Orig­i­nal source pub­li­ca­tion: Capeça, G. e F. de Sá-Soares (2015). Audi­to­ria do Alin­hamento entre Sis­temas de Infor­mação e o Negó­cio. Actas da 15.ª Con­fer­ên­cia da Asso­ci­ação Por­tuguesa de Sis­temas de Infor­mação—CAPSI 2015. Lis­boa (Por­tu­gal).

Infor­ma­tion Sys­tems and Busi­ness Align­ment Audit

Gilberto Capeça and Fil­ipe de Sá-Soares

Cen­ter ALGO­RITMI, Uni­ver­sity of Minho, Por­tu­gal

1. Introduction

Infor­ma­tion sys­tems (IS) are now cru­cial tools for the suc­cess of orga­ni­za­tions. As the use of infor­ma­tion tech­nol­ogy (IT) inten­si­fies, as orga­ni­za­tions com­pare them­selves in terms of per­for­mance and as IT efforts and invest­ments come under greater scrutiny, the con­cern to ensure that the appli­ca­tion of IT is aligned with the orga­ni­za­tion’s busi­ness becomes increas­ingly rel­e­vant.

In order for orga­ni­za­tions to achieve align­ment between IS and the busi­ness, they have to artic­u­late aspects such as the busi­ness strat­egy, the IS strat­egy and the tech­no­log­i­cal and orga­ni­za­tional infra­struc­tures [Croateau and Begeron 2001]. Although there are many stud­ies in the lit­er­a­ture that reveal the cen­tral­ity of align­ment for orga­ni­za­tions (cf. [Chan et al. 2006], [Kap­pel­man et al. 2013] and [Luft­man and Derk­sen 2012]) and point to crit­i­cal fac­tors for achiev­ing it (cf. [Camp­bell et al. 2005] and [Teo and Ang 1999]), there are also dif­fer­ent pro­pos­als for assess­ing the align­ment between IS and the busi­ness of orga­ni­za­tions, with dif­fer­ent emphases and var­ied method­olog­i­cal approaches (cf. [Belfo and Sousa 2012], [Chan and Reich 2007], [Kearns and Led­erer 2003], [Sab­her­wal and Chan 2001] and [Tan and Gallupe 2006]).

Given that the pur­suit of align­ment requires a con­tin­u­ous process of adjust­ments between the busi­ness and the appli­ca­tion of IT, embod­ied in dia­logues, nego­ti­a­tions and deci­sions between agents from the busi­ness areas and agents from the IS area (IS func­tion), we argue that the activ­i­ties of IS gov­er­nance and IS man­age­ment are pre­con­di­tions for the pur­suit of align­ment by orga­ni­za­tions. Con­se­quently, assess­ing the degree of align­ment will ini­tially involve assess­ing the qual­ity of these two activ­i­ties. The for­mal­iza­tion of this assess­ment could take the form of an audit.

This paper out­lines an audit pro­ce­dure that aims to eval­u­ate IS gov­er­nance and man­age­ment activ­i­ties from the per­spec­tive of align­ment between the appli­ca­tion of IT and the orga­ni­za­tion’s busi­ness.

Method­olog­i­cally, this pro­ce­dure was out­lined through a case study car­ried out in a cen­tral bank­ing insti­tu­tion. Struc­turally, the work is orga­nized as fol­lows: after this intro­duc­tion, the con­cept of align­ment is reviewed, gov­er­nance and infor­ma­tion sys­tems man­age­ment activ­i­ties are put into per­spec­tive, fol­lowed by a descrip­tion of the study car­ried out. Sub­se­quently, the results of the study are pre­sented, the rec­om­men­da­tions derived are listed and a set of final con­sid­er­a­tions is pre­sented.

2. Alignment between Information System and Business

The align­ment between the infor­ma­tion sys­tem and the busi­ness is one of the recur­ring themes in the infor­ma­tion sys­tems lit­er­a­ture. Since the emer­gence of inter­est in this sub­ject, pre­cip­i­tated by the recog­ni­tion that many orga­ni­za­tions made when they real­ized that they were not devel­op­ing infor­ma­tion sys­tems that sup­ported their busi­ness strate­gies, sev­eral authors have looked at this issue, accom­pa­nied by con­tin­ued inter­est on the part of IS man­agers who, year after year, point to the search for align­ment between the appli­ca­tion of IT and the busi­ness as one of their cen­tral con­cerns (cf. [Kap­pel­man et al. 2014]).

Con­fronted with fail­ures to obtain busi­ness ben­e­fits from the appli­ca­tion of IT and the busi­ness and tech­no­log­i­cal risks that orga­ni­za­tions face, the search for align­ment between the infor­ma­tion sys­tem and the busi­ness is a defense mech­a­nism for the orga­ni­za­tion itself, i.e. it is believed that greater and bet­ter IT sup­port for the busi­ness will boost more robust orga­ni­za­tional per­for­mance, which will strengthen the orga­ni­za­tion’s com­pet­i­tive posi­tion in the mar­ket. This will lead the orga­ni­za­tion to achieve suc­ces­sive, albeit tem­po­rary, bal­ances between its inter­nal envi­ron­ment and its sur­round­ings.

To achieve this state of con­ver­gence between IT and the busi­ness, it is nat­ural for orga­ni­za­tions to pur­sue greater inte­gra­tion between spe­cific processes in each of the two domains involved - the infor­ma­tion sys­tem and the busi­ness, for exam­ple by inten­si­fy­ing inte­gra­tion between the IS plan­ning process and the orga­ni­za­tion’s strate­gic gov­er­nance process [Pitassi and Leitão 2002, p. 79] or by con­verg­ing the IS func­tion’s actions with the strate­gic inter­ests of the entire orga­ni­za­tion [Calle Jr. and Kan­ter 1998, p. 1].

