Questions: What do you think were the critical factors that fueled the need for IT governance? In what ways did ISO affect the standards for network security?
Each answer should be in atleast 200 words. Need 1 apa 6th edition reference for 1 answer.
Don't use plagiarized sources. Get Your Custom Essay on
Discussion Question – Need 3 answers for 1 question
Just from $13/Page
Managing and Using Information Systems:
A Strategic Approach – Seventh Edition
Keri Pearlson, Carol Saunders,
and Dennis Galletta
© Copyright 2020
John Wiley & Sons, Inc.
Chapter 9
Governance of the Information
Systems Organization
Chapter 9
Governance of the Information Systems Organization
2
Learning Objectives
Understand how governance structures define how decisions are made
Describe governance based on organization structure, decision rights, and control
Discuss examples and strategies for implementation.
© 2020 John Wiley & Sons, Inc.
3
Intel’s Transformation
Huge performance improvements between 2013 and 2014 and between 2016 and 2018
Was it due to a spending increase?
Intel’s evolution
1992: Centralized IT
2003: Protect Era – lockdown (SOX & virus)
2009: Protect to Enable Era (BYOD pressure)
2016: “Unite” solution (integrates functions into one platform)
© 2020 John Wiley & Sons, Inc.
4
No, it was due to a spending decrease, not an increase.
They focused on protecting to enable, not just locking down
4
Intel Reached Level 3:
Developing programs and delivering services
Contributing business value
Transforming the firm
Previously: categorized problems as “business” or “IT”
Now: Integrated solutions are the only way
© 2020 John Wiley & Sons, Inc.
5
IT Governance
Governance (in business) is all about making decisions that
Define expectations,
Grant authority, or
Ensure performance.
Empowerment and monitoring will help align behavior with business goals.
Empowerment: granting the right to make decisions.
Monitoring: evaluating performance.
© 2020 John Wiley & Sons, Inc.
6
A decision right is an important organizational design variable since it indicates who in the organization has the responsibility to initiate, supply
information for, approve, implement, and control various types of decisions.
6
IT Governance
IT governance focuses on how decision rights can be distributed differently to facilitate three possible modes of decision making:
centralized,
decentralized, or
hybrid
Organizational structure plays a major role.
© 2020 John Wiley & Sons, Inc.
7
Four Perspectives
Traditional – Centralized vs decentralized
Accountability and allocation of decision rights
Ecosystem
Control structures from legislation
© 2020 John Wiley & Sons, Inc.
8
Centralized vs. Decentralized Organizational Structures
Centralized – bring together all staff, hardware, software, data, and processing into a single location.
Decentralized – the components in the centralized structure are scattered in different locations to address local business needs.
Federalism – a hybrid of centralized and decentralized structures.
© 2020 John Wiley & Sons, Inc.
9
9
Organizational continuum
10
Federalism
Most companies would like to achieve the advantages of both centralization and decentralization.
Leads to federalism
Distributes, power, hardware, software, data and personnel
Between a central IS group and IS in business units
A hybrid approach
Some decisions centralized; some decentralized
© 2020 John Wiley & Sons, Inc.
11
11
Federal IT
© 2020 John Wiley & Sons, Inc.
12
12
Figure 9.4 IT Accountability and Decision Rights Mismatches
Accountability
Low High
Decision Rights High Technocentric Gap
Danger of overspending on IT creating an oversupply
IT assets may not be utilized to meet business demand
Business group frustration with IT group Strategic Norm (Level 3 balance)
IT is viewed as competent
IT is viewed as strategic to business
Low Support Norm (Level 1 balance)
Works for organizations where IT is viewed as a support function
Focus is on business efficiency Business Gap
Cost considerations dominate IT decision
IT assets may not utilize internal competencies to meet business demand
IT group frustration with business group
© 2020 John Wiley & Sons, Inc.
13
Figure 9.5 Five major categories of IT decisions.
Category Description Examples of Affected IS Activities
IT Principles How to determine IT assets that are needed Participating in setting strategic direction
IT Architecture How to structure IT assets Establishing architecture and standards
IT Infrastructure Strategies How to build IT assets Managing Internet and network services; data; human resources; mobile computing
Business Application Needs How to acquire, implement and maintain IT (insource or outsource) Developing and maintaining information systems
IT Investment and Prioritization How much to invest and where to invest in IT assets Anticipating new technologies
© 2020 John Wiley & Sons, Inc.
14
Political Archetypes (Weill & Ross)
Archetypes label the combinations of people who either provide information or have key IT decision rights
Business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy.
Decisions can be made at several levels in the organization (Figure 9.6).
Enterprise-wide, business unit, and region/group within a business unit.
© 2020 John Wiley & Sons, Inc.
15
For each decision category, the organization adopts an archetype as the means to obtain inputs for decisions and to assign responsibility for them.
15
Political Archetypes
Organizations vary widely in their archetypes selected
The duopoly is used by the largest portion (36%) of organizations for IT principles decisions.
IT monarchy is the most popular for IT architecture (73%) and infrastructure decisions (59%).
Steering committees are a popular approach
They include key stakeholders
They can be formed at different levels:
Higher level (focus on CIO effectiveness)
Lower level (focus on details of various projects)
© 2020 John Wiley & Sons, Inc.
