Information technology audit: systems alignment and effectiveness measures

Nicho, Mathew

January 2008

Information technology audit has proven to be a relatively new, less researched and rapidly expanding field among large, medium and even small businesses (commercial and non-commercial organisations). The implementation rate has grown rapidly and presents a huge growth market for audit consultants due to the need for transparency and compliance with regulation (for example: Sarbanes Oxley Act) and the need to be competitive in the marketplace. The audit process is being conducted mainly by consultants following a traditional process but using different proprietary approaches and mostly done manually. The purpose of this study is to present a scientific method to attach a purely measurement focus to the auditing process so as to provide an auditing as well as a quantitative outcome of the performance to the various IS entities that are audited using a novel automated method that can save organisations considerable resources in terms of time, cost and effort. The nature of the topic directed the researcher to three domains of information system (IS) namely studies on IS measurement, IT governance and software engineering. These areas provided information on the nature of IS measurement and the models used; the process of auditing/measurement and the corresponding frameworks used; the principles and methodology of measurement of IS entities; and measurement models used both in the software engineering and information systems domain. The review of the literature gave rise to the research question and the COBIT-GQM (Control Objectives for Information Technology Audit) – Goal Question Metrics) model. The research question that had emerged out of the four propositions “How can an IT audit or governance framework be used to measure the effectiveness of IS entities in a scientific manner using customised and goal oriented metrics” along with the nature of data sought (positivist), guided the researcher to qualitative research using multiple case studies to test the theoretical model (grounded theory) that had emerged out of the literature review. The theoretical model was automated (with a front end interface and a back-end database) and initially tested for usability issues. Then the common COBIT control objective that was obtained through an initial survey was entered into the database along with a set of questions and metrics (developed by the researcher by following the given GQM guidelines). This application that was demonstrated, and given for evaluation in four organisations gave rise to expected and surprising results. While the respondents expressed their desire to incorporate a customised and goal oriented measurement perspective to their IT audit/performance functions, that would save them time, effort and cost, numerous suggestions were provided that need to be incorporated into the model to make it fully functional. Notable among them are the need to embed a multiple contextual qualifying layer, incorporating benchmarking feature to the model, and the need to link this with the maturity model. These were incorporated into the model and a comprehensive model incorporating all the suggestions was created. The qualitative case study method being used here more to evaluate a theory, provided a sound base for future studies to generate hypothesis that can be evaluated using quantitative survey methods for the model to be generalised. IT auditing being a relatively new, less researched, conventional and high growth oriented field, the use of an innovative, comprehensive, automated and scientific method of audit and measurement method will satisfy the implied need for organisations to incorporate the diverse audit/measurement/ control/standards into one comprehensive method and this research is a major step in this direction. Since the new model is comprehensive and can be automated organisations can economise in terms of time, cost and effort. Irrespective of the nature of economic cycle the need for economising in terms of cost, time and effort is universal for all organisations.

