptions in recentyears (e.g., EBS International, Opes Prime, PettersGroup Worldwide, and Société Générale). Theseexceptions gave rise to an increased focus oncorporate governance – ‘the framework of rules,relationships, systems, and processes within andby which authority is exercised and controlledin corporations’ (Owen, 2003: 33). Moreover,these exceptions were so spectacular as to causepoliticians and regulators around the world toimplement legislation (such as Sarbanes-Oxley and

Determinants of Effective Information Technology Governance 3


CLERP 9) and regulations (such as the Principles ofGood Corporate Governance from the AustralianStock Exchange) requiring companies to establishmechanisms aimed at reducing agency losses.

As IT escalates in terms of importance andpervasiveness in the operations of firms, it isinexorably tied to specific mechanisms that areprescribed for good corporate governance, mostnotably, a sound system of internal controls.Accordingly, effective IT governance – the decisionrights and accountability framework forencouraging desirable behavior in the use of IT(Weill & Ross, 2004) and ensuring that IT goals andobjectives are realized in an efficient and effectivemanner (ITGI, 2002a) – is a critical underpinningfor a system of good corporate governance thatminimizes agency losses for a firm. Indeed, the aimof this paper then is to determine those bondingand monitoring mechanisms for the governance ofIT in a firm that appear to contribute effectively andefficiently to producing an overall high level ofeffective IT governance.

Related IT governance studies

Much of the early literature explored IT governanceby adopting a holistic approach (Sambamurthy& Zmud, 1999; Peterson, O’Callaghan & Ribbers,2000; Sohal & Fitzpatrick, 2002; Weill & Woodham,2002), with the primary focus of such studiesrelating to the configurations and/or modes of ITgovernance (Sambamurthy & Zmud, 1999; Petersonet al., 2000; Weill & Woodham, 2002). For example,Sambamurthy and Zmud (1999) examine therelationship between organizational contingencyfactors and the mode of IT governance through casestudies of eight firms in the United States. They findthat a firm’s IT governance arrangements are theoutcome of specific interaction patterns.

More recent studies of IT governance haveexplored individual mechanisms and theirinfluence on establishing an overall level ofeffective IT governance within organizations. Forexample, Weill and Ross (2004) surveyed ChiefInformation Officers (CIOs) from 256 enterprises inthe United States and identified 15 of the mostcommon IT governance mechanisms. Amongstthem were a senior management committee (cf. ITsteering committee2), an IT executive committee,an architecture committee, etc. However, theirstudy did not relate these mechanisms to the overalllevel of IT governance in the organization. Ali andGreen (2007) investigated individual governance

mechanisms in public sector organizations. Theyfound that an effective IT steering committeeand a communication system that effectivelydisseminated policies and procedures both had asignificant positive influence on the perceivedoverall level of effective IT governance. However,their work was limited to public sectororganizations only. Bowen, Cheung and Rohde(2007) conducted an in-depth case study into oneorganization’s attempts to implement an effectiveIT governance system. Responses to questions inthe interview protocol indicated that moreeffective IT governance performance outcomeswere associated with a shared understanding ofbusiness and IT objectives; active involvement of ITsteering committees; a balance of business and ITrepresentatives in IT decisions; and comprehensiveand well-communicated IT strategies and policies.While this work lends good insight into thephenomenon of effective IT governance, its resultsare limited to the context of one organization.

De Haes and Van Grembergen (2008)investigated specifically the link between ITgovernance and business/IT alignment. Througha set of multiple research methods consisting ofpilot case research, Delphi research, benchmarkresearch, and extreme case research, theyconcluded that organizations with more mature ITgovernance practices were likely to obtain a higherdegree of business/IT alignment maturity. Again,their conclusion is limited to the context of theparticipants/organizations involved in the researchmethods employed. Finally, Robb and Parent(2008) investigated IT governance at two financialmutuals – one in Australia and the other in Canada.They used a case study methodology. They foundthat, as opposed to the Australian cooperativeapproach where directors, managers, auditors, andservice providers all appear to work together toachieve good governance of the IT function, theCanadian coercive approach was more reliant onthe ability of the CIO to devise organizationalarrangements – structures, processes, and staffing –to successfully manage the interdependencies.However, again, while providing useful insight,their findings are limited to the context of the twocase studies reported.

The efficacy of IT governance on fraudexamination has been documented by priorresearch (e.g., Hall & Singleton, 2005; Hopwood,Leiner & Young, 2008; Albrecht et al., 2010). Theincreased adoption of IT in business practice isclosely related with some risks, including legal risk,



IT infrastructure risk, IT application risk and ITbusiness process risk (IFAC, 2002). As a stronggovernance mechanism, IT governance is essentialfor enterprises to detect fraud by reducing suchrisks (Cohen, Krishnamoorthy & Wright, 2002;Kotb & Roberts, 2011). Specifically, IT governancecan manage and improve control activities in an ITenvironment. The integrity of digital information isenhanced when IT governance monitors and testsvarious areas pertaining to IT risks. An IT steeringcommittee, together with senior management anda performance measurement team, examines thefollowing key control areas to prevent fraud: (1) IToperations, (2) data management systems, (3) newsoftware development, (4) systems maintenance,(5) backup, (6) electronic commerce, and (7) controlover computer operations (Kranacher et al.,2010). From an auditor’s perspective, a solid ITgovernance mechanism facilitates audit riskassessments, and identifies fraud and irregularitiesduring audit planning (Bedard & Johnstone, 2004).Such a mechanism is also directly relevant toseveral prevailing categories of fraud, such as theftof cash using electronic funds transfer (EFT) ortheft of IT assets (KPMG, 2010).

Specific mechanisms of this study

We will now justify the individual IT governancemechanisms studied in this work.

IT steering committee

The practitioner literature advocates the use of an ITsteering committee as an effective IT governancemechanism (IT Governance Institute, 2002a, 2002b).Indeed, the existence and effective operation of thiscommittee, particularly in its planning and businessalignment responsibilities, are fundamental to suchmodern governance frameworks such as CobiT5.0 (ISACA, 2011). Critical to the contribution ofthis mechanism to effective IT governance is thatsuch a committee must have representation frombusiness and IT executives, senior managementrepresentation, report to senior management,and have regular meetings. Such a constitutedcommittee mitigates agency losses by providingincentives to employees to act in the mannerrequired by the organization with regard to the ITsystems, and it monitors that the organization’s ITplans and objectives are being achieved.

Prior literature suggests empirical support for theimplementation of an IT steering committee, with

representation from both business and IT functions,is associated with several positive IS outcomes.These effects include effective coordination andintegration of IS planning activities (Gupta &Raghunathan, 1989; Raghunathan & Raghunathan,1989; Bowen et al., 2007; De Haes & VanGrembergen, 2008), advanced IS budget andplanning practices (Doll & Torkzadeh, 1987), andincreased managerial support and funding (Doll &Torkzadeh, 1987; Torkzadeh & Xia, 1992).

Another study of the effects of IT steeringcommittees (Karimi et al., 2000) departs from thestudies highlighted above in that it exploresthe effects of these committees and their roleson the overall level of IT management withinfirms. The results of this US study provide apositive relationship between the presence androles of IT steering committees and the levelof IT management sophistication. Given thatthe concepts associated with IT managementsophistication bear considerable similarity to ITgovernance concepts, the Karimi et al. (2000) studyprovides empirical support for the effectiveness ofIT steering committees in raising overall ITgovernance. The approach adopted by this studyin examining IT steering committees is similarto that of Karimi et al. (2000). However, this studydiffers from the prior study in several ways.First, this study selects auditors rather than ITexecutives to participate in the survey. In lightof their professional training, it is expected thatauditors would be more aware of the conceptsrelating to governance issues and its mechanisms,and as such, provide a better assessment of theeffectiveness of these mechanisms. Second, thisstudy adopts a more direct measure in assessingthe effectiveness of IT steering committees inrelation to IT governance given that the dependentfactor measured is perceptions of effective ITgovernance.

Centralization of IT decision-making control

The issue of centralization is well documented inthe early IS management and control literature andit predominantly entails three separate focal points:control, physical location, and function (King,1983).

In addressing the issue of control, King (1983)suggests that by placing decision-making authoritywithin centralized management, an organizationis better able to ensure the quality of systemsmanagement and maintain organizational integrity



in operations that are dependent on computing.However, King (1983) only provides conceptualsupport for centralizing IT decision-makingcontrol in improving IT governance. Agency lossesare mitigated significantly by centrally controllinglarge expenditures such as IT resource acquisitionsbecause these large expenditures can be easilymonitored. Accordingly, this study empiricallyexamines the relationship between centralized ITdecision-making control and IT governance.

Involvement of senior management in IT

Prior literature has consistently emphasized theimportance of senior management support andinvolvement for the success of any organizationalactivity (Rockart & Scott-Morton, 1984; Jackson,1986; Raghunathan & Raghunathan, 1990; Luftman,Papp & Brier, 1999; Bowen et al., 2007). A study byLuftman et al. (1999), involving a questionnairesurvey of 500 business and IT executives with theobjectives of determining enablers and inhibitorsto the alignment of business and IT strategies,revealed that senior management support for ITwas considered to be the most important enablerof business and IT alignment. Given that a criticalaspect of IT governance revolves around thealignment of business and IT strategy (De Haes &Van Grembergen, 2008), the findings of the studyreflect the importance of senior executive supportfor IT in the implementation of effective ITgovernance.

Despite providing empirical support for theincorporation of senior management involvementin IT as a mechanism for effective IT governance,the focus adopted by these prior studies differsfrom that of this study. This study is concernedwith the impact of senior management support inIT on the overall level of effective IT governancerather than a particular aspect of IT governance(e.g. planning, or alignment of IT and businessstrategies). The importance of the involvementof senior management in the operational useof IT in a company is fundamental to suchgovernance frameworks as CobiT 5.0 (ISACA,2011). Moreover, senior management in anorganization provides the incentives to employeesto act in a particular manner. Accordingly, agencytheory would suggest that agency losses wouldbe minimized by the bonding influence of thesupport and involvement of senior managementin IT activities.

Position of the IT function

The position of the Chief Information Officer(CIO) or other senior IS executives within theorganizational hierarchy provides an indicationof the power of the IT function within theorganization. The effectiveness of the IT function inlight of IT governance is based on the strategicinfluence of the CIO/senior IT executive withinthe organization (e.g., Robb & Parent, 2008). Thisauthority is often based on the distance betweenthe CIO/senior IT executive and the ChiefExecutive Officer (CEO), with a shorter distancebetween the two suggesting more influence forthe IT function. Support for examining thereporting relationship as a measure of the formalorganizational level of authority associated withthe CIO/senior IT executive position is providedby prior research (Benjamin, Dickinson & Rockart,1985; Raghunathan & Raghunathan, 1989;Applegate & Elam, 1992; Robb & Parent, 2008).

