
Business and IT Alignment Assurance

Assessment of Business and IT alignment

from an IT audit perspective

Author: Jan-Jaap Moerman
University: VU University Amsterdam
Faculty: Economics and Business Administration
Major: IT Audit postgraduate education
Supervisor University: Drs. B. van Staveren RE
Supervisor PwC: Mr. P. Nieuwenhuizen RE RA
Place: Amsterdam, the Netherlands
Date: March 31, 2008


Preface

“Today, as business changes so fast, it’s hard to stay as focused as you want,” explains David Phillips, Unilever vice president of finance and information technology for Foodsolutions North America. “More projects come along in which you have to consolidate. We have to stay on top of these needs to stay on track and meet the bottom line. And while we do that, we’re also looking for ways to incorporate strategies to grow and boost company profits.”

This is one of the many examples illustrating the uncertainties related to Business and IT alignment within organizations and the need for assurance. Business-IT alignment is a complex and multidimensional problem that has remained among the top-10 issues for many organizations over the past two decades. This thesis will examine the use of a BIA assurance methodology to provide senior management assurance about their Business and IT alignment.

This research has been performed in order to graduate in the field of Economics and Business Administration, postgraduate IT audit education at the VU University Amsterdam. This research started at the end of December 2007.

I would like to thank all participants for their efforts made in favor of this research. Special thanks go to Drs. B. van Staveren RE, who was appointed supervisor at the VU University Amsterdam, and Mr. P. Nieuwenhuizen RE RA, who was appointed supervisor at PricewaterhouseCoopers. Furthermore, special thanks go to Tom Hagenaars, a colleague at PricewaterhouseCoopers, with whom I had many useful and interesting discussions about Business and IT alignment assurance.

Utrecht, March 31, 2008
Jan-Jaap Moerman


Management Summary

Over the last 15 years, a new phenomenon emerged that has since kept the business world in a tight grip. No longer do executives see IT as a cost of doing business. IT is evolving from its traditional administrative role to a more strategic role. Since then, the alignment of IT with business objectives has consistently been among the top concerns of senior management. This alignment involves the degree to which the mission, objectives and business strategies are shared and supported by the IT strategy. A key success factor for a company in a dynamic environment is effective and efficient information technology, supporting business strategies and processes.

Recent surveys show that in many cases IT is not aligned with the business strategy. The alignment between business needs and IT capability is still an area of concern, and in many organizations senior management is uncertain about the realized level of alignment between the business and information technology within their organization.

Business and IT alignment is defined as (Luftman and Brier, 1999): Business and IT alignment refers to applying Information Technology (IT) in an appropriate and timely way, in harmony with business strategies, goals and needs. This definition explicitly addresses:

• How IT is aligned with the business and;
• How the business should or could be aligned with IT.

To remove the uncertainty by management and thus provide management assurance about their level of Business and IT alignment (BIA), a BIA assurance methodology has been designed to provide assurance to senior management that Business and IT are aligned in an effective and efficient way. Based on the results of this research, relevant BIA criteria and risks were identified and environmental influences were determined, which have a direct or indirect impact on the alignment. These have been incorporated in a BIA control framework, which serves as one of the key elements of the BIA assurance methodology.

A BIA assurance methodology has been designed in line with current auditing standards and was validated in a case study. The methodology includes a BIA risk analysis to assess any specific risks the organization faces in the field of Business and IT alignment. The outcomes of the risk analysis are translated to relevant alignment criteria in the BIA control framework. This framework can be considered as the work program of the IT auditor.

Based on a comparison between limited and reasonable assurance characteristics and the outcomes of the case study, it became clear that currently only limited assurance can be provided to senior management. In general, the proposed BIA assurance methodology (including the BIA control framework) provides insight into the Business and IT alignment subject and assists the IT auditor in determining the realized level of Business and IT alignment within organizations. In the coming months, further empirical research will be necessary to conclude on the effectiveness of this methodology.