The search for align­ment between the infor­ma­tion sys­tem and the busi­ness is based on a man­age­ment process involv­ing the var­i­ous busi­ness units, guided by the orga­ni­za­tion’s objec­tives. This process rests upon the for­mu­la­tion of objec­tives and the imple­men­ta­tion of actions that result in greater or bet­ter IT sup­port for the busi­ness. To do this, it is nec­es­sary to take into account fac­tors exter­nal to the orga­ni­za­tion, imposed on it by its envi­ron­ment, and fac­tors inter­nal to the orga­ni­za­tion. The fac­tors that con­di­tion the suc­cess of the orga­ni­za­tion in achiev­ing align­ment include human, infor­ma­tional and orga­ni­za­tional cap­i­tal, using the cat­e­go­riza­tion pro­posed by Kaplan and Nor­ton [2006]. The human cap­i­tal cat­e­gory includes aspects relat­ing to the tal­ent, qual­i­fi­ca­tions, expe­ri­ence and knowl­edge of the orga­ni­za­tion’s employ­ees, as agents in the align­ment process. The infor­ma­tion cap­i­tal cat­e­gory includes aspects related to IT infra­struc­tures, IT plat­forms, com­puter appli­ca­tions and infor­ma­tion, as struc­tural lim­iters and enhancers of the infor­ma­tion sys­tem in the align­ment process. Finally, the orga­ni­za­tional cap­i­tal cat­e­gory includes aspects relat­ing to orga­ni­za­tional cul­ture and lead­er­ship, as struc­tural lim­iters and enablers of the busi­ness in the align­ment process.

Align­ment between the infor­ma­tion sys­tem and the busi­ness can be under­stood as the har­mo­nious appli­ca­tion of IT with the strat­egy, objec­tives and needs of the busi­ness, in an appro­pri­ate and timely man­ner. In order to achieve align­ment between the appli­ca­tion of IT and the busi­ness, the orga­ni­za­tion will engage in a con­tin­u­ous process of adjust­ments with the aim of achiev­ing inter­con­nec­tion between the busi­ness objec­tives and strate­gies and the IS objec­tives and strate­gies [Affeldt and Vanti 2009].

It should be noted, how­ever, that it is not enough for the appli­ca­tion of IT to be aligned with the busi­ness, it is impor­tant for the busi­ness to under­stand the impor­tance and use­ful­ness of IT in sup­port­ing the achieve­ment of its objec­tives. In fact, this is a dis­tinc­tion in terms of what could be called the degree of qual­ity of align­ment: an orga­ni­za­tion can apply its IT per­fectly in line with its busi­ness, but at the same time under­use the poten­tial of IT to sup­port busi­ness strat­egy and processes.

Align­ment has emerged as a key fac­tor for the suc­cess of orga­ni­za­tions in a highly dynamic envi­ron­ment, as IT must enable them to do the right thing (effec­tive­ness) and in the best pos­si­ble way (effi­ciency) [Luft­man 2000]. In order to achieve this align­ment, Hen­der­son and Venka­tra­man [1993] pro­posed a model for adjust­ing four fun­da­men­tal aspects: busi­ness strat­egy, IT strat­egy, orga­ni­za­tional infra­struc­ture and processes and IT infra­struc­ture and processes.

Busi­ness strat­egy involves a moment of for­mu­la­tion (choice of com­pet­i­tive approach, prod­ucts and mar­kets) and a moment of imple­men­ta­tion (deci­sions about the struc­ture and capa­bil­i­ties that will exe­cute those choices). Sim­i­larly, IT strat­egy must involve choices about the types of infor­ma­tion tech­nol­ogy to employ and their means of use and acqui­si­tion (for­mu­la­tion) and deci­sions about how the IT infra­struc­ture should be con­fig­ured and man­aged (imple­men­ta­tion).

These four aspects are aligned along two dimen­sions, as shown in Fig­ure 1:

• Strate­gic Adjust­ment - between the inter­nal and exter­nal domains.

• Func­tional Inte­gra­tion - between the busi­ness and infor­ma­tion sys­tems domains.

Fig­ure 1: Hen­der­son and Venka­tra­man [1993] Align­ment Model

As already noted, align­ment between the appli­ca­tion of IT and the busi­ness is not an event, but a con­tin­u­ous process of adap­ta­tion and trans­for­ma­tion [Hen­der­son and Venka­tra­man 1993]. Achiev­ing it requires a change, often sub­stan­tial, in man­age­ment think­ing about the role of IT in the orga­ni­za­tion, as well as an under­stand­ing of IS strat­egy and its impor­tance in both sup­port­ing and dri­ving busi­ness strat­egy deci­sions.

If we look at the inter­re­la­tion­ships between the busi­ness and the infor­ma­tion sys­tem, in terms of their strate­gies, processes, resources and agents, in order to achieve the much sought-after align­ment between the infor­ma­tion sys­tem and the busi­ness, then we can con­sider that the gov­er­nance of the orga­ni­za­tion’s infor­ma­tion sys­tem is a fun­da­men­tal pre­req­ui­site for the suc­cess of any ini­tia­tives aimed at improv­ing that con­ver­gence between IT and the busi­ness. As the search for this con­ver­gence is an ongo­ing process, then it is equally pos­si­ble to argue about the impor­tance of infor­ma­tion sys­tems man­age­ment in achiev­ing align­ment, which is always imper­fect and unfin­ished.

