IT Governance: Reviewing 17 IT Governance Tools and Analysing The Case of Novozymes A/S
Abstract

Complexity in information technology architectures and infrastructures, and an increasing need for executives to verify and secure value generation processes in private as well as public organisations, call for an increasing awareness and understanding of Corporate Governance in general and IT Governance in particular.

The paper investigates how IT Governance is adopted in the case company Novozymes A/S, which is a biotech-based world leader in industrial enzymes and microorganisms. Based on a review of 17 IT Governance Tools, the paper analyses the challenges of the adopted IT Governance arrangements and mechanisms. Finally, the paper points to future development directions in order to further unfold the potential of IT Governance at Novozymes A/S.

1. Introduction

The Information Technology Governance Institute defines IT governance as “the leadership, organizational structures, and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives”. Additionally, they state that “While governance developments have primarily been driven by the need for the transparency of enterprise risks and the protection of shareholder value, the pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT governance” (ITGI 2003:1). IT Governance reflects broader corporate governance principles (OECD 2004). Corporate Governance and IT Governance both pursue an ongoing questioning of the organisation’s governance model’s sufficiency in minimising risks and maximising returns (Hamaker & Hutton 2004). IT governance may also be defined as specifying the decision rights and accountability frameworks to encourage desirable behaviour in using IT (Weill & Ross 2004:2).

Aligning business and IT objectives has been debated for decades among academics and practitioners (e.g. Sambamurthy & Zmud 1999, ITGI 2001); however, discussions have intensified within the last 5 years (e.g. Robbins 2004, Weill & Ross 2005, Brown & Grant 2005) due to corporate scandals like WorldCom, Enron, Arthur Andersen, etc. Based on the cited literature in this paper, no similar comparison of IT Governance approaches is available. Further in positioning the research, it is concluded that research into in-depth case studies as well as providing an overview of IT Governance tools are needed. The research question in this paper is: what is an appropriate tool for IT Governance case analysis, and what is the status of IT Governance in Novozymes A/S? This leads to an analysis of the applied IT Governance at Novozymes A/S pointing to relevant development issues.

The structure of the paper is as follows. The second section is a methodology section evaluating different IT Governance tools and identifying the tool to be applied for the case analysis. The third section contains the analysis of IT Governance performance at Novozymes A/S, and the fourth section evaluates the alignment of the IT Governance practice with strategy, organisation, behaviour and relevant metrics using the IT Governance Design Framework for structuring the analysis. Section five concludes the paper and draws up a set of recommendations to further development of IT Governance at Novozymes A/S.

2. Methodology and Selection of an IT Governance Tool for Case Analysis

As the paper is a case analysis of IT Governance at Novozymes A/S, the paper will address the following issues:
• Select evaluation criteria
• Review of potential IT governance tools.
Proceedings of the 39th Hawaii International Conference on System Sciences - 2006
managing processes and providing a coherent, rigorous, public domain set of guidance (Bastiaens 2004, van der Pols 2004). ASL is a part of the IT Service Management (ITSM) Library. ASL recognises three types of control, i.e. functional, application and technical control. Where Information Technology Infrastructure Library (ITIL) is a generally accepted standard for organizing technical management, the Application Services Library (ASL) offers a framework for the organization of application management (Meijer 2003).

Six Sigma: Six sigma stands for Six Standard Deviations from mean. The Six Sigma methodology provides the techniques and tools to improve the capability and reduce the defects in any process. The Six Sigma methodology improves any existing business process by constantly reviewing and re-tuning the process (Hammer 2002). To achieve this (cf. Puzdek 2003), Six Sigma uses a methodology known as DMAIC (Define opportunities, Measure performance, Analyze opportunity, Improve performance, Control performance). Customer requirements, design quality, metrics and measures, employee involvement and continuous improvement are main elements of Six Sigma Process Improvement.

