Evaluation of the Impact and Effectiveness of Information Technology Governance in the National Regulator for Compulsory Specifications (NRCS)
Lourens Johannes Erasmus, Alfred Malasele Sekhula
Abstract: Corporate governance has received a lot of attention over the last few years. Major factors contributing to this are a number of major corporate fraud cases and the introduction of new regulations, such as the Sarbanes-Oxley Act in 2002 for American companies and the King II report for South Africa. The attention to corporate governance also leads to attention to information technology (IT) governance because IT plays a vital role in supporting business processes. Information technology governance is a subset discipline of corporate governance, focusing on information and technology and its performance and risk management. Information technology governance is essential to ensure that the National Regulator for Compulsory Specifications (NRCS) gets the expected return on investment. IT governance is all about the implementation of processes, structures and mechanisms that enable business to realise value from IT investment. The main objective of this study was to evaluate the impact and effectiveness of IT governance in NRCS. The researcher’s aim was to examine the effectiveness of IT controls implemented on the NRCS IT systems; the enforcement of IT policies; the alignment of the IT department with business; and the accountability of IT management. This study was conducted using a qualitative research design, specifically a case study as the research method. A case study allowed the researcher to gather information through interview questions and observation of the target population, which comprises NRCS management, IT personnel and systems. To conclude the study, the researcher identified factors preventing the NRCS IT department from enforcing and implementing IT governance so that NRCS can realise a return on the investment made in IT infrastructure. The inference may be drawn that effective IT governance can be achieved by training management and IT personnel in IT governance, using approved IT policies and aligning the IT strategy with the business strategy.
Keywords: Corporate Governance; Performance Management; Risk Management; Information Service Provider
Organisations worldwide use information technology (IT) during daily operations (O’Brien, 2013). Most leading businesses no longer view their IT function strictly as a back-office utility or low value information service provider. Instead, they see its potential as a process optimiser and an enabler of new services and products for the organisation (Haseley & Brucker, 2012). This is evident in NRCS – during the past three years, NRCS has invested R5 million in purchasing a new IT infrastructure, and management expected to see an improved and efficient business process resulting from these IT systems (Mckeen & Smith, 2014). According to Van Grembergen and De Haes (2012), IT governance was developed to make the IT value measurable. Van Grembergen and De Haes (2012) define IT governance as “an organisational capacity exercised by board, executive management and IT management to control the performance and implementation of IT strategy and this ensures the fusion of business and IT”.
Corporate governance is of paramount importance to an organisation and is almost as important as its primary business plan (King III Committee, 2012). When executed effectively, it can prevent corporate scandals, fraud, and the civil and criminal liability of the company. It enhances a company’s image in the public eye as a self-policing company that is responsible and worthy of shareholder and debtholder capital (Van Grembergen & De Haes, 2012). According to the King III report (2012), corporate governance is the responsibility of the board of directors to ensure that it is implemented and enforced in the organisation. Companies are governed within the framework of the laws and regulations of the country in which they operate. In South Africa, corporate governance was institutionalised by the publication of the first King report on corporate governance in 1994. In 2002, the King II report was published by the King Committee, and in September 2009, the new King III report was unveiled in response to the new Companies Act 71 of 2008 (ITGI, 2012). The management of NRCS invested around R20 million in IT infrastructure in 2013 to automate all core business processes and grow business; but at this stage, external and internal customers are facing the problem of unavailability of IT systems, and internally, some accounting fraud has also occurred without any trace. Without IT systems, NRCS will not be in a position to generate revenue, because all service offerings rely on the availability of IT systems. As stated in the King III report of 2009, the IT risks need to be well governed – in the case of NRCS, it is evident that if IT risks are not well governed, IT governance is not well implemented. Information technology (IT) systems in NRCS should support business and be aligned to NRCS’s business strategy.
