Corporate governance and the information system: How a framework for IT governance supports ERM

Corporate Governance (Bingley)

Volumn 14, Issue 3, 2014, Pages 320-338

  Rubino, Michele ^a   Vitolla, Filippo ^a  

^a Libera Università Mediterranea   (Italy)

Author keywords

COBIT 5 framework; Corporate governance; COSO ERM; Internal control; IT governance

Indexed keywords

EID: 84911393412     PISSN: 14720701     EISSN: None     Source Type: Journal    
DOI: 10.1108/CG-06-2013-0067     Document Type: Article

References (118)

1. Abraham, S.E. (2012), “Information technology, an enabler in corporate governance”, Corporate Governance, Vol. 12 No. 3, pp. 281-291.
2. Ashby, S. (2011), “Risk management and the global banking crisis: lessons for insurance solvency regulation”, Issues and Practice, Vol. 36 No. 3, pp. 330-347.
3. Beasley, M.S., Clune, R. and Hermanson, D.R. (2005), “Enterprise risk management: an empirical analysis of factors associated with the extent of implementation”, Journal of Accounting and Public Policy, Vol. 24 No. 6, pp. 521-531.
4. Beasley, M., Chen, A., Nunez, K. and Wright, L. (2006), “Working hand in hand: balanced scorecards and enterprise risk management”, Strategic Finance, Vol. 87 No. 9, pp. 49-55.
5. Beasley, M.S., Pagach, D. and Warr, R. (2007), “Information conveyed in hiring announcements of senior executives overseeing enterprise-wide risk management processes”, Journal of Accounting, Auditing and Finance, Vol. 23 No. 3, pp. 311-332.
6. Beasley, M., Pagach, D. and Warr, R. (2008), “Information conveyed in hiring announcements of senior executives overseeing enterprise-wide risk management processes”, Journal of Accounting, Auditing and Finance, Vol. 23 No. 3, pp. 311-332.
7. Beretta, S. and Pecchiari, N. (2007), Analisi e valutazione del sistema di controllo interno. Metodi e tecniche, Il Sole24ore, Milan.
8. Bhattacharjya, J. and Chang, V. (2006), “Adoption and implementation of IT governance: cases from Australian higher education”, Proceedings of the Australasian Conference on Information Systems (ACIS ‘06), Adelaide.
9. Bhattacharjya, J. and Chang, V. (2007), “Evolving IT governance practices for aligning IT with business – a case study in an Australian institution of higher education”, Journal of Information Science and Technology, Vol. 4 No. 1, pp. 24-46.
10. Boynton, A.C., Jacobs, G.C. and Zmud, R.W. (1992), “Whose responsibility is IT management?”, Sloan Management Review, Vol. 33 No. 4, pp. 32-38.
11. Bradley, R.V. and Pratt, R.M.E. (2011), “Exploring the relationships among corporate entrepreneurship, IT governance, and risk management”, System Science, 44th Hawaii International Conference, Kauai, HI, pp. 1-10.
12. Bradley, R.V., Pridmore, J.L. and Byrd, T.A. (2006), “Information systems success in the context of different corporate cultural types: an empirical investigation”, Journal of Management Information Systems, Vol. 23 No. 2, pp. 267-294.
13. Brand, K. and Boonen, H. (2007), IT Governance based on Cobit 4.1 – A Management Guide, Van Haren Publishing, Hogeweg.
14. Brand, N., Beens, B., Vuuregge, E. and Batenburg, R. (2011), “Engineering governance: introducing a governance meta framework”, International Journal of Corporate Governance, Vol. 2 No. 2, pp. 106-118.
15. Brown, A.E. and Grant, G.G. (2005), “Framing the frameworks: a review of IT governance research”, Communications of the Association for Information Systems, Vol. 15 No. 1, pp. 696-712.