CMM/CMMI: The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization’s software development process. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes. CMM was developed and is promoted by the Software Engineering Institute (SEI), a research and development center sponsored by the U.S. Department of Defense (DoD). The CMM suggests 5 Maturity Levels of Software Processes (Mathiassen & Sørensen 1996), i.e. the initial, repeatable, defined, managed and optimizing level. CMM has through the years been developed further, integrating the different activities, i.e. CMM Integration (CMMI). Whereas CMM is based on the classical waterfall model, CMMI addresses iterative development and is more result-oriented.

IT Service CMM: IT Service CMM is a maturity growth model aimed at IT Service providers (Niessink 2003). IT Service CMM is a development of the CMM for software development and incorporates similar maturity stages. Moreover, the IT Service CMM originates from the efforts to develop a quality improvement framework in order for service organisations to improve service quality (Niessink & van Vliet 1998). The model does not measure the maturity of individual services, projects or organisational units. Rather, the model measures the maturity of the whole service organisation covering the service delivery process, i.e. including all activities involved in creating the result for the customer, starting from identifying the needs of the customer until evaluation of the delivered services (Niessink et al. 2005). The model is delimited from covering the development of new services.

SAS70: SAS70 is an auditing standard designed to enable an independent auditor to evaluate and issue an opinion on a service organization’s controls. Statement on Auditing Standards, No. 70 (SAS70) for Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS70 audit (www.sas70.com) is widely recognized, because it represents that a service organization has been through an in-depth audit by an independent accounting and auditing firm of their control activities, which generally include controls over information technology and related processes. Organisations must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. Control objectives and control activities should also be organized in a manner that allows the user auditor and user organisation to identify which controls support the assertions in the user organization’s financial statements, e.g. existence, occurrence, completeness, valuation, etc.

ISO 17799: The ISO 17799 or the counterpart of British Standard BS 7799 is a standard for information security including a comprehensive set of controls and best practices in information security. The standard is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce. Compliance with ISO 17799 and BS7799 ensures that an organisation has established a certain compliance level for each of the ten categories covered (Ma & Pearson 2005), i.e. security policy, security organisation, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance (ISO 2000, BS 2002).

SOX: The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the organization (SOX 2002). The legislation not only affects the financial side of corporations, but also affects the IT departments whose job is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records (Alles et al. 2004), including
electronic records and electronic messages, must be saved for not less than five years. The consequences for non-compliance are fines, imprisonment, or both. Hence, Sarbanes-Oxley compliance induces significant implications for the IT function (Moore & Swartz 2003). The Sarbanes-Oxley requirements are increasingly integrated with enterprise risk management initiatives (Beasley et al. 2004, Sammer 2004).

SysTrust: The SysTrust service is an assurance service that was jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is designed to increase the comfort of management, customers, and business partners with systems that support a business or particular activity (Pacini et al. 2000). In a SysTrust engagement (McPhie 2000), the practitioner evaluates and tests whether or not a specific system is reliable when measured against three essential principles: availability, security, and integrity.

PRINCE2: PRINCE, which stands for Projects IN Controlled Environments, is a project management method covering the organisation, management and control of projects. PRINCE was first developed as a UK Government standard for IT project management. Since its introduction, PRINCE has become widely used in both the public and private sectors and is now the UK’s de facto standard for project management. Although PRINCE was originally developed for the needs of IT projects, the method has also been used on many non-IT projects. The latest version of the method, PRINCE2, is designed to incorporate the requirements of existing users and to enhance the method towards a generic, best practice approach for the management of all types of projects (OGC 2005).

IT Audit: Sisco (2002) argues that an IT review should contain three main areas to focus the evaluation, i.e.: (1) Technology: identifying capability to meet company needs, stability, capacity and scalability, security, and risks. (2) IT organization: expertise and depth needed to support the business needs, management, morale, capacity, and risks. (3) IT processes: change management, software licenses, project management, policies and procedures regarding technology, and tracking and measuring performance. As a technology organization has many functional parts, a quantification of the IT organisational structure will include (Sisco 2002): (a) Infrastructure. Networks, i.e. LAN, WAN, and desktop support. (b) Business applications. Research & development, and support, including installation services, professional services, help desk, computer center operations, technology assets, business processes and procedures.