3. Problem Statement
The National Regulator for Compulsory Specifications (NRCS) started using their own network in September 2013, and for the first six months, the new IT infrastructure did not perform as expected: systems were shutting down or rebooting unnecessarily and some accounting fraud occurred without a trace (Mercure Whitepaper, 2014). These problems motivated NRCS management to call for IT governance evaluation to ensure that the IT infrastructure meets the organisational goals (Asogan, 2013). The National Regulator for Compulsory Specifications (NRCS) needs to be aware of the level of IT governance implemented in their organisation because it influences the overall performance of the organisation (Van Grembergen & De Haes, 2012). According to the King III report (2012), organisations are required to report on organisational IT infrastructure in the yearly integrated report. Evaluation of NRCS IT governance is therefore crucial because it will outline the level of IT governance implemented and the risks that IT infrastructure poses to business, and will also aid management to complete an integrated report. The purpose of this study was to evaluate the impact and effectiveness of IT governance in NRCS.
This study is motivated by the constant increase of government organisations that are failing the IT Audit in South Africa. This study also contributes by helping South African government institutes to identify the level of IT governance implemented on their IT systems. The researcher believes that using NRCS as a case study will also help this organisation to get a clear IT audit because all issues of IT governance in NRCS were identified during the study. This project is beneficial to NRCS and its IT personnel, CEOs, and board of directors. It will give management a clear overview of the level of IT governance implemented and the associated risks. Information technology (IT) governance is a new concept and research done on this subject is limited; therefore, this study will significantly contribute to existing literature and will help to generalise the findings on IT governance research.
The aim of this research project was to evaluate the level of IT governance implemented in an organisation, specifically focusing on NRCS.
6. Objectives
The main objectives of the study were:
to assess the IT governance framework implemented in NRCS;
to evaluate the IT strategy and business strategy relationship in NRCS;
to analyse the impact of IT governance in NRCS.
The focus of this research was on the following areas: IT governance, alignment of IT and business, and compliance. The following are the main research questions:
Why is there a challenge in implementing IT governance in NRCS?
Are NRCS’s IT strategy and business strategy aligned?
Which IT governance framework is implemented by NRCS?
IT governance or Enterprise IT governance is the organisational capacity exercised by the board, executive management and IT management to control the performance and implementation of IT strategy, and in this way, ensure the fusion of business and IT (Van Grembergen & De Haes, 2012).
IT Audit is the evaluation of management control within IT infrastructure. It determines if information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve organisational goals or objectives (Auditor General Office, 2011).
Strategy is the totality of choices that provide an overall orientation for future enterprise developments (Hoogervorst, 2012). It is the direction and scope of an organisation over the long term which achieves advantage for the organisation through its configuration of resources within a challenging environment to meet the needs of markets and to fulfil stakeholder expectations (Smith, McKeen & Singh, 2012).
IT security is the process of implementing measures and systems designed to securely protect and safeguard information (SANS, 2014).
Control Objectives for Information and Related Technology (COBIT) is an IT governance framework created by ISACA for IT management and IT governance. It was established in 1996 and divided into four areas, namely planning and organisation, acquisition and implementation, deployment and support, and monitoring (ISACA, 2012).
Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management that focuses on aligning IT services with the needs of business. ITIL describes processes, procedures, tasks and checklists which are not organisationally specific, but can be applied by an organisation for establishing integration with the organisation’s strategy, delivering value, and maintaining a minimum level of competency (Best Management Practice, 2013).
Capability Maturity Model Integration (CMMI) addresses steps in software development, and the main aim is to improve predictability, efficiency and control of complex software development process within organisations (SEI, 2010).
9. Literature Review
The literature review is presented as follows:
9.1. Information Technology (IT) Strategy of the National Regulator for Compulsory Specifications (NRCS)
According to Smith et al. (2012), many organisations are questioning the value of IT strategies, because over the years, IT has been seen as a costly department to an organisation and managers are unable to measure the value it provides to business. Technology now pervades all areas of business; however, many organisations find that the substitution of labour by technology is replacing variable costs with fixed costs (Smith et al., 2012). According to the CEO of NRCS, an IT department is costly to an organisation (Asogan, 2013). Therefore, the need to ensure value from IT investments and to make it easily measurable is crucial. To achieve this, IT strategy must be aligned with business strategy. Strategy is the totality of choices that provide an overall orientation for future enterprise developments (Hoogervorst, 2012). Information technology strategy is a subset of the enterprise strategy and thus concerns choices pertinent to the development of IT within the organisation.