16. Brown, C.V. (1997), “Examining the emergence of hybrid IS governance solutions: evidence from a single case site”, Information Systems Research, Vol. 8 No. 1, pp. 69-94.
17. Brown, C.V. and Magill, S.L. (1994), “Alignment of the is functions with the enterprise”, MIS Quarterly, Vol. 18 No. 4, pp. 371-403.
18. Brynjolfsson, E. and Saunders, A. (2010), Wired for Innovation: How Information Technology Is Reshaping the Economy, Institute of Technology, MA.
19. Cadbury, A. (2002), Corporate Governance and Chairmanship: A Personal View, Oxford University Press, New York, NY.
20. Chen, R.-S., Sun, C.-M., Helms, M.M. and Jih, W.-J. (2008), “Aligning information technology and business strategy with a dynamic capabilities perspective: a longitudinal study of a Taiwanese semiconductor company”, International Journal of Information Management, Vol. 28 No. 5, pp. 366-378.
21. Collier, P.M. and Berry, A.J. (2002), “Risk in the process of budgeting”, Management Accounting Research, Vol. 13 No. 3, pp. 273-297.
22. Collier, P.M., Berry, A.J. and Burke, G. (2004), Risk and Control: Drivers, Practices and Consequences, Chartered Institute of Management Accountant, Oxford.
23. Collier, P.M., Berry, A.J. and Burke, G.T. (2006), “Risk and management accounting: best practice guidelines for enterprise-wide internal control procedures”, CIMA Research Executive Summary Series, Vol. 2 No. 11, pp. 1-8.
24. Collier, P.M., Berry, A.J. and Burke, G.T. (2007), Risk and Management Accounting: Best Practice Guidelines for Enterprise-Wide Internal Control Procedures, Elsevier, Oxford.
25. Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1992), Internal Control – Integrated Framework, American Institute of Certified Public Accountants, New York.
26. Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004), Enterprise Risk Management – Integrated Framework, American Institute of Certified Public Accountants, New York.
27. Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2013), Internal Control – Integrated Framework, American Institute of Certified Public Accountants, New York.
28. Crosman, P. (2006), “Governance gauge: don’t worry, ‘ITIL’ be alright”, available at: www. informationweek.com/software/business-intelligence/governance-gauge-dont-worry-itil-be-alri/177105823 (accessed 15 April 2006).
29. Dahlberg, T. and Lahdelma, P. (2007), “IT governance maturity and IT outsourcing degree: an exploratory study”, System Sciences, 40th Annual Hawaii International Conference, Waikola, HI.
30. Damianides, M. (2005), “Sarbanes-Oxley and IT governance: new guidance on IT control and compliance”, Information Systems Management, Vol. 22 No. 1, pp. 77-85.
31. Davenport, T.H. and Harris, J.G. (2007), Competing on Analytics: The New Science of Winning, Harvard Business School Press, Boston, MA.
32. Davis, S. and Borkin, J. (1994), “The coming of knowledge based business”, Harvard Business Review, Vol. 72 No. 5, pp. 165-170.
33. De Haes, S. and Van Grembergen, W. (2005), “IT governance structures, processes and relational mechanisms: achieving IT/business alignment in a major belgian financial group”, Proceedings of the 38th Annual Hawaii International Conference on System Sciences, Track 8, Hawaii.
34. De Haes, S. and Van Grembergen, W. (2006), “Information technology governance best practices in belgian organisations”, System Sciences, Proceedings of the 39th Annual Hawaii International Conference, Hawaii.
35. DeLone, W.H. and McLean, E.R. (1992), “Information systems success: the quest for the dependent variable”, Information Systems Research, Vol. 3 No. 1, pp. 60-95.