IT Due Diligence: Sisco (2002b) states that the due diligence objective needs to be clearly defined. Sisco (2002b) suggests that an IT due diligence plan should be broken down to seven parts, i.e.: (1) Current IT operation, (2) Risks and risk avoidance plans, (3) Financial plan (expected cost and budget to continue operation), (4) Capital investment requirements, (5) Leverage opportunities and recommended plans, (6) Transition plan, (7) The due diligence report.

IT Governance Review: Weill & Ross (2004) suggest that an IT Governance review contains the following activities: (1) Mapping the organisation’s current governance with the tools of a Governance Design Framework (GDF) and a Governance Arrangements Matrix (GAM), (2) Comparing the GDF and GAM, (3) Auditing IT Governance Mechanisms, (4) Designing the To-Be Governance Structure, (5) Transform to the To-Be version of the GDF and GAM of the organisation, and focus on communicating, teaching, convincing, refining, and measuring the success of IT Governance. Alternative mechanisms for design of IT Governance scenarios are proposed by Meyer (2004).

IT Governance Assessment: Weill & Ross (2004:119) suggest a framework for assessing IT Governance Performance. As IT Governance is defined as specifying the decision rights and accountability framework to encourage desirable behaviour in IT usage (Weill & Ross 2004), governance performance must then be assessed as how well the governance arrangements encourage desirable behaviours, i.e. how well the organisation achieves its desired performance goals. Hence, the framework proposes that IT Governance should address five important factors, which are: enterprise setting, governance arrangements, governance awareness, governance performance, and financial performance.

IT Governance Checklist: Damianides (2005) suggests a checklist for IT Governance containing a set of 44 diagnostic questions. For each of the questions, the extent to which it relates to (a) IT Value Delivery, (b) IT Strategic Alignment, (c) Risk Management, and/or (d) Performance is specified. The questionnaire contains 3 subgroups, i.e. to uncover IT issues, to find out how management addresses the IT issue, and to self-assess IT Governance practice with regard to the board and management.

IT Governance Assessment Process (ITGAP) Model: Peterson (2004) suggests a four stage process for assessing IT Governance. The process contains the following steps: (1) describe and assess IT Governance value drivers, (2) describe and assess the
differentiation of IT decision making authority for the portfolio of IT activities, (3) describe and assess the capabilities of IT Governance, and (4) describe and assess IT value realisation.

2.3. Evaluating the IT Governance Tools

The table below classifies the 17 IT Governance tools in relation to a specific process type and with respect to a certain organisational entity. Although an IT governance tool may relate to more areas and processes, the dominating scope and process, respectively, is marked. Based on the review of the individual tools, the classification is the following:

Decision-Making Processes:
• SAS70
• COBIT
• IT Governance Review
• IT Governance Assessment
• IT Governance Checklist
• IT Governance Assessment Process Model

Core Business Processes:
• ITIL / BS15000
• CMM / CMMI
• Six Sigma
• IT Service CMM
• IT Audit
• IT Due Diligence

design of IT Governance by addressing the insufficiencies of the current IT Governance structure. The IT Governance Assessment is a measurement of the current state of IT Governance Performance – but without the design element. Also the IT Governance Assessment does not include a thorough alignment discussion as the IT Governance Review due to the GDF. However, the analysis is somewhat broader addressing e.g. the IT intensity, the IT Governance Awareness and relating these findings to the financial performance of the organisation.

Based on the above findings an IT Governance Review will be conducted in the following analysis, where the IT Governance Design Framework will structure an analysis of the degree of alignment of the IT Governance mechanisms in relation to the strategy, organisation, behaviour and relevant metrics.

3. Assessing IT Governance at Novozymes A/S

3.1. Company Background
IT decisions are derived from the business strategy. The business strategy is here presented as a Strategy Map representing the four Focus Area Drivers (FADs).