9.2. Information Technology (IT) Governance
According to the King III report (2012), a South African framework on corporate governance, for an organisational investment in IT to deliver full value, IT has to be fully aligned with business strategies and direction, key risks have to be identified and controlled, and legislative and regulatory compliance has to be demonstrated. Information technology (IT) governance covers this and more, and considering recent corporate failures and scandals, enjoys a higher profile today than ever before. IT governance is not a one-time exercise or something achieved by a mandate or the setting of rules. It requires a commitment from the top of the organisation to instil a better way of dealing with the management and control of IT (Van Grembergen & De Haes, 2012). IT governance is an ongoing activity that requires a continuous improvement mentality and responsiveness to the fast-changing IT environment. IT governance can be integrated within a wider enterprise governance approach and supports the increasing legal and regulatory requirements of corporate governance (Van Grembergen & De Haes, 2009). An IT governance Special Interest Group researched factors contributing to the need for IT governance in an organisation and found the following to be the most important factors: there is a general lack of accountability and not enough shared ownership and clarity of responsibilities for IT services and projects; communication between customers (IT users) and providers has to improve and be based on joint accountability for IT initiatives; there is a potentially widening gap between what the IT departments think the business requires and what the business thinks the IT department is able to deliver; and organisations need to obtain a better understanding of the value delivered by IT, both internally and from external suppliers (King Report III, 2012).
The third report on corporate governance in South Africa became necessary because of the new Companies Act 71 of 2008 and the changes in international governance trends. This report, referred to as the King III report, was compiled by the King Committee with the help of sub-committees (Sticker, 2010). The King III report is the only South African legislation and regulation that addresses the issues of IT governance, business rescue, and fundamental and affected transactions.
9.4. Core Competencies of Information Technology (IT) Governance
Information technology (IT) governance concerns the integration of skills, knowledge and technology to provide unified and integrated attention on IT development, such as establishing IT strategic initiatives, the development of IT architecture for guiding IT system design, the design of IT systems, the portfolio of subsequent IT projects for implementing design, and the implementation of IT projects (Hoogervorst, 2012). Hoogervorst further defined IT governance as the organisational competence for continuously exercising guiding authority over IT strategy and architecture development, and the subsequent design, implementation and operation of IT systems. The three most important competencies for IT governance that cover the IT governance domain in a unified manner and that must be retained in-house are (Lewis & Millar, 2012): IT strategy and architecture (conceptual, design-focused); IT project portfolio management (financial, administrative); and IT program management (execution, implementation).
9.5. Information Technology (IT) Governance Audit
Hall and Singleton (2010) state that an IT audit is associated with auditors who use technical skills and knowledge to audit through the computer system, or provide audit services where processes or data or both are embedded in technologies. Information technology (IT) audits are risk-based, much like internal and external audits. According to Hall and Singleton (2010), the scope of IT audit has been increasing to include more depth and width of systems; tools like Computer-Assisted Audit Tools and Techniques (CAATTs) allow IT auditors to review an audit trail in electronic form, which is invisible to humans. Another developing concept in IT audit is the emergence of IT governance as a subset of corporate governance. IT internal controls at a governance level involve ensuring that effective IT management and security principles, policies and processes with appropriate compliance measurement tools are in place to assess and measure those controls (AGO, 2011; Cartlidge, 2010). Effective IT governance controls require an active audit committee that goes beyond just financial reporting issues and reviews a wide range of enterprise issues, including IT matters.
9.6. Leadership in Information Technology (IT) Governance
According to Grant, Hackney and Edgar (2010), business professionals play a very important role in ensuring that organisational goals are met: they plan, lead and control organisational resources. The ever-changing business world today presents modern managers from all sectors with more diverse and far-reaching challenges than ever before. Grant et al. (2010) and Hoogervorst (2012) state that given the turbulence, uncertainty and changeability of today’s world, a reconfiguration of and a differing mindset to yesteryear are required. Managers should change the way they used to do things and start engaging all employees, see change rather than stability as the norm, and create visions and values that encourage a truly collaborative workplace (Grant et al., 2010). There are many differing theories, models and frameworks that have been developed around leadership, IT/IS leadership and governance included. Ultimately, it is the responsibility of the board of directors to ensure that IT, along with other critical activities, is governed adequately. According to the King III report (2012), the board should be responsible for IT governance.