36. Desender, K.A. (2007), “On the determinants of enterprise risk management implementation”, working paper, available at SSRN: http://ssrn.com/abstract=1025982 (accessed 26 July 2013)
37. Dickinson, G. (2001), “Enterprise risk management: its origins and conceptual foundation”, The Geneva Papers on Risk and Insurance, Vol. 26 No. 3, pp. 360-366
38. Dittmeier, C.A. (2011), Internal Auditing. Chiave per la Corporate Governance, 2nd ed, Egea, Milan
39. Enriques, L. and Volpin, P. (2007), “Corporate governance reforms in continental Europe”, Journal of Economic Perspectives, Vol. 21 No. 1, pp. 117-140
40. Fox, C. (2010), “Using COBIT and COSO ERM”, COBITFocus, Vol. 3, pp. 7-13
41. Fraser, J. and Simkins, B.J. (2010), Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executive, John Wiley and Sons, Hoboken, NJ
42. Garrity, J. (1963), “Top management and computer profits”, Harvard Business Review, Vol. 41 No. 4, pp. 6-13.
43. Gordon, L.A., Loeb, MP. and Tseng, C. (2009), “Enterprise risk management and firm performance a contingency perspective”, Journal of Accounting and Public Policy, Vol. 28 No. 4, pp. 301-327
44. Henderson, J.C. and Venkatraman, N. (1993), “Strategic alignment: leveraging information technology for transforming organizations”, IBM Systems Journal, Vol. 32 No. 1, pp. 4-16
45. Hoyt, R.E. and Liebenberg, A.P. (2008), “The value of enterprise risk management: evidence from the US insurance industry”, available at: www.aria.org/meetings/2006papers/Hoyt_Liebenberg_ ERM_070606.pdf (accessed 20 June 2013)
46. Hoyt, R.E. and Liebenberg, A.P. (2011), “The value of enterprise risk management”, Journal of Risk and Insurance, Vol. 78 No. 4, pp. 795-822
47. Information Systems Audit and Control Association (ISACA) (2012), Cobit5-A Business Framework for the Governance and Management of Enterprise IT, ISACA, Rolling Meadows, IL
48. IT Governance Institute (2006a), IT Governance Global Status Report-2006, IT Governance Institute, Rolling Meadows, IL.
49. IT Governance Institute (2006b), IT Control Objectives for Sarbanes-Oxley The Role of it in the Design and Implementation of Internal Control Over Financial Reporting, 2nd ed, IT Governance Institute, Rolling Meadows, IL.
50. IT Governance Institute (2007a), Cobit 4.1, IT Governance Institute, Rolling Meadows, IL
51. IT Governance Institute (2007b), IT Control Objectives for Basel II. The Importance of Governance and Risk Management for Compliance, IT Governance Institute, Rolling Meadows, IL
52. Jensen, M.C. (1993), “The modern industrial revolution, exit, and the failure of internal control systems”, Journal of Finance, Vol. 48 No. 3, pp. 831-880
53. Kaplan, R.S. and Mikes, A. (2012), “Managing risks: a new framework”, Harvard Business Review, Vol. 90 No. 6, pp. 48-60
54. Kayworth, T. and Sambamurthy, V. (2000), “Managing the information technology infrastructure”, Baylor Business Review, Vol. 18 No. 1, pp. 13-15
55. Kleffner, A.E. and Lee, R.B. (2003), “The effect of corporate governance on the use of enterprise risk management: evidence from Canada”, Risk Management and Insurance Review, Vol. 6 No. 1, pp. 53-73
56. Kleffner, A.E., Lee, R.B. and McGannon, B. (2003), “The effect of corporate governance on the use of enterprise risk management: evidence from Canada”, Risk Management and Insurance Review, Vol. 6 No. 1, pp. 53-73
57. Ko, D. and Fink, D. (2010), “Information technology governance: an evaluation of the theory-practice gap”, Corporate Governance, Vol. 10 No. 5, pp. 662-674
58. Korac-kakabadse, N. and Kakabadse, A. (2001), “IS/IT governance: need for an integrated model”, Corporate Governance, Vol. 4 No. 1, pp. 9-11
59. Kraus, V. and Lehner, O.M. (2012), “The nexus of enterprise risk management and value creation: a systematic literature review”, Journal of Finance and Risk Perspectives, Vol. 1 No. 1, pp. 91-163
60. Lazic, M. and Heinzl, A. (2011), “IT governance and business performance-a resource based analysis”, Pacis 2011 Proceedings, Paper 103, Brisbane.