[Figure: Novozymes Strategy map 2004-2006]

Marshall & McKay (2004) acknowledge this approach as good IT Governance practice. Moreover, the PO verifies that the proposed project supports the IT Strategy, and that IT resources and capabilities are available. Priorities of the proposals are then set by the ASG/ExM group resulting in a prioritised list of IT projects.

Project and resource planning and execution.

Simulation is used to obtain the best possible match. Moreover, these tools are used for following up on progress of execution and delivered results. Only projects larger than 2 mio. DKK are considered. Projects with a lower expected total cost base are addressed in relation to maintenance. Approximately,
Through several years, the Novo Group has developed and validated an internal management and control system that goes beyond financial reporting. The system embraces three elements: Organisational audit, Facilitations, and Triple bottom line reporting. These internal management and control systems are elaborated in the following.

Organisational Audit. The organisational audit measures the extent to which the manning and organisation of a business unit are adjusted to present and future business requirements. Specific measures are:
• The extent to which market and technology changes are currently identified and incorporated into a unit's business strategy and into unit's goals and business plan.
• The extent to which staff qualifications and organisation of work are suited for implementing this business strategy and plan.
• The extent to which candidates are developed to take on key positions in the organisation.

Facilitations. A facilitation measures the degree to which a unit lives up to the individual elements of what is referred to as The Novo Way of Management, i.e.:
• Corporate core values.
• Corporate commitments to international standards and conventions.
• Corporate policies (e.g. with regard to communications and information technology).
• Corporate code of conduct concerning the way business is done.

Triple bottom line reporting. In the environmental and social reporting, the extent to which the individual unit locally and the company globally fulfil their declared goals in respect of environmental and social performance is measured. Examples of measures are: consumption of energy, water, and raw materials, amounts of waste water and solid waste, emissions to air, applied gene technology, extent and nature of animal testing, compliance with human rights, creation of working places, training and development of employees, and working environment (physical and psychological).

For all three management control systems, concrete actions are defined to improve the situation, and the implementation of actions is verified.

The Chairman of the Board of Directors at Novozymes A/S, Henrik Gürtler, assesses that the results of these three measurements and management reporting on operations as well as drafting of overall strategies for future periods combine to give a solid impression of where the business is today and of the credibility and soundness of future plans for corporate development. Hence, it is concluded that business performance goals and metrics and accountabilities are aligned.

4.4. Aligning Enterprise Strategy and IT Governance Arrangements

The main tasks of the Board of Directors are to:
• Ensure the right executive management and organisation of the company.
• Supervise financial performance of the company, and supervise executive management's performance and integrity.
• Participate in managing the company by providing direction to executive management, and participate in determining the strategies of the company and approve major business plans and decisions.

As the board is ultimately responsible for corporate development, it has been decided that certain issues that were formerly pure management items are now being dealt with at board meetings too. Consequently, these items are now discussed among board and management. Novozymes A/S has put their meeting frequency and contents of board meetings on the Internet for public orientation. The calendar and contents are structured in accordance with the three requirements of The Danish Public Companies Act, and show that the intention is to spend an equal amount of time addressing each of the three requirements of management/organisation, operations/financials, and strategy.

Novozymes A/S strives continuously for more openness and transparency. This is also in line with what is considered as good corporate governance. Implementation of effective IT Governance is however time and resource consuming, cf. Rau (2004). Hence, it is concluded that Enterprise Strategy and IT Governance Arrangements are aligned.

4.5. Aligning IT Governance Arrangements and Business Performance Goals

IT Governance frameworks rely on a dominant premise that the organisation to a large extent is stable and that all activities can be planned (Patel et al. 2002). However, most organisations find themselves – or at least parts of the organisation – as emergent. This fact needs to be addressed in the governance arrangements and mechanisms, measurements and detailed measures. Though some frameworks seek dynamic perspectives of the organisation, this is seldom sufficient to grasp the complexity of the modern business environment.
Novozymes A/S addresses this issue of the emergent organisation through evaluations. In order to improve the quality of the work between the management and the board, they have developed a more qualitative assessment of the work of the board, the management, and the interaction and cooperation within and between these two entities. In December 2001 it was decided to deploy a self-developed system to evaluate performance in board and management work as from 2002. The system entails that:
• the individual member of management evaluates his own and his fellow management members' performance in relation to the cooperation with the board.
• the individual member of management evaluates the board's performance in the cooperation.
• the individual board member evaluates his own and his fellow board members' performance in relation to the cooperation with management.
• the individual board member evaluates management's performance in the cooperation.
• management and board give a total evaluation of the cooperation between management and board.