The purpose of the research was to establish and evaluate the level of IT governance implemented and to outline the associated risks posed by IT governance in NRCS. This research is qualitative: a case study was used in this study, because a case study is “a type of qualitative research in which in-depth data gathering relative to a single individual, program, or event for the purpose of learning more about an unknown or poorly understood situation” (Luftman & Kempaiah, 2010). According to Neuman (2011), qualitative research is a means of exploring and understanding the meaning that individuals or groups ascribe to a social or human problem. The data collected in this type of study are normally collected in participants’ settings (White, 2013). In this study, the focus was only on one organisation; hence, a qualitative research design is more appropriate for the study as it allows in-depth data collection and understanding of IT governance.
10.1. Study Area
The National Regulator for Compulsory Specifications (NRCS) is a regulatory body in South Africa with offices situated in Pretoria, Durban, Bloemfontein, Port Elizabeth, and Cape Town. This study was conducted in Pretoria, at the head office of NRCS because all tools and IT systems necessary for data collection are in Pretoria.
The National Regulator for Compulsory Specifications (NRCS) was used as a case study to complete this research. NRCS employs approximately 300 employees. The target population for this study comprised six (6) IT personnel; twenty (20) managers from all the departments; and IT systems. One hundred percent (100%) of the target population was used as the main source of data (Neuman, 2011).
10.3. Sample, Sampling Methods, and Sample Size
This research was a qualitative study; therefore, the sample for this study comprised twenty-six (26) participants, which was the total population selected for this study. Purposive sampling was used to select this population. Purposive sampling represents a group of different non-probability sampling techniques, and is also known as judgmental, selective or subjective sampling (Leedy & Ormrod, 2014). The sample consisted of individuals who have knowledge of what IT systems are installed within the organisation and for what reason. Furthermore, they run this organisation and get first-hand information regarding any issues or improvement of finances. This means they can tell if the organisation is getting return on investment (ROI) from IT systems or not.
The data were collected through the following methods:
Interviews: open-ended questions were developed and sent to participants before individual interviews. Interview questions were structured so that they enabled the researcher to evaluate the level of IT governance, and also to gather more information concerning the performance of IT systems, whether they are getting ROI from IT systems or not.
System audit: IT systems performance and configurations were evaluated to confirm if they met the requirements of an adopted IT governance framework.
The data were analysed using the following techniques:
Categorisation: data were grouped into groups (Leedy & Ormrod, 2014).
Interpretation: all data were interpreted and presented in an unambiguous format – this started during the data collection (Leedy & Ormrod, 2014).
All participants were allowed to remain anonymous or to use pseudonyms so that their responses cannot be traced back to them. Fellow participants should, in any case, not see individual responses (Neuman, 2011). Participation in this study was voluntary and therefore all participants had the right to withdraw from this research at any time without stating reasons. No IP addresses and passwords of the IT systems were revealed as they might compromise the security of IT assets (Israel, 2014).
In the study, the researcher aimed to evaluate IT governance in NRCS. The role of IT governance in an organisation is to ensure that IT strategy and business strategy are aligned. Information technology (IT) governance should be part of the overall corporate governance process, procedures and policies established to provide decisions of and direction to the IT services and resources, including considerations regarding risks, compliance and performance. There are many IT governance frameworks that have been developed – such as COBIT, ITIL and CMM – to help with implementation of a good IT governance in an organisation. The National Regulator for Compulsory Specifications (NRCS) has adopted COBIT and ITIL as the IT governance framework. Proper implementation of the IT governance framework results in efficient and effective management of IT resources and overall improvement of business performance.
12. Findings of the Literature Review
The findings are presented as follows:
There is a low alignment maturity between business strategy and IT strategy, and this is one of the main reasons why enterprises fail to exploit the full potential of their IT investment.