3. Information Systems Governance and Management

Infor­ma­tion sys­tems gov­er­nance is a rel­a­tively recent con­cept in the lit­er­a­ture, but one that is gain­ing rel­e­vance both in acad­e­mia and among pro­fes­sion­als. Faced with the poten­tial appli­ca­tion of IT in all or almost all orga­ni­za­tional areas and the trans­for­ma­tion of the role of IT from mere admin­is­tra­tive tools to strate­gic instru­ments [Hen­der­son and Vanka­tra­man 1993], many com­pa­nies and gov­ern­ment agen­cies have moved towards the imple­men­ta­tion of IS gov­er­nance in order to achieve the fusion between busi­ness and IT and obtain the involve­ment of senior man­age­ment in IS issues [Haes and Van Grem­ber­gen 2009].

Although orga­ni­za­tions man­age many assets (peo­ple, money, facil­i­ties, etc.), per­haps infor­ma­tion and the tech­nolo­gies that col­lect, store, process and dis­sem­i­nate it are among the assets that cause them the most per­plex­ity and pose the great­est chal­lenges. If, on the one hand, busi­nesses demand ever more rapid change, sys­tems, once imple­mented, remain rel­a­tively rigid. Often, IT imple­men­ta­tions involve imme­di­ate and ongo­ing invest­ments, in pur­suit of results that can be dif­fi­cult to pre­dict and real­iza­tion not always sat­is­fac­tory. These uncer­tain­ties and com­plex­i­ties cause many man­agers to abdi­cate respon­si­bil­ity for ensur­ing that the orga­ni­za­tion’s employ­ees use IT effec­tively [Weill and Ross 2004].

The adop­tion of IT in the orga­ni­za­tion is rec­og­nized as a com­plex process that involves plan­ning, eval­u­at­ing the cost/ben­e­fit gen­er­ated by the sys­tem and adapt­ing it to the orga­ni­za­tional real­ity. In fact, this adop­tion is a process of change that encom­passes not only the tech­no­log­i­cal envi­ron­ment, but also the tech­ni­cal envi­ron­ment, human resources and the entire struc­ture of the orga­ni­za­tion [Pas­cutti et al. 2009].

Ulti­mately, IS gov­er­nance is the respon­si­bil­ity of the orga­ni­za­tion’s exec­u­tive team, and respon­si­bil­i­ties for this activ­ity are often assigned to a com­mit­tee made up of top, line and IS exec­u­tives, in order to bring together the dif­fer­ent per­spec­tives and sen­si­tiv­i­ties held by the busi­ness and IT play­ers.

IS gov­er­nance pro­vides lead­er­ship, orga­ni­za­tional struc­ture and process ori­en­ta­tion to ensure that the orga­ni­za­tion’s IS func­tion under­stands and sup­ports the orga­ni­za­tion’s strate­gies and objec­tives. The impor­tance of this activ­ity thus derives from the way it deals with the main busi­ness issues and their rela­tion­ship with infor­ma­tion sys­tems, the pro­tec­tion of strate­gic infor­ma­tion sys­tems and the guide­lines it estab­lishes for the IS man­age­ment activ­ity [Buckby et al. 2005].

It is impor­tant to empha­size the dis­tinc­tion between the IS gov­er­nance activ­ity and the IS man­age­ment activ­ity, as we some­times come across visions in which these two activ­i­ties are under­stood as syn­ony­mous or, in the inces­sant search for the new buzz­word, the gov­er­nance activ­ity is pre­sented as the new for­mula which, by enhanc­ing the ben­e­fits and elim­i­nat­ing the dif­fi­cul­ties of the man­age­ment activ­ity, will solve all the prob­lems faced by IS man­agers.

While IS man­age­ment focuses on the effi­cient and effec­tive deliv­ery of IS ser­vices and prod­ucts and the man­age­ment of IS oper­a­tions, IS gov­er­nance faces the dual demands of con­tribut­ing to cur­rent busi­ness oper­a­tions and per­for­mance and trans­form­ing and posi­tion­ing IT to meet future busi­ness chal­lenges [Peter­son 2003].

This dif­fer­en­ti­a­tion between IS gov­er­nance and IS man­age­ment has been explic­itly rec­og­nized by the most recent ver­sion of the COBIT bench­mark (COBIT 5), in which IS gov­er­nance ensures that the needs, con­di­tions and options of stake­hold­ers are ana­lyzed to for­mu­late bal­anced and agreed objec­tives to be achieved, set­ting direc­tion through pri­or­i­ti­za­tion and deci­sion-mak­ing [ISACA 2012]. In addi­tion, gov­er­nance also ensures the mon­i­tor­ing and com­pli­ance of the direc­tion and objec­tives pre­vi­ously estab­lished. In turn, IS man­age­ment is respon­si­ble for plan­ning and exe­cut­ing IT-related ini­tia­tives, align­ing them accord­ing to the direc­tives received.

This dis­tinc­tion between IS gov­er­nance and man­age­ment is directly reflected in the model pro­posed by COBIT, which sub­di­vides IT-related prac­tices and activ­i­ties into two main domains, with gov­er­nance asso­ci­ated with the analy­sis, direc­tion and mon­i­tor­ing of ini­tia­tives related to infor­ma­tion sys­tems, and man­age­ment asso­ci­ated with the plan­ning, con­struc­tion, exe­cu­tion and mon­i­tor­ing of the infor­ma­tion sys­tems them­selves, as illus­trated in Fig­ure 2.

Fig­ure 2: Rela­tion­ship between COBIT 5 Domains
Adapted from ISACA [2012, p. 32]

IS gov­er­nance is based on a struc­ture of rela­tion­ships and processes to direct and con­trol IT in order to achieve the orga­ni­za­tion’s goals by adding value. To this end, IS gov­er­nance aims to answer the fol­low­ing ques­tions [Weil and Ross 2004]:

• Do IT capa­bil­i­ties improve the orga­ni­za­tion’s com­pet­i­tive­ness?