The board and management evaluate the results and (if needed) agree on changes of work processes, course of board meetings, behaviour, performance, etc. that could make future management-board cooperation more constructive, efficient, challenging and forward-looking - to the benefit of Novozymes A/S. Hence, each year, concrete actions are defined to improve the situation. The implementation of actions is verified and documented in the minute book.

This evaluation is considered to be quite unique and to go far beyond what other companies' boards-management teams do to optimise their collaboration.

On an individual IT project level, projects are evaluated based on time and cost/resource measures. However, the final delivery of IT solutions is not evaluated based upon the solution's output quality and performance, cf. IT manager Lars Refslund. Consequently, the delivery model seems partial, and might be optimised based on these conditions. Therefore, IT Governance Arrangements to a large extent are aligned with Business Performance Goals, though the reviewing process might be optimised.

5. Recommendations

Recommendations for enhancing the current IT Governance practice at Novozymes A/S are:
• Develop and implement an IT Governance structure, i.e. arrangements and mechanisms, with regard to external business partners in general, cf. Larsen & Klischewski (2004), and long-term IT vendors in particular.
• Develop and implement a complete IT project delivery model containing assessments and follow-ups on outcome value and performance of delivered IT solutions in addition to the current time and cost assessments.
• Consider a combination of more IT governance tools, cf. section 2.2 and Niessink & van Vliet (2001), in optimising the IT Governance process.
• Cascade IT governance arrangements and mechanisms down through the organisation to embrace the emergent organisation, cf. Patel (2002) and Van Grembergen (2000).
• Coordinate and integrate IT Governance practice with other asset governance practices (i.e. HR, IP, facilities, etc.), and generate value from this multiple asset governance approach (cf. Glassman 2000, and Weill & Ross 2004).

With implementation of these initiatives Novozymes A/S might be even more prepared to meet the challenges of generating value from “unlocking the magic of nature”.

6. Conclusion and Future Research

The paper addresses the issues of optimising profits and reducing risks by focusing on decision-making processes and accountability frameworks. This paper reviews 17 IT Governance tools, and selects one assessment tool most appropriate for case evaluation. An IT Governance Assessment is carried out concluding that IT Governance Arrangements and Mechanisms to a large extent are aligned with strategy, organisation, behaviour and relevant metrics.

The study is a single case study, and therefore the findings will in principle only be applicable for the case organisation, although the findings may have a more general nature and broader scope of applicability.

The contribution of this paper is a) providing an overview of potential IT Governance approaches, i.e. a “toolbox”, b) providing an evaluation method, i.e. an IT Governance tool screening framework, consisting of relevant classification parameters in order to address the variation and demarcations between the approaches, and c) providing a rich case study with potential general recommendations.

Learning from the case analysis shows that though the organisation is considered to be fairly mature with regard to adopting IT governance, several
development directions can be pointed out, which have practical as well as scientific relevance.

Future research may go into unfolding the IT Governance structures with external partners, in addition to investigating the implications for IT Governance arrangements and mechanisms in balancing the current versus the emergent organisation.