61. Liebenberg, A.P. and Hoyt, R.E. (2003), “The determinants of enterprise risk management: evidence from the appointment of chief risk officers”, Risk Management and Insurance Review, Vol. 6 No. 1, pp. 37-52
62. Loh, L. and Venkatraman, N. (1992), “Diffusion of information technology outsourcing: influence sources and the Kodak effect”, Information Systems Research, Vol. 3 No. 4, pp. 334-359
63. Luftman, J. (2003), “Assessing IT/business alignment”, Information Systems Management, Vol. 20 No. 4, pp. 9-15
64. McWhorter, L.B., Matherly, M. and Frizzell, D.M. (2006), “The connection between performance measurement and risk management”, Strategic Finance, Vol. 87 No. 8, pp. 50-55
65. Masli, A., Richardson, V.J., Sanchez, J.M. and Smith, R.E. (2011), “The business value of IT: a synthesis and framework of archival research”, Journal of Information Systems, Vol. 25 No. 2, pp. 81-116
66. Merna, T. and Al-Thani, F.F. (2008), Corporate Risk Management, 2nd ed, John Wiley and Sons, Chichester, West Sussex.
67. Miccolis, J. and Shah, S. (2000), Enterprise Risk Management: An Analytic Approach, Tillinghast -Towers Perrin, New York
68. Mikes, A. (2006), “Interactive control use as a political and institutional phenomenon - the case of divisional control in a financial services organization”, available at: http://aaahq.org/mas/mas2006/ display.cfm?Filename=Manuscript36.pdf&MIMEType=application%2Fpdf (accessed 10 May 2013)
69. Mikes, A. (2009), “Risk management and calculative cultures”, Management Accounting Research, Vol. 20 No. 1, pp. 18-40
70. Mikes, A. and Kaplan, R. (2013), “Managing risks: towards a contingency theory of enterprise risk management”, Working paper no. 13-063, Harvard Business School, Boston
71. Nocco, B.W. and Stulz, R.M. (2006), “Enterprise risk management: theory and practice”, Journal of Applied Corporate Finance, Vol. 18 No. 4, pp. 8-20
72. Novotny, A., Bernroider, E. and Koch, S. (2012), “Dimensions and operationalisations of IT governance: a iterature review and meta-case study”, Proceedings of the 2012 International Conference on Information Resource Management (Conf-IRM 2012), University of Economics and Business, Vienna, pp. 1-13, available at: http://epub.wu.ac.at/3660/1/novotny2012.pdf (accessed 20 April 2013)
73. OECD-Organisation for Economic Co-Operation and Development, (2004), Principles of Corporate Governance, OECD Publications Service, Paris
74. Olson, M.H. and Chervany, N.L. (1980), “The relationship between organizational characteristics and the structure of the information services function”, MIS Quarterly, Vol. 4 No. 2, pp. 57-69
75. Paape, L. and Speklé, R.F. (2012), “The adoption and design of enterprise risk management practices an empirical study”, European Accounting Review, Vol. 21 No. 3, pp. 533-564
76. Pagach, D. and Warr, R. (2007), “An empirical investigation of the characteristics of firms adopting enterprise risk management”, Working paper, NC State University, NC, Raleigh
77. Pagach, D. and Warr, R. (2010), “The effects of enterprise risk management on firm performance”, available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1155218 (accessed 8 August 2013)
78. Pagach, D. and Warr, R. (2011), “The characteristics of firms that hire chief risk officers”, Risk and Insurance, Vol. 78 No 1, pp. 185-211
79. Parent, M. and Reich, B.H. (2009), “Governing information technology risk”, California Management Review, Vol. 51 No. 3, pp. 134-152
80. Peterson, R. (2004), “Crafting information technology governance”, Information Systems Management, Vol. 21 No. 4, pp. 7-22
81. Porter, M.E. and Millar, V.E. (1985), “How information gives you competitive advantage”, Harvard Business Review, Vol. 63 No. 4, pp. 149-174
