Towards the development of a COBIT 5-driven IT audit framework

Asmah, Alexander Ekow

11 March 2020

In recent years, given the increased investments in Information Technology (IT), and its pervasive usage in business environment, the need to ensure that IT decisions are in the interest of shareholders led practitioners and researchers to focus on Enterprise Governance of IT (EGIT). EGIT involves implementing mechanisms that ensure that IT risks are duly mitigated, and that the IT investments are yielding the expected returns for enterprise owners. For the mechanisms to work as intended, there is the need for regular auditing; however, past literature and practitioner reports have confirmed that auditors do not audit governance mechanisms to the expectation of shareholders. Within the Ghanaian Financial services sector, failures in EGIT resulted in the collapse of several organisations which made stakeholders question the role played by auditors. The purpose of this study was to examine EGIT from the perspective of the auditor, develop an audit framework based on COBIT 5 and understand how auditors can be 'critical partners’ to ensure EGIT effectiveness. To provide a better understanding of the EGIT phenomenon, a theoretical framework based on the integration of six theoretical perspectives was presented to provide a holistic view of EGIT and how auditors can add value. The theoretical framework argued in line with organisational theorists that to achieve positive outcomes, governance mechanisms must be implemented in a coherent whole and analysed as a configuration. As such the study adopted the configurational theory to analyse the coherence of the governance mechanisms. Based on the theoretical framework and the configurational theory, a conceptual framework was developed to guide the research. The thesis proposed that the greater the level of coherence among the governance mechanisms, the higher the level of EGIT effectiveness, and that the audit of EGIT will improve the maturity of the governance mechanisms and its coherence. The pragmatic philosophic stance was adopted, utilising qualitative and quantitative methods to answer the research question. The Peffers, Tuunanen, Rothenberger, & Chatterjee, (2008) design science research methodology guided the identification of the problem and the development of an artefact that can aid IT auditors by providing them with an adequate scope for EGIT audits and reduce the audit detection risks. An Exploratory Focus Group (EFG) and a Confirmatory Focus Group (CFG) were employed in the development of the artefact. In addition, a survey instrument was utilised to gather data about the governance maturity of the case organisations prior to and after the usage of the artefact. Cluster analysis based on the concept of 'coherence as a gestalt’ produced cluster solutions revealing the nature of the configuration that resulted in positive outcomes. Post-Hoc analysis was used in the summative evaluation of the artefact to measure the statistically significant changes that occurred in the governance maturity after the use of the artefact. The findings revealed that regular auditing of EGIT mechanisms can lead to significant improvement in several governance mechanisms as postulated. It also revealed that to attain positive outcomes, there is the need for a coherent implementation of governance mechanisms with emphasis on technology which can be the driving force in a fast-changing environment. This result was contrary to existing literature about EGIT that suggested the overarching importance of leadership to drive change in the attainment of EGIT objectives. The findings show that with the right systems and technologies, IT can provide decision makers with timely information that would increase the utility of the decisions. The study makes significant contributions to knowledge by providing insights into EGIT and IT auditing which is an under-researched area. One key theoretical contribution was the integrative theoretical framework that provides theoretical underpinnings to EGIT, which has previously been studied descriptively and provides a holistic view of the complex phenomenon. The study also confirms the configurational theory and advances knowledge by proving that in the context of EGIT, the combination of the various mechanisms does influence the whole and the outcomes. Concerning the contribution to practice, the study resulted in the development of an IT auditing artefact that is based on COBIT 5, a widely accepted industry framework for EGIT, and contextualised with the regulatory needs of the Ghanaian Financial Services sector. With this tool, IT auditors can develop an audit plan that provides assurance of key governance areas and so reduce the audit risk of not detecting a non-existence or weak control in an organisation’s EGIT practices. The tool can be used by regulatory auditors who were complicit in the EGIT failures that occurred in the sector to provide adequate supervision. Further discussion on the theoretical, practical and methodological contributions are set out in this thesis along with the limitations of the study and recommendations for future research.

information system

Modeling a systems-based framework for effective IT auditing and assurance for less regulatory environments