• Do all man­agers in the orga­ni­za­tion rec­og­nize their respon­si­bil­i­ties for the effec­tive man­age­ment and use of IT, or do they assume that this is only an IS prob­lem?

• Do IT invest­ments in the orga­ni­za­tion aim to meet strate­gic objec­tives or does the orga­ni­za­tion waste resources and invest­ments by only meet­ing tac­ti­cal ini­tia­tives and oper­a­tional needs?

Since IS gov­er­nance aims to know the value and strate­gic impor­tance of IT in the orga­ni­za­tion, to ensure that IT can sup­port its oper­a­tions and to ensure that it can imple­ment the nec­es­sary strate­gies in the face of the orga­ni­za­tion’s future growth and expan­sion, IS gov­er­nance best prac­tices should ensure that IT expec­ta­tions are met and the risks inher­ent to IT are min­i­mized [ISACA 2012].

In this way, the effec­tive use of IT and the inte­gra­tion between its strat­egy and the busi­ness strat­egy go beyond the idea of IT as sim­ple tools for process automa­tion and pro­duc­tiv­ity. The path to the suc­cess­ful appli­ca­tion of IT in the orga­ni­za­tion is no longer related solely to the hard­ware and soft­ware used, or to the IS devel­op­ment meth­ods adopted, but to the degree to which the appli­ca­tion of IT is aligned with the strat­egy and char­ac­ter­is­tics of the orga­ni­za­tion and its orga­ni­za­tional struc­ture [Lau­rindo et al. 2001, p. 161].

Although the impor­tance of align­ment between the appli­ca­tion of IT and the busi­ness is widely rec­og­nized both in the lit­er­a­ture and in IS prac­tice, assess­ing how well an orga­ni­za­tion pur­sues or achieves this align­ment raises inter­est­ing chal­lenges. The assump­tions made in this paper are that good IS gov­er­nance, together with good IS man­age­ment, are nec­es­sary con­di­tions for achiev­ing align­ment between the infor­ma­tion sys­tem and the busi­ness. It is there­fore argued that the first step in gaug­ing the degree of align­ment is to eval­u­ate the two activ­i­ties related to the infor­ma­tion sys­tem - gov­er­nance and man­age­ment. If it is found that these activ­i­ties are of suf­fi­cient qual­ity, then atten­tion can be focused on the pro­ce­dure for mea­sur­ing the spe­cific degree of align­ment and, at the same time, the aspects that need to be improved in order to inten­sify the con­ver­gence between the appli­ca­tion of IT and the busi­ness can be pointed out. If these two activ­i­ties are found to be lack­ing in qual­ity, then the search for align­ment will require a prior review and read­just­ment of these activ­i­ties.

Based on the above, the aim of this work was to out­line an audit pro­ce­dure (as a for­mal, inde­pen­dent and sus­tained eval­u­a­tion process) based on the eval­u­a­tion of IS gov­er­nance and man­age­ment activ­i­ties as a prior step to assess­ing the degree of align­ment between an orga­ni­za­tion’s infor­ma­tion sys­tem and its busi­ness.

4. Study Description

In order to pro­pose and exper­i­ment with the audit­ing pro­ce­dure for IS gov­er­nance and man­age­ment activ­i­ties, the case study research method was used. The unit of analy­sis was a cen­tral bank, which, for con­fi­den­tial­ity rea­sons, will be referred to in this study as NSC.

The NSC is the cen­tral bank of a coun­try located in Africa. Its orga­ni­za­tional struc­ture con­sists of a Board of Direc­tors, six busi­ness units and six sup­port units, includ­ing the Infor­ma­tion Sys­tems and Tech­nol­ogy Depart­ment (ISTD). ISTD is respon­si­ble for pro­pos­ing and pro­mot­ing poli­cies and solu­tions in the field of Infor­ma­tion Sys­tems and Tech­nol­ogy to sup­port the Bank’s activ­ity, effi­ciently pro­vid­ing ser­vices for the design, imple­men­ta­tion, oper­a­tion and main­te­nance of the infra­struc­tures inher­ent to them.

The NSC, as a cen­tral bank, is respon­si­ble for reg­u­lat­ing and super­vis­ing finan­cial insti­tu­tions in its coun­try. As a reg­u­la­tory and super­vi­sory bank, and since the num­ber of finan­cial insti­tu­tions in the coun­try has grown in recent years, to ful­fill its role effec­tively, and since there has been a great deal of invest­ment in terms of IT by those insti­tu­tions, there has been a need for the NSC also to invest in IT. Thus, in recent years, at the direc­tion of the Cen­tral Gov­ern­ment, the NSC has invested heav­ily in IT in order to make its busi­ness oper­a­tions more effec­tive, secure and faster, to strengthen its role as super­vi­sor of the Finan­cial Sys­tem and to mod­ern­ize its admin­is­tra­tion.