Prior studies provide empirical supporthighlighting an increasing trend toward a shorterrelationship between CIO/senior IT executives andthe CEO (Benjamin et al., 1985; Raghunathan &Raghunathan, 1989; Applegate & Elam, 1992). Thesestudies suggest that the positioning of the ITfunction within an organization, if placed amongstthe higher levels of the organizational hierarchy,renders sufficient influence to the IT function,allowing it potentially to impact positively upon thelevels of IT governance within an organization.However, the evidence provided only suggests thatthe IT function can improve overall IT governancebut does not provide any indication whether thisinfluence is actually effective in increasing overall ITgovernance. By contrast, Zarrella (2005) reports theKPMG survey finding that more and more CIOs arereporting to Chief Financial Officers (CFOs). Suchan organizational strategy would mitigate agencylosses by allowing strict monitoring of expenditureon high profile (high cost) IT projects. This studydiffers from prior literature on this topic in thatit examines the effectiveness of a highly placedIT function on the overall level of effective ITgovernance.

Corporate performance measurement system

Miller and Israel (2002) tell us that performancemeasurement systems present management witha means to help improve governance andaccountability for various stakeholders. Since the



mid-1990s, conventional business managementliterature has advocated the use of a balancedscorecard (BSC). The literature suggests that thisperformance management system should alloworganizations to drive their strategies onmeasurement and follow-up (Kaplan & Norton,1992).

In light of the development of the BSC in the1990s and the support for it in other disciplines, theIS literature has advocated the use of a balanced ITscorecard (Willcocks, 1994; Van Grembergen & VanBruggen, 1997; Van der Zee & De Jong, 1999). Giventhat the concept of a balanced IT scorecard isrelatively new, there is little published literatureassociated with the balanced IT scorecard (e.g., VanGrembergen & Van Bruggen, 1997; Van der Zee& De Jong, 1999; Stewart & Mohamed, 2001).Moreover, the approach taken by such authors (VanGrembergen & Van Bruggen, 1997; Van der Zee &De Jong, 1999) tends to focus on the developmentof a framework for the effective implementation ofsuch a scorecard. The use of such a performancemeasurement system for IT operations would besupported by agency theory as a mechanism toreduce agency losses through clear monitoring ofthe IT operations. Only most recently, however, hasany empirical evidence of the influence of theuse of the IT balanced scorecard on effectiveIT governance levels been forthcoming (Ali &Green, 2007; Bowen et al., 2007; De Haes & VanGrembergen, 2008). However, these findings arelimited to their contextual settings. Indeed, CobiT5.0 (ISACA, 2011) recommends the use of aperformance measurement regime such as thebalanced IT scorecard. However, it provides noevidence that the balanced IT scorecard doesindeed lead to effective overall IT governance. Thework reported here examines empirically the use ofcorporate performance measurement systems as asignificant influence on effective IT governance.

HYPOTHESIS DEVELOPMENT

The overall model of the study is depicted inFigure 1.

IT steering committee

Weber (1999) suggests that improper planning inthe information systems function undermines thecontrols that safeguard the assets and resources ofthe firm. In view of the criticality of proper

planning, Weber (1999) asserts that the IT steeringcommittee should have ultimate responsibility forIS planning. This view is supported in part byprior empirical studies that provide evidence thatthe presence of IT steering committees haspositive impacts on the quality of IS planning(Gupta & Raghunathan, 1989), planning processes(Doll & Torkzadeh, 1987; Earl, 1989), planningeffectiveness (Premkumar & King, 1992), andalignment of business and IT strategy (McKeen &Guimaraes, 1985; De Haes & Van Grembergen,2008).

Reflecting the role of the IT steering committeein controlling the resources of the organization,Earl (1989) posits that one of the primary roles ofIT steering committees is that of creating policiesand procedures associated with IT control. Byundertaking this role, the IT steering committee ineffect provides organization-wide policies for theimplementation of controls and procedures relatingto the use of IT. In this manner, the promulgationof uniform controls reduces the likelihood ofpotential loopholes within the technology domainthat would otherwise allow for the adverseexploitation of an organization’s resources. Hence,

H1: The existence of an IT steering committee isperceived to positively influence the level ofeffective IT governance.

Centralization of IT decision-making control

The centralization of IT decision-making controlimpacts upon senior management’s ability toexercise control over the IT function and as suchinfluences the level of effective IT governancewithin an organization.

IT Steering Committee

Effective IT

Governance

Involvement of Senior Management in IT

Position of IT Function

Corporate PerformanceMeasurement System

Centralization of IT Decision-Making Control

H1

H2

H3

H4

H5

Figure 1: Determinants of effective IT governance.



In centralizing IT decision-making control,organizations place the authority for such decisionsupon departments (IT department) or committees(IT steering committee) that collectively possessthe relevant skills and expertise in the IT domainto ensure better decision making. Aside fromthe competency of these decision-making units,there are several other benefits associated withsuch practices. First, the representation of seniormanagement within these units helps ensurethat organizational goals and objectives areconsidered in the decision-making process.Second, centralized decision making results in theimplementation of uniform controls and practicesacross the organization and as such ‘allows formanagement to control adherence to organizationstandards’ (King, 1983: 338). The promulgationof uniform controls reduces the likelihood ofpotential loopholes within the technology domainthat would otherwise allow for the adverseexploitation of an organization’s resources. Third,by explicitly assigning these responsibilities,accountability is provided within the organizationfor such decisions. The assignment of formalresponsibility ensures that the respective partiesare aware of their responsibilities and helpsto ensure thorough decision making in light ofbeing able to be identified and held accountablefor poor decisions. In light of these reasons, itis expected that more effective IT governance isprovided within a centralized decision makingstructure, relative to a decentralized structure.Thus,

H2: Centralization of IT decision-making controlis perceived to positively influence the level ofeffective IT governance.

Involvement of senior management in IT

The IS literature has emphasized consistently theimportance of top management support andinvolvement for the success of any organizationactivity (Jackson, 1986; Raghunathan &Raghunathan, 1990; Rockart & Scott-Morton, 1984).For example, Meador, Guyote and Keen (1984)found senior management involvement to be themost important factor in the project approvalprocess. The salience of this factor in the ITgovernance context has been highlighted byLuftman et al. (1999), whereby senior managementsupport for IT was found to be considered the mostimportant enabler of business and IT alignment.

Furthermore, this factor, involvement of seniormanagement in IT, underlies the entire set ofrecommended processes in CobiT 4.1 (2007).

The involvement of senior management in ITprovides management with an enhancedunderstanding of the IT domain, and as suchallows management to better identify and addressany potential weaknesses. The latter issue arisesfrom the fact that, in view of the power andinfluence associated with its position, seniormanagement can easily implement incentives toredress the sub-optimal activities. Jackson (1986)provides support for this position by positingthat one of the reasons for top managementinvolvement is that such involvement makes easierthe implementation of organization-wide controlsand policies. Moreover, the increased awarenessof senior management in IT also allows formanagement to identify further possibilities forexploiting IT in line with business objectives, aswell as to champion projects and policies thatcontribute to better IT governance (Ali & Green,2007; Bowen et al., 2007). Thus the involvement ofsenior management in IT is expected to improvethe overall level of effective IT governance withinthe organization. Accordingly,

H3: Involvement of senior management in IT isperceived to positively influence the level ofeffective IT governance.

Position of the IT function withinthe organization

The ability of the IT function’s position within theorganization to act as an IT governance mechanismis based on the ability and influence associated withthe hierarchical position adopted by the IT function.In the context of this study, the IT function isrepresented by the senior IT executive/CIO, withthe associated levels of authority based on thenumber of levels between them and the CEO. PriorIS research provides support for examining thereporting relationship as a measure of the formalorganizational level of authority associated with theCIO/senior IT executive position (Rousseau, 1978;Hambrick, 1981; Benjamin et al., 1985; Raghunathan& Raghunathan, 1989; Applegate & Elam, 1992).Thus,

H4: A highly positioned IT function within theorganization is perceived to positively influencethe level of effective IT governance.



Corporate performance measurement system

Hardy (2002) posits that an integral part inimplementing effective IT governance is throughthe use of a performance management systemincorporating a set of metrics to providemanagement with a regular and accurate view ofhow IT is performing for current operations andnew projects. In this regard, recent IS literature hasadvocated the use of a balanced IT scorecard(CobiT 4.1, 2007; Van Grembergen & Van Bruggen,1997; Van der Zee & De Jong, 1999). Advocates ofthe balanced IT scorecard suggest that the benefitsof this approach are that it goes beyond thetraditional financial evaluation methods andextends them to include measures relating tocustomer satisfaction, internal processes, and theability to innovate. In doing so, the balanced ITscorecard helps to drive the organization towardsoptimum use of IT (ISACF, 2003).

Furthermore, Van Grembergen (2000: 42) statesthat the balanced IT scorecard ‘provides the boardwith crucial control measures on IT expenses,user satisfaction, efficiency of development andoperations, expertise of IT staff and may comparethese measures with benchmarking figures’.Accordingly,

H5: The implementation of a corporateperformance measurement system is perceivedto positively influence the level of effective ITgovernance.

RESEARCH METHOD

In order to examine the five hypotheses forwardedin this study, a web-based questionnaire wasdeveloped and implemented. The questionnairewas developed purposefully to be compact,requiring 8–15 minutes to complete, in order toencourage a higher response rate and the completeattention of the respondent. The survey consistedof 33 items in total, with ten items collectingdemographic and other background information.The whole questionnaire is attached as AppendixA. To ensure the development of reliable andvalid measures, we employed well-establishedmethods of instrument development. A pre-test was conducted involving four academicswith extensive backgrounds in the audit andinformation systems discipline, and one IS auditor.These participants were chosen on a convenience

basis and were selected to ensure a balance ofexpertise in regard to the administration ofquestionnaires and awareness of IT governanceconcepts. Based on their feedback, the scope andwording of the items were improved, and an initialonline questionnaire was developed for pilottesting. Pilot testing of the questionnaire wasundertaken using a randomly selected sample ofsix academics and six postgraduate students withaudit and information systems backgrounds. Pilottesting was carried out individually and permissionwas sought to observe and manually record theindividual responses as the survey was undertaken.Manual recording was undertaken in order toverify that the database was recording theresponses accurately. Based on feedback providedduring pilot testing, amendments were made toimprove the clarity of a single item and the layoutof the survey.

Sample selection

Members of the Information Systems Audit andControl Association (ISACA) – Australia and theInstitute of Internal Auditors (IIA) – Australia,were selected to participate in the study. Theirprofessional qualifications and experience in theimplementation of IS control mechanisms, andtheir awareness and familiarity with the actualimplementation and/or concepts associated withIT governance mechanisms made these peopleparticularly suitable for this study.