Information technology governance

Information technology audit and control

Goal Question Metrics method

Information technology alignment

Information systems measurement

Information technology audit: systems alignment and effectiveness measures

Nicho, Mathew

January 2008

Information technology audit has proven to be a relatively new, less researched and rapidly expanding field among large, medium and even small businesses (commercial and non-commercial organisations). The implementation rate has grown rapidly and presents a huge growth market for audit consultants due to the need for transparency and compliance with regulation (for example: Sarbanes Oxley Act) and the need to be competitive in the marketplace. The audit process is being conducted mainly by consultants following a traditional process but using different proprietary approaches and mostly done manually. The purpose of this study is to present a scientific method to attach a purely measurement focus to the auditing process so as to provide an auditing as well as a quantitative outcome of the performance to the various IS entities that are audited using a novel automated method that can save organisations considerable resources in terms of time, cost and effort. The nature of the topic directed the researcher to three domains of information system (IS) namely studies on IS measurement, IT governance and software engineering. These areas provided information on the nature of IS measurement and the models used; the process of auditing/measurement and the corresponding frameworks used; the principles and methodology of measurement of IS entities; and measurement models used both in the software engineering and information systems domain. The review of the literature gave rise to the research question and the COBIT-GQM (Control Objectives for Information Technology Audit) – Goal Question Metrics) model. The research question that had emerged out of the four propositions “How can an IT audit or governance framework be used to measure the effectiveness of IS entities in a scientific manner using customised and goal oriented metrics” along with the nature of data sought (positivist), guided the researcher to qualitative research using multiple case studies to test the theoretical model (grounded theory) that had emerged out of the literature review. The theoretical model was automated (with a front end interface and a back-end database) and initially tested for usability issues. Then the common COBIT control objective that was obtained through an initial survey was entered into the database along with a set of questions and metrics (developed by the researcher by following the given GQM guidelines). This application that was demonstrated, and given for evaluation in four organisations gave rise to expected and surprising results. While the respondents expressed their desire to incorporate a customised and goal oriented measurement perspective to their IT audit/performance functions, that would save them time, effort and cost, numerous suggestions were provided that need to be incorporated into the model to make it fully functional. Notable among them are the need to embed a multiple contextual qualifying layer, incorporating benchmarking feature to the model, and the need to link this with the maturity model. These were incorporated into the model and a comprehensive model incorporating all the suggestions was created. The qualitative case study method being used here more to evaluate a theory, provided a sound base for future studies to generate hypothesis that can be evaluated using quantitative survey methods for the model to be generalised. IT auditing being a relatively new, less researched, conventional and high growth oriented field, the use of an innovative, comprehensive, automated and scientific method of audit and measurement method will satisfy the implied need for organisations to incorporate the diverse audit/measurement/ control/standards into one comprehensive method and this research is a major step in this direction. Since the new model is comprehensive and can be automated organisations can economise in terms of time, cost and effort. Irrespective of the nature of economic cycle the need for economising in terms of cost, time and effort is universal for all organisations.

Information technology governance

Information technology audit and control

Goal Question Metrics method

Information technology alignment

Information systems measurement

從科技契合歷程探討電子化政府發展的轉型:以台灣跨機關整合服務為例 / The transformation of e-government development: insights from the technology alignment process-case studies of integrated public services in Taiwan