To this end, in order to assess whether the invest­ments made in IT are sup­port­ing its objec­tives, i.e., to ensure that IT is being applied in such a way as to sup­port the orga­ni­za­tion’s objec­tives, the NSC’s Board of Direc­tors decided to carry out an audit of its infor­ma­tion sys­tems. It was within the scope of this audit that this study was car­ried out and in which a pro­ce­dure was designed and applied to assess the pre­con­di­tions for align­ment between the appli­ca­tion of IT and the NSC’s oper­a­tions (busi­ness). To ensure that IT has been designed and is being applied to sup­port the orga­ni­za­tion’s objec­tives, the audit set out to ver­ify the fol­low­ing con­di­tions at the NSC Bank:

1. Exis­tence of a struc­ture respon­si­ble for IS gov­er­nance and

2. Exis­tence of a struc­ture respon­si­ble for the IS func­tion in the orga­ni­za­tion, i.e., for the IS man­age­ment.

In order to carry out the work, it was decided to use COBIT 5 as a bench­mark for good IS gov­er­nance and man­age­ment prac­tices. To do this, a ques­tion­naire was drawn up with closed ques­tions, where the respon­dents had to answer only Yes or No (Y/N) accord­ing to the ques­tions asked, which was sent to man­agers in the orga­ni­za­tion, both in the busi­ness and IS areas. Before the ques­tion­naire was sent to the respon­dents, it was pre-val­i­dated by a group of spe­cial­ists in Infor­ma­tion Sys­tems and Tech­nol­ogy Audit­ing to make sure that the ques­tions were clear and rel­e­vant, and after some changes and improve­ments, the group of spe­cial­ists gave a favor­able opin­ion.

The themes of the ques­tions included in the ques­tion­naire, for­mu­lated based on COBIT 5, are those that the IS gov­er­nance struc­ture is respon­si­ble for ensur­ing and those that IS man­age­ment is respon­si­ble for pro­mot­ing, as shown in Table 1.

Table 1: Anchor Ques­tions on IS Gov­er­nance and Man­age­ment
Adapted from ISACA[2012]

At the start of the work, a for­mal meet­ing was held with staff from the orga­ni­za­tion to gauge their knowl­edge of the IS needs for car­ry­ing out their oper­a­tional activ­i­ties. For the IS area, the first meet­ing was held with the aim of under­stand­ing the struc­ture and func­tions of ISTD. A num­ber of ques­tions were asked, such as: how the depart­ment is orga­nized (i.e. how many areas, how many peo­ple, who it reports to), what objec­tives (strate­gic and oper­a­tional) have been set for the depart­ment, what are the main risks asso­ci­ated with achiev­ing the set objec­tives, what are the main reports it uses to ana­lyze the progress of the activ­ity/busi­ness in rela­tion to the set objec­tives, what are the key processes of the ISTD and what enti­ties does the ISTD depend on to ensure its objec­tives.

For the busi­ness areas, the ques­tions asked were aimed at ascer­tain­ing the main infor­ma­tion sys­tems and tech­nol­ogy that sup­port their activ­i­ties, how ISTD has responded to the areas’ infor­ma­tion sys­tems and tech­nol­ogy needs, among other issues.

At the same time, in the field we checked, based on the doc­u­men­tary reports that ISTD has drawn up and sent to the Chair­man of the Board of Direc­tors, the min­utes of inter­nal meet­ings in the area, the pro­ce­dures and orga­ni­za­tion man­u­als and sub­stan­tive tests, whether the IS gov­er­nance and man­age­ment prac­tices at NSC were in line with the good prac­tices rec­om­mended by COBIT 5. The sub­stan­tive tests were car­ried out to assess whether the processes and pro­ce­dures for car­ry­ing out activ­i­ties were designed to pre­vent or detect mate­r­ial errors on a reg­u­lar basis.

Obser­va­tion, semi-struc­tured inter­views and doc­u­ment col­lec­tion were used to col­lect the data.

5. Results

Accord­ing to COBIT 5, IS gov­er­nance ensures that the needs, con­di­tions and options of stake­hold­ers are ana­lyzed to deter­mine bal­anced and agreed objec­tives to be achieved, set­ting direc­tion through pri­or­i­ti­za­tion and deci­sion-mak­ing.

The IS gov­er­nance struc­ture should be made up of exec­u­tives, key busi­ness man­agers and the ISTD man­age­ment team, which should meet reg­u­larly to review IT ini­tia­tives and projects and pri­or­i­tize, align and rec­on­cile these projects with the NSC’s busi­ness plans and strate­gic ori­en­ta­tion.
The IS gov­er­nance struc­ture should also be respon­si­ble for ensur­ing that IT per­for­mance is in line with busi­ness expec­ta­tions, with Ser­vice Level Agree­ments (SLA’s) pro­vid­ing a basis for the lev­els and results expected from IT ser­vices.

IS man­age­ment, in turn, plans, cre­ates, exe­cutes and mon­i­tors IT activ­i­ties in line with the direc­tion set by the Board and ema­nat­ing from IS gov­er­nance to achieve orga­ni­za­tional objec­tives [ISACA 2012].

Thus, the orga­ni­za­tion should clearly define an IS gov­er­nance struc­ture, for­mally man­dat­ing and defin­ing its respon­si­bil­i­ties. In turn, this struc­ture should ensure that:

• IS gov­er­nance processes apply to all of the orga­ni­za­tion’s IT;

• It includes senior man­agers, busi­ness man­agers and IS man­agers;

• Its mem­bers are aware of their respon­si­bil­i­ties and reg­u­larly attend the body’s meet­ings;

• The min­utes of the meet­ings of this struc­ture exist and are acces­si­ble to its mem­bers;

• Within this frame­work, strate­gic alter­na­tives for the infor­ma­tion sys­tem are dis­cussed and then the IS strat­egy is for­mu­lated and approved;

• Fol­low­ing its strate­gic deter­mi­na­tions for the infor­ma­tion sys­tem, define and mon­i­tor per­for­mance tar­gets and high-level met­rics, as well as bench­marks for the ser­vice lev­els to be observed by the IT applied;

• Also in con­junc­tion with the strate­gic def­i­n­i­tion, estab­lish the gen­eral pro­grams and bud­gets for the IS func­tion and, at the same time, for the orga­ni­za­tion’s IT.

Hav­ing com­pleted the work it set out to do, the audit did not iden­tify the for­mal and struc­tured involve­ment of the busi­ness areas in IS gov­er­nance. The audit found that there is no IS gov­er­nance struc­ture in place. The IS func­tion reports directly to the Chair­man of the Board of Direc­tors. He in turn presents IT issues to the Board of Direc­tors.