Specification of the model and factors

The study’s hypotheses consider the influence ofthe various IT governance mechanisms on the levelof effective IT governance within organizations.In testing the hypotheses, this study measuresthe effectiveness of these mechanisms (i.e. theindependent factors) as perceived by auditors.Effective IT governance (i.e. the dependent factor)is measured by perceived effectiveness, as datarelating to objective measures of effectiveness inthis context are unobtainable. Such an approach toexamining the research issue has been validatedwithin the IS literature, where the use of perceivedmeasures of organizational factors have beenincorporated in several prior information systemsstudies (e.g., Blanton, Watson & Moody, 1992;Grover et al., 1993; Goodhue & Thompson, 1995),as well as audit committee research (e.g., Shleifer& Vishny, 1997; Larcker & Richardson, 2004),



The study’s model is formally defined as follows:

EFFECT STEERCOM CENTRALINVOLVE POSITIONCORPS

= + ++ ++

� β ββ ββ

1 2

3 4

5 YYS + ε

where:EFFECT = perceived overall level of effective ITgovernanceSTEERCOM = IT steering committeeCENTRAL = centralization of IT decision-makingcontrolINVOLVE = involvement of senior management inITPOSITION = position of IT function within theorganizationCORPSYS = corporate performance measurementsysteme = error term

Twenty-three items, adapted to the IT context,were used to measure the six factors included inthe research model. Where possible, measureswere adapted from previous research. However,because of a lack of adequate measurement scales,it was necessary to develop and refine somemeasures specifically for this study. Appendix Bsummarizes the origins of scale items used inthe questionnaire. With the exception of a singleitem (Position1), all responses relating to theindependent factors are measured on a seven-point Likert scale ranging from ‘Not at all’ to ‘To agreat extent’ (Position1 asks for the number ofreporting levels separating the IT head and theCEO). In consideration of the possibility that someof the mechanisms may not be relevant to thecontext of some organizations, a ‘not applicable’response value was included for all items relatingto the independent factors. For the two itemsrelating to the dependent factor (EFFECT),responses were measured on a seven-point Likertscale ranging from ‘Strongly disagree’ to ‘Stronglyagree’.

A series of items were included to collect generaldata. This data included demographic data. Inthe demographics, respondents supplied theirprofessional background (i.e. IS auditor/non-ISauditor; internal auditor/external auditor), theirlevel of experience (measured in years), andtheir familiarity with the concepts and/orimplementation of IT governance mechanisms,and organization on which the responses wereprovided.3

Data collection

The data were collected at the end of 2003. Thistiming was relevant for the question of ITgovernance effectiveness in organizations asauditors were highly sensitized to the majorcorporate failures of Enron, WorldCom and, inAustralia, HIH and OneTel. In particular, they werewell aware of Justice Stewart’s major finding in theHIH Royal Commission that it occurred principallydue to a ‘lack of stewardship’. Due to the increasedimportance of information technology on corporategovernance and business performance, our controlsetting provides a relevant setting to test theresearch questions, and it is still timely in thecurrent commercial environment.

A total of 650 ISACA and IIA members werecontacted by their respective professionalorganizations via email to invite and encouragethem to participate in an online survey. The emailcontained an invitational message containingbackground information to the study, the closingdate and the URL to the survey’s website. In linewith the principles for conducting web surveysproposed by Dillman (2000), we ended up with atotal sample of 80 usable responses (representing anoverall response rate of 12.3%). This response rate issimilar to or better than the response rates of similarrecent studies in audit and information technology(see, for example, IIA, 2009; Stoel et al., 2012).

Table 1, Panel A presents a summary of thecharacteristics of the respondents and Table 1,Panel B presents a summary of the characteristicsof the organizations that were used as the basis fortheir responses. The respondents comprised 66(82.5%) internal auditors and 14 (17.5%) externalauditors, of which 33 (41.25%) classified themselvesas IS auditors. On average, each respondent had11.4 years of audit experience with 3.91 years ofIS audit experience. In addition, the averagerespondent considered him/herself to be fairlyfamiliar with the implementation (or concepts) ofIT governance (mean = 5.48).

The final sample covered a range of industriesand organization sizes but was largely populatedby government agencies (n = 44, 55%) and largeorganizations (n = 43, 53.75%).

RESULTS AND DISCUSSION

Preliminary analyses: factor analysis

Validation of the instrument was performed in twophases in an approach similar to Karimi et al.



(2000): an exploratory factor analysis (EFA) to seeif the dimensions of the different IT governancemechanisms could be uniquely identified, and aconfirmatory factor analysis (CFA), where theremaining items loaded on the resulting factorsonly. In the EFA, items with poor or ambiguousfactor loadings were deleted from subsequentanalysis. Item deletion is based on Nunnally (1978)who suggests that a general rule of thumb inassessing construct validity is that individual itemsshould have a factor loading of at least 0.6 on theirhypothesized construct for convergent validity;and less than 0.3 loading on all other constructs fordiscriminant validity.

Based on Kaiser’s criterion, an examination of thescree plot, and an inspection of the eigenvalues(Tabachnick & Fidell, 1996; Hair et al., 1998; Coakes& Steed, 2003), six factors were finally extractedfrom the EFA. Based on the six-factor extraction,three items (Central5, Involve4, Involve5) werefound to have loadings greater than 0.3 on more

than one factor. These items were subsequentlydeleted and the analysis was re-run. This stage ofthe analysis resulted in the extraction of six factors.The factor loadings for the six-factor solution areshown in Table 2 and indicates that requirementsfor convergent and discriminant validity have beenmet.

The first factor contains all five items relating tocorporate performance measurement systems andis labeled CORPSYS. The second factor contains allfour items relating to IT steering committees andis labeled STEERCOM. The third factor containsthe three remaining items relating to seniormanagement involvement in IT and is hereafterreferred to as INVOLVE. The remaining four itemsrelating to centralization of IT decision-makingcontrol unexpectedly load onto two separatecomponents. By re-examining the wording of theitems concerned, it appeared that the two itemsstructured along the organizational level load ontothe fourth factor, whereas the other two items

Table 1: Sample characteristics (n = 80)

Panel A: Individual characteristics

Audit background (n) Auditor type (n)

Internal auditor 66 IS auditor 33External auditor 14 Non-IS auditor 47

Response time (Days) CISA qualified (n)

Initial contact 51 Respondents 21First reminder 16Second reminder 13Response rate 12.30%

Experience and familiarity Mean Std. dev.

Audit experience (years) 11.4 6.64IS audit experience (years) 3.91 5.13Familiarity with IT governancea 5.48 1.48

Panel B: Organization characteristics

Industry (n) Firm size ($ revenue) (n)

Chartered firm/Management consulting 5 < $50 Million 17Education 9 $50–$250 Million 20Finance, Banking and Insurance 6 >$250 Million 43Government agencies 44Manufacturing and Processing 0Mining 3Transportation, Communication and Utilities 4Wholesale and retail 5Other 4

a1 = Not at all, 7 = To a great extent



based on the business unit level load onto the fifthfactor. A plausible explanation for the observedsplit in items measuring centralization of ITdecision-making control relates to the ‘newness’ ofthe technology that is used by the organizations.Weber (1999) suggests that, as new informationtechnologies are introduced into the organization,there is a need for central management torelinquish some degree of decision-makingauthority in order to foster innovation anddiffusion of the technologies. More control issubsequently exercised as the technology matures.As such, this view suggests that the centralizationof IT decision making can occur at both levels: thebusiness unit level and the overall organizationallevel. In view of this possibility and the exploratorynature of this study, both factors were retained.Centralization of IT decision-making control atthe organizational level is hereafter referred to asCENTORG, while centralization of IT decision-making control at the business unit level is referredto as CENTUNIT. The sixth factor, POSITION,

contains the single item relating to the position ofthe IT function. The six factors extracted explained80.89% of the variance.

In the second phase, confirmatory factor analysis(CFA) was undertaken. In addition to thisanalysis, reliability calculations (i.e., calculationsof Cronbach’s alpha) were carried out on themeasures and the item factor loadings reassessed.The results of this phase (presented in Table 3)returned a standard coefficient of 0.60 or higher foreach factor thus suggesting that all six factors havean acceptable reliability level (Nunnally, 1978; Hairet al., 1998).

Non-response bias and common method bias

In examining the existence of non-response bias,we adopted Armstrong and Overton’s (1977)method of comparing early and late respondents toassess non-response bias. For this study, responsesthat were received from the initial email contactand prior to the reminder email being sent out are

Table 2: Rotated factor matrix (pattern matrix) – independent factors

Factor (Component)

1 2 3 4 5 6

CORPSYS1 0.791CORPSYS2 0.824CORPSYS3 0.802CORPSYS4 0.927CORPSYS5 0.828STERCOM1 0.856STERCOM2 0.905STERCOM3 0.912STERCOM4 0.792INVOLVE1 -0.815INVOLVE2 -0.725INVOLVE3 -0.842CENTRAL1 0.818CENTRAL2 0.864CENTRAL3 0.809CENTRAL4 0.900POSITION2 0.968

1. Absolute values less than 0.30 were suppressed.2. Results indicate that requirements for convergent and discriminant validity have been met.3. The six factors extracted explained 80% of the variance.STEERCOM = IT steering committeeCENTRAL = Centralization of IT decision-making controlINVOLVE = Involvement of senior management in ITPOSITION = Position of IT function within the organizationCORPSYS = Corporate performance measurement system



classified as early respondents (N = 51). Laterespondents refer to responses that were receivedafter the first email reminder was sent out (N = 29).Results of independent group’s t-tests reveal nosignificant differences exist between both groupsacross all the factors. In addition, Pearson’schi-square tests for relatedness were conducted onkey demographic details (IS auditor or non-ISauditor, internal auditor or external auditor, andorganization size). The Pearson’s chi-square acrossall the examined demographic details is notsignificant and as such this result indicates thatthere are no marked differences between early andlate respondents in relation to the demographicdetails examined.

Common method bias can occur when a surveyinstrument that asks multiple questions around asingle topic causes respondents to answer asequence of questions in the same way to appearconsistent. We used Harman’s single-factor test (asreported in Podsakoff et al., 2003) to examine forcommon method bias. All the items were subject toan exploratory factor analysis (EFA). More than onefactor emerged from the un-rotated factor solution,and more than one factor explained the majorityof the variance, suggesting common method biaswithin our study was not a significant issue.

Ordinary least squares (OLS) regression

In testing the hypotheses, the study conductedmultiple regression analysis using ordinaryleast squares (OLS). OLS regression was used todetermine the impact of a single independentfactor on perceived overall level of effective ITgovernance while holding the other independentfactors constant. Pearson product-moment

correlations were also used to examine the pairwiserelation between each determinant and overalleffective IT governance, and as a further check formulticollinearity between the factors. Based on theresults of the factor analysis, the proposed modelwas re-specified to include the two factors relatingto centralization of IT decision-making control:CENTUNIT and CENTORG. The former reflectscentralization of IT decision-making control at thebusiness unit level, whereas the latter reflectscentralization of IT decision-making control at theorganizational level. The regression model used forhypothesis testing is presented as follows (the otherfactors remain as specified earlier):

EFFECT STEERCOM CENTUNITCENTORG INVOLVEPOSIT

= + ++ ++

α β ββ ββ

1 2

3 4

5 IION CORPSYS+ +β ε6

The scores used in hypothesis testing were thesimple average of the respondents’ responses forthe items that had factor loadings of at least 0.6 ontheir associated factor (Jarvenpaa & Ives, 1991).Table 4 presents a summary of the items includedin the calculation of each factor. For POSITION1,a score of 4 reflected a highly positioned ITfunction within the organization, whereas a scoreof 1 reflected a comparatively lower positioned ITfunction.