The IT strategy of NRCS was written by the chief information officer independently, which results in non-alignment with business strategy. Both IT strategy and business strategy should be derived collaboratively by the entire executive team, including the chief information officer.
The IT governance should be part of the overall corporate process: this will ensure that IT governance receives the required support from management.
The third report on corporate governance in South Africa published in 2009, is the first King Report to address IT governance for South African organisations. Before, companies were not disclosing anything on IT governance, but since 2009, all companies registered on Johannesburg Stock Exchange have been required to report on IT governance.
There was a lack of accountability in South African public entities, including NRCS, regarding the champion of IT governance.
COBIT and ITIL are commonly implemented IT governance frameworks in public entities and private organisations. COBIT and ITIL are the two IT governance frameworks that the Auditor General of South Africa uses to audit IT governance in government entities.
Sound IT governance in organisations should help organisations to improve performance.
13. Findings from the Interviews
Twenty-six participants were interviewed and the following findings emerged from these interviews:
Eighty-eight percent (88%) of the participants revealed that they do not have sufficient knowledge of IT governance. The lack of IT governance knowledge among managers means that NRCS will continue to under-budget for IT projects and will fail to leverage IT systems. Information technology (IT) governance focuses on adding value through effective investments in IT. Managers therefore need to be knowledgeable to make correct decisions on IT investment.
Ninety-six percent (96%) of participants confirmed that the lack of IT governance training impacts the implementation of IT governance negatively in NRCS. Without training, NRCS management and IT personnel will not improve their knowledge of IT governance and will not feel confident to talk about IT governance, which may result in IT governance projects being put on hold indefinitely.
Seventy-seven percent (77%) of participants revealed that NRCS does not have an IT governance champion. An IT governance champion will ensure that IT governance, as part of corporate governance, is adequately addressed. In NRCS no one is taking accountability of inadequate implementation of IT governance, and it will remain the same if a champion is not appointed.
Ninety-two percent (92%) of the participants revealed that NRCS does not have an approved IT governance policy. Without this policy, the NRCS IT department will not know what policies, plans and procedures should be implemented to manage the IT department well. An IT governance policy establishes the IT governance structure and its associated procedures, roles and responsibilities as a critical component of the overall IT management framework, which guides the management, implementation and monitoring of IT investment of NRCS.
Eighty-eight percent (88%) of participants confirmed that NRCS does not have IT systems to support the implementation of IT governance. Implementation of IT governance is cumbersome and requires the IT systems to automate some of these processes. Without the proper IT systems in place, the implementation may be substandard and may fail to meet the business requirements.
All (100%) of the participants revealed that NRCS does not have an approved IT strategy and confirmed that a business strategy is in place. The implementation of an IT strategy is critical to organisations’ business success and key to sustaining competitive advantage. Without an IT strategy, NRCS will experience many difficulties in meeting customer needs.
Eighty-one percent (81%) of the participants revealed that NRCS communicates its strategies to employees. Effectively communicating the IT strategy to employees is vital to ensure that each member of staff is involved and understands the organisational goals, where long-term plans will lead the organisation in the future, and how the IT department intends to get there. NRCS employees do not understand the IT strategy, hence the reason why some projects are declared fruitless expenditure. When people understand the reason why the project is implemented, it is easy to support the project and ensure that its implementation is successful.
Seventy-three percent (73%) of the participants revealed that NRCS information department is not integrated with the rest of the NRCS business units. The integration of the IT department with the rest of business is vital as it will enable the IT department to easily get feedback on time from the business related to IT services and to plan improvement accordingly.
Ninety-two percent (92%) of the participants confirmed that the NRCS information department has implemented a fruitless project. A fruitless project is an indication of the lack of IT governance in NRCS and that the information department does not help NRCS to improve business. The objective of the IT department at NRCS is to be a business enabler, not a business obstacle.
Thirty-one percent (31%) of the participants revealed that NRCS has used COBIT and ITIL frameworks to implement IT governance. Even though NRCS has adopted some IT governance framework, the implementation is still lagging behind. The other contributing factor is the issue of lack of IT governance training in NRCS. People need to know and understand the importance of IT governance and the requirement to implement these IT governance frameworks.