The struc­tured involve­ment of the busi­ness areas in defin­ing the IS strat­egy, pri­or­i­tiz­ing busi­ness projects and mon­i­tor­ing and eval­u­at­ing IT ser­vice lev­els was also not iden­ti­fied.

The audit found no evi­dence of any other for­mal and reg­u­lar meet­ings to dis­cuss IS strat­egy and busi­ness needs involv­ing the bank’s busi­ness areas.
Sim­i­larly, the audit did not iden­tify reg­u­lar for­mal meet­ings held between the busi­ness areas and the IS man­age­ment team to dis­cuss busi­ness needs, and there was no for­mal process in place to involve the ISTD when projects with IT com­po­nents were ini­ti­ated.

IS man­age­ment is respon­si­ble for plan­ning and exe­cut­ing IS ini­tia­tives, align­ing them with the guide­lines received. Hence, the IS func­tion should:

• Be designed to sup­port orga­ni­za­tional objec­tives;

• Ensure account­abil­ity and the estab­lish­ment of deci­sion-mak­ing poli­cies;

• Have a per­fectly defined staff;

• Ensure that the func­tions of each IS man­ager are defined and doc­u­mented;

• Ensure the exis­tence of met­rics to mea­sure IT per­for­mance (orga­ni­za­tional man­u­als, pro­ce­dures, ser­vice level agree­ments, etc.);

• Mon­i­tor and report on the exe­cu­tion of their bud­get and the sta­tus of IT projects to the IS gov­er­nance struc­ture;

• Ensure the exis­tence of IS pro­ce­dures and ser­vice man­u­als that guide oper­a­tions and oper­a­tors related to the infor­ma­tion sys­tem;

• Ensure that pro­ce­dures and ser­vice man­u­als are reg­u­larly reviewed and updated.

With regard to the IS func­tion, although there was no for­mal IS gov­er­nance struc­ture, it could be seen that the IS func­tion at NSC is for­mally con­sti­tuted and doc­u­mented. Specif­i­cally, evi­dence was found of the for­mal def­i­n­i­tion of IS per­son­nel and the processes related to the IS func­tion, as well as the assign­ment of respon­si­bil­i­ties, roles and rela­tion­ships within the IS func­tion. Infor­ma­tion cir­cu­la­tion, dis­sem­i­na­tion and access poli­cies have also been defined, approved by the Board of Direc­tors and dis­sem­i­nated through­out the orga­ni­za­tion.

The audit noted that poli­cies and pro­ce­dure man­u­als were not doc­u­mented for some IS ser­vices. IS-related tasks were car­ried out based on staff knowl­edge and expe­ri­ence, with­out guid­ance from pro­ce­dure man­u­als or poli­cies, thus cre­at­ing an over-reliance on staff with detailed knowl­edge of these processes. In the event of a depar­ture or absence of key per­son­nel, there was no doc­u­mented guid­ance on how func­tions should be car­ried out.

It was also found that no SLAs have been defined between the ISTD and the busi­ness areas and there was no account­abil­ity indi­ca­tors reported and con­trolled on a reg­u­lar basis. For some IT func­tions and ser­vices, there were no pro­ce­dure man­u­als to pro­vide guid­ance for oper­a­tions and oper­a­tors.

As a sum­mary, Table 2 shows the con­sol­i­dated posi­tions on the themes under­ly­ing the anchor ques­tions pre­vi­ously pre­sented for the NSC bank, indi­cat­ing the degree of sat­is­fac­tion on the part of the insti­tu­tion in the areas of IS gov­er­nance and man­age­ment exam­ined.

Table 2: Sum­mary of NSC Bank’s IS Gov­er­nance and Man­age­ment Assess­ment

6. Recommendations

IT can make a sig­nif­i­cant con­tri­bu­tion to orga­ni­za­tions achiev­ing their objec­tives, but this requires mak­ing IS gov­er­nance more agile and clear in its implan­ta­tion and use, espe­cially with regard to aspects such as bal­anc­ing risks; con­trol­ling costs, peo­ple, con­tracts and the pro­vi­sion of third-party ser­vices; as well as being clear about how deci­sions are made and who makes them [Men­donça et al 2013], mak­ing it clear that there is an align­ment between IT and the busi­ness of orga­ni­za­tions.

In order to over­come the non-con­for­mi­ties found in the audit car­ried out at NSC and to improve the align­ment between the infor­ma­tion sys­tem and the Bank’s busi­ness, based on the eval­u­a­tion pro­ce­dure car­ried out, the fol­low­ing rec­om­men­da­tions have been put for­ward, in the form of tasks that the insti­tu­tion should carry out in the near future:

• Clearly define the IS gov­er­nance struc­ture;

• Draw­ing up and dis­sem­i­nat­ing the for­mal doc­u­ments that man­date and define the respon­si­bil­i­ties of the IS gov­er­nance struc­ture;

• Cre­ate IS gov­er­nance processes and apply them to all of the orga­ni­za­tion’s IT;

• Dis­cuss and approve the IS strat­egy at the level of the IS gov­er­nance struc­ture;

• Dis­cuss and approve IT pro­grams and bud­gets at the level of the IS gov­er­nance struc­ture;

• Estab­lish met­rics to mea­sure IT per­for­mance;

• Define and mon­i­tor IT per­for­mance tar­gets, met­rics and ser­vice lev­els;

• Mon­i­tor­ing and report­ing on bud­get exe­cu­tion and project sta­tus to the IS gov­er­nance struc­ture by the IS man­age­ment struc­ture.