Table of contents

PREFACE ..... 2
MANAGEMENT SUMMARY ..... 3
1. INTRODUCTION ..... 5
2. RESEARCH METHODOLOGY ..... 6
  2.1 PROBLEM DEFINITION AND CONCEPTUAL MODEL ..... 6
    2.1.1 Problem Definition ..... 6
    2.1.2 Conceptual Model BIT ..... 6
  2.2 RESEARCH DESIGN ..... 8
    2.2.1 Research Structure ..... 8
    2.2.2 Research Focus ..... 8
    2.2.3 Research Context ..... 8
3. BUSINESS AND IT ALIGNMENT ..... 9
  3.1 INTRODUCTION TO BUSINESS AND IT ALIGNMENT ..... 9
    3.1.1 BIA and IT Governance ..... 9
    3.1.2 BIA and Business Performance ..... 9
    3.1.3 BIA from a Process Point of View ..... 10
    3.1.4 BIA Types of Alignment ..... 10
  3.2 ALIGNMENT CRITERIA ..... 12
    3.2.1 Identifying Alignment Criteria ..... 12
    3.2.2 Assessing Alignment Criteria ..... 15
  3.3 INTERNAL AND EXTERNAL ENVIRONMENT ..... 16
    3.3.1 Environmental Scanning ..... 16
    3.3.2 Environmental Influences on Alignment ..... 17
    3.3.3 Alignment Perspectives ..... 18
  3.4 BIA CONTROL FRAMEWORK ..... 19
    3.4.1 BIA Risk and Control ..... 19
    3.4.2 Proposed Control Framework ..... 20
4. BUSINESS AND IT ALIGNMENT ASSURANCE ..... 22
  4.1 ASSURANCE ENGAGEMENTS ..... 22
  4.2 APPLICABLE AUDITING STANDARDS ..... 23
  4.3 REASONABLE AND LIMITED ASSURANCE ..... 25
  4.4 BIA ASSURANCE METHODOLOGY ..... 25
    4.4.1 Engagement Acceptance and Continuance ..... 26
    4.4.2 Understanding Client and Environment ..... 27
    4.4.3 Scoping Alignment Criteria and Determine Assurance Level ..... 27
    4.4.4 Perform Audit Procedures ..... 27
    4.4.5 Risk Assessment and Responses ..... 28
    4.4.6 Completion and Reporting ..... 28
5. CASE STUDY ..... 29
  5.1 INTRODUCTION CLIENT ORGANIZATION ..... 29
  5.2 BIA ASSURANCE ENGAGEMENT ..... 29
6. CONCLUSIONS ..... 31
SUMMARY OF CONTRIBUTION ..... 32
REFERENCES ..... 33
APPENDIX A. BIA CONTROL FRAMEWORK PART 1 ..... 35
APPENDIX B. BIA CONTROL FRAMEWORK PART 2 ..... 36
APPENDIX C. BIA CONTROL FRAMEWORK PART 3 ..... 48


1. Introduction

This chapter introduces the subject of the IT audit thesis and briefly discusses the relevance of this thesis.

Over the last 15 years, a new phenomenon emerged that has since kept the business world in a tight grip. No longer do executives see IT as a cost of doing business. IT is evolving from its traditional administrative role to a more strategic role. Since then, the alignment of IT with business objectives has consistently been among the top concerns of senior management. This alignment involves the degree to which the mission, objectives and business strategies are shared and supported by the IT strategy. A key success factor for a company in a dynamic environment is effective and efficient information technology, supporting business strategies and processes.

Recent surveys show that in many cases IT is not aligned with the business strategy. The alignment between business needs and IT capability is still an area of concern, and in many organizations senior management is uncertain about the realized level of alignment between the business and information technology within their organization. The following definition will be used to refer to Business and IT alignment (Luftman and Brier, 1999):

“Business and IT alignment refers to applying Information Technology (IT) in an appropriate and timely way, in harmony with business strategies, goals and needs. This definition explicitly addresses:

• How IT is aligned with the business and;
• How the business should or could be aligned with IT.”

