Towards the development of a COBIT 5-driven IT audit framework

In recent years, given the increased investments in Information Technology (IT), and its pervasive usage in the business environment, the need to ensure that IT decisions are in the interest of shareholders led practitioners and researchers to focus on Enterprise Governance of IT (EGIT). EGIT involves implementing mechanisms that ensure that IT risks are duly mitigated, and that the IT investments are yielding the expected returns for enterprise owners. For the mechanisms to work as intended, there is the need for regular auditing; however, past literature and practitioner reports have confirmed that auditors do not audit governance mechanisms to the expectation of shareholders. Within the Ghanaian Financial Services sector, failures in EGIT resulted in the collapse of several organisations, which made stakeholders question the role played by auditors. The purpose of this study was to examine EGIT from the perspective of the auditor, develop an audit framework based on COBIT 5 and understand how auditors can be 'critical partners' to ensure EGIT effectiveness. To provide a better understanding of the EGIT phenomenon, a theoretical framework based on the integration of six theoretical perspectives was presented to provide a holistic view of EGIT and how auditors can add value. The theoretical framework argued, in line with organisational theorists, that to achieve positive outcomes, governance mechanisms must be implemented in a coherent whole and analysed as a configuration. As such, the study adopted the configurational theory to analyse the coherence of the governance mechanisms. Based on the theoretical framework and the configurational theory, a conceptual framework was developed to guide the research. The thesis proposed that the greater the level of coherence among the governance mechanisms, the higher the level of EGIT effectiveness, and that the audit of EGIT will improve the maturity of the governance mechanisms and its coherence.
The pragmatic philosophic stance was adopted, utilising qualitative and quantitative methods to answer the research question. The Peffers, Tuunanen, Rothenberger, & Chatterjee (2008) design science research methodology guided the identification of the problem and the development of an artefact that can aid IT auditors by providing them with an adequate scope for EGIT audits and reduce the audit detection risks. An Exploratory Focus Group (EFG) and a Confirmatory Focus Group (CFG) were employed in the development of the artefact. In addition, a survey instrument was utilised to gather data about the governance maturity of the case organisations prior to and after the usage of the artefact. Cluster analysis based on the concept of 'coherence as a gestalt' produced cluster solutions revealing the nature of the configuration that resulted in positive outcomes. Post-hoc analysis was used in the summative evaluation of the artefact to measure the statistically significant changes that occurred in the governance maturity after the use of the artefact. The findings revealed that regular auditing of EGIT mechanisms can lead to significant improvement in several governance mechanisms as postulated. It also revealed that to attain positive outcomes, there is the need for a coherent implementation of governance mechanisms with emphasis on technology, which can be the driving force in a fast-changing environment. This result was contrary to existing literature about EGIT that suggested the overarching importance of leadership to drive change in the attainment of EGIT objectives. The findings show that with the right systems and technologies, IT can provide decision makers with timely information that would increase the utility of the decisions. The study makes significant contributions to knowledge by providing insights into EGIT and IT auditing, which is an under-researched area.
One key theoretical contribution was the integrative theoretical framework that provides theoretical underpinnings to EGIT, which has previously been studied descriptively, and provides a holistic view of the complex phenomenon. The study also confirms the configurational theory and advances knowledge by proving that in the context of EGIT, the combination of the various mechanisms does influence the whole and the outcomes. Concerning the contribution to practice, the study resulted in the development of an IT auditing artefact that is based on COBIT 5, a widely accepted industry framework for EGIT, and contextualised with the regulatory needs of the Ghanaian Financial Services sector. With this tool, IT auditors can develop an audit plan that provides assurance of key governance areas and so reduce the audit risk of not detecting a non-existent or weak control in an organisation’s EGIT practices. The tool can be used by regulatory auditors who were complicit in the EGIT failures that occurred in the sector to provide adequate supervision. Further discussion on the theoretical, practical and methodological contributions is set out in this thesis along with the limitations of the study and recommendations for future research.

Identifier: oai:union.ndltd.org:netd.ac.za/oai:union.ndltd.org:uct/oai:localhost:11427/31541
Date: 11 March 2020
Creators: Asmah, Alexander Ekow
Contributors: Kyobe, Michael
Publisher: Faculty of Commerce, Department of Information Systems
Source Sets: South African National ETD Portal
Language: English
Detected Language: English
Type: Doctoral Thesis, Doctoral, PhD
Format: application/pdf