Descriptive statistics – OLS regression

An examination of the individual scores calculatedfor the model’s dependent factor EFFECT wasundertaken to examine the perceived overall levelof effective IT governance within the organizationsthat were represented in the sample (see Table 5).

Table 3: Reliability calculations (Cronbach alpha)

Factor Cronbach alpha Factor Cronbach alpha

EFFECT 0.9194 INVOLVE 0.8431STEERCOM 0.9151 POSITION Not Applicable*CENTUNIT 0.6302 CORPSYS 0.9137CENTORG 0.7163

EFFECT = Perceived overall level of effective IT governanceSTEERCOM = IT steering committeeCENTUNIT = Centralization of IT decision-making control at the organizational levelCENTORG = Centralization of IT decision-making control at the business unit levelINVOLVE = Involvement of senior management in ITPOSITION = Position of IT function within the organizationCORPSYS = Corporate performance measurement system



Given that responses to the two items measuringthe EFFECT factor were based on a seven-point Likert scale, individual observations withcalculated scores greater than 5.0 were classified

as high. Observations between 3.0 and 4.9 wereclassified as medium, and observations with scoresbelow 3.0 were classified as low. The results ofthis examination indicate that 31.25% (n = 25) ofrespondents perceived their organization tohave a relatively high overall level of effectiveIT governance. In addition, 41.25% (n = 33) ofrespondents perceived their organization to havea medium level of overall effective IT governance,while 27.50% (n = 22) of respondents perceivedtheir organization to have a low overall level ofeffective IT governance.

The findings of this examination bear somesimilarities with the Guldentops, Van Grembergenand De Haes (2002) study with approximatelytwo-thirds of the sample indicating that they haveless than optimized IT governance. However, amarked difference exists in the proportion oforganizations that have a low overall level ofeffective IT governance. Only 3.7% of respondentsin the Guldentops et al. (2002) study identifiedthemselves as having a relatively low overall levelof effective IT governance, whereas the resultspresented in Table 5 indicate that 27.50% of thepresent study’s respondents have identifiedthemselves as having a relatively low overall levelof effective IT governance.

Results of OLS regression

Given that the sample data comprised 80 cases,this situation provided a ratio of approximately 13cases per factor and hence exceeded the minimumrequirement of at least five cases to one (Hairet al., 1998). Table 6 presents the results of themultivariate analysis incorporating the regressionmodel as specified earlier.

The results provide support for Hypothesis 1which proposes that the existence of an effectiveIT steering committee positively influences thelevel of effective IT governance. The sign for theSTEERCOM coefficient is as hypothesized, withstatistical significance at the five percent level. Thisresult is to be expected given that IT steeringcommittees represent the views of a diverse rangeof managers and as such allow for a realisticassessment of internal strengths and weaknesses.Also, given the authority and influence oftenassociated with such committees, resulting fromsenior user and IT management representationwithin the committees, IT steering committees yieldconsiderable influence in gaining top level support

Table 4: Calculation of factor scores

Factor Calculation of factor score based on:

EFFECT EFFECT1, EFFECT2STEERCOM STERCOM1, STERCOM2,

STERCOM3, STERCOM4CENTUNIT CENTRAL1 CENTRAL2CENTORG CENTRAL3 CENTRAL4INVOLVE INVOLVE1, INVOLVE2, INVOLVE3POSITION POSITION1, POSITION2CORPSYS CORPSYS1, CORPSYS2, CORPSYS3,

CORPSYS4, CORPSYS5

The regression model used for hypothesis testing is:


= + ++ ++

α β ββ ββ

1 2

3 4

5 IION CORPSYS+ +β ε6

EFFECT = Perceived overall level of effectiveIT governance

STEERCOM = IT steering committeeCENTUNIT = Centralization of IT decision-

making control at theorganizational level

CENTORG = Centralization of IT decision-making control at the business unitlevel

INVOLVE = Involvement of seniormanagement in IT

POSITION = Position of IT function within theorganization

CORPSYS = Corporate performancemeasurement system

Table 5: Overall level of effective IT governancewithin organizations

Level Number oforganizations (n)

Proportion ofsample (%)

Low 22 27.50Medium 33 41.25High 25 31.25Total 80 100

Individual score were calculated for the model’sdependent factor EFFECT to examine the perceivedoverall level of effective IT governance within theorganizations.

>5 = High3.0–4.9 = Medium

<3.0 = Low



for the introduction of policies and proceduresdirected at implementing effective IT governance.

Interestingly, the two factors (CENTUNIT andCENTORG) relating to centralized IT decision-making control are not significant at conventionallevels (p = 0.38 and p = 0.519, respectively),although they both report the hypothesized positivesign. Thus, although these results indicate thatcentralization of IT decision-making control at thebusiness unit and organization levels is positivelyrelated to increasing the level of effective ITgovernance, no support is provided for Hypothesis2 at conventional levels.

Support is provided for Hypothesis 3. The resultobtained in relation to the effect of the INVOLVEfactor is statistically significant at the one percentlevel and is in the hypothesized direction. Thisresult suggests that the involvement of seniormanagement generally through their involvementin strategic IT matters, support for operationalsystems within the organization, and the levelof knowledge that they possess about ITopportunities and possibilities within theirorganization as well as their knowledge of ITinnovations developed by their major competitors,

positively influences the level of effective ITgovernance. In particular, senior managementsupport for IT is to be considered the mostimportant enabler of business and IT alignment(Luftman et al., 1999; Bowen et al., 2007). Thisassertion is supported by the IT GovernanceInstitute, and reflected heavily in its CobiT 4.1framework for IT governance processes (ITGovernance Institute, 2001; CobiT 4.1, 2007).

The results provide no support for Hypothesis4 which proposes that a highly positioned ITfunction within the organization positivelyinfluences the level of effective IT governance.Although not statistically significant (p = 0.995),it is surprising that this factor returns a negativecoefficient (although this is marginal at -0.001)given that it was expected that a positiverelationship would exist between a highlypositioned IT function and the level of effective ITgovernance. A possible reason for this outcomecould be the manner in which the relevant surveyitems were worded. It is possible that these items,as they were included in the survey, only capturedthe existence of a shorter reporting relationshipbetween the CEO and the IT head as opposed to the

Table 6: Results of OLS regression

Factor Predictedsign

Unstandardizedcoefficient (B)

Standarderror

Standardizedcoefficient

(Beta)

t-statistic Sig.(2-tailed)

STEERCOM H1 Positive 0.237 0.113 0.206 2.096 0.040*CENTUNIT H2 Positive 0.084 0.095 0.080 0.884 0.380CENTORG H2 Positive 0.084 0.130 0.061 0.649 0.519INVOLVE H3 Positive 0.491 0.127 0.438 3.876 0.000**POSITION H4 Positive -0.001 0.217 -0.001 -0.006 0.995CORPSYS H6 Positive 0.260 0.111 0.250 2.339 0.023*

R2 0.566 Adjusted R2 0.523F-statistic 13.242 Significance 0.000**Durbin-

Watson1.457

MahalanobisDist.

Min:0.470

Max. 16.981

N# 66

#N is reduced as missing cases are deleted listwise (i.e. the whole case is deleted from the analysis)**Significant at the 0.01 level (2-tailed) *Significant at the 0.05 level (2-tailed)Factor descriptions:STEERCOM: IT steering committeeCENTUNIT: Centralization of IT decision-making control at the business unit-levelCENTORG: Centralization of IT decision-making control at the organizational levelINVOLVE: Involvement of senior mamagement in ITPOSITION: Position of IT function within the organizationCORPSYS: Corporate performance measurement system



resultant effects arising from these relationships.In particular, from a cost control perspective, itmight be more effective to have the CIO reportthrough the CFO to the CEO.

The result obtained in relation to the effectof the CORPSYS factor is statistically significantat the five percent level and is in thehypothesized direction, thus providing support forHypothesis 5. This result indicates that the use ofcorporate performance measurement systems thatincorporate a set of metrics to provide managementwith a regular and empirical view of how IT isperforming for current operations and new projects,positively influences the level of effective ITgovernance. As such the results lend empiricalsupport to previous research advocating theincorporation of similar corporate performancemeasurement systems.

In addition, an examination of the standardizedcoefficients for the three statistically significantfactors suggests that INVOLVE (standardizedcoefficient = 0.438), then CORPSYS (standardizedcoefficient = 0.250), and then STEERCOM(standardized coefficient = 0.206) contribute themost toward the overall level of effective ITgovernance.

The model has considerable explanatory powerwith an R2 statistic of 0.566 (adjusted R2 = 0.523).This result indicates that 56.6 percent of the totalvariance of the overall level of effective ITgovernance is explained by the IT governancemechanisms examined (i.e. the six independentfactors). In addition, the F-statistic (F-statistic =13.242, p = 0.00) obtained by the model indicatesthat the model is significant in explaining thevariation in overall level of effective IT governance.The relatively high R2 statistic could be explainedby management and auditor training on relevant ISmanagement and organization practices spanningacross the last three decades (Davis, 1974).

Now we present the regression model again,with the actual regression coefficients inserted:

EFFECT STEERCOMCENTUNIT CENTORGINV

= ++ ++

α 0 2060 080 0 0610 438

.. .. OOLVE POSITION

CORPSYS−

+ +0 001

0 250.

. ε

Ex-post sensitivity analysis

An ex-ante consideration of the population samplehighlighted the possibility of differences inresponses arising from the audit background of the

respondent (internal auditor or external auditor),the type of auditor surveyed (IS auditor or non-ISauditor), and the size of the organization. As such,we undertook additional analyses to determine ifthe primary findings of the hypotheses testingwere robust to distinctive characteristics inherentwithin the sampled population.

We did not run an additional ex-post analysison the type of organization (government vs.non-government) because we believe the threecurrent ex-post tests adequately cover this pointin the following ways. First, the governmentrespondents are overwhelmingly internal auditors.So the result that audit background (internal vs.external auditor) does not drive the primary resultsgives us confidence that government respondentsare not driving the results. Second, to a lesserextent, the result that large firm responses (inwhich most of the government respondents sit) arenot driving the primary results again gives us alevel of confidence that government responseswere not driving the overall results. For thesereasons, we believe our results are robust to thegovernment vs. non-government split.