程麗弘, Cheng, Li hung

Unknown Date

政府組織導入資訊科技後，帶來進步與改變的契機。過去研究從發展階段論探討此議題，多預設科技會依獨立自主的邏輯發展而對社會造成衝擊，因此主要的管理工作是協助社會大眾適應不可逆轉的科技發展。然而，這些學理上的臆測，在田野真實性是愈往發展後期愈下降，造成理論與實務的脫節。本研究從科技與社會研究（Science, Technology and Society, STS）學術脈絡下手，從實務觀察中，致力於挖掘科技和社會間雙向互動、相互形塑的關係；並主張以契合式纏繞(aligned-entanglement) 觀點，探討科技與政府組織相互形塑呈現出轉型的動態歷程。 本研究援引交引纏繞式（entanglement model）互動的模型，加上科技契合(technology alignment)觀點，應用於電子化政府整合型服務之研究，以解釋為何纏繞產生非預期結果，以致走向轉型。因為資訊科技特性需連結兩個以上組織才可讓資訊跨組織流通，所以科技與組織互動的轉型態樣有別於以往單一組織與科技互動的態樣。本研究在分析架構上的貢獻有三：1. 提出以科技契合的交引纏繞歷程觀點探討轉型，修正及補強以交引纏繞歷程觀點來分析轉型，2.開發出探討跨組織科技契合的分析構面，抽離出田野背後的運作邏輯， 3.重新詮釋公共服務的創新擴散，將以往僅探討科技創新與採用的關係，再行深入，把科技設計者從科技創新分離出，成為探討科技設計者、科技創新以及採用的關係， 由此進一步剖析當科技展演無效而發生轉型現象的論述。 本研究根據此看法，採質性多個案研究法來分析台灣電子化政府發展中兩個整合型公共服務，分別是「農產品產銷履歷系統」以及「G2G2B公文電子交換系統」，探討社會/科技集體從萌生到關係穩定化的歷程，或是位移如何發生，由此探知轉型過程。研究發現四種交引纏繞樣態皆有可能導致社會/科技集體的轉型，分別是「科技誤用，對服務真諦不了解」、「科技挪用，妥協下的次佳選擇」、「科技不適用，未立即傳遞的服務」以及「科技不用/科技調適，端視服務內容可被替代程度而定」四個纏繞軌跡的樣態。其共同特點是剛開始科技與跨組織各要素是契合的，雖偶有不契合也多以微調方式修正即可；但是逐漸在各執行面都有一些偏差，在科技展演無效後，科技設計者在權衡情境後所採取的解決方案，進一步呈現出可能的解釋因素，分別是對「科技精神」的了解程度、設計者對環境變化的認知、或科技特性在特定歷史環境不易充分發揮、或是對服務真諦的了解程度等。 本研究提出契合式纏繞觀點，相信這樣的研究成果會深化電子化政府轉型式發展的分析。本研究建議，在無效科技展演後，要預留迴旋空間(leeway)重新開啟科技的詮釋，允許不僅檢討「進度」達成與否，更要檢討「目標」是否合適，如此該社會/科技集體的纏繞式轉型才較不會走偏。 / The implementation of information technology by government entities brings opportunities for progress and change. The conventional wisdom of technology determinism considers the development of e-government as irreversible and the key objective is to assimilate the users to adopt the technology. However, these theoretical speculations tend to lose their explanation power during the later stages of e-government deployment. In other words, there is a mismatch between theory and practice. This study argues that the adoption of technology in governmental organizations is a result of interactions amongst factors such as strategic alignment, IT alignment, IT-structural and process alignment, business alignment, and service alignment. This study illustrates the dynamic entangled process in offering integrated services for e-government and describes the trajectories of this transformation. The aligned-entanglement perspective is then used to provide a better explanation than the punctuated-equilibrium and situated change perspectives. Three main contributions are made by this thesis. First, it proposes a new model to explore governmental organizational transformation. Second, it develops an analytical framework and makes explicit the operation logics of field practice. Thirdly, it re-interprets the diffusion of innovation in public services by incorporating technology designers, the technology itself, and the adopters as distinct actors in the transformation process. Qualitative case study method is used to analyze the implementation of two integrated public e-services in Taiwan: “Agriculture and Food Traceability System” and “G2G2B Electronic Document Exchange System”. The field studies show how the social/technical collective becomes stabilized overtime or how displacement occurs. This paper finds four patterns of displacement: misuse of technology through lack of understanding, the inappropriation of technology, the inapplicability of technology resulting in non-usage, and resistance or adaptation depending on suitability to the adopter’s tasks at hand. The common theme of these patterns is that, while minor misalignment can be fine-tuned in the beginning, these misalignments tend to accumulate through out the execution phases resulting in ineffective performance outcomes. Furthermore, the choices of technology designers to remedy these issues shed light on issues influencing the outcome; namely, misunderstanding of “technology spirit”, designers’ lack of sensitivity to environment change, the poor fit of technology features given its contemporary government context, and lack of understanding on the essence of services. This study proposes aligned-entanglement perspective and enriches the understanding of transformation in e-government development. This study suggests that, upon ineffective performances in technology, one should make leeway in the calibration of the deployment. By assessing the appropriateness of the initial goals in addition to reviewing progress milestones achievement, the social/technical collective is less likely to go down the wrong path in this (transformation) process.

電子化政府

跨組織關係

科技契合歷程

交引纏繞式轉型

公共服務價值

e-government

inter-organizational relationship

technology alignment

entanglement

value of public service