6. Reference

[1] Alles, M. & Kogan, A. & Vasarhelyi, M. (2004). The Law of Unintended Consequences? Assessing the Costs, Benefits and Outcomes of the Sarbanes-Oxley Act. Information Systems Control Journal. Vol. 1.
[2] Bastiaens, B. (2004). Professional Application Management. The ITSM Journal. Vol. 1, March 1, p. 2, 4.
[3] Beasley, M.S. & Clune, R. & Hermanson, D.R. (2004). Enterprise Risk Management and the Internal Audit Function. North Carolina State University and Kennesaw State University. Working Paper. December.
[4] Behr, K. & Kim, G. & Spafford, G. (2004). The Visible Ops Handbook: Starting ITIL in 4 Practical Steps. Information Technology Process Institute.
[5] Brown, A.E. & Grant, G.G. (2005). Framing the Frameworks: A Review of IT Governance Research. Communications of the AIS. Vol. 15, Article 38.
[6] BS (2002). BS7799-2:2002 Information Security Management. Specification with guidance for use. British Standard.
[7] Dallas, S. & Bell, M. (2004). IT Governance Requires Decision-Making Guidelines. Gartner, January 19, Business Issues. Available at www.gartner.com.
[8] Damianides, M. (2005). Sarbanes-Oxley and IT Governance: New Guidance on IT Control and Compliance. Information Systems Management. Winter, pp. 77-85.
[9] Glassman, D. (2000). Joining the New Economy. Journal of Applied Corporate Finance. Vol. 13(3), Fall, p. 116.
[10] Hamaker, S. & Hutton, A. (2004). Principles of IT Governance. Information Systems Control Journal, Volume 2, ISACA.
[11] Hammer, M. (2002). Process Management and the Future of Six Sigma. MIT Sloan Management Review. Winter 2002, Vol. 43(2), pp. 26–32.
[12] Hill, G.M. (2004). Evolving the Project Management Office: A Competency Continuum. Information Systems Management. Fall, pp. 45-51.
[13] ISO (2000). BS ISO/IEC 17799:2000 Information technology. Code of practice for information security management. International Standard Organisation.
[14] ITGI (2001). Information Security Governance: Guidance for Boards of Directors and Executive Management. Information Systems Audit and Control Foundation, Information Technology Governance Institute. Available at http://www.itpi.org.
[15] ITGI (2003). Board Briefing on IT Governance, 2nd Edition. Information Technology Governance Institute. Available at http://www.itpi.org.
[16] Lainhart IV, J.W. (2000). COBIT[TM]: A Methodology for Managing and Controlling Information and Information Technology Risks and Vulnerabilities. Journal of Information Systems, December.
[17] Larsen, M.H. & Bjørn-Andersen, N. (2001). From Reengineering to Process Management – A Longitudinal Study of BPR in a Danish Manufacturing Company. Proceedings of the 34th Hawaii International Conference on System Sciences (HICSS 34). January 3-6, 2001, Island of Maui, Hawaii, USA.
[18] Larsen, M.H. & Klischewski, R. (2004). Process Ownership Challenges in IT-Enabled Transformation of Interorganizational Business Processes. Proceedings of the 37th Hawaii International Conference on System Sciences (HICSS 37). January 5-8, The Big Island of Hawaii, Hawaii, USA.
[19] Ma, Q. & Pearson, J.M. (2005). ISO 17799: “Best Practices” in Information Security Management? Communications of the AIS. Vol. 15, Article 32.
[20] Mainelli, M. (2005). Standard Differences: Differentiation through Standardisation? (ISO9001, SAS70 and management systems), Journal of Risk Finance, Volume 6(1), January, pp. 71-78.
[21] Marshall, P. & McKay, J. (2004). Strategic IT Planning, Evaluation and benefits Management: The Basis for Effective IT Governance. The Australian Journal of Information Systems. 11(2).
[22] Mathiassen, L. & Sørensen, C. (1996). The Capability Maturity Model and CASE. Information Systems Journal, Vol. 6.
[23] McPhie, D. (2000). AICPA/CICA SYSTRUST[TM] Principles and Criteria. Journal of Information Systems. American Institute of Certified Public Accountants, Canadian Institute of Chartered Accountants. December 22.