7. Final Considerations

The sub­ject of align­ment between IS and the busi­ness of orga­ni­za­tions has been stud­ied by var­i­ous authors. The­o­ret­i­cal and empir­i­cal evi­dence sug­gests that bet­ter align­ment between the infor­ma­tion sys­tem and the busi­ness leads to higher lev­els of orga­ni­za­tional per­for­mance. In addi­tion, align­ment pro­vides visu­al­iza­tion of strate­gic infor­ma­tion, as well as posi­tion­ing the IS area and infor­ma­tion sys­tems as key ele­ments in orga­ni­za­tions [Affeldt and Vanti 2009].

To ensure that IT are designed to sup­port the orga­ni­za­tion’s objec­tives, it is impor­tant that there is a com­mit­ment between top man­age­ment, the busi­ness areas and the IS area (IS func­tion), so that they under­stand the role and poten­tial of IT in sup­port­ing the busi­ness and the orga­ni­za­tion and the IS func­tion knows what ser­vices it must deliver to the busi­ness in order to ensure that the busi­ness’s needs in rela­tion to IT are being met. To this end, it is impor­tant that there is a for­mal struc­ture with the respon­si­bil­ity and man­date to define the IS strat­egy in sup­port of the busi­ness, align­ing it with the orga­ni­za­tion’s objec­tives.

IS gov­er­nance assumes a fun­da­men­tal role in embody­ing the activ­i­ties of that for­mal struc­ture, and must be an inte­gral part of orga­ni­za­tional man­age­ment, lead­ing and cre­at­ing the orga­ni­za­tional struc­tures and processes that ensure that IT sup­ports the orga­ni­za­tion’s strate­gies and objec­tives.

As a result, and in com­ple­men­tar­ity with IS gov­er­nance, IS man­age­ment will aim to achieve align­ment between the appli­ca­tion of IT and the busi­ness, guided by the direc­tives issued by IS gov­er­nance.

This work found that NSC Bank does not have an IS gov­er­nance struc­ture to ensure that IT needs to sup­port the busi­ness are being well addressed and that the IS func­tion is pro­vid­ing the ser­vices required by the busi­ness areas. It fol­lows that it can­not be ensured that IT is designed to sup­port NSC Bank’s objec­tives and strat­egy. In addi­tion to the imme­di­ate con­clu­sions of the audit pro­ce­dure, the assess­ment car­ried out at NSC Bank has made it pos­si­ble to put for­ward a set of rec­om­men­da­tions for insti­tu­tion­al­iz­ing the IS gov­er­nance activ­ity, improv­ing the oper­a­tion of the IS func­tion, i.e., the IS man­age­ment activ­ity, and link­ing IS gov­er­nance and man­age­ment at NSC.

In order to assess IS gov­er­nance and man­age­ment activ­i­ties, an audit pro­ce­dure based on COBIT 5 was drawn up, which is believed to be the first step in assess­ing the align­ment between the appli­ca­tion of IT and the busi­ness.

As future work, there is an inter­est in out­lin­ing the sec­ond stage of mea­sur­ing align­ment: hav­ing con­cluded on the exis­tence and qual­ity of IS gov­er­nance and man­age­ment activ­i­ties, it will be impor­tant to mea­sure the degree to which IT sup­ports busi­ness objec­tives and strat­egy. Sub­se­quently, it will be pos­si­ble to launch stud­ies to deter­mine the rela­tion­ship between the degree of align­ment between an orga­ni­za­tion’s infor­ma­tion sys­tem and its busi­ness and the qual­ity of its IS gov­er­nance and man­age­ment activ­i­ties, and thus assess whether these two activ­i­ties are suf­fi­cient to achieve align­ment.

Acknowledgments

This work was sup­ported by FCT - Foun­da­tion for Sci­ence and Tech­nol­ogy under the Pro­ject Scope PEst-OE/EEI/UI0319/2014.

References

• Affeldt, F. S. and A. A. Vanti (2009). Alin­hamento Estratégico e Tec­nolo­gia da Infor­mação: Análise de Mod­e­los e Pro­postas para Pesquisas Futuras. Revista de Gestão da Tec­nolo­gia e Sis­tema de Infor­mação 6(2), 203–226.

  Belfo, F. and R. D. Sousa (2012). A Crit­i­cal Review of Luft­man’s Instru­ment for Busi­ness-IT Align­ment. MCIS 2012 Pro­ceed­ings, Paper 6.

  Buckby, S., P. Best and J. Stew­art (2005) The Role of Boards in Review­ing Infor­ma­tion Tech­nol­ogy Gov­er­nance (ITG) as part of Orga­ni­za­tional Con­trol Envi­ron­ment Assess­ments. In Cusack, B. (Ed.). Pro­ceed­ings 2005 IT Gov­er­nance Inter­na­tional Con­fer­ence, 1–14. Auck­land (New Zealand).

  Calle Jr, E. and J. Kan­ter (1998). Align­ing Infor­ma­tion Sys­tems and Busi­ness Strat­egy: A Case study. Jour­nal of Infor­ma­tion Tech­nol­ogy Man­age­ment IX(1).

  Camp­bell, B., R. Kay and D. Avi­son (2005). Strate­gic align­ment: a prac­ti­tioner’s per­spec­tive. Jour­nal of Enter­prise Infor­ma­tion Man­age­ment 18(6), 653–664.

  Chan, Y. E. B. H. Reich (2007). IT align­ment: what have we learned? Jour­nal of Infor­ma­tion Tech­nol­ogy 22(4), 297–315.

  Chan, Y.E., R. Sab­her­wal and J. B. Thatcher (2006). Antecedents and Out­comes of Strate­gic IS align­ment: An Empir­i­cal Inves­ti­ga­tion. IEEE Trans­ac­tions on Engi­neer­ing Man­age­ment 53(1), 27–47.