82. Posthumusa, S. and von Solms, R. (2005), “IT oversight: an important function of corporate governance”, Computer Fraud and Security, Vol. 2005 No. 6, pp. 11-17
83. Power, M. (2004), The Risk Management of Everything: Rethinking the Politics of Uncertainty, Demos, London
84. Racz, N., Weippl, E. and Seufert, A. (2010), “A process model for integrated it governance, risk, and compliance management”, Databases and Information Systems, Proceedings of the Ninth International Baltic Conference, Baltic DB&IS 2010, University of Latvia Press, pp. 155-170
85. Raghupathi, W. (2007), “Corporate governance of IT: a framework for development”, Communications of the ACM, Vol. 50 No. 8, pp. 94-99
86. Rai, A., Lang, S.S. and Welker, R.B. (2002), “Assessing the validity of IS success models: an empirical test and theoretical analysis”, Information Systems Research, Vol. 13 No. 1, pp. 50-69
87. Rasid, S.Z.A., Rahman, A.R.A. and Ismail, W.K.W. (2011), “Management accounting and risk management in Malaysian financial institutions. an exploratory study”, Managerial Auditing Journal, Vol. 26 No. 7, pp. 566-585
88. Reich, B.H. and Benbasat, I. (2000), “Factors that influence the social dimension of alignment between business and information technology objectives”, MIS Quarterly, Vol. 24 No. 1, pp. 81-113
89. Ross, J.W. and Weill, P. (2005), “A matrixed approach to designing IT governance”, Sloan Management Review, Vol. 46 No. 2, pp. 26-34
90. Rubino, M. and Vitolla, F. (2012), “Risk management, a key process of corporate governance: analysis of the related effects on organisational behavior”, in Tipuric, D. and Dabic, M. (Eds), Management, Governance and Entrepreneurship. New Perspectives and Challenges, Access Press, Darwen
91. Sabherwal, R., Jeyaraj, A. and Chowa, C. (2006), “Information system success: individual and organizational determinants”, Management Science, Vol. 52 No. 12, pp. 1849-1864
92. Saeidi, P., Sofian, S., Rasid, S.Z.A. and Saeid, S.P. (2012), “The role of chief risk officer in adoption and implementation of enterprise risk management-a literature review”, International Research Journal of Finance and Economics, No. 88, April, pp. 118-123
93. Sambamurthy, V. and Zmud, R.W. (1999), “Arrangements for information technology governance: a theory of multiple contingencies”, MIS Quarterly, Vol. 23 No. 2, pp. 261-290
94. Sambamurthy, V. and Zmud, R.W. (2000), “Research commentary: the organizing logic for an enterprise’s IT activities in the digital era-a prognosis of practice and a call for research”, Information Systems Research, Vol. 11 No. 2, pp. 105-114
95. Schlosser, F., Wagner, H.-T., Beimborn, D. and Weitzel, T. (2010), “The role of internal business/IT alignment and it governance for service quality in IT outsourcing arrangements”, System Sciences (HICSS), 43rd Hawaii International Conference on System Sciences, Honolulu, HI, pp. 1-10
96. Schobel, K. and Denford, J.S. (2013), “The chief information officer and chief financial officer dyad in the public sector: how an effective relationship impacts individual effectiveness and strategic alignment”, Journal of Information Systems, Vol. 27 No. 1, pp. 261-281
97. Scholey, C. (2006), “Risk and the balanced scorecard”, CMA Management, Vol. 80 No. 4, pp. 32-35
98. Schwarz, A. and Hirschheim, R. (2003), “An extended platform logic perspective of IT governance managing perceptions and activities of IT”, Journal of Strategic Information Systems, Vol. 12 No. 2, pp. 129-166
99. Shenkir, W.G. and Walker, P.L. (2006), Enterprise Risk Management: Frameworks, Elements, and Integration, IMA-Institute of Management Accountants, Montvale, NJ
100. Simonsson, M. and Johnson, P. (2006), “Defining IT governance - a consolidation of literature”, Proceedings of the 18th Conference on Advanced Information Systems Engineering (CAISE ‘06), Luxembourg.