Internal and external auditors

In testing the robustness of the primary findingsacross internal and external auditors, the studyincorporated dummy factors into the originalregression model to test in an innovative fashionfor differences in the intercept and all slopecoefficients between the two groups. The followingmodel was specified for the additional analysisundertaken:


= + ++ ++

α β ββ ββ

1 2

3 4

5 IION CORPSYS DD STEERCOM D CENTUNITD CENT

E

E E

E

+ ++ ∗ + ∗+ ∗

β ββ ββ

6 7

8 9

10 OORG D INVOLVED POSITIOND CORPSYS

E

E

E

+ ∗+ ∗+ ∗ +

βββ ε

11

12

13

The first six independent factors are as originallyspecified. DE is a dummy factor that takes the valueof 1 for external auditors and 0 for internal auditors,and the last six terms capture differences in theslope coefficient for the six independent factors.The results of this analysis are similar to thatof the primary analysis with STEERCOM andINVOLVE, the only two factors to reportcoefficients at conventional levels of significance



(STEERCOM: b = 0.251, p = 0.028; INVOLVE:b = 0.476, p = 0.001). Conversely, the CORPSYSfactor reported a marginally significant coefficient(b = 0.215, p = 0.093). This indicates that the auditbackground of the respondent does not drive theprimary results.

IS auditors and non-IS auditors

A similar dummy encoding method was used totest for differences between responses of ISauditors and non-IS auditors. The results of thisanalysis are similar to that of the primary analysiswith STEERCOM, INVOLVE, and CORPSYSthe only three factors to report coefficients atconventional levels of significance (STEERCOM:b = 0.225, p = 0.053; INVOLVE: b = 0.479, p = 0.004;CORPSYS: b = 0.391, p = 0.010). The primaryfindings reported are qualitatively similar across ISand non-IS auditors, and the primary results arenot driven by the type of auditor surveyed.

Organization size

In testing the robustness of the primary findingsacross organizations of different sizes, wecompared large firms (annual revenues more thanAUD$250 million) against small (annual revenuesbelow AUD$50 million) and medium (annualrevenues between AUD$50 and $250 million)firms. The results of this analysis revealed that noneof the factors were significant in either stratum. Afurther analysis was also undertaken by re-runningthe primary regression model with a sampleconsisting only of large organizations. The resultsof this analysis also revealed that none of the factorswere significant. A possible explanation for theabsence of any significant findings for this analysisis that the sample, in light of the number ofindependent factors included in the regressionmodel, is insufficient and thus lacks power. Assuch, no statistically significant inferences can bemade in relation to the robustness of the primaryfindings across organizational size.

CONTRIBUTIONS, LIMITATIONS, ANDFUTURE RESEARCH

This study constitutes quantitative empiricalresearch into the relationship between multipleIT governance mechanisms and effective ITgovernance. Moreover, as opposed to qualitativeor normative investigations, this study is one of

a limited number of quantitative empirical piecesto question which IT governance mechanismscontribute toward an increased level of overalleffective IT governance. We find that the use ofIT steering committees, the involvement of seniormanagement in IT, and the use of corporateperformance measurement systems can influencepositively the overall level of effective ITgovernance within an organization.

This study makes a contribution to existingacademic and practitioner research relating to ITgovernance. It presents a single measureaddressing IT governance as a whole, and itpresents a more accurate measurement of theeffectiveness of the IT governance mechanismsexamined. Such a measure effectively allows forthe assessment of these mechanisms across a rangeof dimensions (i.e. planning and organization;acquisition and implementation; delivery andsupport; and monitoring), all of which areimportant processes that contribute towardattaining effective IT governance (COBIT 4.1, 2007;Cobit Steering Committee and the IT GovernanceInstitute, 2000).

This study provides empirical backing forthe implementation of corporate performancemeasurements systems, such as balanced ITscorecards, as a mechanism for achieving higherlevels of effective IT governance. From a practiceviewpoint, the findings also provide guidance toIT practitioners. The findings suggest that for thetype of firms represented in the sampledpopulation, basic IT governance mechanisms thatshould be implemented within organizationsinclude the use of active IT steering committees,the encouragement of senior managementinvolvement in IT, and the use of corporateperformance measurement systems that include aset of metrics capturing various dimensions relatingto the use of IT within the organization. Mostimportantly, we suggest that if these mechanismsare to be effective in raising levels of IT governance,it is important that the usefulness of suchmechanisms be recognized and that they are usedconsistently (Raghunathan & Raghunathan, 1989;Bowen et al., 2007).

The primary limitations of the study flow fromthe small sample size examined. In particular,positive statements about whether the size of theorganization was driving the results could notbe made due to the limited sample size. In lightof this and the large number of governmentagencies within the sample (55% of the total



number of organizations), the external validity ofthe findings is limited. Furthermore, as withall surveys, the results may be sample-specificand/or time-specific. As such the results are notgeneralizable to other time periods, organizationsor countries.

A further limitation of the study is that it reliessolely on a perceptual survey method. As such, thefindings may be biased if there is a wide variancein auditors’ perceptions. However, such a situationis inevitable given the use of a questionnaire andthe unavailability of objective measures. We alsoacknowledge that the study’s consideration of theindividual IT governance mechanisms as separatecomponents within the governance structuremoderates the study’s findings. In practice, thereexist varying degrees of interrelationships betweenthe components. For example, Doll and Torkzadeh(1987) and Raghunathan and Raghunathan (1989)reveal a significant positive relationship betweenthe use of IT steering committees and theinvolvement of senior management. However,such an examination of potential interaction effectsis beyond the scope of the present study and is leftfor future research.

A third limitation of this study is related to therepresentativeness of the sample. The surprise ofa negative coefficient for ‘highly positioned ITfunction’ and ‘the level of effective IT governance’could be as a result of the high percentage ofgovernment respondents. They have been shownto perceive that control of IT and other resourcesare in the hands of politicians and that publicservants have little influence. We agree thatgovernment agencies’ governance, agency, andstakeholder approaches are different from thosein a profit-oriented company; however, our ex-postsensitivity analyses in total give us confidence inthe robustness of our primary results. Moreover,as our data was gathered at the end of 2003, thephenomenon of pushing the IT function (and theposition of the CIO) further away from the CEOand subjugating it to the CFO to ensure tightercontrol has shown itself to be a good explanationof the result. Readers need to be careful ininterpreting the results in this regard.

Our work in this area continues in threeprincipal directions. First, it would be interesting tosee if the results still hold in light of the intensitywith which IT is used within the respectiveorganizations. On an organizational level, thisaspect can be addressed by including a factor tocapture the organization’s IT intensity (Clarkson,

Ferguson & Hall, 2003) or by categorizing firmsaccording to their level of IT usage (Sohal &Fitzpatrick, 2002). Second, given that the modelexplains only 52.3% (adjusted R2 statistic) of thevariance in effective IT governance, a morecomprehensive study including additional ITgovernance mechanisms would be particularlyrelevant. Anecdotal replies to an open-endedquestion on the survey suggest the followingfactors: the implementation of a board committee(like an audit committee) responsible for ITgovernance (e.g., IS strategy committee in Ali &Green, 2007); the extent of implementation of anIT governance framework such as CobiT 4.1; and,the extent of establishment of an organizationalculture of ethical and compliant behavior (e.g.,Weill & Ross, 2004). Finally, it would be useful tosee if the mechanisms supported in this study doactually contribute towards reducing certain typesof undesirable practices within organizations e.g., adecrease of within-firm fraud.

ACKNOWLEDGEMENTS

The authors are indebted to Jenny Stewart (Editor),two anonymous reviewers, participants at seminarsat theAustralian National University, the Universityof New South Wales, the University of Queensland,the Third Asia/Pacific Research Symposium onAccounting Information Systems (Brisbane, June 30,2007), the Australian Institute of Internal Auditors(Queensland), and the Information Systems Auditand ControlAssociation (Queensland) for their veryhelpful comments. This research was supportedin part by an Australian Research Council (ARC)grant involving the University of Queensland andKPMG.

NOTES

1. Our definition is based on that provided byISACA (2002: 5): ‘a structure of relationshipsand processes to direct and control theenterprise in order to achieve the enterprise’sgoals by adding value while balancing riskversus return over IT and its processes.’

2. The definition of an IT steering committee is ahigh-level team of representatives from multipledivisions or functions that is assigned withthe task of linking IT strategy with businessstrategy. It has representatives from businessand IT executives, as well as senior management



representation. It reports to senior management,and holds regular meetings (Nolan, 1982).

3. When reporting the organization on which theresponses were provided, respondents suppliedthe size of the organization (as measured by theannual revenue for the previous fiscal year) andindustry to which the organization belongs.

REFERENCES

Albrecht, W. S., Albrecht, C. O., Albrecht, C. C. &Zimbelman, M. F. (2010), Fraud Examination, 4thedn, Mason, OH: South-Western.

Ali, S. & Green, P. (2007), ‘IT governance mechanismsin public sector organisations: an Australiancontext’, Journal of Global Information Management,Vol. 15, No. 3, pp. 41–63.

Applegate, L. M. & Elam, J. J. (1992), ‘Newinformation systems leaders: a changing role in achanging world’, MIS Quarterly, Vol. 16, No. 4, pp.469–90.

Arens, A., Elder, R. & Beasley, M. (2006), Auditing andAssurance Services: An Integrated Approach, 11th edn,Upper Saddle River, NJ: Prentice-Hall.

Armstrong, J. S. & Overton, T. S. (1977), ‘Estimatingnonresponse bias in mail surveys’, Journal ofMarketing Research, Vol. 14, pp. 396–402.

Bedard, J. C. & Johnstone, K. M. (2004), ‘Earningsmanipulation risk, corporate governance risk, andauditors’ planning and pricing decisions’, TheAccounting Review, Vol. 79, No. 2, pp. 277–304.

Benjamin, R. I., Dickinson, C. Jr. & Rockart, J. F. (1985),‘Changing role of the corporate informationsystems officer’, MIS Quarterly, Vol. 9, No. 3, pp.177–88.

Berle, A. & Means, G. (1932), The Modern Corporationand Private Property, New York: The MacmillanCompany.

Blanton, J. E., Watson, H. J. & Moody, J. W. (1992),‘Toward a better understanding of informationtechnology organization: a comparative casestudy’, MIS Quarterly, Vol. 16, No. 4, pp. 531–55.

Bonner, S. (2008), Judgment and Decision Making inAccounting, Upper Saddle River, NJ: Prentice-Hall.

Bowen, P. L., Cheung, M-Y. D. & Rohde, F. (2007),‘Enhancing IT governance practices: a model andcase study of an organization’s efforts’, InternationalJournal of Accounting Information Systems, Vol. 8,pp. 191–221.

Brancheau, J. & Wetherbe, J. C. (1987), ‘Key issues ininformation systems – 1986’, MIS Quarterly, Vol. 11,No. 1, pp. 23–46.

Clarkson, P., Ferguson, C. & Hall, J. (2003), ‘Auditorconservatism and voluntary disclosure: evidencefrom the Year 2000 systems issues’, Accounting andFinance, Vol. 43, pp. 21–40.

Coakes, S. J. & Steed, L. G. (2003), SPSS Analysiswithout Anguish, Milton, QLD: John Wiley & Sons.