Eighty-one percent (81%) of the participants revealed that the lack of an IT governance framework at NRCS impacts negatively on the implementation of IT governance. Even though NRCS has adopted COBIT and ITIL frameworks, the implementation is partial. NRCS needs to have an approved IT governance policy which will outline which specific framework is to be used.
Seventy-seven percent (77%) of the participants revealed that NRCS does not measure IT governance maturity level. The information technology (IT) environment evolves almost every day, and the current organisational systems and processes need to keep abreast of these changes. What organisations have today will not necessarily be relevant after six months; therefore, management needs to constantly evaluate the IT governance to ensure that it is up to date and relevant to NRCS. NRCS management has no information on the IT governance maturity level and this impacts negatively on the budgeting of IT projects related to IT governance.
14. Findings from the Information Technology (IT) Systems Audit
Inadequately documented IT risk register: the risk register did not incorporate the existing controls for operational risks, inherent risk and residual risks, or the risk owner and due date for the corrective action.
Inadequately documented IT security policy: the policy did not incorporate attributes of IT security, such as ownership of data and management of default accounts.
Inadequate security management: patches and fixes were not done on the servers.
Inadequately documented disaster recovery plan: this plan did not include some critical aspects such as clear identification of contact information of the disaster recovery team and a clear identification of the various resources required for recovery.
Lack of approved IT strategy: the IT strategy is still in draft stage.
Lack of change management enforcement: most of the change management request forms were incomplete and some were not approved, but the logs on the servers revealed that changes were done without approval.
15. Conclusion
The low alignment maturity between business strategy and IT strategy is one of the main reasons why organisations struggle to exploit the full potential of their IT investment. To improve organisational performance, the alignment of IT strategy and business strategy needs to be monitored and re-examined. One of the important aspects of re-examination is the consideration of the role IT governance plays in the organisation. Information technology (IT) investments will also be of great value if the IT and business remain aligned. From this research, it was evident that the IT project was not properly managed, which resulted in the business rejecting some of the projects. This happened due to the lack of IT governance and poor alignment of business and IT strategy. The important lesson learnt from this research project is that IT governance implementation is a journey, not a one-off occurrence.
The following recommendations can be made on implementing a good IT governance framework within NRCS and other organisations that are still lagging behind in implementing the IT governance framework:
NRCS should have an approved IT governance policy to ensure that the acquisition, management and use of information technology by NRCS improves productivity and cost-efficiency.
NRCS should ensure that committees are established within NRCS with clear unambiguous terms of reference – committees like an IT-steering committee and an audit-risk committee. These committees will help the board to carry out its IT governance duties.
NRCS should have an approved IT strategy to ensure that the business strategy and IT strategy are aligned. It is a tool to improve IT services and ensure they are delivered as per business requirement.
An IT demand plan should be identified and resourced in the IT strategy and operating plan and budgets.
NRCS needs to enforce change management on all IT systems. Organisations with effective change management meet or exceed project objectives. Change management needs to be improved in NRCS to avoid the business rejecting the project after millions of rands have been spent and to ensure that all projects are on schedule and within budget.
NRCS needs to integrate all systems to prevent data from being saved to removable devices for further processing. All systems need to be configured to send notifications to authorised people on any activities on finance systems, and logs or audit trails must be kept safe for at least five years. This will help NRCS in fraud prevention or identifying malicious activities at an early stage.
Even though this research study has been successful, the following limitations were experienced:
Single case: the researcher used only NRCS as a case study to conduct this study and more case studies will have to be conducted before results can be generalised.
Lack of prior research: the lack of prior research on the topic was a limitation of the study. Citing prior research studies was necessary to form the basis of the literature review and to help lay the foundation for understanding the research problem under investigation.
Lack of finance: the researcher would have liked to use audit software to evaluate the current level of IT governance on current IT systems, but it was impossible as the software was expensive.