  Croteau, A. and F. Berg­eron (2001). An Infor­ma­tion Tech­nol­ogy Tril­ogy: Busi­ness Strat­egy, Tech­no­log­i­cal Deploy­ment and Orga­ni­za­tional Per­for­mance. Jour­nal of Strate­gic Infor­ma­tion Sys­tems 10, 77–79.

  Haes, S. and W. van Grem­ber­gen (2009). An Exploratory Study into IT Gov­er­nance Imple­men­ta­tions and Its Impact on Busi­ness/IT Align­ment. Infor­ma­tion Sys­tems Man­age­ment 26(2), 123–137.

  Hen­der­son, J. and N. Venka­tra­man (1993). Strate­gic Align­ment: Lever­ag­ing Infor­ma­tion Tech­nol­ogy for Trans­form­ing Orga­ni­za­tions. IBM Sys­tems Jour­nal 32(1), 4–16.

  ISACA (2012). COBIT 5—A Busi­ness Frame­work for the Gov­er­nance and Man­age­ment of Enter­prise IT. ISACA.

  Kaplan, R. and D. Nor­ton (2006). Align­ment: Using the Bal­anced Score­card to Cre­ate Cor­po­rate Syn­er­gies. Boston: Har­vard Busi­ness School Pub­lish­ing Cor­po­ra­tion.

  Kap­pel­man, L., E. McLean, J. Luft­man and V. John­son (2013). Key Issues of IT Orga­ni­za­tions and Their Lead­er­ship: The 2013 SIM IT Trends Study. MIS Quar­terly Exec­u­tive 12(4), 227–240.

  Kap­pel­man, L., E. McLean, V. John­son and N. Ger­hart (2014). The 2014 SIM IT Key Issues and Trends Study. MIS Quar­terly Exec­u­tive 13(4), 237–263.

  Kearns, G. S. and A. L. Led­erer (2003). A Resource-Based View of Strate­gic IT Align­ment: How Knowl­edge Shar­ing Cre­ates Com­pet­i­tive Advan­tage. Deci­sion Sci­ences 34 (1), 1–29.

  Lau­rindo, F., T. Shimizu, M. Car­valho, M and R. Rabe­chini Jr. (2001). O Papel da Tec­nolo­gia da Infor­mação (TI) na Estraté­gia das Orga­ni­za­ções. Gestão e Pro­dução 8(2), 160–179.

  Luft­man, J. (2000). Assess­ing Busi­ness-IT Align­ment Matu­rity. Com­mu­ni­ca­tions of Asso­ci­a­tion of Infor­ma­tion Sys­tems 4, Arti­cle 14.

  Luft­man, J. and B. Derk­sen (2012). Key Issues for IT Exec­u­tives 2012: Doing More with Less. MIS Quar­terly Exec­u­tive 11(4), 207–218.

  Men­donça, C., L. Guerra, M. Neto and A. Araújo (2013). A Gov­er­nança de Tec­nolo­gia da Infor­mação: Um Estudo do Processo Decisório em Orga­ni­za­ções Públi­cas e Pri­vadas. Revista Admin­is­tração Pública—Rio de Janeiro 47(2), 443–468.

  Pas­cutti, M., L. Modesto, T. San­tos and W. Aquino (2009). Gov­er­nança de Tec­nolo­gias de Infor­mação: Um Estudo de Caso de Micro e Peque­nas Empre­sas na Cidade de Apu­carana. Revista F@pcien­cia 9, 89–98.

  Peter­son, R. (2003). Inte­gra­tion Strate­gies and Tac­tics for Infor­ma­tion Tech­nol­ogy Gov­er­nance. In van Grem­ber­gen, W. (Ed.), Strate­gies for Infor­ma­tion Tech­nol­ogy Gov­er­nance. Idea Group Pub­lish­ing.

  Pitassi, C. and S. Leitão (2002). Tec­nolo­gia de Infor­mação e Mudança: Uma Abor­dagem Crítica. RAE—Revista de Admin­is­tração de Empre­sas 42(2), 77–87.

  Reddy, G., R. Srini­vasi, S. Rikkula and V. Rao (2009). Man­age­ment Infor­ma­tion Sys­tems to Help man­agers for Pro­vid­ing Deci­sion Mak­ing in an Orga­ni­za­tion. Inter­na­tional Jour­nal of Reviews in Com­put­ing.

  Sab­her­wal, R. and Y. E. Chan (2001). Align­ment between busi­ness and IS strate­gies: A study of prospec­tors, ana­lyz­ers, and defend­ers. Infor­ma­tion Sys­tems Research 12(1), 11–33.

  Tan, F. B. and R. B. Gallupe (2006). Align­ing busi­ness and infor­ma­tion sys­tems think­ing: a cog­ni­tive approach. IEEE Trans­ac­tions on Engi­neer­ing Man­age­ment 53(2), 223–237.

  Teo, T. S. H. and J. S. K. Ang. (1999). Crit­i­cal suc­cess fac­tors in the align­ment of IS plans with busi­ness plans. Inter­na­tional Jour­nal of Infor­ma­tion Man­age­ment 19, 173–185.

  Wang, J. W., F. Gao and W. H. Ip (2010). Mea­sure­ment of Resilience and Its Appli­ca­tion to Enter­prise Infor­ma­tion Sys­tem. Enter­prise Infor­ma­tion Sys­tems 4(2), 215–223.

  Weill, P. and J. Ross (2004). IT Gov­er­nance: How Top Per­form­ers Man­age IT Deci­sions Rights to Supe­rior Results. Boston: Har­vard Busi­ness School Press.