Anomah, Sampson

25 July 2019

Information Technology (IT) has become indispensable in contemporary business processes and in business value creation strategies. Those charged with governance, risk management and compliance are, often, challenged by sophisticated IT oriented decision-making dilemmas due to complex IT use in contemporary business processes. Investors and other stakeholders increasingly expect very rich, reliable and transparent assurance that their interests are safe. Auditors, as a result, are looked upon to expand their role to leverage the functions of those charged with governance and management. IT audit literature, hence, demonstrates existence of several best practices aimed at meeting the increasing demand for more audit and assurance outcomes that bridge the widening audit expectations gaps. In developing countries with less stringent regulatory systems, however, attempts to implement many of these frameworks have proved unsuccessful. Reasons include paucity of guidance in the frameworks and lack of suitable theoretical foundations to resort to for solutions to implementation challenges. Extant literature review reveals scanty research effort by practitioners or academicians in the field in the empirical situation to design a more suitable framework to serve as intervention. In this research an attempt has been made to create an intervention by designing a framework, i.e. an artefact for IT auditing for less regulated business environments. By adductive inference the cybernetics theory of viable systems approach was ingrained as the theoretical foundation from which the variables for the design were extracted. The abduction was based on the diagnostic power and ability to support self-regulation in a less regulatory environment. Action design research (ADR) approach was employed to achieve the research objective. Both qualitative and quantitative techniques were found to be useful for the evaluation and data analysis. At the design phase, a multiple case study method together with workshops were employed to gain insight into the problem and to collect data to support the design process. Four organisations from both public and private sectors in Ghana were selected to participate in the research. At the evaluation stage a survey technique was used to collect data mainly for the validation of construct variables and the refinement of the framework. The questionnaire scale used was 1=Strongly Disagree; 2=Disagree; 3=Somewhat Agree; 4=Agree and 5=Strongly Agree. A total of 136 respondents who included IT audit and Internal audit practitioners, Audit trainees and students, Directors and management staff were involved from four selected organisations. A factor analysis yielded twenty variables extracted from the ingrained theory for the building of a conceptual model which were grouped into six factors or domains. The entire conceptual model was tested with PLS-SEM technique because of the causal relationships that motivated the development of the conceptual hypotheses. A composite reliability used to assess the internal consistency of the model was overall adequate with values greater than 0.7. Similarly, a convergent validity of the model showed that all the variables were above the threshold value of 0.5. Thus, the model and design theory were found to be reliable and valid. Correlation and regression analysis was applied in testing individual hypotheses and the results helped to reorganise the final framework. The study contributed an artefact in the field of IT audit which represents a comprehensive teachable practitioner’s guide for the improvement of the IT audit practice. The framework also serves as guidance to those charged with governance and management in monitoring, self-review and as framework to attain IT audit readiness in less regulatory environments. Implementation challenges are expected to be resolved by reverting to the ingrained theory.

Information System

An investigation of information systems prototyping

Mayhew, P. J.

January 1987

This thesis is concerned with the use of prototyping during the development of information systems. Prototyping is a process which involves early practical demonstration of relevant parts of the desired system. This is carried out with a view to improving both the quality and timeliness of the target system. The quality of an information system is largely determined by its adequacy as a tool for human users. Prototyping serves to enhance the communication between developers and users, and through this to increase the suitability of the resulting information system. An investigation into the traditional phase oriented approach to systems development reveals that in certain circumstances it can result in incorrect or at best disappointing systems. The prototyping approach is examined as a possible alternative. Particular attention is paid to its use with respect to typical characteristics of information systems. This is followed by an investigation into all aspects of prototyping. One aspect, that of the construction of prototypes, is dealt with separately and includes an examination of a variety of tools and techniques. Three of these approaches form part of an experiment in building prototypes. Each method is used to build prototypes of the same system. This provides the opportunity to compare approaches in terms of time, cost, and ease of maintenance, with the existing system. Prototyping is used during the development of a genuine system in a commercial environment. Special consideration is given to both the organisation and the control of prototyping. This project is closely monitored and documented in detail. In conclusion, recommendations are made concerning the use of prototyping during information systems development. Further research areas are also highlighted.

020

Information system prototyping

Patient-held medical records : a thermodynamic perspective

Kirkham, David Andrew

January 1994

No description available.

362.1

Information system

Systems analysis and requirements determination : theory and practice - a longitudinal case study approach

Mouakket, Samar

January 1996

No description available.

658

Information system development

Design for cooperation

Rosenberg, Duska

January 1994

No description available.

620.82

Information system design

Evaluating declarative programming

Clare, A. R.

January 1988

No description available.

005

Information system evaluation

The development and evaluation of a diabetes register and information system

Jones, R. B.

January 1986

No description available.

020

Medical information system

A GIS-compatible, active computer algorithm for American congressional redistricting

Pierce, Todd M.

January 1992

No description available.

910

Geographical information system

Information systems design for the community health services

Catchpole, C. P.

January 1987

This system is concerned with the design and implementation of a community health information system which fulfils some of the local needs of fourteen nursing and para-medical professions in a district health authority, whilst satisfying the statutory requirements of the NHS Korner steering group for those professions. A national survey of community health computer applications, documented in the form of an applications register, shows the need for such a system. A series of general requirements for an informations systems design methodology are identified, together with specific requirements for this problem situation. A number of existing methodologies are reviewed, but none of these were appropriate for this application. Some existing approaches, tools and techniques are used to define a more suitable methodology. It is unreasonable to rely on one single general methodology for all types of application development. There is a need for pragmatism, adaptation and flexibility. In this research, participation in the development stages by those who will eventually use the system was thought desirable. This was achieved by forming a representative design group. Results would seem to show a highly favourable response from users to this participation which contributed to the overall success of the system implemented. A prototype was developed for the chiropody and school nursing staff groups of Darlington health authority, and evaluations show that a significant number of the problems and objectives of those groups have been successfully addressed; the value of community health information has been increased; and information has been successfully fed back to staff and better utilised.

020

Health information system