101. Sohal, A.S. and Fitzpatrick, P. (2002), “IT governance and management in large Australian organisations”, International Journal of Production Economics, Vol. 75 Nos 1/2, pp. 97-112
102. Soin, K. (2005), “Risk, regulation and the role of management accounting and control in UK financial services”, paper presented at Critical Perspectives in Accounting Conference, New York, NY
103. Spira, L. and Page, M. (2003), “Risk management: the reinvention of internal control and the changing role of internal audit”, Accounting, Auditing and Accountability Journal, Vol. 16 No. 4, pp. 640-661
104. Summerfield, B. (2005), “EU selects CobiT as an auditing standard”, available at: www.certmag.com/ read.php?in=1196 (accessed 3 May 2013)
105. Tallon, P.P. (2007), “A process-oriented perspective on the alignment of information technology and business strategy”, Journal of Management Information Systems, Vol. 24 No. 3, pp. 227-268
106. Tallon, P.P. and Pinsonneault, A. (2011), “Competing perspectives on the link between strategic information technology alignment and organizational agility: insights from a mediation model”, MIS Quarterly, Vol. 35 No. 2, pp. 463-484.
107. Tambe, P. and Hitt, L.M. (2012), “The productivity of information technology investments: new evidence from IT labor data”, Information Systems Research, Vol. 23 No. 3, pp. 599-617.
108. Tiwana, A. and Konsynski, B. (2010), “Complementarities between organizational IT architecture and governance structure”, Information Systems Research, Vol. 21 No. 2, pp. 288-304.
109. Tuttle, B. and Vandervelde, S.D. (2007), “An empirical examination of CobiT as an internal control framework for information technology”, International Journal of Accounting Information Systems, Vol. 8 No. 4, pp. 240-263.
110. Van Grembergen, W. (2003), Strategies for Information Technology Governance, Idea Group Publishing, London.
111. Von Simson, E.M. (1995), “The recentralization of IT”, Computerworld, Vol. 29 No. 51, pp. 1-5.
112. Wahlström, G. (2009), “Risk management versus operational action: Basel II in a Swedish context”, Management Accounting Research, Vol. 20 No. 1, pp. 53-68.
113. Wan Daud, W.N., Yazid, A.S. and Rashid Hussin, H.M. (2010), “The effect of chief risk officer (CRO) on enterprise risk management (ERM) practices: evidence from Malaysia”. International Business and Economics Research Journal, Vol. 9 No. 11, pp. 55-64.
114. Weill, P. and Ross, J.W. (2004), IT Governance. How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, Boston, MA.
115. Wilkin, C.L. and Chenhall, R.H. (2010), “A review of IT governance: a taxonomy to inform accounting information systems”, Journal of Information Systems, Vol. 24 No. 2, pp. 107-146.
116. Williamson, D. (2004), “A call for management accounting control research into risk management”, paper presented at MARG Conference, Aston Business School, Aston.
117. Woods, M. (2009), “A contingency perspective on the risk management control system within Birmingham City Council”, Management Accounting Research, Vol. 20 No. 1, pp. 69-81.
118. Zattoni, A. (2004), Il governo economico delle imprese, Egea, Milan.