Cobit Steering Committee & The IT GovernanceInstitute (2000), Executive Summary. RollingMeadows, IL.: ISACA. pp. 1–17. Available at:http://www.ISACA.org/execsum.pdf (accessedMay 4, 2003).

CobiT 4.1 (2007), Rolling Meadows, IL: IT GovernanceInstitute.

Cohen, J., Krishnamoorthy, G. & Wright, A. (2002),‘Corporate governance on the audit process’,Contemporary Accounting Research, Vol. 19, No. 4,pp. 573–94.

Davenport, T. H. (1993), Process Innovation,Reengineering Working through InformationTechnology, Boston, MA: Harvard Business SchoolPress.

Davis, G. B. (1974), Management Information Systems:Conceptual Foundations, Structure and Development,Blacklick, OH: McGraw-Hill.

Dechow, P. M., Ge, W., Larson, C. R. & Sloan, R. G.(2011), ‘Predicting material accountingmisstatements’, Contemporary Accounting Research,Vol. 28, No. 1, pp. 17–82.

De Haes, S. & Van Grembergen, W. (2008), ‘Analysingthe relationship between IT governance andbusiness/IT alignment maturity’, Proceedings of the41st Hawaii International Conference on SystemsScience. New York: IEEE.

Dillman, D. A. (2000), Mail and Internet Surveys: TheTailored Design Method, New York: John Wiley &Sons.

Dixon, P. J. & John, D. A. (1989), ‘Technology issuesfacing corporate management in the 1990s’, MISQuarterly, Vol. 13, No. 3, pp. 247–55.

Doll, W. J. & Torkzadeh, G. (1987), ‘The relationshipof MIS steering committees to size of firm andformalisation of MIS planning’, Communications ofthe ACM, Vol. 30, No. 11, pp. 972–8.

Earl, M. J. (1989), Management Strategies forInformation Technology, Englewood Cliffs, NJ:Prentice-Hall.

Earl, M. J. (1993), ‘Experiences in strategic informationsystems planning’, MIS Quarterly, Vol. 17, No. 1,pp. 1–24.

Eisenhardt, K. (1989), ‘Agency theory: an assessmentand review’, Academy of Management Review, Vol. 14,No. 1, pp. 57–74.

Fama, E. (1980), ‘Agency problems and the theory ofthe firm’, Journal of Political Economy, Vol. 88, No. 2,pp. 288–307.

Gelinas, U., Sutton, S. & Fedorowicz, J. (2004), BusinessProcesses and Information Technology, Cincinnati, OH:Thomson Learning.

Goodhue, D. L. & Thompson, P. (1995),‘Task-technology fit and individual performance’,MIS Quarterly, Vol. 19, No. 2, pp. 213–36.

Grover, V., Jeong, S-R., Kettinger, W. J. & Lee, C. C.(1993), ‘The chief information officer: a study ofmanagerial roles’, Journal of Management InformationSystems, Vol. 10, No. 2, pp. 107–30.

Guldentops, E., Van Grembergen, W. & De Haes, S.(2002), ‘Control and governance maturity survey:



establishing a reference benchmark and aself-assessment tool’, ISACA Control, Vol. 6.

Gupta, Y. P. & Raghunathan, T. S. (1989), ‘Impact ofinformation systems (IS) steering committees onIS planning’, Decision Sciences, Vol. 20, No. 4, pp.777–93.

Hair, J. F. Jr., Anderson, R. E., Tatham, R. L. & Black,W. C. (1998), Multivariate Data Analysis, 5th edn,Upper Saddle River, NJ: Prentice-Hall.

Hall, J. A. & Singleton, T. (2005), InformationTechnology Auditing and Assurance, Florence, KY:South-Western.

Hambrick, D. C. (1981), ‘Environment, strategy,and power within top management teams’,Administrative Science Quarterly, Vol. 26, No. 2, pp.253–76.

Hardy, G. (2002), ‘Make sure management and IT areon the same page: implementing an IT governanceframework’, Information Systems Control Journal, Vol.3, pp. 14–16.

Hopwood, W. S., Leiner, J. L. & Young, G. R. (2008),Forensic Accounting, New York: McGraw-Hill.

Information Systems Audit and Control Association(ISACA) (2002), IS Auditing Guideline, IT GovernanceDocument Number 060.020.050, Rolling Meadows,IL: ISACA.

Information Systems Audit and Control Association(ISACA) (2011), COBIT 5: Framework, RollingMeadows, IL: ISACA.

Information Systems Audit and Control Foundation(ISACF) (2003), CISA Review Manual 2003, RollingMeadows, IL: ISACF.

Institute of Internal Auditors (IIA) (2009), 2009 ITAudit Benchmarking Study, Altamonte Springs, FL:IIA.

International Federation of Accountants (IFAC) (2002),E-Business and the Accountant, New York: IFAC.

International Federation of Accountants (IFAC) (2009),International standard on auditing (ISA) 315:Identifying and assessing the risks of materialmisstatement through understanding the entity and itsenvironment, New York: IFAC.

IT Governance Institute (2001), Board Briefing on ITGovernance, Rolling Meadows, IL: IT GovernanceInstitute. Available at: http://www.itgi.org/boardbriefing.pdf (accessed May 4, 2003).

IT Governance Institute (2002a), IT GovernanceExecutive Summary, Rolling Meadows, IL: ITGovernance Institute. Available at: http://www.itgovernance.org/itgovexecsummary.pdf (accessedMay 4, 2003).

IT Governance Institute (2002b), IT Strategy Committee,Rolling Meadows, IL: IT Governance Institute.Available at: http://www.itgovernance.org/itstrategy.pdf (accessed May 4, 2003).

Jackson, I. F. (1986), Corporate Information Management,Englewood Cliffs, NJ: Prentice-Hall.

Jarvenpaa, S. L. & Ives, B. (1991), ‘Executiveinvolvement and participation in the managementof information technology’, MIS Quarterly, Vol. 15,No. 2, pp. 205–27.

Jensen, M. & Meckling, W. (1976), ‘Theory of the firm:managerial behavior, agency costs and ownershipstructure’, Journal of Financial Economics, Vol. 3,pp. 305–60.

Kaplan, R. S. & Norton, D. P. (1992), ‘The balancedscorecard: measures that drive performance’,Harvard Business Review, Vol. 71, pp. 75–85.

Karimi, J., Bhattaacherjee, A., Gupta, Y. P. & Somers, T.M. (2000), ‘The effects of MIS steering committeeson information technology managementsophistication’, Journal of Management InformationSystems, Vol. 17, No. 2, pp. 207–30.

King, J. L. (1983), ‘Centralised versus decentralisedcomputing: organisational considerations andmanagement options’, Computing Surveys, Vol. 15,No. 4, pp. 319–49.

Kotb, A. & Roberts, C. (2011), ‘The impact ofE-business on the audit process: an investigationof the factors leading to change’, InternationalJournal of Auditing, Vol. 15, pp. 150–75.

KPMG (2010), Fraud and Misconduct Survey 2010,Melbourne, Vic: KPMG International.

Kranacher, M., Riley, R. A. Jr., & Wells, J. T. (2010),Forensic Accounting and Fraud Examination, NewYork: Wiley.

Larcker, D. & Richardson, S. (2004), ‘Fees paid to auditfirms, accrual choices, and corporate governance’,Journal of Accounting Research, Vol. 42, No. 3, pp.625–58.

Luftman, J. N., Papp, R. & Brier, T. (1999), ‘Enablersand inhibitors of business-IT alignment’,Communications of AIS, Vol. 1, No. 11, pp. 1–33.

McKeen, J. D. & Guimaraes, T. (1985), ‘Selecting MISprojects by steering committee’, Communications ofthe ACM, Vol. 28, No. 12, pp. 1344–52.

McLean, E. R. & Soden, J. V. (1977), Strategic Planningfor MIS, New York: McGraw-Hill.

Meador, C. L., Guyote, M. J. & Keen, P. G. W. (1984),‘Setting priorities for DSS development’, MISQuarterly, Vol. 8, No. 2, pp. 117–29.

Miller, J. & Israel, E. (2002), ‘KPMG: performancemeasurement must be linked to business strategy’,The Economist Intelligence, 7 May. Available at:http://www.ebusinessforum.com/index.asp?layout=printer_friendlyanddoc_id=5652 (accessedJune 5, 2003).

Niederman, F., Brancheau, J. C. & Wetherbe, J. C.(1991), ‘Information systems management issuesfor the 1990s’, MIS Quarterly, Vol. 15, No. 4, pp.475–500.

Nolan, R. L. (1982), ‘Managing information systemsby committee’, Harvard Business Review, Vol. 60, pp.72–79.

Nunnally, J. (1978), Psychometric Theory, 2nd edn, NewYork: McGraw-Hill.

Owen, N. (2003), The Failure of HIH Insurance: Vol. I.A Corporate Collapse and its Lessons. Canberra:Canberra Publishing and Printing.

Peirson, G., Bird, R., Brown, R. & Howard, P. (1990),Business Finance, 5th edn, Sydney, NSW:McGraw-Hill.



Peterson, R., O’Callaghan, R. & Ribbers, P. M. A.(2000), ‘Information technology governance bydesign: investigating hybrid configurations andintegration mechanisms’, Proceedings of the 21stInternational Conference on Information Systems,Brisbane, Qld: Association for InformationSystems.

Podsakoff, P. M., Scott B., Lee, J. & Podsakoff, N. P.(2003), ‘Common method biases in behaviouralresearch: a critical review of the literature andrecommended remedies’, Journal of AppliedPsychology, Vol. 88, No. 5, pp. 879–903.

Premkumar, G. & King, W. R. (1992), ‘An empiricalassessment of information systems planning androle of information systems in organisations’,Journal of Information Systems, Vol. 9, No. 2, pp.99–125.

Raghunathan, B. & Raghunathan, T. S. (1989), ‘MISsteering committees: their effect on informationsystems planning’, Journal of Information Systems,Vol. 3, No. 2, pp. 104–16.

Raghunathan, B. & Raghunathan, T. S. (1990),‘Planning implications of the information systemsstrategic grid: an empirical investigation’, DecisionSciences, Vol. 21, No. 2, pp. 287–300.

Robb, A. & Parent, M. (2008), ‘Understanding ITgovernance: a case of two financial mutuals’, Journalof Global Information Management, Vol. 17, No. 3, pp.59–77.

Rockart, J. F. & Scott-Morton, M. S. (1984),‘Implications of changes in information technologyfor corporate strategy’, Interfaces, Vol. 14, No. 1,pp. 28–31.

Rousseau, D. M. (1978), ‘Characteristics ofdepartments, positions and individuals: contexts forattitudes and behaviour’, Administrative ScienceQuarterly, Vol. 23, No. 4, pp. 531–40.

Sambamurthy, V. & Zmud, R. W. (1999),‘Arrangements for information technologygovernance: a theory of multiple contingencies’, MISQuarterly, Vol. 23, No. 2, pp. 261–90.