16
Figure 9.6 IT governance archetypes
© 2020 John Wiley & Sons, Inc.
17
There is no best arrangement for the allocation of decision rights.
The most appropriate arrangement depends on a number of factors, including the type of performance indicator.
17
Emergent Governance:
Platform-Based Governance
Challenge a “top down” approach
Digital ecosystems can grow up all around you
Self-interested, self-organizing, autonomous sets of technologies from different sources
Firms find opportunities to exploit new technologies that were not anticipated
Good examples:
Google Maps
YouTube
© 2020 John Wiley & Sons, Inc.
18
Another Interesting Example
Electronic Health Record
Can connect to perhaps planned sources:
Pharmacy
Lab
Insurance Company
And can connect to unplanned sources:
Banks – for payment
Tax authority – for matching deductions
Smartphone apps – for many purposes
© 2020 John Wiley & Sons, Inc.
19
How to Govern in this case?
Might be difficult to impossible!
Consumerization leads people to demand more and more over time
The systems might simply emerge and evolve
No one entity can plan these systems in their entirety
© 2020 John Wiley & Sons, Inc.
20
Summary of Three Governance Frameworks
Governance Framework Main Concept Possible Best Practice
Centralization-Decentralization Decisions can be made by a central authority or by autonomous individuals or groups in an organization. A hybrid, Federal approach
Decision Archetypes Specifying patterns based upon allocating decision rights and accountability. Tailor the archetype to the situation
Digital Ecosystems Members of the ecosystem contribute their strengths, giving the whole ecosystem a complete set of capabilities. Build flexibility and adaptability into governance.
© 2020 John Wiley & Sons, Inc.
21
A Fourth – Out of a Firm’s Control:
Legislation
22
© 2020 John Wiley & Sons, Inc.
Sarbanes-Oxley Act (SoX) (2002)
To increase regulatory visibility and accountability of public companies and their financial health
All companies subject to the SEC are subject to SoX.
CEOs and CFOs must personally certify and be accountable for their firm’s financial records and accounting.
Firms must provide real-time disclosures of any events that may affect a firm’s stock price or financial performance.
20 year jail term is the alternative.
IT departments play a major role in ensuring the accuracy of financial data.
© 2020 John Wiley & Sons, Inc.
23
23
IT Control and Sarbanes-Oxley
In 2004 and 2005, IT departments began to
Identify controls,
Determine design effectiveness, and
Test to validate operation of controls
© 2020 John Wiley & Sons, Inc.
24
24
IT Control and Sarbanes-Oxley
Five IT control weaknesses are repeatedly uncovered by auditors:
Failure to segregate duties within applications, and failure to set up new accounts and terminate old ones in a timely manner
Lack of proper oversight for making application changes, including appointing a person to make a change and another to perform quality assurance on it
Inadequate review of audit logs to not only ensure that systems were running smoothly but that there also was an audit log of the audit log
Failure to identify abnormal transactions in a timely manner
Lack of understanding of key system configurations
© 2020 John Wiley & Sons, Inc.
25
Frameworks for Implementing SoX
COSO – Committee of Sponsoring Organzations of the Treadway Commission.
Created three control objectives for management and auditors that focused on dealing with risks to internal control
Operations –maintain and improve operating effectiveness; protect the firm’s assets
Compliance –with relevant laws and regulations.
Financial reporting –in accordance with GAAP
© 2020 John Wiley & Sons, Inc.
26
26
Control Components
Five essential control components were created to make sure a company is meeting its objectives:
Control environment (culture of the firm)
Assessment of most critical risks to internal controls
Control processes that outline important processes and guidelines
Communication of those procedures
Monitoring of internal controls by management
© 2020 John Wiley & Sons, Inc.
27
Frameworks (continued)
COBIT (Control Objectives for Information and Related Technology)
IT governance framework that is consistent with COSO controls.
Issued in 1996 by Information Systems Audit & Control Association (ISACA)
A company must
Determine the processes/risks to be managed.
Set up control objectives and KPIs (key performance indicators)
Develop activities to reach the KPIs
Advantages – well-suited to organizations focused on risk management and mitigation, and very detailed.
Disadvantages – costly and time consuming
© 2020 John Wiley & Sons, Inc.
28
28
IS and the Implementation of SoX Compliance
The IS department and CIO are involved with the implementation of SoX.
Section 404 deals with management’s assessment of internal controls.
Six tactics that CIOs can use in working with auditors, CFOs, and CEOs (Fig. 9.8):
Knowledge building (Build a knowledge base)
Knowledge deployment (Disseminate knowledge to management.)
Innovation directive (Organize for implementing SoX)
Mobilization (Persuade players and subsidiaries to cooperate)
Standardization (Negotiate agreements, build rules)
Subsidy (Fund the costs)
A CIO’s ability to employ these various tactics depends upon his/her power (relating to the SoX implementation).
© 2020 John Wiley & Sons, Inc.
29
The CIO needs to acquire and manage the considerable IT resources to make SoX compliance a reality.
29
Managing and Using Information Systems:
A Strategic Approach – Seventh Edition
Keri Pearlson, Carol Saunders,
and Dennis Galletta
© Copyright 2020
John Wiley & Sons, Inc.
Chapter 9
Governance of the Information
Systems Organization