[24] Meijer, M. (2003). Application Service Library (ASL) and CMM. bITa Monitor – The journal of IT Alignment and Business IT Alignment, Vol. 1(1), March, pp. 21-26.
[25] Meyer, N.D. (2004). Systemic IS Governance: An Introduction. Information Systems Management. Fall, pp. 23-34.
[26] Moore, F. & Swartz, N. (2003). Keeping an eye on Sarbanes-Oxley. Information Management Journal. 37(6), p. 20.
[27] Niessink, F. & Clerc, V. & Tijdink, T. & van Vliet, H. (2005). The IT Service Capability Maturity Model. CIBIT Consultants | Educators, Bilthoven, and Vrije University, The Netherlands. Technical Report. January.
[28] Niessink, F. & van Vliet, H. (1998). Towards Mature IT Services. Software Process - Improvement and Practice, Volume 4(2), June, pp. 55-71.
[29] Niessink, F. & van Vliet, H. (2000). Software Maintenance from a Service Perspective. Journal of Software Maintenance: Research and Practice, Vol. 12(2), March/April, pp. 103-120.
[30] Niessink, F. & van Vliet, H. (2001). Measurement Program Success Factors Revisited. Information and Software Technology, Vol. 43(10), August, pp. 617-628.
[31] Niessink, F. (2003). IT Service CMM in a Nutshell. bITa Monitor – The journal of IT Alignment and Business IT Alignment, Vol. 1(1), March, pp. 27-31.
[32] Novozymes (2005). Stock Exchange Announcement. Group financial statement, first quarter 2005, April 28.
[33] OECD (2004). OECD Principles of Corporate Governance: 2004. Organisation for Economic Co-operation and Development. Available at http://www.oecd.org/document/49/0,2340,en_2649_34813_31530865_1_1_1_1,00.html.
[34] OGC (2005). Managing Successful Projects with PRINCE2. Office of Government Commerce. June. ISBN 0113309465.
[35] Pacini, C. & Ludwig, S.E. & Hillison, W. & Sinason, D. & Higgins, L. (2000). SysTrust and Third-Party Risk. Journal of Accountancy. August 1.
[36] Patel, N.V. (2002). Emergent forms of IT Governance to support Global e-business models. Journal of Information Technology Theory and Application.
[37] Peterson, R. (2004). Crafting Information Technology Governance. Information Systems Management. Fall, pp. 7-22.
[38] Puzdek, T. (2003). The Six Sigma Handbook – A complete Guide for Green Belts, Black belts, and managers at All Levels. McGraw-Hill.
[39] Rau, K.G. (2004). Effective Governance of IT: Design, Objectives, Roles, and Relationships. Information Systems Journal. Fall, pp. 35-42.
[40] Robbins, S. (2004). IS Governance. Information Systems Management. Fall, pp. 81-82.
[41] Sambamurthy, V. & Zmud, R.W. (1999). Arrangements for Information Technology Governance: a theory of multiple contingencies. MIS Quarterly. Vol. 23(2), pp. 261-290.
[42] Sammer, J. (2004). Companies migrating from SOX “myopia” to risk management. Compliance Week (November): 1, 26-28.
[43] Sherer, S.A. (2004). IS Project Selection: The Role of Strategic Vision and IT Governance. Proceedings of the 37th Hawaii International Conference on System Sciences (HICSS 37).
[44] Sisco, M. (2002). Technology review is at the core of an IT assessment. TechRepublic.
[45] Sisco, M. (2002b). Acquisition - IT Due Diligence. Publisher: Mike Sisco. ISBN / eBook ID: MDE_Due_Diligence. March.
[46] SOX (2002). Sarbanes-Oxley Act, Public Law No. 107-204. Washington, DC: Government Printing Office.
[47] Spafford, G. (2003). The Benefits of Standard IT Governance Frameworks. IT Management. April 22.
[48] Van Der Pols, R. (2004). ASL - A framework for application management. Van Haren Publishing. ISBN 90-77212-05-1.
[49] Van Grembergen, W. (2000). The Balanced Scorecard and IT Governance. Information Systems Control Journal.
[50] Weill, P. & Ross, J. (2005). A Matrixed Approach to Designing IT Governance. MIT Sloan Management Review. Winter, 46(2), pp. 26-34.
[51] Weill, P. & Ross, J.W. (2004). IT Governance – How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business School Press. Boston. Massachusetts.