Shleifer, A. & Vishny, R. (1997), ‘A survey of corporategovernance’, Journal of Finance, Vol. 52, No. 2, pp.737–83.

Sohal, A. S. & Fitzpatrick, P. (2002), ‘IT governance andmanagement in large Australian organisations’,International Journal of Production Economics, Vol. 75,pp. 97–112.

Stewart, R. A. & Mohamed, S. (2001), ‘Utilising thebalanced scorecard for IT/IS performanceevaluation in construction’, Construction Innovation,Vol. 1, pp. 147–63.

Stoel, D., Havelka, D. & Merhout, J. W. (2012), ‘Ananalysis of attributes that impact informationtechnology audit quality: A study of IT and financialaudit practitioners’, International Journal ofAccounting Information Systems, Vol. 13, No. 1, pp.60–79.

Tabachnick, B. G. & Fidell, L. S. (1996), UsingMultivariate Statistics, 3rd edn, New York:HarperCollins.

Torkzadeh, G. & Xia, W. (1992), ‘Managingtelecommunications by steering committee’, MISQuarterly, Vol. 16, No. 2, pp. 187–99.

Van der Zee, J. T. M. & De Jong, B. (1999), ‘Alignmentis not enough: integrating business and informationtechnology management with the balancedbusiness scorecard’, Journal of Information Systems,Vol. 16, No. 2, pp. 137–56.

Van Grembergen, W. (2000), ‘The balanced scorecardand IT governance’, ISACA Control, Vol. 5.

Van Grembergen, W. & Van Bruggen, R. (1997),‘Measuring and Improving Corporate InformationTechnology through the Balanced ScorecardTechnique’, Proceedings of the 4th EuropeanConference on the Evaluation of InformationTechnology, Delft.

Weber, R. (1999), Information Systems Control andAudit, Upper Saddle River, NJ: Prentice-Hall.

Weill, P. & Ross, J. (2004), IT Governance: How TopPerformers Manage IT Decision Rights for SuperiorResults, Boston, MA: Harvard Business School Press.

Weill, P. & Woodham, R. (2002), ‘Don’t just lead,govern: implementing effective IT governance’,MIT Sloan Working Paper No. 4237-02,Massachusetts Institute of Technology (MIT) –Sloan School of Management.

Willcocks, L. (1994), Information Management: TheEvaluation of Information Systems Investments,London: Chapman and Hall.

Zarrella, E. (2005), ‘Call for CIO board seats’, TheAustralian Financial Review, 29 September, p. 43.

AUTHOR PROFILES

Colin B. Ferguson is Professor of BusinessInformation Systems in the Department ofAccounting, Faculty of Business and Economics atthe University of Melbourne. He is also a directorof the Centre for Accounting and IndustryPartnerships. He has published widely inprofessional journals as well as in internationallyreviewed academic journals including InternationalJournal of Accounting Information Systems,Information Systems Journal, Accounting Horizons,Accounting and Finance, ABACUS, andCommunications of the Association for InformationSystems.

Peter F. Green is Professor of ElectronicCommerce and Business Information Systemscluster leader in the UQ Business School at theUniversity of Queensland. He has qualificationsin Computer Science, Accounting, and a PhD inCommerce (Information Systems) from theUniversity of Queensland, and is both a Fellow ofthe Institute of Chartered Accountants and a Fellow



of the Australian Computer Society. Peter’spublications have appeared in such internationallyrefereed journals as MIS Quarterly, EuropeanJournal of Information Systems, Information Systems,Journal of the Association for Information Systems,Communications of the Association for InformationSystems, IEEE Transactions on Knowledge & DataEngineering, Data & Knowledge Engineering, andJournal of Database Management.

Ravi Vaswani was a student in the UQ BusinessSchool where he undertook his BCom (Hons)degree. He has work experience as a seniorconsultant with the Risk and Assurance Services of

Ernst & Young, Brisbane. He is now a businessservices manager at Gladstone Ports CorporationLimited.

Gang (Henry) Wu is a lecturer in the DepartmentofAccounting, Faculty of Business and Economics atthe University of Melbourne. He has workexperience as an auditor and technical consultant atPitcher Partners in Melbourne. His work has beenaccepted by peer-reviewed academic journalsincluding Accounting and Finance and leadinginternational conferences such as the AFAANZDoctoral Consortium and the AAA AnnualMeeting.



APP

EN

DIX

A

Surv

eyin

stru

men

t–

(que

stio

nnai

re)

Det

erm

inan

tsof

effe

ctiv

eIT

gove

rnan

ce

Not

atal

l(1

)(2

)(3

)

To

som

eex

tent

(4)

(5)

(6)

To

agr

eat

exte

nt(7

)

Not

appl

icab

le

(8)

Tow

hat

exte

ntar

eyo

ufa

mili

arw

ith

the

impl

emen

tati

on(o

rco

ncep

ts)

ofIT

gove

rnan

cem

echa

nism

s?(9

)To

the

best

ofyo

urkn

owle

dge

,how

man

yre

port

ing

leve

lsse

para

teth

eIT

head

and

CE

O?

(10)

Tow

hat

exte

ntd

oes

the

ITst

eeri

ngco

mm

itte

epr

ovid

est

rate

gic

dir

ecti

onto

ITpr

ojec

tsth

atar

ein

line

wit

hth

est

rate

gic

dir

ecti

ons

ofth

eor

gani

zati

on?

(11)

Tow

hat

exte

ntd

oes

the

ITst

eeri

ngco

mm

itte

epr

ovid

ea

mec

hani

smfo

rco

ord

inat

ing

ITpr

acti

ces?

(12)

Tow

hat

exte

ntd

oes

the

ITst

eeri

ngco

mm

itte

epr

ovid

ele

ader

ship

ind

eriv

ing

bene

fits

from

IT?

(13)

Tow

hat

exte

ntd

oes

the

ITst

eeri

ngco

mm

itte

epr

ovid

ele

ader

ship

inm

anag

ing

IT?

(14)

Tow

hat

exte

ntd

oes

each

orga

niza

tion

alun

itor

func

tion

have

the

auth

orit

yto

mak

eit

sow

nd

ecis

ions

rela

tive

toha

rdw

are

acqu

isit

ions

?(1

5)To

wha

tex

tent

doe

sea

chor

gani

zati

onal

unit

orfu

ncti

onha

veth

eau

thor

ity

tom

ake

its

own

dec

isio

nsre

lati

veto

soft

war

ed

evel

opm

ent?

(16)

Tow

hat

exte

ntis

the

resp

onsi

bilit

yfo

rau

thor

izin

gpo

licie

sw

ith

rega

rdto

stra

tegi

cha

rdw

are

dec

isio

nsm

ade

cent

rally

?(1

7)To

wha

tex

tent

isth

ere

spon

sibi

lity

for

dec

isio

nsre

lati

ngto

the

orga

niza

tion

’sfu

ture

hard

war

eac

quis

itio

nhe

ldce

ntra

lly?

(18)

Tow

hat

exte

ntis

the

resp

onsi

bilit

yfo

rd

ecis

ions

rela

ting

toth

eor

gani

zati

on’s

soft

war

ed

evel

opm

ent

held

cent

rally

?(1

9)To

wha

tex

tent

doe

sse

nior

man

agem

ent

get

invo

lved

inst

rate

gic

mat

ters

rela

ted

toth

eus

eof

ITw

ithi

nth

eor

gani

zati

on,o

utsi

de

ofth

eIT

stee

ring

com

mit

tee?

(20)

Tow

hat

exte

ntis

seni

orm

anag

emen

tkn

owle

dge

able

abou

tIT

oppo

rtun

itie

san

dpo

ssib

iliti

esfo

rth

eor

gani

zati

on?

(21)

Tow

hat

exte

ntis

seni

orm

anag

emen

tkn

owle

dge

able

abou

tIT

inno

vati

ons

that

have

been

dev

elop

edby

maj

orco

mpe

tito

rs?

(22)

Tow

hat

exte

ntd

oes

seni

orm

anag

emen

tof

ten

end

orse

maj

orIT

inve

stm

ents

that

have

not

been

end

orse

dby

trad

itio

nalj

usti

fica

tion

crit

eria

and

proc

edur

es(s

uch

asth

eIT

stee

ring

com

mit

tee)

?(2

3)To

wha

tex

tent

doe

sse

nior

man

agem

ent

pers

onal

lyus

eIT

inre

lati

onto

busi

ness

?(e

.g.,

emai

l)(2

4)To

wha

tex

tent

doe

sth

ese

nior

ITof

fice

rre

port

dir

ectly

tose

nior

man

agem

ent?

(25)

Tow

hat

exte

ntd

oes

your

orga

niza

tion

’sco

rpor

ate

perf

orm

ance

mea

sure

men

tsy

stem

mea

sure

the

deg

ree

tow

hich

the

orga

niza

tion

’sIT

stra

tegy

supp

orts

the

busi

ness

stra

tegy

?(2

6)To

wha

tex

tent

doe

syo

uror

gani

zati

on’s

corp

orat

epe

rfor

man

cem

easu

rem

ent

syst

empr

oduc

ea

conc

ise

mod

elto

assi

stm

anag

ers

intr

acki

ngth

eor

gani

zati

on’s

prog

ress

?(2

7)To

wha

tex

tent

doe

syo

uror

gani

zati

on’s

corp

orat

epe

rfor

man

cem

easu

rem

ent

syst

empr

ovid

em

anag

emen

tw

ith

cont

rolm

easu

res

onIT

expe

nses

?(2

8)To

wha

tex

tent

doe

syo

uror

gani

zati

on’s

corp

orat

epe

rfor

man

cem

easu

rem

ent

syst

empr

ovid

em

anag

emen

tw

ith

cont

rolm

easu

res

onth

eef

fici

ency

ofIT

dev

elop

men

tan

dop

erat

ions

?(2

9)To

wha

tex

tent

doe

syo

uror

gani

zati

on’s

corp

orat

epe

rfor

man

cem

easu

rem

ent

syst

emal

low

for

cont

rolm

easu

res

tobe

com

pare

dw

ith

benc

hmar

king

figu

res

for

ITth

roug

hout

the

busi

ness

oper

atio

ns?



APP

EN

DIX

AC

onti

nued

Stro

ngly

disa

gree

(1)

(2)

(3)

(4)

(5)

(6)

Stro

ngly

agre

e(7

)

(30)

Tow

hat

exte

ntd

oyo

uag

ree

wit

hth

efo

llow

ing:

The

curr

ent

ind

ivid

ualI

Tgo

vern

ance

mec

hani

sms

wit

hin

my

orga

niza

tion

’sIT

envi

ronm

ent

has

ala

rge,

posi

tive

impa

cton

the

over

alll

evel

ofef

fect

ive

ITgo

vern

ance

wit

hin

the

orga

niza

tion

?(3

1)To

wha

tex

tent

do

you

agre

ew

ith

the

follo

win

g:Th

ecu

rren

tin

div

idua

lIT

gove

rnan

cem

echa

nism

sw

ithi

nm

yor

gani

zati

onar

ean

impo

rtan

tan

dva

luab

leai

dto

impl

emen

ting

over

alle

ffec

tive

ITgo

vern

ance

wit

hin

the

orga

niza

tion

?(3

2)To

wha

tex

tent

do

you

agre

ew

ith

the

follo

win

g:O

vera

ll,th

eIT

gove

rnan

cem

echa

nism

sof

my

orga

niza

tion

are

impo

rtan

tan

dva

luab

leto

the

corp

orat

ego

vern

ance

ofth

eor

gani

zati

on?