18. Suggestions for Research
It is difficult to generalise the results obtained in this study as only one case study was conducted. Therefore, further similar studies on IT governance in South African organisations need to be conducted so as to finalise the results. It is proposed that the following projects be conducted as follow-up studies: an evaluation of the impact and effectiveness of IT governance in South African government departments; a South African public entities framework to measure return on investment generated by IT; and the influence of corporate governance on IT governance.
References
Auditor-General’s Singapore. (2011). What is an IT audit? [Online], Available from: http://www.ago.gov.sg/ doc/ r39d.pdf. [Accessed: 25/05/2016].
Cartlidge, A. (2010). An introductory overview of ITIL V3. [Online]. Available from: https://www.best-managementpractice.com/gempdf/itSMFory. [Accessed: 1 March 2016].
Daft, R. (2011). Leadership Experience. 4th Ed. London: Thomson South Western.
Grant, K.; Hackney, R. & Edgar, D. (2010). Strategic Information Systems Management. United Kingdom: Cengage Learning.
Hall, J.A. & Singleton, T. (2010). Information Technology Audit and Assurance. 2nd ed. USA: Thomson.
Haseley, S. & Brucker, J. (2012). New perspectives on healthcare risk management, control and governance. London: McGraw-Hill.
Isaca. (2012). An-introduction. [Online]. Available from: https://www.isaga.org/cobit/ documents/an-introduction.pdf. [Accessed: 29 June 2016).
Israel, M. (2014). Research ethics and integrity for social scientists: Beyond regulatory compliance. 2nd ed. London: Sage.
ITGI. (2012). IT governance global status report 2008. Rolling Meadows. IT Governance Institute. London: Isaca.
King III Committee (2012). King III report. Durban: LexisNexis.
Leedy, P. D. & Ormrod, J. E. (2014). Practical Research Planning and Design. 10th ed. England: Pearson.
Lewis, E. & Millar, G. 2012. The viable governance model: a theoretical model for the corporate governance of IT. Chichester: IGI Global.
Luftman, J. & Kempaiah, R. 2010. An update on business-IT alignment: ‘a line’ has been drawn. MIS Quarterly Executive, 6(3): 165–177.
McKeen, J. D. & Smith, H. A. (2014). IT strategy: issues and practices, 2nd ed. London: Prentice-Hall.
Mercure Whitepaper. (2014). IT governance challenges and best practise. [Online]. Available from: http://www.iworksmarcom.com/MercuryWhitepaper.pdf. [Accessed: 7 May 2016].
Neuman, W. L. (2011). Social research methods: qualitative and quantitative approaches. 7th ed. Boston: Allyn & Bacon.
O’Brien, J. A. (2013). Managing information technology in the business enterprise. 6th Ed. New York: McGraw Hill.
SANS. 2014. IT security resources. [Online]. Available from: http://sans.org/it-security [Accessed 4 March 2016].
SEI. 2010. CMMI for development, Version 1.3. [Online]. Available from: http:// www. sei.cmu.edu/reports/10tr033.pdf. [Accessed: 1 March 2016).
Smith, H. A, McKeen, J. D. & Singh, S. (2012). Developing information technology strategy for business value. Journal of information technology management, 18(1): 49-58.
Stickler, M. (2010). Working towards quality research through good data management practices. [Online]. Available from: http://www.research.psu.edu/training/sari/teaching-support/data-management/documents/20071010.pdf. [Accessed: 13 August 2016].
The Best Management Practice. (2013). [Online]. Available from: http://www.best-management-practice.com [Accessed 10 April 2014].
Van Grembergen, W. & De Haes, S. (2012). Business Strategy and Applications in Enterprise IT Governance. Hershey: Sage.
White, B. (2013). Writing your MBA dissertation. Padstow: Digita.
1 Professor, PhD, University of Limpopo, South Africa, Address: Private Bag x1106 Sovenga 0727, South Africa, E-mail: beyerslourens@gmail.com.
2 University of Limpopo, South Africa, Address: Private Bag x1106 Sovenga 0727, South Africa, Corresponding author: alfred.sekula@ul.ac.za.
AUDA, Vol. 11, no. 2/2019, pp. 26-42