Hi Group 1, add or modify your content on this page by Sunday Oct 11 at 2359.
[will be deleted later]
Dear all,
I have some suggestions for doing this chapter.
For the posting method:
1. Create the topic (please don't duplicate the topic)
2. Give a number to your paragraph
3. Write down your id
4. Post your paragraph under the topic
5. Give the reference (if any)

For restructuring the whole chapter:
Each topic may have more than one groupmate working on it, so I suggest we vote on which paragraph to use in the final version.

Here is the example:
What is IT Governance?
1. [g1-1111]
reference (if any)

2. [g1-2222]
reference (if any)

Suggest to use: 2 [g1-0000], 1 [g1-3333]

Please comment on my suggestion. Thanks. [g1-6880] Wing

Dear all,
please be informed that the following topics already appear in chapter 2:
What is Management control?
What is IT Governance?
Purpose of IT Governance
Objectives of IT Governance
Process of IT Governance:
IT Governance Framework:
The Advantages of IT Governance

I am not sure whether we can use those topics in chapter 4. Anyone have ideas?

Thanks, Amy [g1-0800]


Management Control of IT Function

There are 3 aspects of control:
  1. Control Architecture
  2. Control Process
  3. Audit Function

Control Architecture

There are 2 approaches:
  1. Cost-center approach
    • Unallocated cost-center
    • Allocated cost-center
  2. Profit-center approach

Free IT Services

  • Unallocated Cost Center - IT services are considered a free resource to the users.

The advantages of this approach are as follows:
  • User requests for IT services can be stimulated.
  • It is easier to promote new IT services and to test them with users.
  • It is easier to sell IT services because the controversy over charges is avoided.
  • Administrative cost is lower because neither IT staff nor users are required to spend large amounts of resources to calculate, discuss and negotiate the charges involved for each request.

The disadvantages of this approach are as follows:
  • The users consider IT a free resource and may submit any request without serious consideration. Thus, users change their requests frequently and many requested systems may never be useful.
  • IT resource allocation decisions may become politicized because there is no charge-out system, which is a problem when resources such as staff and budget are limited.
  • Lack of competitive pressure and of external measurement of performance permits the hiding of operational inefficiency.

Charge Out IT Services

  • Allocated Cost Center - IT services may be charged out at cost. The total cost of IT services is charged back to the service requester or consumer.
  • Profit Center - IT services may be charged out at cost plus a profit margin. The IT function may be allowed a flexible budget and a systematic way to price its services. Thus, IT services are charged out at market prices and the IT business venture is expected to earn a targeted profit on its investment.

The advantages of this approach are as follows:
  • Costs can be assigned clearly to those who consume and benefit from the IT services.
  • Wasteful use of IT resources can be reduced because users will compare the benefits with the costs, so unprofitable use is eliminated.
  • The IT budgeting process becomes more business driven, which encourages the IT function to improve its services and increase its efficiency.

The disadvantages of this approach are as follows:
  • Users may prefer not to raise requests in order to save the charge. Thus, user requests may be discouraged.
  • Administrative cost is high because both IT staff and users are required to spend large amounts of resources to calculate, discuss and negotiate the charges involved for each request.
  • Complaints may be received from users because costs are unpredictable and unstable.

We use governance for IT when we make investments, change projects and hand over services. Comprehensive governance, including its supporting systems, gives us the management tools we need to solve many long-standing problems in IT.
There is no single definition of IT governance. A quick search on the internet shows that it means different things to different people.
  • Governance is used to describe how decisions on spending money are made. It includes prioritising and justifying investments, and the controls applied after the spend, such as budgets and the authority to approve expenditure.
  • Governance is also used to describe many different aspects of IT change. At the lower level it sometimes describes project management and control; more often it describes the management and control of a portfolio of projects. It is used to ensure that IT changes meet the requirements of the governance process. It sometimes includes the arrangement of IT personnel. Good governance aligns IT change and its expenditure with the business.
  • Governance is also used to describe the management and control of IT services. Service level agreements (SLAs) are used to confirm the service levels acceptable to the business and then serve as the basis for control. This makes it easy for the business to ensure that day-to-day problem handling and support are aligned with it.
[g1-4171]


What is IT Governance

Weill and Ross define IT governance as, "Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT." If desirable behavior involves independent business units, IT investment decisions will be with the unit heads. If desirable behavior involves an enterprise-wide view of the customer with a single point-of-contact, then central IT control works best.

Why is IT Governance Important

  • Financial payoffs
  • IT is expensive
  • IT is pervasive
  • New technologies
  • IT governance is critical to learning about IT value
  • Not just technical - integration and buy-in from business leaders is needed for success
  • Senior executives have limited bandwidth, especially at large institutions, so they can't do it all
  • Governance patterns depend on desired behaviors
    • Top revenue growth - decentralized to promote customer responsiveness and innovation
    • Profit - centralized to promote sharing, reuse and efficient asset utilization
    • Multiple performance goals - blended centralized and decentralized governance

Two decision domains are not explained in the lecture notes:

  • Business application needs - specifying the business need for purchased and internally developed IT applications
  • IT investment and prioritization - choosing what initiatives to fund and how much to spend

What Governance Arrangements Work Best

  • Monarchies work well when profit is a priority.
  • Feudal or business monarchy arrangements might work best when growth is a priority.
  • Federal arrangements can work well for input into all IT decisions. Avoid federal arrangement for all decisions since it's difficult to balance the center with the business unit needs.
  • Duopoly arrangements work well for IT principles, investment decisions and business application needs. Duopolies also work best when asset utilization is a priority.

Governance Mechanisms

Governance is implemented using the following mechanisms.
Decision-Making Structures
Organizational units and roles responsible for making IT decisions, such as committees, executive teams, and business/IT relationship managers.
  • Executive or senior management committees
  • IT leadership committee
  • Process teams with IT members
  • Business/IT relationship managers
  • IT council of IT and business executives
  • Architecture committee
  • Capital improvement committee
Alignment Processes
Formal processes for ensuring that daily behaviors are consistent with policies and provide input back to decisions. These include IT investment proposal and evaluation processes, architectural exception processes, service-level agreements, chargeback, and metrics.

  • Tracking of IT projects and resources consumed
  • Service-level agreements
  • Formally tracking business value of IT
  • Chargeback arrangements
Communications Approaches
Announcements, advocates, channels, and education efforts that disseminate IT governance principles and policies and outcomes of IT decision-making processes.

  • Work with managers that don't follow the rules
  • Senior management announcements
  • Office of CIO or IT governance
  • Web-based portals and intranets for IT
Mechanisms should be:
  • Simple: Unambiguously define the responsibility or objective for a specific person or group
  • Transparent: A formal process that's clear to those that are affected by or want to challenge decisions.
  • Suitable: Engage individuals best positioned to make given decisions.
  • Mechanisms do not work in isolation. The impact of governance depends on interactions among mechanisms.
Principles for Establishing a Set of Effective Mechanisms
  • Use all three types: decision-making structures, alignment process and communication approaches.
  • Limit decision-making structures. Too many structures lead to contradictions and disconnections. In large enterprises, decision-making responsibilities should be disseminated using alignment mechanisms, not decision-making structures.
  • Provide for overlapping membership in decision-making structures. Input is needed from business and technology to avoid disconnect between IT and business decisions.
  • Implement mechanisms at multiple levels of the organization. Architecture and IT budget process often provide the connection between enterprise governance and business unit governance in large organizations.
  • Clarify accountability. Management objectives and metrics will help reduce confusion over who is responsible for what.

FROM: IT Governance (2004), by Peter Weill and Jeanne Ross


IT governance

According to some research, large firms invest 40% of their resources in IT [1]. So IT has become an important element. Enterprise leaders want to manage IT resources better and ensure that IT decisions consider business goals and objectives. IT governance ensures that key decisions are consistent with corporate values and strategies, and that IT-related decisions match the company's objectives. The firm can then maintain its operations and implement strategies that enable the company to run better.
IT governance is related to corporate governance. Corporate governance directly affects the company's financial condition, so IT governance is also very important to its finances [2].

IT Governance Mechanisms
It has been mentioned that IT governance ensures IT decisions are consistent with the company vision and business goals. Before making these IT decisions, firms need to develop IT governance mechanisms.
There are 3 IT governance mechanisms.

5 Decision Domains

IT Principles, IT Architecture, IT infrastructure, Business application, IT Investment



These mechanisms provide firms with the coordination, control and trust that are needed to manage and utilize their IT related resources.

In conclusion, IT governance is used to help enterprise leaders to support the firm’s goal and mission. The governance also helps the firm executive to understand the employees. The enterprise leaders ensure that IT is effectively managed.

Example of Decision domain

IT Principles :
Benchmarked lowest total cost of ownership
Architectural integrity
Consistent, flexible infrastructure
Rapid deployment of new applications
Measured, improving, and communicated value and responsiveness

IT Architecture:
An integrated set of technical choices

IT Infrastructure Strategies:
Strategies for the base foundation, centrally coordinated services, e. g., network, shared data, etc.

Business Application:
specifying the needs for purchased or internally developed systems

IT Investment and prioritization:
Decisions about how much and where to invest in IT including project approvals and justification techniques.

1. http://gbr.pepperdine.edu/053/itmatters.html
2. http://www.slideshare.net/eitake/it-governance-1447351


FROM Canada-What_is_IT_Governance

Control Architecture

1. [g1-0800]

The IT function can be established as an unallocated cost center, an allocated cost center or an allocated profit center.
Establishing the IT function as an unallocated cost center is the commonly-used approach. IT is considered as a free resource to the users.
The advantages of this approach are as follows:
  • User requests can be stimulated.
  • It is easier for IT staff to promote their services because the controversy over the IT charge-out process is avoided.
  • Both IT staff and users need not spend large amounts of resources to calculate, discuss and negotiate the charges involved for each request and job.
The disadvantages of this approach are as follows:
  • The users consider IT as free resources and they may submit any request without serious consideration. Based on my experience, users change their requests frequently and a lot of requested systems are not used finally.
  • Faced with limited staff or financial resources, IT resource allocation decisions may become politicized as there is no charge out system.
  • The unallocated cost center approach also insulates the IT department from competitive pressures and external measurement of performance, permitting the hiding of operational inefficiencies.

Research Method

Diversity of research topics in ITG

Recent ITG research focuses mostly on ITG frameworks (centralized, decentralized, hybrid or federal) for effective management of IT resources. It shows how organizations select ITG forms based on where they locate decision-making authority for the principal IT activities: business use of IT assets, project management, the design of specific IT infrastructures and, above all, long-term business planning. The factors that shape this choice include the structure of corporate governance, government regulations and policies, global and local market competition, organizational culture, and organizational IT competence.

[Figure: number of ITG papers published by research methodology (case study and other methodologies)]

IT Governance Tools from Cobit, ITIL to ISO27001

This comparison is taken from the paper "IT Governance: Reviewing 17 IT Governance Tools and Analysing the Case of Novozymes A/S" by Michael Holm Larsen. Most of the standards and frameworks can be used at no cost. The IT governance classification of some tools for working on different processes with different methodologies is shown in this example case.

1. Research the business evaluation criteria
2. Learn the business problem domain
3. Identify the problem
4. Apply a suitable methodology to reach a decision
5. Implement the solution to the problem
6. Iterate the above process

Methodology for 3 major processes:
Decision-Making Processes

SAS70 is an auditing standard designed to enable an independent auditor to evaluate and issue an opinion on a service organization’s controls. Statement on Auditing Standards, No. 70 (SAS70) for Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS70 audit (www.sas70.com) is widely recognized, because it represents that a service organization has been through an in-depth audit by an independent accounting and auditing firm of their control activities, which generally include controls over information technology and related processes. Organizations must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. Control objectives and control activities should also be organized in a manner that allows the user auditor and user organization to identify which controls support the assertions in the user organization’s financial statements, e.g. existence, occurrence, completeness, valuation, etc.
Control Objectives for Information and Related Technology (COBIT) has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices (Lainhart 2000). The tools include: (1) Performance Measurement elements, i.e. outcome measures and performance drivers for all IT processes, (2) A list of Critical Success Factors (CSF) that provides succinct, non-technical best practices for each IT process, and (3) Maturity Models to assist in benchmarking and decision-making for capability improvements.
IT Governance Review
Weill & Ross (2004) suggest that an IT Governance review contains the following activities (1) Mapping the organizations current governance with the tools of a Governance Design Framework (GDF) and a Governance Arrangements Matrix (GAM). (2) Comparing the GDF and GAM, (3) Auditing IT Governance Mechanisms, (4) Designing the To-Be Governance Structure, (5) Transform to the To-Be version of the GDF and GAM of the organization, and focus on communicating, teaching, convincing, refining, and measuring the success of IT Governance. Alternative mechanisms for design of IT Governance scenarios are proposed by Meyer (2004).
IT Governance Assessment
Weill & Ross (2004:119) suggest a framework for assessing IT Governance Performance. As IT Governance is defined as specifying the decision rights and accountability framework to encourage desirable behaviour in IT usage (Weill & Ross 2004), governance performance must then be assessed as how well the governance arrangements encourage desirable behaviours, i.e. how well the organisation achieves it’s desired performance goals. Hence, the framework proposes that IT Governance should address five important factors, which are: enterprise setting, governance arrangements, governance awareness, governance performance, and financial performance.
IT Governance Checklist
Damianides (2005) suggests a checklist for IT Governance containing a set of 44 diagnostic questions. For each of the questions, the extent to which it relates to (a) IT Value Delivery, (b) IT Strategic Alignment, (c) Risk Management, and/or (d) Performance is specified. The questionnaire contains 3 subgroups, i.e. to uncover IT issues, to find out how management addresses the IT issue, and a self-assessment of IT Governance practice with regard to the board and management.
IT Governance Assessment Process (ITGAP) Model
Peterson (2004) suggests a four stage process for assessing IT Governance. The process contains the following steps: (1) describe and assess IT Governance value drivers, (2) describe and assess the differentiation of IT decision making authority for the portfolio of IT activities, (3) describe and assess the capabilities of IT Governance, and (4) describe and assess IT value realisation.
IT Service CMM
IT Service CMM is a maturity growth model aimed at IT Service providers (Niessink 2003). IT Service CMM is a development of the CMM for software development and incorporates similar maturity stages. Moreover, the IT Service CMM originates from the efforts to develop a quality improvement framework in order for service organisations to improve service quality (Niessink & van Vliet 1998). The model does not measure the maturity of individual services, projects or organisational units. Rather, the model measures the maturity of the whole service organisation covering the service delivery process, i.e. including all activities involved in creating the result for the customer, starting from identifying the needs of the customer until evaluating the delivered services (Niessink et al. 2005). The model does not cover the development of new services.

Core Business Processes

Information Technology Infrastructure Library (ITIL) is the world-wide de facto standard in Service Management. ITIL provides a comprehensive, consistent volume of best practices drawn from the collective experience of thousands of IT practitioners around the world. ITIL focuses on critical business processes and disciplines needed for delivering high-quality services. Out of the ITIL framework, the British Standard BS15000 has emerged. BS15000 is the world’s first standard for managing IT services. All activity is classified under two broad umbrellas, i.e. Service Management and Service Delivery. This approach defines IT quality as the level of alignment between IT services and actual business needs. As a result, organizations can mature their best practices without regard to specific technologies.
The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization’s software development process. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes. CMM was developed and is promoted by the Software Engineering Institute (SEI), a research and development center sponsored by the U.S. Department of Defense (DoD). The CMM suggests 5 Maturity Levels of Software Processes (Mathiassen & Sørensen 1996), i.e. the initial, repeatable, defined, managed and optimizing level. Over the years CMM has been developed further by integrating the different activities, i.e. CMM Integration (CMMI). Whereas CMM is based on the classical waterfall model, CMMI addresses iterative development and is more result-oriented.
IT Audit
Sisco (2002) argues that an IT review should contain three main areas to focus the evaluation, i.e.:
(1) Technology: identifying capability to meet company needs, stability, capacity and scalability, security, and risks.
(2) IT organization: expertise and depth needed to support the business needs, management, morale, capacity, and risks.
(3) IT processes: change management, software licenses, project management, policies and procedures regarding technology, and tracking and measuring performance. As a technology organization has many functional parts, a quantification of the IT organisational structure will include (Sisco 2002):
(a) Infrastructure. Networks, i.e. LAN, WAN, and desktop support.
(b) Business applications. Research & development, and support, including installation services, professional services, help desk, computer center operations, technology assets, business processes and procedures.

IT Due Diligence
Sisco (2002b) states that the due diligence objective needs to be clearly defined. Sisco (2002b) suggests that an IT due diligence plan should be broken down to seven parts, i.e.:
(1) Current IT operation,
(2) Risks and risk avoidance plans,
(3) Financial plan (expected cost and budget to continue operation),
(4) Capital investment requirements,
(5) Leverage opportunities and recommended plans,
(6) Transition plan,
(7) The due diligence report.

Support Processes

ISO 17799
The ISO 17799 or the counterpart of British Standard BS 7799 is a standard for information security including a comprehensive set of controls and best practices in information security. The standard is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce. Compliance with ISO 17799 and BS7799 ensures that an organisation has established a certain compliance level for each of the ten categories covered (Ma & Pearson 2005), i.e. security policy, security organisation, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance (ISO 2000, BS 2002).
The SysTrust service is an assurance service that was jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is designed to increase the comfort of management, customers, and business partners with systems that support a business or particular activity (Pacini et al. 2000). In a SysTrust engagement (McPhie 2000), the practitioner evaluates and tests whether or not a specific system is reliable when measured against three essential principles: availability, security, and integrity.
Application Services Library (ASL) is a collection of best practice guidance for managing application development and maintenance. It is the public domain standard for application management, separate from the IT Infrastructure Library (ITIL), but linked to it in terms of adherence to standards for managing processes and providing a coherent, rigorous, public domain set of guidance (Bastiaens 2004, van der Pols 2004). ASL is a part of the IT Service Management (ITSM) Library. ASL recognises three types of control, i.e. functional, application and technical control. Where the Information Technology Infrastructure Library (ITIL) is a generally accepted standard for organizing technical management, the Application Services Library (ASL) offers a framework for the organization of application management (Meijer 2003).
PRINCE, which stands for Projects IN Controlled Environments, is a project management method covering the organisation, management and control of projects. PRINCE was first developed as a UK Government standard for IT project management. Since its introduction, PRINCE has become widely used in both the public and private sectors and is now the UK’s de facto standard for project management. Although PRINCE was originally developed for the needs of IT projects, the method has also been used on many non-IT projects. The latest version of the method, PRINCE2, is designed to incorporate the requirements of existing users and to enhance the method towards a generic, best practice approach for the management of all types of projects (OGC 2005).
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the organization (SOX 2002). The legislation not only affects the financial side of corporations, but also affects the IT departments whose job is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records (Alles et al. 2004), including electronic records and electronic messages, must be saved for not less than five years. The consequences for non-compliance are fines, imprisonment, or both. Hence, Sarbanes-Oxley compliance has significant implications for the IT function (Moore & Swartz 2003). The Sarbanes-Oxley requirements are increasingly integrated with enterprise risk management initiatives (Beasley et al. 2004, Sammer 2004).
Ref: Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-35’02)
0-7695-1435-9/02 $17.00 © 2002 IEEE
Ref:Proceedings of the 39th Hawaii International Conference on System Sciences - 2006



Why is ITG Important?

Information Technology Governance is the medium between corporate governance and IT support. ITG sets out the work that helps the business with long-term corporate planning, such as the research process, learning the business domain, methodology tools, adaptations and the development of ITG frameworks.

Many of these things are determined by the buy-or-make problem domain, cost and profit, and the allocation/unallocation problem; the main objective is to make the corporation grow without the traditional limited boundaries.
In the following we give some examples to analyse:


Strategic IT Alignment
Strategic IT alignment ensures that IT services and investments meet business objectives that are outcomes of strategic planning. Information technology is “aligned” when IT management allocates resources and undertakes projects in coordination with the bureaus’ strategic plans and business objectives and the City’s strategic vision. Strategic IT alignment is only possible when bureaus have strategic plans and specific business objectives in place.

Value Delivery
The IT department demonstrates value to the bureaus when it completes projects as specified, on-time, and within budget. The IT department also delivers value by meeting customer expectations for basic IT services such as e-mail and internet access. To deliver value, IT expenditures and the return on IT investments need to be managed and evaluated.

Risk Management
Internal controls and policies enable the IT department to assess and control the many risks related to IT projects.

Resource Management
The IT department needs to manage its resources to optimize resource value. Staff, customers, vendors, hardware, software and relationships are resources that need to be managed.

Performance Measurement
Performance measurement demonstrates how well the IT department accomplishes its objectives and identifies under-performing areas. Performance measurement allows for continual organizational improvement.

Ref: Board Briefing on IT Governance, IT Governance Institute

1. Transparency and Accountability
- Improved transparency of IT costs, IT process, IT portfolio (projects and services).
- Clarified decision-making accountabilities and definition of user and provider relationships.

2. Return on Investment/Stakeholder Value
- Improved understanding of overall IT costs and their input to ROI cases.
- Combining focused cost-cutting with an ability to reason for investment.
- Stakeholders allowed to see IT risk/returns.
- Improved contribution to stakeholder returns.
- Enhancement and protection of reputation and image.

3. Opportunities and Partnerships
- Provide route to realise opportunities that might not receive attention or sponsorship.
- Positioning of IT as a business partner (and clarifying what sort of business partner IT is).
- Facilitate joint ventures with other companies.
- Facilitate more businesslike relationships with key IT partners (vendors and suppliers).
- Achieve a consistent approach to taking risks.
- Enables IT participation in business strategy (which is then reflected in IT strategy) and vice versa.
- Improve responsiveness to market challenges and opportunities.

4. Performance Improvement
- Achieve clear identification of whether an IT service or project supports “business as usual” or is intended to provide future added value.
- Increased transparency will raise the bar for performance, and advertise that the bar should be continuously raised.
- A focus on performance improvement will lead to attainment of best practices.
- Avoid unnecessary expenditures – expenditures are demonstrably matched to business goals.
- Increase ability to benchmark.

5. External Compliance
- Enables an integrated approach to meeting external legal and regulatory requirements


Finance Capital Budgeting decision Similar the IT Function trend to be cost center or profit center can define by Capital Budgeting NPV – Net Present Value concept

In Financial process of allocating or budgeting capital is usually more involved than just deciding whether to buy a particular fixed asset. Determine the nature of a firm’s operations and products for years to come, primarily because fixed asset investments are generally long-lived and not easily reversed once they are made.
Also the most fundamental decision a business must make concerns its product line.
What services will we offer or what will we sell? In what markets will we compete? What new products will we introduce? These questions will require that the firm commit its scarce and valuable capital to certain types of assets. Strategic Asset Allocation

Now that business processes can be virtualised into IT products, ERP systems and services, the CIO, MIS and IT managers need to be more concerned with the organization and develop schemes to price them. The NPV concept can also be applied to IT services, because every IT component is a possible investment: some options are valuable and some are not, and telling them apart is the essence of successful IT governance.
We argued that the goal of management control of the IT function is to create value in the business. The IT manager must thus examine a potential IT investment in light of its likely effect on the costs of the firm, including maintenance and security.

Think about it: can the IT department replace another department in the daily business process?


Outsourcing is the most common decision-making analysis, and it also occurs in IT management.
Analysts continue to predict increased growth for the IT outsourcing industry.
As noted previously, Gartner Dataquest has forecast that the $536 billion worldwide IT services industry will grow through 2007 to reach $707 billion, a compound annual growth rate of 5.7 percent.
Ref: Worldwide IT Services Market Forecast, 2002–2007 (Executive Summary).

Similarly, IDC expects the worldwide IT outsourcing market to grow 7.7 percent a year over the next five years, to reach nearly $100 billion in sales in 2007.
Ref: CNET News.com, October 1, 2003, Report: "Big Blue Still Biggest in IT Outsourcing."
Major trends in the IT outsourcing industry normally follow certain patterns. One of them is called Business Process Outsourcing: companies are looking at almost every non-core function to determine the feasibility of outsourcing that function to a third party.

Decisions need to be made about:
  • Human resources
  • Procurement
  • Finance and accounting
  • Call centers
  • Claims processing
  • Facilities management
  • Logistics, etc.
All of these issues need to be handled by the MIS or CIO, to maximise profit and minimise cost across all IT components.

Ref: Information Science Reference, Hershey • New York
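As an added example (not from the original page or its sources), the NPV concept above applied to the IT investment and outsourcing decisions just discussed: three constructed options, each carrying its own maintenance and security cost lines, ranked by NPV at an assumed 10% discount rate.

```python
"""Applying the NPV concept to IT investment and outsourcing decisions.

Added example, not part of the original page.  All options, cash flows
and the 10% discount rate are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ITOption:
    """One way of providing an IT capability (e.g. in-house vs outsourced).

    Yearly lists cover years 1..n; the initial investment falls in year 0.
    Security cost is kept as its own line so it is not forgotten when the
    'cost of the firm' is estimated, as the text above requires.
    """
    name: str
    initial_investment: float
    annual_benefit: List[float]
    annual_maintenance: List[float]
    annual_security: List[float]

    def net_cash_flows(self) -> List[float]:
        """Year 0 is the outlay; each later year is benefit minus
        maintenance minus security cost."""
        flows = [-self.initial_investment]
        for benefit, maint, sec in zip(self.annual_benefit,
                                       self.annual_maintenance,
                                       self.annual_security):
            flows.append(benefit - maint - sec)
        return flows


def npv(cash_flows: List[float], rate: float) -> float:
    """Net present value: sum over t of CF_t / (1 + rate)^t, t = 0..n."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def rank_options(options: List[ITOption], rate: float) -> List[Tuple[str, float]]:
    """Rank options by NPV, highest first.  Only options with NPV > 0
    create value; a negative NPV means the investment destroys value."""
    scored = [(opt.name, round(npv(opt.net_cash_flows(), rate), 2))
              for opt in options]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def sensitivity(option: ITOption, rates: List[float]) -> Dict[float, float]:
    """NPV of one option at several discount (hurdle) rates, showing how
    sensitive the accept/reject decision is to the rate chosen."""
    flows = option.net_cash_flows()
    return {r: round(npv(flows, r), 2) for r in rates}


def example_options() -> List[ITOption]:
    """Constructed five-year scenarios (not real figures)."""
    years = 5
    return [
        ITOption("In-house ERP", 500_000,
                 [250_000] * years, [40_000] * years, [30_000] * years),
        ITOption("Outsourced BPO", 100_000,
                 [200_000] * years, [120_000] * years, [20_000] * years),
        ITOption("Legacy rewrite", 300_000,
                 [90_000] * years, [25_000] * years, [15_000] * years),
    ]


if __name__ == "__main__":
    options = example_options()
    for name, value in rank_options(options, 0.10):
        verdict = "accept" if value > 0 else "reject"
        print(f"{name:15s} NPV = {value:>12,.2f}  -> {verdict}")
    print(sensitivity(options[0], [0.05, 0.10, 0.15, 0.20]))
```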


Control Architecture [Continuous]

2. [g1-5006]
Cost centre: a part of the organization to which expenditure is attributed. For example, a cost center can be a program cost center, a project, Research and Development, or an organizational unit such as a department or college.
A cost centre has a negative impact on profit, so it is rolled back when budgets are cut. [1]

Allocated Cost-Center:
IT cost is allocated or charged out to program cost center, a project, Research and Development or an organizational unit such as a department or college.
A fully allocated cost model consists of three basic steps:
1) Assemble expense, revenue and operations data;
2) Assign line item expense accounts;
3) Calculate average unit costs. [2]


Figure: formula for calculating the allocated cost
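As an added example that is not from the page or from reference [2], the three steps of the fully allocated cost model carried out on constructed expense and usage data; an expense line with no usage driver is held back as unallocated rather than forced onto a department.

```python
"""Fully allocated cost model in the three steps described above.

Added example, not taken from the page or from reference [2].  All
accounts, cost pools, departments and amounts are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Step 1: assemble expense and operations data.
# Expense line items: (account, description, amount, cost pool or None).
# A pool of None marks an item that has no usage driver (unallocated).
EXPENSES: List[Tuple[str, str, float, Optional[str]]] = [
    ("6010", "Helpdesk salaries",           240_000.0, "support"),
    ("6020", "Server hosting and power",     90_000.0, "hosting"),
    ("6030", "Endpoint licences",           120_000.0, "seats"),
    ("6040", "Security monitoring service",  60_000.0, "seats"),
    ("6050", "Vulnerability scanning",       30_000.0, "hosting"),
    ("6090", "CIO office",                   50_000.0, None),
]

# Operations data: driver units consumed by each department (cost object).
DRIVERS = {"support": "tickets", "hosting": "servers", "seats": "seats"}
USAGE: Dict[str, Dict[str, int]] = {
    "Finance": {"support": 600, "hosting": 10, "seats": 50},
    "Sales":   {"support": 900, "hosting": 5,  "seats": 120},
    "R&D":     {"support": 500, "hosting": 35, "seats": 80},
}


def pool_totals(expenses) -> Tuple[Dict[str, float], float]:
    """Step 2: assign each line item account to its cost pool.
    Returns (pool -> total, unallocated total)."""
    pools: Dict[str, float] = defaultdict(float)
    unallocated = 0.0
    for _account, _desc, amount, pool in expenses:
        if pool is None:
            unallocated += amount
        else:
            pools[pool] += amount
    return dict(pools), unallocated


def unit_costs(pools: Dict[str, float], usage) -> Dict[str, float]:
    """Step 3a: average unit cost = pool total / total driver units.
    A pool nobody consumed gets a zero rate (nothing to spread it over)."""
    units: Dict[str, int] = defaultdict(int)
    for dept_usage in usage.values():
        for pool, n in dept_usage.items():
            units[pool] += n
    return {pool: (total / units[pool] if units[pool] else 0.0)
            for pool, total in pools.items()}


def allocate(usage, rates: Dict[str, float]) -> Dict[str, float]:
    """Step 3b: charge each department its units x unit cost, per pool."""
    return {dept: sum(n * rates.get(pool, 0.0) for pool, n in dept_usage.items())
            for dept, dept_usage in usage.items()}


def reconcile(charges: Dict[str, float], pools: Dict[str, float]) -> bool:
    """Control check: a fully allocated model must charge out exactly the
    total of the allocable pools, otherwise some cost has leaked."""
    return abs(sum(charges.values()) - sum(pools.values())) < 0.01


if __name__ == "__main__":
    pools, unallocated = pool_totals(EXPENSES)
    rates = unit_costs(pools, USAGE)
    charges = allocate(USAGE, rates)
    for pool, rate in rates.items():
        print(f"{pool:8s} {rate:10,.2f} per {DRIVERS[pool]}")
    for dept, charge in charges.items():
        print(f"{dept:8s} charged {charge:12,.2f}")
    print(f"unallocated (no driver): {unallocated:,.2f}")
    print("reconciles:", reconcile(charges, pools))
```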

Unallocated Cost-Center
Costs that cannot be directly allocated to a program cost center, a project, Research and Development or an organizational unit. All service and administrative personnel time is free to users. [3]
Video: cost allocation

Profit centres: a part of the organization that contributes directly to corporate profit and is accountable for both revenues and costs. Managerial responsibility is broader here, because the manager has to drive sales revenue as well as the activities that generate cash inflows and outflows. Profit centre management is therefore more challenging than cost centre management. A profit centre may be organized separately from the main office so that the profit it makes can be measured and determined individually. This also lets companies compare the relative efficiency and profit of each office. [4]

[1] www.humboldt.edu/~fiscal/frsdef.shtml
[2] http://www.kutc.ku.edu/~kutc/pdffiles/FS5CostAllo.pdf
[3] http://www.dot.state.mn.us/safinance/sa_manual/chapter10.pdf
[4] http://en.wikipedia.org/wiki/Profit_centre

Valuation Methods

Cost-based value:
Income is equal to expenses.
It assumes that costs have a direct impact on the value of the IPR (intellectual property rights). It is based on an analysis of the costs of replacing the IPR concerned, and of the costs invested in its development, application, maintenance and commercialisation. The disadvantage is that it ignores IPR market indicators, so it does not establish a fair relationship between IPR costs and the real market value of the IPR.
Market-based value:
The market value is determined by multiplying the quoted share price of the company by the number of issued shares.
It assesses IPR market value by reference to comparable market transactions: it consists of assessing the prices and profits achieved by third parties in comparable market transactions.
Negotiated value:
The buyer and seller negotiate with each other and then determine the price for the new services.

The Organizational Control Process


The control process involves collecting information about a system, process, person, or group of people in order to make the necessary decisions. Administrators follow four steps to set up control systems:

  • Establish standards to measure performance. Administrators define goals for organizational departments within the organization's overall strategic plan. These goals are then expressed in operational terms as standards of performance against which organizational activities are compared.

  • Measure actual performance. Administrators regularly review performance measurement reports. These reports should relate to the standards set in the first step of the control process. For example, if worker growth is a target, the organization should have a means of gathering and reporting the relevant data.

  • Compare performance with the standards. As administrators read the reports or walk through their plants, they identify whether actual performance meets, exceeds, or falls short of standards. Typically, performance reports simplify such comparison by placing the performance standards for the reporting period alongside the actual performance for the same period and by computing the variance—that is, the difference between each actual amount and the associated standard.

  • Take corrective actions. When performance does not meet the standards, administrators must determine what changes are needed. In a productivity- and quality-centered environment, workers and managers are often allowed to evaluate their own work. After the evaluator determines the cause or causes of deviation, the fourth step is performed. The most effective course may be prescribed by policies or may be best left to employees' judgment and initiative.


Financial Report Process


This is related to budgeting and reporting. The following diagram shows the flows of inputs and outputs.

Non-financial Reporting Process

  1. Reports which monitor personnel turnover and training. This control allows timely action on leadership, adequacy of salary levels, workplace climate (morale), and staff professional development.
  2. Reports which measure operational service levels. The diagram below illustrates the flow. (Figure: operationMgt.jpg)
  3. Reports which are related to systems development projects. These provide a critical early warning system for assessing overall performance. The diagram below illustrates the flow. (Figure: applicationMgt.jpg)

Why Control Process is important?


  1. Control is a primary management responsibility.
  2. Uncontrolled events can be subtle and very damaging.
  3. The firm relies on IT for many control processes.
  4. Law requires controls in public corporations.
  5. Controls assist organizations in protecting assets.
  6. Environmental and executive pressure require controls.
  7. Technology introduction requires controlled processes.

Carroll W. Frenzel, “Management of Information Technology”, 3rd edition, Course Technology, 1999

IT Audit Function


The purpose of IT audit
An IT audit is not the same as a financial statement audit. The primary functions of an IT audit are to evaluate the system's efficiency and security protocols, in particular to evaluate the organization's ability to protect its information assets and properly dispense information to authorized parties. The IT audit focuses on determining the risks that are relevant to information assets, and on assessing the controls that reduce those risks.

Types of IT Audits
1. IT Assessment & Network Security Review: a general assessment of the security processes for the network and all attached computing equipment, identifying computer security best practices.
2. Technological innovation process audit. This audit constructs a risk profile for existing and new projects. It assesses the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product.
3. Innovative comparison audit. This audit analyses the innovative abilities of the company being audited in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
4. Application Controls Review: evaluation of the control objectives of security, privacy, data integrity, effectiveness, and efficiency of the application in conjunction with policies, industry best practices, and federal legislation.
5. Controls Self Assessment: a facilitated assessment to identify the gaps between current policies, procedures, systems, and computer operations requirements and the best practices encouraged by ISC and industry standards. Topics cover IT control areas including IT Strategy, IT Project Management, Delivery and Support, Physical and Logical Security, Disaster Recovery and Business Contingency Planning, and Privacy.
6. Software License Compliance Review: an assessment of computing workstations to validate that software is properly licensed.

IT Audit Process
1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up

IT Audit Process Overview
The auditor needs to plan and conduct the audit so that audit risk is reduced to an acceptable level. The auditor should perform the following steps to decrease audit risk:

  • _Obtain an Understanding of the Organization and its Environment:_ The understanding of the organization and its environment is used to assess the risk and to set the scope of the audit. The auditor should understand the information on the entity, management, governance, objectives and strategies, and business processes.
  • _Identify Risks that May Result in Material weakness:_ The business risks of organization must be evaluated by the auditor. An organization’s business risks can change due to new personnel, new or restructured information systems, corporate restructuring, and rapid growth to name a few.
  • _Evaluate the Organization’s Response to those Risks:_ Once the auditor has evaluated the organization’s response to the assessed risks, the auditor should then obtain evidence of management’s actions toward those risks. The organization’s response to any business risks will impact the auditor’s assessed level of audit risk.
  • _Assess the Risk of Material Misstatement:_ The auditor assesses the risk of material weakness and determines specific audit procedures that are necessary based on that risk assessment.
  • _Evaluate Results and Issue Audit Report:_ At this level, the auditor determines whether the assessments of risk were appropriate and whether sufficient evidence was obtained. The auditor then issues an audit report based on the findings.

Phases of an IT Audit
The audit process can be broken down into the following audit phases:

1. Addressing the responsibility

This will allow the auditor to set the scope and objectives of the relationship between the auditor and the organization. The engagement letter should address the responsibility (scope, independence, deliverables), authority (right of access to information), and accountability (auditees’ rights, agreed completion date) of the auditor.

2. Preliminary Review

This phase of the audit allows the auditor to gather organizational information as a basis for creating their audit plan. The preliminary review will identify an organization’s strategy and responsibilities for managing and controlling computer applications. An auditor can provide an in depth overview of an organization’s accounting system to establish which applications are financially significant at this phase. Obtaining general data about the company, identifying financial application areas, and preparing an audit plan can achieve this.

3. Establish Materiality and Assess Risks

In order to plan the audit, a preliminary judgment about materiality and assessment of the client’s business risks are made to set the scope of the audit.

4. Plan the Audit

Proper planning of the audit will ensure the audit is conducted in an effective and efficient manner. When developing the audit plan, the auditor should take into consideration the results of their understanding of the organization and the results of the risk assessment process.

5. Consider Internal Control

An internal control system should be designed and operated to provide reasonable assurance that an organization’s objectives are being achieved in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
To develop their understanding of internal controls, the auditor should consider information from previous audits, the assessment of inherent risk, judgments about materiality, and the complexity of the organization’s operations and systems.
Once the auditor develops their understanding of an organization’s internal controls, they will be able to assess the level of their control risk (the risk a material weakness will not be prevented or detected by internal controls).

6. Perform Audit Procedures

Audit procedures are developed based on the auditor’s understanding of the organization and its environment. A substantive audit approach is used when auditing an organization’s information system.

7. Issue the Audit Report

Once audit procedures have been performed and results have been evaluated, the auditor will issue either an unqualified or qualified audit report based on their findings.


IT Audit Roles and Responsibilities



The board of directors and senior management are responsible for ensuring that the institution’s system of internal controls operates effectively. One important element of an effective internal control system is an internal audit function that includes adequate IT coverage.
To meet its responsibility of providing an independent audit function with sufficient resources to ensure adequate IT coverage, the board of directors or its audit committee should:

  • Provide an internal audit function capable of evaluating IT controls,
  • Engage outside consultants or auditors to perform the internal audit function, or
  • Use a combination of both methods to ensure that the institution has received adequate IT audit coverage.

An institution’s board of directors may establish an “audit committee” to oversee audit functions and to report on audit matters periodically to the full board of directors. For purposes of this booklet, the term “audit committee” means the committee with audit oversight regardless of the type of financial institution. Audit committee members should have a clear understanding of the importance and necessity of an independent audit function.

The board of directors should ensure that written guidelines for conducting IT audits have been adopted. The board of directors or its audit committee should assign responsibility for the internal audit function to a member of management (hereafter referred to as the “internal audit manager”) who has sufficient audit expertise and is independent of the operations of the business.

The board should give careful thought to the placement of the audit function in relation to the institution's management structure. The board should have confidence that the internal audit staff members will perform their duties with impartiality and not be unduly influenced by senior management and managers of day-to-day operations. Accordingly, the internal audit manager should report directly to the board of directors or its audit committee.

The board or its audit committee is responsible for reviewing and approving audit strategies (including policies and programs), and monitoring the effectiveness of the audit function. The board or its audit committee should be aware of, and understand, significant risks and control issues associated with the institution’s operations, including risks in new products, emerging technologies, information systems, and electronic banking. Control issues and risks associated with reliance on technology can include:
  • Inappropriate user access to information systems,
  • Unauthorized disclosure of confidential information,
  • Unreliable or costly implementation of IT solutions,
  • Inadequate alignment between IT systems and business objectives,
  • Inadequate systems for monitoring information processing and transactions,
  • Ineffective training programs for employees and system users,
  • Insufficient due diligence in IT vendor selection,
  • Inadequate segregation of duties,
  • Incomplete or inadequate audit trails,
  • Lack of standards and controls for end-user systems,
  • Ineffective or inadequate business continuity plans, and
  • Financial losses and loss of reputation related to systems outages.

The board or its audit committee members should seek training to fill any gaps in their knowledge related to IT risks and controls. The board of directors or its audit committee should periodically meet with both internal and external auditors to discuss audit work performed and conclusions reached on IT systems and controls.


The internal audit manager is responsible for implementing board-approved audit directives. The manager oversees the audit function and provides leadership and direction in communicating and monitoring audit policies, practices, programs, and processes. The internal audit manager should establish clear lines of authority and reporting responsibility for all levels of audit personnel and activities. The internal audit manager also should ensure that members of the audit staff possess the necessary independence, experience, education, training, and skills to properly conduct assigned activities.

The internal audit manager should be responsible for internal control risk assessments, audit plans, audit programs, and audit reports associated with IT. Audit management should oversee the staff assigned to perform the internal audit work, should establish policies and procedures to guide the audit staff, and should ensure the staff has the expertise and resources to identify inherent risks and assess the effectiveness of internal controls in the institution’s IT operations.


The primary role of the internal IT audit staff is to assess independently and objectively the controls, reliability, and integrity of the institution’s IT environment. These assessments can help maintain or improve the efficiency and effectiveness of the institution’s IT risk management, internal controls, and corporate governance.

Internal auditors should evaluate IT plans, strategies, policies, and procedures to ensure adequate management oversight. Additionally, they should assess the day-to-day IT controls to ensure that transactions are recorded and processed in compliance with acceptable accounting methods and standards and are in compliance with policies set forth by the board of directors and senior management. Auditors also perform operational audits, including system development audits, to ensure that internal controls are in place, that policies and procedures are effective, and that employees operate in compliance with approved policies. Auditors should identify weaknesses, review management’s plans for addressing those weaknesses, monitor their resolution, and report to the board as necessary on material weaknesses.

Auditors should make recommendations to management about procedures that affect IT controls. In this regard, the board and management should involve the audit department in the development process for major new IT applications. The board and management should develop criteria for determining those projects that need audit involvement. Audit’s role generally entails reviewing the control aspects of new applications, products, conversions, or services throughout their development and implementation. Early IT audit involvement can help ensure that proper controls are in place from inception. However, the auditors should be careful not to compromise, or even appear to compromise, their independence when involved in these projects.


Operating management should formally and effectively respond to IT audit or examination findings and recommendations. The audit procedures should clearly identify the methods for following up on noted audit or control exceptions or weaknesses. Operating management is responsible for correcting the root causes of the audit or control exceptions, not just treating the exceptions themselves. Response times for correcting noted deficiencies should be reasonable and may vary depending on the complexity of the corrective action and the risk of inaction. Auditors should document, report, and track recommendations and outstanding deficiencies. Additionally, auditors should conduct timely follow-up audits to verify the effectiveness of management’s corrective actions for significant deficiencies.


External auditors typically review IT control procedures as part of their overall evaluation of internal controls when providing an opinion on the adequacy of an institution's financial statements. As a rule, external auditors review the general and application controls affecting the recording and safeguarding of assets and the integrity of controls over financial statement preparation and reporting. General controls include the plan of organization and operation, documentation procedures, access to equipment and data files, and other controls affecting overall information systems operations. Application controls relate to specific information systems tasks and provide reasonable assurance that the recording, processing, and reporting of data are properly performed.
External auditors may also review the IT control procedures as part of an outsourcing arrangement in which they are engaged to perform all or part of the duties of the internal audit staff. Such arrangements are discussed in more detail in the “Outsourcing Internal IT Audit” section of this booklet.
The extent of external audit work, including work related to information systems, should be clearly defined in an engagement letter. Such letters should discuss the scope of the audit, the objectives, resource requirements, audit timeframe, and resulting reports. Examiners will typically review the engagement letter, reports, and audit work papers to determine the extent to which they can rely on external audit coverage and reduce their examination scope accordingly.

IT Governance Defined

1. [g1-4939]
Responsibility of the board of directors:
  • Protect shareholder value
  • Ensure risk transparency
  • Make decisions on IT investments, opportunities, benefits and risks
  • Align IT with the business
  • Maintain current operations and prepare for the future
  • Is a part of a global governance structure

IT governance, like other governance subjects, is the responsibility of executives and shareholders. It consists of the leadership, organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives.


IT Governance Defined [Continuous]


We apply governance to IT investments, change projects and service delivery. Extending governance to include the systems themselves can give us the management tool we need to overcome many persistent problems in IT.

IT governance means different things to different people.

  • Governance is used to describe the processes for deciding how money should be spent. It includes prioritisation and justification of investments. It includes controls on spending such as budgets and authorisation levels.

  • Governance is used to describe many different aspects of IT change. At the low level, it is sometimes used to describe project management and control. More often it is used to describe the management and controls of a portfolio of projects. It is used to make sure that IT change processes comply with regulatory requirements. Sometimes it covers the deployment of IT staff. Governance aligns IT change and expenditure to business change and expenditure.

  • Governance is also used to describe the management and control of IT services. Service Level Agreements (SLAs) are used to define levels of service that are acceptable to business, and then used as a basis for monitoring services. Governance makes sure that day-to-day problem fixing and support are aligned to business needs.

We can summarize that IT governance involves the following:

  • Control of the work.
  • Co-ordination between different pieces of work.
  • Measurement of outcome.
  • Compliance with internal policy or regulation.
  • Justification of spending.
  • Accountability and transparency.
  • Connecting with the needs of customers, the broader organisation, and other stakeholders.

IT governance in its various forms achieves this type of management for IT investments, change projects and service delivery. Sometimes, however, IT governance does not apply governance to the systems themselves.

Why is IT governance important?

1. [g1-0800]

Most organisations depend critically on the successful deployment of their information and communication systems, to help them deliver efficient and effective operations and to help them achieve the changes they need in order to translate strategic plans into actions. Too often, organisations focus on their IT strategies, policies and budgets, without recognising that without good governance, these are unlikely to be translated into the desired results.

If IT is not governed properly, things can go badly wrong. For example:
  • Issues and problems are buried and stay buried
  • By the time problems emerge, it is often too late to address them properly, so programmes and projects slip
  • Costs rise beyond what is budgeted, and unless the programme, project or operational capability is protected, it will have to be descoped in order to remain within budget. Even if the budget is increased, the problems caused by the rising costs and slippages may never be solved, so that the resulting programme is weak as well as late.
  • When management confidence is lost the programme may be cut dramatically, to focus on minimal deliverables, then may be gradually rebuilt over time as confidence returns. However, meanwhile the organisation will have suffered.
  • User departments suffer budget freezes until the programme starts to deliver again, so cannot provide alternatives or progress elsewhere
  • Final solutions are often extremely scaled down, or are completely written-off

Key Questions before starting IT governance


Setting Direction:
The articulation of mission, vision, values and purpose. Key questions are: Where are we going? Why are we going there? What IT architecture are we aligning to? How are we getting there? How do we know we are arriving?

Building Commitment:
Involves building organizational commitment to the strategy and the creation of mutual trust, inclusion, and accountability. Key questions are: Why should we make the changes required by the strategy? How can we stay together? How can we work better as a group? What can improve cooperation?

Creating Alignment:
It is all about finding common ground and creating a governance that ensures all critical decisions advance and sustain the strategy. Key questions are: How do we make sure IT resources are maximized to achieve our direction? What are the most critical decisions? How do we clarify decision making so that it is as effective and efficient as possible? How do we better partner with our customers, vendors, and service providers?

Ref: http://www.itvalueconsulting.com/RiskManagement.html

Does every company need IT governance?


Every organization—large and small, public and private—needs a way to ensure that the IT function sustains the organization’s strategies and objectives. The level of sophistication you apply to IT governance, however, may vary according to size, industry or applicable regulations. In general, the larger and more regulated the organization, the more detailed the IT governance structure should be.

Ref: http://www.cio.com/article/111700/IT_Governance_Definition_and_Solutions

Alignment of business and IT

1. [g1-6880]
IT has become a common factor in how many companies do business. Nowadays, most companies do not worry about the technical problems of IT; the real problem is how to align business and IT. To align business and IT, a company should set specific goals before executing:

  • Develop and maintain good and responsive relationships with the business
  • Meet the existing IT requirements of the business
  • Are easily developed and enhanced to meet future business needs, within appropriate time scales and costs
  • Make effective and efficient use of all IT resources
  • Contribute to the improvement of the overall quality of IT service within the imposed cost constraints

IBM is one company that has succeeded in IT governance. They built their own IT governance approach, shown in the following figure:
[1] The four phases of IT/Business Alignment, http://www.cioupdate.com/insights/article.php/3446591/The-Four-Phases-of-ITBusiness-Alignment.htm
[2] IBM IT Governance Approach:Business Performance through IT Execution, http://www.redbooks.ibm.com/redbooks/pdfs/sg247517.pdf

Governance versus management

Many people believe that governance and management are synonymous, but they are not. Governance is about decision making, while management is about making sure that the enterprise's governance process is executed. In order to frame our perspective on IT governance, there is a distinction between those processes that are used to define a new process and those processes that are used to produce products, goods, and services from a given business entity.

A governance process is used to define the chains of responsibility, authority, and communication to empower people, as well as to define the measurement and control mechanisms that enable people to carry out their roles and responsibilities. Thus, a governance activity is intentionally designed to define organizational structures, decision rights, workflow, and authorization points to create a target workflow that optimally uses a business entity's resources in alignment with the goals and objectives of the business.

A management process is the output from the governance process. Unlike a governance process, a management process implements the specific chain of responsibility, authority, and communication that empowers people to do their day-to-day jobs. The management process also implements appropriate measurement and control mechanisms that give practitioners the freedom to carry out their roles and responsibilities without undue interruption by the executive team. These measurement and control mechanisms allow the executive team to monitor the execution of both the governance and management processes remotely, as well as to monitor the output quality of the management process in execution. Although subtle, the distinction between these two processes is important to retain. An awareness of this distinction should allow you to identify where these two dissimilar functions exist within your own businesses.


IT management is focused on the effective and efficient internal supply of IT services and products and the management of present IT operations.
IT governance, in turn, is much broader and concentrates on performing and transforming IT to meet present and future demands of the business and business customers.
This does not undermine the importance and complexity of IT management, but whereas elements of IT management and the supply of IT services and products can be commissioned from an external provider, IT governance is organization specific, and direction and control over IT cannot be delegated to the market.


Ref: http://servicexen.wordpress.com/2008/06/01/it-governance-vs-corporate-governance-vs-it-management/


What is I.T. Governance?

This section is based on ISO/IEC 38500 [1], the international standard for the corporate governance of information technology.

Mission of I.T. Governance:
  • Align the IT strategy with the business strategy
  • Meet the strategy and goals set for the enterprise
  • Provide organizational structures that facilitate the implementation of the strategy and goals
  • Adopt and implement an IT control framework
  • Measure information system performance

Is it suitable for every organization in Hong Kong?

First, we should understand the risks of the information system and how they affect the business. Data integrity, confidentiality (encryption) and disaster recovery consume a lot of resources on an ongoing basis, and there is no single standard solution for them. A company should therefore use a standardized IT governance framework to keep these costs under control. Whether it is a large enterprise or a small company, it can build a governance team sized to the organization to make governance more effective.

How can I convince top management that I.T. governance is needed, and how can an organization find the right candidate to carry it out?

IT governance is becoming essential in the enterprise, but how does a company choose the right candidate, and how can top management be convinced to do it? These are good questions to consider. Most companies prefer to recruit a person who holds a certification such as CISA [2], or a COBIT or ITIL qualification, but this is still a high cost for the business, and unless top management sees how it will enrich business value, they will not support it.
On the business side, the IT Governance Institute (ITGI) [6] publishes a framework called "Val IT" [5], a document that provides guidance for making the right investment choices. It covers three main domains:
  • Value Governance
  • Portfolio Management
  • Investment Management

Following these helps make IT governance more effective and meet business goals more precisely.
[1] ISO/IEC 38500
[2] CISA
[5] Val IT
[6] IT Governance Institute (ITGI)


The Origin of IT Governance

ITG focuses on the transparent and efficient management of a firm's IT resources, aiming to ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives (ITGI, 2005). ITG can be characterized by attributes such as transparency, control, effectiveness, and efficiency. These attributes are described from the perspective of two research streams, corporate governance and IT management, as shown in the figure below.
[Figure: The origin of ITG research]

Three models of IT Governance

1. [g1-8900]

Centralized - where corporate management has the cross-organizational IT decision-making authority.

Decentralized - where divisional management have IT decision-making authority for their systems, and

Hybrid or Federal - where corporate management has IT infrastructure decision-making authority for the entire organization, and divisional management has authority for their applications and system development.

1. [IT Governance-Based IT Strategy and Management: Literature Review and Future Research Directions] Junghoon Lee
2. [IT Governance:A Critical Review of the Literature] David Musson

Three models of IT Governance [Continuous]

2. [g1-3494]

Traditional approaches to IT management have included centralized, decentralized and federal which also serve as useful labels for IT governance models.

The centralized IT governance model relies on a strong, positive, capable IT steering committee that is able to interact with the board directly, or through a one-step intermediary. All infrastructure proposals emanate from this group and all IT proposals need to gain its backing. It will have substantial delegated authority. It may be chaired by the CEO, another executive director, or a senior business manager. IT risk is one of its key areas of responsibility (along with benefits and strategy) but, as a holistic approach is necessary, this will not mean that a subcommittee is formed. In each of its formal meetings, risk reports will be produced for the board. Urgent risk matters will be dealt with on a pre-arranged basis (chairman and two others, for example), and those risks beyond a specified level will require participation of the full committee. Each segment of the risk portfolio will be the responsibility of an individual, who reports to this committee. In smaller organizations one individual may take responsibility for several of the segments. This committee should have a formal meeting with the board on a regular basis, at least annually.

The decentralized (or fully distributed) IT governance model has, in effect, a full IT steering committee for each division. Each of these steering committees behaves in a similar fashion to the above, except that there will need to be an intermediary role to deal with the board – unless each division has its own board. The intermediary role may be an individual or a small team, which is able to interact with each of the divisional steering committees. It will also need to have excellent channels of communication with the board.

In the federated model, there is some balance between the central authority and the subordinate divisions. Each division will need to accommodate the IT steering committee role, which it can do through an individual, a small team or a formal committee. The central authority will have an IT governance group that includes representation from the divisions as well as those functions that are centrally managed. This IT governance group is the direct channel to the board.

Ref: Strategies for information technology governance, Wim Van Grembergen, Idea Group Publishing, 2004

Key IT Governance Processes

Strategic Planning and Alignment
1. IT steering committee / priority process
   • Alignment with business objectives
2. IT strategy and architectural standards
3. IT project tracking
4. Support for strategic enterprise initiatives

IT Operations
1. Applications development
   • Project management
   • System development life cycle
2. Production support
   • Production control and operation
   • Job scheduling
   • System backups
3. Technical architecture
4. Network design, management and operation
5. Help desk
6. Information security management
7. Business continuity and disaster recovery

Actively design governance
1. IT operating budget
2. IT capital budget
3. IT asset management
4. IT contract management
5. IT resource allocation and planning

Control Frameworks
1. Information management policies
   • Corporate: privacy, business process owners, records retention
   • IT department: SDLC, security
2. Standards: COBIT, ITIL, ISO, SAS 70
3. Practices and procedures
4. System documentation management
5. Quality assurance
6. Regulatory compliance
   • Escalation procedures
   • Disclosure procedures
7. Contract administration and vendor management

[Figure: IT governance in full business context]
Ref: IBM IT Governance Approach: Business Performance through IT Execution
Ref: http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=18450&TEMPLATE=/ContentManagement/ContentDisplay.cfm


A framework for IT Service Management (ITSM)

ITIL (Information Technology Infrastructure Library) is a set of best practices for governing and managing information technology services, development and operations. It was originally developed in the late 1980s by the UK government's Central Computer and Telecommunications Agency (CCTA), which was later absorbed into the Office of Government Commerce (OGC), the framework's owner.

There are five core volumes, one per service lifecycle stage, in ITIL version 3:

  1. Service Strategy
  2. Service Design
  3. Service Transition
  4. Service Operation
  5. Continual Service Improvement

Service Strategy
It provides clear guidance on the planning, design and implementation of service management for an IT organization, and relies mainly on a market-driven approach. The key topics covered include market analysis, business case development, service assets, service value definition and service provider types.

Service Design

The main purpose of this volume is to provide best-practice guidance on the design of IT services, processes, and other aspects of the service management effort. Designing an IT service with ITIL does not focus on the technology alone; it addresses how the planned service solution interacts with the larger business.

Service Transition
It provides guidance on moving a designed service into live operation (including change management, release and deployment management, and service asset and configuration management), making sure that the service is delivered effectively.

Service Operation
It provides guidance on delivering a good and valuable service to end users or customers in day-to-day production, including the monitoring of problems and the balance between service reliability and cost.

Continual Service Improvement
It provides guidance on how to align and re-align IT services with changing business needs.

[Image: ITIL v3 service lifecycle diagram]


1. http://itgovernance.politicalinformation.com/itil.htm
2. http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
3. http://www.itil-itsm-world.com

Leavitt's Diamond

Leavitt's Diamond is a model for analyzing management change, based on the idea that it is rare for any change to occur in isolation. Its four elements, technology, tasks, people, and organizational structure, function as four interdependent variables, visualized as the four points of a diamond.

Change at any one point will impact some or all of the others. Thus, a changed task will necessarily affect the people involved in it, the structure in which they work, and the technology that they use. Failure to manage these interdependencies at critical times of change can create problems.

Ref: http://dictionary.bnet.com/definition/leavitt%2527s+diamond.html


Problems with IT governance
Added by g1-4909; reference: http://en.wikipedia.org/wiki/IT_Governance

Is IT governance different from IT management and IT controls? The problem with IT governance is that often it is confused with good management practices and IT control frameworks. ISO 38500 has helped clarify IT governance by describing it as the management system used by directors. In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment. The directors responsible for this stewardship will look to the management to implement the necessary systems and IT controls. Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.

Nicholas Carr has emerged as a prominent critic of the idea that information technology confers strategic advantage.[5] This line of criticism might imply that significant attention to IT governance is not a worthwhile pursuit for senior corporate leadership. However, Carr also indicates counterbalancing concern for effective IT risk management.

The manifestation of IT governance objectives through detailed process controls (e.g. in the context of project management) is a frequently controversial matter in large-scale IT management. See Agile methods. The difficulty of achieving a balance between financial transparency and cost-effective data capture in IT financial management (e.g., to enable chargeback) is a continual topic of discussion in the professional literature[6], [7] and can be seen as a practical limitation of IT governance.

Some Reasons why IT governance fails

  • Lack of management participation
  • Lack of clearly defined policies, process instructions, roles and responsibilities
  • A big bang approach to implementing governance
  • Lack of continued people participation
  • Concentrating solely on the quantitative analysis rather than taking a qualitative approach

Source: http://www.expresscomputeronline.com/20090608/expressintelligententerprise02.shtml

IT Governance Decisions

IT Principles : High-level statements about how IT is used in the business
IT Architecture : Organizing logic for data, applications, and infrastructure, captured in a set of policies, relationships, and technical choices to achieve the desired business and technical standardization and integration
Business Application Needs : Specifying the business need for purchased or internally developed IT applications
IT Infrastructure : Centrally coordinated, shared IT services that provide the foundation for the enterprise's IT capability
IT Investment and Prioritization : Decisions about how much and where to invest in IT, including project approvals and justification techniques

IT Governance Arrangements (who has decision or input rights?)

Business Monarchy : A group of business executives or individual executives (CxOs). Includes councils of senior business executives (which may include the CIO). Excludes executives acting independently.
IT Monarchy : Individuals or groups of IT executives
Feudal : Business unit leaders, key process owners or their designees
Federal : C-level executives and business groups; may also include IT executives as additional participants
IT Duopoly : IT executives and one other group (IT liaison structure)
Anarchy : Each individual user

Ref: http://www.anticlue.net/archives/000865.htm

IT Governance Made Simple
To learn more about IT governance, please visit the links below:
1. http://www.youtube.com/results?search_query=IT+Governance+Made+Simple&search_type=&aq=f
2. http://en.wikipedia.org/wiki/COBIT


Challenges for IT governance implementation

All levels of your business are affected by the adoption of a changed IT governance solution. It is not something that only some projects or some organizations do, or even that only IT does. To be effective at enabling the business to manage risk transparently and to deliver results aligned with business strategic goals and objectives, your business must subscribe to change at all levels. Change resulting from the IT governance solution will affect everyone from top executives to recent college hires, and from the most strategically aligned business units to the support organizations that provide technology for the business.

Your governance solution establishes a roadmap that guides your projects to successful completion, in terms of being strategically aligned with your business and in accordance with established policies and procedures. In addition, execution of your governance solution must verify that you have selected the right projects and that those projects offer real business value in the large sense.
Reference: IBM IT Governance Approach: Business Performance through IT Execution

Improving IT Governance

The Control Objectives for Information and related Technology (COBIT) framework and its associated family of products from the IT Governance Institute is commonly used as an over-arching process assessment and integrating guide, in conjunction with complementary best-practice frameworks for specific areas of IT such as Enterprise Architecture, Project Management, Software development, Service Management, Portfolio and Value Management, Security Management, Risk Management etc. The underlying basis for this is the comprehensive and detailed coverage of the IT lifecycle from the internal controls perspective in COBIT.

By making a firm commitment to adopting IT Governance, organisations will not only begin to realise the benefits listed earlier, but also earn the acknowledgement of the auditors – especially IT auditors. The simple reason for this is that the IT auditors use the very same COBIT framework when planning and conducting their IT audit. This has been the case since the origins of COBIT over 12 years ago, but it has since evolved to be the de facto IT Governance framework in use by management, users, and auditors today.



Effective IT governance
Design IT governance thoughtfully
There is no default governance; design IT governance carefully for each IT decision domain.

Focus on a few goals, desirable behaviors, and metrics
Good governance requires choices about what to optimize.

Educate executives: IT governance is important
Without top-level input, poor decisions are made. Good IT governance helps business executives achieve success.

Build transparency into your governance arrangements
More transparency produces more confidence in the governance: "No transparency, no trust" (CIO, InterAuto).

Change IT governance to change behaviors
Shifts need to occur when strategy changes. New arrangements take time to communicate and implement.

Characteristics of high IT governance performers

- More focused strategies
Greater differentiation between customer intimacy, product innovation, or operational excellence

- Clearer business objectives for IT investment
Greater differentiation between supporting new ways of doing business, improving flexibility, or facilitating customer communication

- High level executive participation in IT governance
Greater involvement, impact of CEO, COO, Business Heads, Business Unit CIOs and CFO
Who could accurately describe IT governance arrangements

- Stable IT governance, fewer changes year to year
- Well functioning formal exception processes
- Formal communication methods

REF - http://www.uow.edu.au/~rmacgreg/BUSS951

Five IT Governance areas

  1. Business-IT Strategic Alignment, with a focus on aligning with the business and collaborative solutions. Linking business and IT so they work well together. Typically, the lightning rod is the planning process, and true alignment can occur only when the corporate side of the business communicates effectively with line-of-business leaders and IT leaders about costs, reporting and impacts.
  2. Value Delivery, concentrating on optimizing expenses and providing the value of IT. Making sure that the IT department does what’s necessary to deliver the benefits promised at the beginning of a project or investment. The best way to get a handle on everything is by developing a process to ensure that certain functions are accelerated when the value proposition is growing, and eliminating functions when the value decreases.
  3. Risk Management, addressing the safeguarding of IT assets, disaster recovery and continuity of operations, and risks associated with regulatory compliance.
  4. Resource Management, optimizing knowledge and IT infrastructure. One way to manage resources more effectively is to organize your staff more efficiently—for example, by skills instead of by line of business. This allows organizations to deploy employees to various lines of business on a demand basis.
  5. Performance Measurement, tracking project delivery and monitoring IT services, which provides feedback to the governing body and enables decision making, objective setting, and policy adjustment. Putting structure around measuring business performance. One popular method involves instituting an IT Balanced Scorecard, which examines where IT makes a contribution in terms of achieving business goals, being a responsible user of resources and developing people. It uses both qualitative and quantitative measures to get those answers.

Key issues in implementing a successful IT Governance framework

Every successful framework intended to address the five IT Governance areas, business-IT strategic alignment, value delivery, risk management, resource management and performance measurement, needs to include an organizational component and a technology component.

Ten Principles of IT Governance

  1. Actively design governance - involves senior executives taking the lead and allocating resources, attention, and support to the process. For some enterprises, this will be the first time IT governance is explicitly designed. Often there are mature business governance processes to use as a starting point.
  2. Know when to redesign - rethinking the whole governance structure requires that individuals learn new roles and relationships. Learning takes time. Therefore, governance redesign should be infrequent. A change in governance is required with a change in desirable behavior.
  3. Involve senior managers - firms with more effective IT governance had more senior management involvement. CIOs must be effectively involved in IT governance for success. Other senior managers must participate in the committees, the approval process, and performance reviews.
  4. Make choices - good governance requires choices. It is not possible for IT governance to meet every goal, but governance can highlight conflicting goals for debate. As the number of tradeoffs increases, governance becomes more complex.
  5. Clarify the exception-handling process - exceptions are how enterprises learn. In IT terms, exceptions challenge the status quo, particularly the IT architecture and infrastructure. Some requests for exceptions are frivolous, but most come from a true desire to meet business needs. If the exception proposed by a business unit has value, a change to the IT architecture could benefit the entire enterprise.
  6. Provide the right incentives - a major governance and incentive alignment issue is business unit synergy. If IT governance is designed to encourage business unit synergy, autonomy, or some combination, the incentives of the executives must also be aligned.
  7. Assign ownership and accountability for IT governance - IT governance must have an owner and accountabilities. Ultimately, the board is responsible for all governance, but the board will expect or delegate an individual (probably the CEO or CIO) or group to be accountable for IT governance design, implementation, and performance—similar to the finance committee or CFO being accountable for financial asset governance. In choosing the right person or group, the board, or the CEO as their designate, should consider three issues.
  8. Design governance at multiple organizational levels - in large multi-business unit enterprises it is necessary to consider IT governance at several levels. The starting point is enterprise-wide IT governance driven by a small number of enterprise-wide strategies and goals. Enterprises with separate IT functions in divisions, business units, or geographies require a separate but connected layer of IT governance. JPMorgan Chase has IT governance at the enterprise, division, and business unit level. Usually the demand for synergies increases at the lower levels, whereas the need for autonomy between units is greatest at the top of the organization.
  9. Provide transparency and education - transparency and education often go together—the more education, the more transparency, and vice versa. The more transparency of the governance processes, the more confidence in the governance. The less transparent the governance processes are, the less people follow them. The more special deals are made, the less confidence there is in the process and the more workarounds are used. The less confidence there is in the governance, the less willingness there is to play by rules designed to lead to increased firm-wide performance. Special deals and nontransparent governance set off a downward spiral in governance effectiveness.
  10. Implement common mechanisms across the six key assets - the coordination of the six assets seems blindingly obvious. But just glance back at your six lists of mechanisms and see how well coordinated—and more importantly, how effective—they are. Many enterprises successfully coordinate their six assets within a project but not across the enterprise via governance. In designing IT governance, review the mechanisms used to govern the other key assets and consider broadening their charter (perhaps with a subcommittee) to IT rather than creating a new, independent IT mechanism.

IT Governance - Developing a successful Governance Strategy


There are several elements of a successful IT Governance strategy, as described below:

An enterprise wide approach should be adopted
  • The business and IT must work together to define and control requirements.
  • IT will need to develop a control model applicable to all business units/divisions.
  • A committee approach is recommended for setting, agreeing, and monitoring
    direction/policy etc.
  • A shared, cohesive view of IT Governance is needed across the enterprise based on
    a common language.
  • There should be a clear understanding (and approval) by stakeholders of what is
    within the scope of IT Governance.

Top level commitment backed up by clear accountability is a necessity
  • IT Governance needs a mandate and direction from Board/Executive level
    management if it is to succeed in practice.
  • Make sure management responsibilities and accountabilities in the business as well
    as IT have been defined.
An agreed IT Governance and control framework is required
  • Although it may generate challenges and pushback, and will require a consensus,
    an agreed framework for defining IT processes and the controls required to manage
    them must be defined for IT Governance to function effectively.
  • The processes for IT Governance need to be integrated with other enterprise wide
    governance practices so that IT Governance does not become just an IT owned
  • The framework needs to be supported by an effective communication and awareness
    campaign so that objectives are understood and the practices are complied with.
  • Incentives should be considered to motivate adherence to the framework.
  • Pay attention to devolved decentralised IT organisations to ensure a good balance
    between centrally driven policy and locally implemented practices.
  • Avoid too much bureaucracy.
Trust needs to be gained for the IT function (in house and/or external)
  • For IT Governance to work the suppliers of IT services and know-how need to be
    seen as professional, expert and aligned to customer requirements. Trust has to be
    developed by whatever means including awareness programmes, joint workshops,
    and the IT Director acting as a bridge between the business and IT.
Measurement systems will ensure objectives are owned and monitored
  • Creation of an IT scorecard will underpin and reinforce achievement of IT
    Governance objectives.
  • Creation of an initial set of measures can be a very good way to raise awareness
    and initiate an IT Governance programme.
  • The measures used must be in business terms and be approved by stakeholders.

Focus on costs
  • It is likely that there will be opportunities to make financial savings as a
    consequence of implementing improved IT Governance. These will help to gain
    support for improvement initiatives.

Reference: IT Governance Developing a Successful Governance Strategy
A Best Practice Guide for Decision Makers in IT

IT Governance Summarized

    • To understand the issues and the strategic importance of IT
    • To ensure that the enterprise can support its operations
    • To realize that it can implement the strategies required to extend its activities into the future

    • To ensure that expectations for IT are met and IT risks are mitigated

    • Within broad governance arrangements that cover the relationships between the entity's management, its governing body and other owners, providing the structure through which:
    • The entity's overall objectives are set
    • The method of attaining those objectives is outlined
    • The manner in which performance will be monitored is described

IT Governance and Enron
Enron Corporation was an American energy company based in Houston, Texas. Before its bankruptcy in late 2001, Enron was one of the largest electricity, gas and telecommunications companies in the world; it employed approximately 22,000 people and had revenues of nearly $101 billion in 2000.

Why did Enron go bankrupt in 2001?
Insider trading – this is the main reason for the Enron bankruptcy.
In pursuit of more profits, the company and its top people did not hesitate to defy the law: through insider trading and the creation of offshore companies to avoid tax and manipulate the stock price, they aimed to increase profits.
Finally, the share price fell and losses grew, bringing Enron to insolvency.

Why is IT Governance related to Enron?
Following debacles such as Enron, organizations are taking a serious look at their information technology groups and questioning the governance models needed to minimize risks and maximize returns.

IT governance is, in fact, defined as a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.

Besides insider trading, another possible cause of the Enron bankruptcy is imperfect IT governance: some individuals had too much power over the computer systems and could use them to do illegal things such as misappropriating company funds and tampering with bank records. The lack of adequate transparency and third-party monitoring/auditing is a weakness of IT governance.

In the early days, people did not really understand what IT governance is or why it is important. After the Enron incident, they began to focus on audit and monitoring work. As information systems also hold important data, more people became concerned with information technology audit and IT control. The Sarbanes-Oxley Act (legislation and regulations drawn up in response to corporate financial fraud and bankruptcy, referred to as the "SOX Act") followed. Section 404 of the Sarbanes-Oxley Act affected the IT department's information technology strategy and decision-making power, and increased the resource control and change management control over the daily operation of systems, ensuring that standardized methods and procedures are used for efficient and prompt handling of all changes to the controlled IT infrastructure, in order to minimize the impact of change-related incidents on service quality and consequently improve the day-to-day operations of the organization.
Apart from the law, some standards can improve IT governance for these problems: COBIT, ISO 17799 and ITIL. COBIT is strong in IT controls and metrics, ISO 17799 covers IT security quite well, and ITIL emphasizes processes, notably those surrounding the IT help desk.

In this case, I think Enron could apply COBIT to improve the weakness of its IT governance, because COBIT comprises 34 high-level control objectives and 318 detailed control objectives that have been designed to help businesses maintain effective control over IT. The standard is very well done and the entire COBIT documentation set is available online, including the executive summary, framework, control objectives, audit guidelines, management guidelines and an implementation guide. It is very strong on IT control and is auditable, especially by third-party auditors, letting them easily see what problems the company has and prevent the same problem from happening again.
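The change management control that the paragraph above ties to SOX Section 404 is something an IT auditor tests against evidence rather than policy text: every production change must trace back to an approved change record, be carried out by the assigned implementer inside the approved window, and be approved by someone other than the person who implements it (the "one person with too much power over the systems" problem described above). The following Python script is an added example written for this page, not code from Enron, ISACA or any of the frameworks mentioned. It reconciles a constructed deployment log against a constructed export of approved change requests; the log line format and the change-record field names are assumptions.

```python
"""Change-control reconciliation: an IT general control (ITGC) test.

Added example for this page. It correlates a production deployment log
against the approved change records and reports every deployment that
lacks an approved change, names an unknown change, is run by someone
other than the assigned implementer, targets a different system, falls
outside the approved window, or whose change was approved by its own
implementer (a segregation-of-duties failure). All data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed sample export from a change-management system.
# The field names are assumptions made for this example.
APPROVED_CHANGES = {
    "CR-1042": {"system": "payroll-db", "approver": "alice", "implementer": "bob",
                "window_start": "2010-10-04T22:00", "window_end": "2010-10-05T02:00"},
    "CR-1043": {"system": "gl-app", "approver": "carol", "implementer": "carol",
                "window_start": "2010-10-05T20:00", "window_end": "2010-10-05T23:00"},
}

# Constructed sample deployment log; the line format is an assumption.
DEPLOY_LOG = """\
2010-10-04T23:10:05 host=payroll-db user=bob action=deploy change=CR-1042 pkg=payroll-3.2.1
2010-10-05T21:15:42 host=gl-app user=carol action=deploy change=CR-1043 pkg=gl-7.0.4
2010-10-06T03:40:11 host=payroll-db user=bob action=deploy change=CR-1042 pkg=payroll-3.2.2
2010-10-06T11:02:58 host=bank-recon user=dave action=deploy pkg=recon-1.9
"""

# One deploy event per line; the change= field is optional, which is exactly
# the case the control has to catch.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+action=deploy"
    r"(?:\s+change=(?P<change>\S+))?\s+pkg=(?P<pkg>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # UNPARSEABLE, NO_CHANGE_RECORD, UNKNOWN_CHANGE, IMPLEMENTER_MISMATCH,
                 # WRONG_SYSTEM, OUTSIDE_WINDOW, SOD_VIOLATION
    detail: str


def reconcile(log_text, approved):
    """Return one Finding per failed control check, in log order."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            findings.append(Finding(no, "UNPARSEABLE", line))
            continue
        rec = m.groupdict()
        change_id = rec["change"]
        if change_id is None:
            # A production change with no ticket at all: the auditor's first question.
            findings.append(Finding(no, "NO_CHANGE_RECORD",
                                    f"{rec['user']} deployed {rec['pkg']} to {rec['host']}"))
            continue
        cr = approved.get(change_id)
        if cr is None:
            findings.append(Finding(no, "UNKNOWN_CHANGE", change_id))
            continue
        if rec["user"] != cr["implementer"]:
            findings.append(Finding(no, "IMPLEMENTER_MISMATCH",
                                    f"{change_id}: {rec['user']} is not {cr['implementer']}"))
        if rec["host"] != cr["system"]:
            findings.append(Finding(no, "WRONG_SYSTEM",
                                    f"{change_id}: {rec['host']} is not {cr['system']}"))
        ts = datetime.fromisoformat(rec["ts"])
        start = datetime.fromisoformat(cr["window_start"])
        end = datetime.fromisoformat(cr["window_end"])
        if not (start <= ts <= end):
            findings.append(Finding(no, "OUTSIDE_WINDOW",
                                    f"{change_id}: {rec['ts']} not within "
                                    f"{cr['window_start']}..{cr['window_end']}"))
        if cr["approver"] == cr["implementer"]:
            # Approver and implementer are the same person: no independent review.
            findings.append(Finding(no, "SOD_VIOLATION",
                                    f"{change_id}: approved and implemented by {cr['approver']}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(DEPLOY_LOG, APPROVED_CHANGES):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run as a script it prints three findings: the first deployment passes every check, the second was approved by its own implementer, the third reuses an old ticket two days after its window closed, and the fourth has no change record at all. In a real environment the two inputs would be pulled from the ticketing system and the deployment or configuration-management logs, and the findings list is the evidence an auditor samples when testing the change control.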


What is IT governance and why is it critical?

What is IT governance?
Information Technology Governance is a framework and structure around the organization that aligns IT strategy with business strategy, in order to ensure that the company is on the right path to achieve its strategies and goals, and that a good system is in place to measure IT’s performance. It also makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results. The major focus areas that make up IT governance are computer audit, IT risk management and information security management.


Why is it critical?
Organizations today are subject to many regulations governing data retention, confidential information, financial accountability and recovery from disasters. IT governance is therefore found to be an excellent way to ensure regulatory compliance. It has become the part of corporate governance that focuses on information technology (IT) systems. It is very critical because of compliance concerns and the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.

Success factors for effective implementation of IT governance
According to Marianne Broadbent, there are six major factors for effectively implementing IT governance.

1) Executive management must be involved in order to make it effective.
2) Transparency must be built into IT governance.
3) Make changes only when desirable behaviors change markedly.
4) Good behaviors must be reinforced and inappropriate behaviors redirected when implementing IT governance.
5) Governance requires choices.
6) There must be clear exception handling processes, with transparent and rapid escalation processes.

As IT governance becomes an inevitable task when a corporation monitors its business and internal performance, these six major factors can make things easier while many corporations focus more on improving their IT governance systems.



Interest Topic : IT Auditor

- Why Consider IT Audit Profession?
- How to become an IT Auditor?
- Career Path


IT Audit in Hong Kong

Case Study : IT Audit Cost Containment

Link : http://www.coalfiresystems.com/docs/IP%20Commerce%20case%20study.pdf



The Governance, Risk, and Compliance (GRC) SMF belongs to the Manage Layer, the foundation of the MOF IT service lifecycle. The following figure shows the place of the GRC SMF within the Manage Layer, as well as the location of the Manage Layer within the IT service lifecycle.

Position of the GRC SMF within the IT service lifecycle

The Governance, Risk, and Compliance SMF provides guidance for integrating GRC activities in the context of processes and activities throughout the IT service lifecycle. This integration makes use of risk management and internal controls present in every SMF to provide consistent ways to make decisions and manage IT activities.
The major processes described in the GRC SMF are:
  • Establishing IT governance.
  • Assessing, monitoring, and controlling risk.
  • Complying with directives.

Establish IT Governance
Governance describes the leadership, decision-making structure, processes, and accountability that determine how an organization gets work done. Governance starts at the top, but it requires participation at every level of the organization. The nature of the decisions made and information passed to other GRC participants is portrayed in Figure 3. As it shows, there are ways for all members of the organization to contribute to successful governance.
Looking at the various groups that pass information across the organization shows that it is helpful to have a common way to communicate about GRC information. This GRC SMF focuses on the mechanisms for connecting these levels using risk management and control activities, which results in better decision making and the establishment of accountability for results.

The governance environment: participants and information types

IT governance can be enhanced through the clarification of objectives, roles, and responsibilities and through the application of risk management across the IT service lifecycle. This ensures that IT is able to understand business strategy and requirements, deliver value to the business while mitigating IT risks, and establish accountability throughout the lifecycle.
In everyday terms, these concepts will be made more concrete by the specific role and activities involved. For example, the IT professional setting up Microsoft® Exchange Server mailboxes will need to know the policies regarding e-mail retention and purging and ensure that these policies are effectively enforced through configuration rules and Group Policy. The IT manager needs to be aware of management’s objectives regarding corporate communications and what regulatory requirements might be involved in order to make sure that appropriate legal opinion is brought to bear so that required policies are developed.
The CIO and other executives must make their determination that their organization’s strategy and any regulation affecting corporate communication is rational and that they have set appropriate direction and policy for the rest of the organization to follow.

Establish IT governance

Activities: Establish IT Governance
At the activity level, IT governance processes help align IT with the business through the decision-making process used to define actions for achieving strategic goals. This alignment happens through trade-off discussions and decision making. As mentioned before, governance is a management process that defines decision rights, makes sure that risk tolerance has been factored into the decisions, and provides a way to set expectations that can be assessed through a compliance process. Establishing the governance structure and process should be done before decisions need to be made. Doing this will help identify the appropriate business and IT representatives who will jointly make decisions and be held accountable. The results of governance activities ultimately affect how initiatives and technologies are chosen and provide the context for the most prized IT resource—people—to realize opportunities and benefits.
The process to establish IT governance includes the following activities:
  • Setting vision. Setting vision is not window dressing. This activity determines the overall governance structure for IT and creates decision-making power and accountability. The culture of the IT organization will be heavily influenced by the way governance is embraced and put into action.
  • Aligning IT to the business. This activity will also determine the suitability of the fit between overall governance for the organization and IT governance specifically. IT governance will suffer if this coordination is not established.
  • Identifying regulations and standards. Industry-specific regulatory requirements and standards play a critical role in gauging the exactness and rigor required for IT governance. These factors need to be examined and appropriately applied.
  • Creating policy. Getting policy right helps guide performance that delivers results based on expected behaviors and appropriate resource use.
  • The organization is subject to regulatory or other external requirements for governance
  • Management wants a clear understanding of the way IT is run
  • Business management wants to understand the contribution IT makes to business results
Set vision
Key questions:
  • What are the top strategic goals of the business?
  • What level of formality is needed to meet GRC requirements?
  • How is IT value realization measured?
  • How should IT performance be measured?
  • Clear strategic business goals
  • Relevant requirements from applicable standards and regulatory bodies
  • History of organization’s compliance (or non-compliance)
  • Indication of organization’s risk tolerance
  • Internal audit’s recommendations for governance
  • Defined approach for measuring value realization
  • Defined performance indicators
  • Structure of forums for governance activities
  • Governance policies and communication plans
  • General plan for IT risk management
  • Accountability for governance decisions
  • Performance monitoring and metrics
  • Value realization requirements
  • IT governance charter and owner
Best practices:
  • Understandable goals and clear implications require good communication. Give plenty of opportunities to ask questions, restate, and paraphrase.
  • When possible, map IT governance activities to existing business processes for strategy, planning, and decision making.
  • Design the information architecture so that performance monitoring and regulatory compliance monitoring can make use of the same information when possible.
  • For more information about vision setting and strategy alignment, see the MOF Business/IT Alignment Service Management Function.
Align IT to the business
Key questions:
  • Which key stakeholders are needed to make trade-off decisions?
  • Which qualifying and decision-making processes does the business use to determine general initiatives and projects?
  • What is the organization’s approach to risk? What is its culture of compliance to directives?
  • Business-prioritized goals, management directives, and identified owners
  • Legal’s interpretation of regulatory requirements
  • Clear compliance requirements from the perspective of both business and IT
  • Identified participants for various governance meetings (such as steering committees)
  • Coordinated business and IT planning activities
  • Factors to be considered in IT strategic planning
  • Clearly understood roles and responsibilities between business and IT
Best practices:
  • Reduce political turf battles by bringing stakeholders together with a clear process for determining tradeoffs and agreed-upon escalation paths.
  • Business/IT alignment can occur across many levels of an organization; provide a forum for discussion at multiple levels.
  • For more information about vision setting and strategy alignment, see the MOF Business/IT Alignment Service Management Function.
Identify regulations and standards
Key questions:
  • What industry-based standards or regulatory requirements are drivers for the organization?
  • Is there a generally accepted framework (such as COBIT or ISO 20000) that maps well to the organization in terms of both industry and company compliance culture?
  • Business representation of regulatory requirements for the business
  • IT analysis of IT service management frameworks
  • IT capabilities and constraints: skills and technologies
  • A governance framework that represents the least organizational burden for the greatest benefit to efficiency, effectiveness, compliance, and alignment with the business
Best practices:
  • Frameworks are starting points. They provide the core concepts that then require elaboration and application to the realities of the specific organization.
  • A deep understanding of company and industry factors is needed to adapt the framework to the unique considerations of one’s own company.
  • IT professionals have technical knowledge that should be considered when applying the chosen framework so that it is achievable and supportable.
Create policy
Key questions:
  • What are the areas where the company wants to explicitly require desired behaviors?
  • What processes should have specific performance measures defined by policy?
  • What does legal representation say about the proposed policy?
  • Any non-compliance or regulatory issues where the company has fallen short of desired actions
  • Senior management's goals for corporate behavior, with implications clearly understood
  • Documented and communicated policy
  • Mapping from policy to control objectives
  • Policy enacted into practice
Best practices:
  • For more information about policy creation and use, see the MOF Policy Service Management Function.
  • Audit provides evidence-based evaluation and recommendations regarding policy enactment and the control environment.
ISACA® - Information Systems Audit and Control Association®
ISACA® is an association serving IT governance professionals globally. The association was founded in 1969 and has more than 86,000 constituents in more than 160 countries, covering knowledge, certificates and community in IT-related fields, as well as advocacy and education on information systems assurance, security, enterprise governance of IT, and IT-related risk and compliance. ISACA® developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.
ITGI® - IT Governance Institute®
ITGI® is a non-profit association that provides guidance for the global business community on issues related to the governance of IT assets. The institute was established by ISACA® in 1998 with the aim of helping ensure that IT delivers value and that its risks are mitigated through alignment with enterprise objectives, that IT resources are properly managed, and that IT performance is measured.
ISACA® China HK Chapter
ISACA® China HK Chapter was set up in 1982 and has more than 2,000 members. The primary purpose of this chapter is to promote the education of individuals for the improvement and development of their capabilities relating to the auditing of and/or management consulting in the field of information systems audit and control. Its objectives are:

  • To promote the education of, and help expand the knowledge and skills of its members in the interrelated fields of auditing, quality assurance, security, and information systems audit and control;
  • To encourage a free exchange of information systems audit and control, quality assurance, and security techniques, approaches and problem solving by its members;
  • To promote adequate communication to keep members abreast of current events in information systems audit and control, quality assurance, and security fields that can be of benefit to them and their employers, and
  • To communicate to management, auditors, universities and to information systems professionals the importance of establishing controls necessary to ensure the effective organisation and utilisation of information technology resources.

  1. http://technet.microsoft.com/en-us/library/default.aspx
  2. http://www.isaca.org.hk/cms/

Why IT governance

Gain visibility into your investments, initiatives, and resources while empowering the PMO to deliver controlled and predictable execution of projects and programs.


Integrated Demand Management
Capture, catalog, and prioritize all types of demand from strategic projects to service requests in one system of record
Comprehensive IT Portfolio Management
Enables strong governance through comprehensive IT portfolio management (services, projects, programs, ideas, and assets)
Successfully Deliver Projects and Services
Manage multiple project schedules, resources, and costs in CA Clarity PPM and leverage dashboards and reports for complete transparency and visibility


IT Governance - Developing a successful Governance Strategy


IT Governance can be defined as specifying the decision rights and the decision-making mechanisms to foster the desired behavior in the use of IT. To help understand, design, and communicate effective IT governance, a decision rights and accountability framework can be constructed that answers the following questions:
  • What decisions must be made?
  • Who will be making the decision?
  • What information will the person possess?
  • Who is accountable for the decision made?
  • How is the decision outcome measured?
IT Governance should define and implement direction, control, execution, communication and guiding principles involved in the decisions rights framework (1).
The Importance of IT Governance
Historically, the industry has lacked innovative approaches to defining optimum IT and IT outsourcing governance frameworks. A major concern should be to enable business results through information technology as an enabler. Important governance lessons can be learned from companies that have achieved significant value through the effective use of commercial data centers or internal IT operations.

Governance has always been an integral part of IT management. In addition to regulatory compliance, effective businesses have realized that focusing on technology, organizational structure and even process design itself does not deliver business results. Governance is required to implement the processes into the organization. Achieving business results has always been dependent on effective governance linked to effective and efficient execution. Effective governance overcomes the limitations inherent in any organizational structure.

The Advantages of IT Governance
Some of the advantages of effective governance include the following:

  1. Achieve business objectives by ensuring that each element of the mission and strategy are assigned and managed.
  2. Defining and encouraging desirable behavior in the use of IT and in the execution of IT outsourcing arrangements.
  3. Implementing and integrating the desired business processes into the organization.
  4. Providing stability and overcoming the limitations of organizational structure.
  5. Improving customer relationships and satisfaction, and reducing internal territorial strife by formally integrating the customers, business units, and external IT providers into a holistic IT governance framework with clarity and transparency.
The Benefits of IT Governance
Listed below are some of the management, stockholder, employee, customer and external IT provider and partner benefits.

Management - Management receives benefit from having clearly assigned roles and responsibilities for executing the strategy and a defined and improvable approach to encouraging desirable behavior. Overlapping or unclear governance results in internal friction, "territorial" strife and inefficient service operations.
Stockholders and other Stakeholders - Stockholders and other stakeholders receive benefit by having a clearly defined decision and accountability framework for achieving business objectives. Clarity in who makes decisions, what decisions they can make and how the decisions ought to be made reduces confusion and improves management effectiveness. According to one study of hundreds of corporations, the companies with effective governance produce more value than companies with ineffective governance. Improved margins can result from eliminating redundancy, overlap and lack of governance clarity.
Employees - Employees benefit by having a clarified decision rights and accountability framework. When there is no confusion regarding who is responsible for what decisions and how the decisions are made, they are happier and can focus their energies on their primary job responsibility. Overlapping or confusing governance can lead to intra-company "poaching," competition, and attrition. Employee satisfaction and retention are produced by effective and clear governance. Governance transparency can improve employee retention as well as business results.
Customers - Effective governance enables the customer to influence the management decisions made by their service providers. Governance also enables more effective and efficient service delivery that is responsive to customer and business needs and concerns. Transparency in governance enables customers to know how to influence their service providers when they are dissatisfied or desire a change to services.
External IT Providers and Partners - External IT providers and partners benefit from effective governance by receiving clear direction on the optimum use of IT enabling an effective, efficient and adaptable relationship. Without effective governance, external relationships are typically marked by low value and high "churn." These characteristics lead to high expenses and low returns on investment (2).
There is no one Governance framework that is best for all companies. A preferred approach to governance is to use a structured approach to define what the best framework would be based on the business and IT strategy and the current environment.
The best governance solution could then be defined based on an evaluation of all the potential governance approaches and a selection of the best approach to achieving the desired results given the current situation. Governance should include an approach to exception handling and continuous improvement. Static governance models only work well in stable environments with unchanging business conditions.
Governance in multi-sourced environments is a critical success factor for today's complex IT environment. Other frameworks don't address outsourcing. Highly outsourced or multi-sourced environments characterize most companies today. Effective governance of these complex IT environments is vital to value delivery.
COBIT and ITIL are compatible frameworks that can provide contributions to effective governance. COBIT provides an audit framework for IT control objectives frequently leveraged by SOX and other IT auditors. It is an audit framework, written by auditors, for auditors.
The results of a typical audit include a list of control objectives that require remediation. ITIL describes service management best practices for the various IT management control objectives. The planning, design and implementation of service management best practices is a third discipline that typically will rely on inputs from COBIT, ITIL and other sources.
(1, 2) Source: IT Governance. Harvard Business School Press and IBM ITIL Design and Implementation Method.

More info:
There are initiatives in different countries to foster best practices for IT Governance:
e.g. France, ITGA in the Netherlands part of ITSMF NL or internationally at



IT Governance

IT is a critical corporate asset that requires effective governance. Good IT Governance is recognised as a critical factor in delivering IT successfully. IT Governance is not "IT management"; the scope of IT governance is organisation wide.

IT governance is about who is entitled to make major decisions, who has input and who is accountable for implementing those decisions.

IT Governance presides over a significant corporate asset and requires the same governance rigor as other assets.

IT Governance is not about standards and rules – its scope extends across how IT is planned for, how it is delivered and how it is managed on an ongoing basis.

IT Governance is not just the responsibility of IT and requires significant interaction with the business as well as an understanding of roles and

Tools and techniques providing support for IT governance should not be viewed in isolation of one another.

A common view of IT governance-related information is required to provide executives with reliable information and consistent information to make decisions.