(33

Opt

iona

l)To

the

best

ofyo

urkn

owle

dge

,lis

tth

eTO

P6

mec

hani

sms

(or

fact

ors)

impl

emen

ted

wit

hin

your

orga

niza

tion

(or

clie

ntor

gani

zati

on)

that

cont

ribu

teto

effe

ctiv

eIT

gove

rnan

ce?

For

exam

ple,

thes

eco

uld

rela

teto

the

cont

rol

stru

ctur

e,ro

leof

stra

tegi

cpl

anni

ng,

orsy

stem

ssu

ppor

tw

ithi

nth

eor

gani

zati

on.

Plea

sebe

gin

wit

hth

em

ost

impo

rtan

tm

echa

nism

firs

t.(I

ffe

wer

than

6m

echa

nism

s,le

ave

the

rem

aini

ngen

trie

sem

pty)

.

Nu

mb

er1

Nu

mb

er2

Nu

mb

er3

Nu

mb

er4

Nu

mb

er5

Nu

mb

er6



APP

EN

DIX

BD

escr

ipti

onof

scal

esus

edto

mea

sure

cons

truc

tsin

the

stud

y

Var

iabl

eSc

ale

item

san

dre

spon

sefo

rmat

sN

o.of

item

san

dso

urce

A.

Per

ceiv

edov

eral

lef

fect

ive

ITgo

vern

ance

Q30

Tow

hat

exte

ntd

oyo

uag

ree

wit

hth

efo

llow

ing:

The

curr

ent

ind

ivid

ualI

Tgo

vern

ance

mec

hani

sms

wit

hin

my

orga

niza

tion

’sIT

envi

ronm

ent

has

ala

rge,

posi

tive

impa

cton

the

over

alll

evel

ofef

fect

ive

ITgo

vern

ance

wit

hin

the

orga

niza

tion

.

Two

item

sba

sed

onG

ood

hue

and

Thom

pson

(199

5).

Q31

Tow

hat

exte

ntd

oyo

uag

ree

wit

hth

efo

llow

ing:

The

curr

ent

ind

ivid

ualI

Tgo

vern

ance

mec

hani

sms

wit

hin

my

orga

niza

tion

are

anim

port

ant

and

valu

able

aid

toim

plem

enti

ngov

eral

leff

ecti

veIT

gove

rnan

cew

ithi

nth

eor

gani

zati

on.

1=

Stro

ngly

Dis

agre

e;to

7=

Stro

ngly

Agr

eeB

.IT

stee

rin

gco

mm

itte

eQ

10To

wha

tex

tent

doe

sth

eIT

stee

ring

com

mit

tee

prov

ide

stra

tegi

cd

irec

tion

toIT

proj

ects

that

are

inlin

ew

ith

the

stra

tegi

cd

irec

tion

sof

the

orga

niza

tion

?

Four

item

sba

sed

onK

arim

i,B

hatt

ache

rjee

,Gup

ta,a

ndSo

mer

s(2

000)

Q11

Tow

hat

exte

ntd

oes

the

ITst

eeri

ngco

mm

itte

epr

ovid

ea

mec

hani

smfo

rco

ord

inat

ing

ITpr

acti

ces?

Q12

Tow

hat

exte

ntd

oes

the

ITst

eeri

ngco

mm

itte

epr

ovid

ele

ader

ship

ind

eriv

ing

bene

fits

from

IT?

Q13

Tow

hat

exte

ntd

oes

the

ITst

eeri

ngco

mm

itte

epr

ovid

ele

ader

ship

inm

anag

ing

IT?

1=

Not

atA

ll;to

7=

Toa

Gre

atE

xten

t(N

otA

pplic

able

resp

onse

opti

on=

0)C

.C

entr

aliz

atio

nof

ITd

ecis

ion

-m

akin

gco

ntr

ol

Q14

Tow

hat

exte

ntd

oes

each

orga

niza

tion

alun

itor

func

tion

have

the

auth

orit

yto

mak

eit

sow

nd

ecis

ions

rela

tive

toha

rdw

are

acqu

isit

ions

?Fi

veit

ems;

two

base

don

Gro

ver,

Jeon

g,K

etti

nger

,and

Lee

(199

3)an

dth

eot

her

thre

ed

evel

oped

byth

epr

inci

pal

rese

arch

erQ

15To

wha

tex

tent

doe

sea

chor

gani

zati

onal

unit

orfu

ncti

onha

veth

eau

thor

ity

tom

ake

its

own

dec

isio

nsre

lati

veto

soft

war

ed

evel

opm

ent?

Q16

*To

wha

tex

tent

isth

ere

spon

sibi

lity

for

auth

oris

ing

polic

ies

wit

hre

gard

tost

rate

gic

hard

war

ed

ecis

ions

mad

ece

ntra

lly?

Q17

*To

wha

tex

tent

isth

ere

spon

sibi

lity

for

dec

isio

nsre

lati

ngto

the

orga

niza

tion

’sfu

ture

hard

war

eac

quis

itio

nhe

ldce

ntra

lly?

Q18

*To

wha

tex

tent

isth

ere

spon

sibi

lity

for

dec

isio

nsre

lati

ngto

the

orga

niza

tion

’sso

ftw

are

dev

elop

men

the

ldce

ntra

lly?

1=

Not

atA

ll;to

7=

Toa

Gre

atE

xten

t(N

otA

pplic

able

resp

onse

opti

on=

0)



APP

EN

DIX

BC

onti

nued

Var

iabl

eSc

ale

item

san

dre

spon

sefo

rmat

sN

o.of

item

san

dso

urce

D.

Invo

lvem

ent

ofse

nio

rm

anag

emen

tin

IT

Q19

Tow

hat

exte

ntd

oes

seni

orm

anag

emen

tge

tin

volv

edin

stra

tegi

cm

atte

rsre

late

dto

the

use

ofIT

wit

hin

the

orga

niza

tion

,out

sid

eof

the

ITst

eeri

ngco

mm

itte

e?

Five

item

sba

sed

onJa

rven

paa

and

Ives

(199

1)

Q20

Tow

hat

exte

ntis

seni

orm

anag

emen

tkn

owle

dge

able

abou

tIT

oppo

rtun

itie

san

dpo

ssib

iliti

esfo

rth

eor

gani

zati

on?

Q21

Tow

hat

exte

ntis

seni

orm

anag

emen

tkn

owle

dge

able

abou

tIT

inno

vati

ons

that

have

been

dev

elop

edby

maj

orco

mpe

tito

rs?

Q22

Tow

hat

exte

ntd

oes

seni

orm

anag

emen

tof

ten

end

orse

maj

orIT

inve

stm

ents

that

have

not

been

end

orse

dby

trad

itio

nalj

usti

fica

tion

crit

eria

and

proc

edur

es(s

uch

asth

eIT

stee

ring

com

mit

tee)

?Q

23To

wha

tex

tent

doe

sse

nior

man

agem

ent

pers

onal

lyus

eIT

inre

lati

onto

busi

ness

?(E

.g.,

emai

l)1

=N

otat

All;

to7

=To

aG

reat

Ext

ent

(Not

App

licab

lere

spon

seop

tion

=0)

E.

Pos

itio

nof

ITfu

nct

ion

wit

hin

the

orga

niz

atio

n

Q9

Toth

ebe

stof

your

know

led

ge,h

owm

any

repo

rtin

gle

vels

sepa

rate

the

IThe

adan

dC

EO

?∧R

espo

nse

prov

ided

ina

text

box

Two

item

sba

sed

onJa

rven

paa

and

Ives

(199

1)Q

24To

wha

tex

tent

doe

sth

ese

nior

ITof

fice

rre

port

dir

ectly

tose

nior

man

agem

ent?

1=

Not

atA

ll;to

7=

Toa

Gre

atE

xten

t(N

otA

pplic

able

resp

onse

opti

on=

0)F.

Cor

por

ate

per

form

ance

mea

sure

men

tsy

stem

Q25

Tow

hat

exte

ntd

oes

your

orga

niza

tion

’sco

rpor

ate

perf

orm

ance

mea

sure

men

tsy

stem

mea

sure

the

deg

ree

tow

hich

the

orga

niza

tion

’sIT

stra

tegy

supp

orts

the

busi

ness

stra

tegy

?

Five

item

s;tw

oba

sed

onC

han

and

Ho

(200

0)an

dth

eot

her

thre

ed

evel

oped

byth

epr

inci

palr

esea

rche

rQ

26To

wha

tex

tent

doe

syo

uror

gani

zati

on’s

corp

orat

epe

rfor

man

cem

easu

rem

ent

syst

empr

oduc

ea

conc

ise

mod

elto

assi

stm

anag

ers

intr

acki

ngth

eor

gani

zati

on’s

prog

ress

?Q

27*T

ow

hat

exte

ntd

oes

your

orga

niza

tion

’sco

rpor

ate

perf

orm

ance

mea

sure

men

tsy

stem

prov

ide

man

agem

ent

wit

hco

ntro

lmea

sure

son

ITex

pens

es?

Q28

*To

wha

tex

tent

doe

syo

uror

gani

zati

on’s

corp

orat

epe

rfor

man

cem

easu

rem

ent

syst

empr

ovid

em

anag

emen

tw

ith

cont

rolm

easu

res

onth

eef

fici

ency

ofIT

dev

elop

men

tan

dop

erat

ions

?Q

29*T

ow

hat

exte

ntd

oes

your

orga

niza

tion

’sco

rpor

ate

perf

orm

ance

mea

sure

men

tsy

stem

allo

wfo

rco

ntro

lmea

sure

sto

beco

mpa

red

wit

hbe

nchm

arki

ngfi

gure

sfo

rIT

thro

ugho

utth

ebu

sine

ssop

erat

ions

?1

=N

otat

All;

to7

=To

aG

reat

Ext

ent

(Not

App

licab

lere

spon

seop

tion

=0)

Not

e:E

ach

vari

able

uses

the

sam

em

easu

rem

ent

scal

esac

ross

alli

tsit

ems

(exc

ept

Posi

tion

ofIT

Func

tion

wit

hin

the

Org

aniz

atio

n)∧ R

espo

nses

toth

isit

emw

ere

prov

ided

ina

text

box.

*The

seit

ems

wer

ed

evel

oped

byth

epr

inci

palr

esea

rche

r



Determinants of Effective Information Technology Governance

Documents

Transcript of Determinants of Effective Information Technology Governance