To remove the uncertainty by management and thus provide management assurance about their level of Business and IT alignment (BIA), a BIA assurance methodology is proposed in chapter four. Chapter three introduces the concept of BIA, and chapter four starts by describing the applicable auditing standards which serve as the basis for the proposed methodology. The BIA assurance methodology is validated in chapter five, followed by the most important conclusions in chapter six.


2. Research Methodology

This chapter presents the research methodology that has been followed during this research. The research methodology explains the structure of the research process and it shows the researcher’s approach to understanding the business problem identified in the problem statement (Leeuw, 2001). This section describes the problem definition and the conceptual model. This model includes the key concepts used. The last section will describe the focus, structure and context of the research.

2.1 Problem definition and conceptual model

This section introduces the main reason for the research and shows the researcher’s approach to the identified problems. The foundation of the research is described by formulating the research objective and the conceptual model (Leeuw, 2001).

2.1.1 Problem Definition

Problem statement: How does senior management ensure that Business and IT are aligned?

Research objective: How to provide assurance to senior management that Business and IT are aligned in an effective and efficient way?

Research questions: The following research questions are defined in order to support the research objective:

1. Which BIA criteria and BIA environmental influences can be identified and how to assess these BIA criteria and BIA environmental influences?
2. What are the main BIA risks involved and which control objectives can be identified?
3. How to structure / perform a BIA audit in line with current auditing standards?

2.1.2 Conceptual Model BIT

The purpose of the conceptual model is to show the research view of the researcher. It is a reflection of the empirical reality and reflects the building blocks of the research (Leeuw, 2001). It can also be considered as a tool to illustrate the research linkages of different organizational areas. This section will explain the key concepts used in the conceptual model, which form the basics of the framework. The concepts will be used throughout the thesis and will be explained in more detail where appropriate.

The conceptual model BIT, as illustrated in figure 1, is mainly based on the strategic alignment model proposed by Henderson and Venkatraman (Henderson and Venkatraman, 1993), which is considered one of the most widespread and accepted models among the alignment community. All later alignment models and consulting practices start from this model.

The term BIT stands for the binary digit symbol, taking a value of either 0 or 1. Binary digits are a basic unit of information storage and communication in digital computing and digital information theory. Furthermore, it also refers to both Business (B) as well as Information Technology (IT). The Yin and Yang symbol has been adopted from Rob Poels’ PhD thesis (Poels, 2006). The dual concepts of yin and yang describe two primal opposing but complementary principles or cosmic forces said to be found in all non-static objects and processes in the universe. It illustrates the problems organizations face in aligning their business and information technology.


Figure 1. Conceptual model BIT (derived from the strategic alignment model)

The strategic alignment model of Henderson and Venkatraman is defined in terms of four basic domains of strategic choice: business strategy, information technology strategy (IT strategy), organization infrastructure and processes (Business Operations) and information technology infrastructure and processes (IS Operations). Internal and external environmental influences can be assessed using the Five Forces Model of Porter (Porter, 1979; Porter and Miller, 1985) and the 7S framework of Waterman (Waterman, 1980) and have a direct or indirect influence on the Business and IT alignment subject.

Within the conceptual model the COSO (Committee of Sponsoring Organisations of the Treadway Commission) Enterprise Risk Management, integrated framework (COSO, 2004) is used to approach the BIA subject from a risk and control perspective. COSO defines Enterprise risk management as a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. The highlighted objective below is the main focus of this research.

• Strategic: High-level goals, aligned with and supporting its mission;
• Operations: Effective and efficient use of its resources;
• Reporting: Reliability of reporting;
• Compliance: Compliance with applicable laws and regulations.

Effectiveness and efficiency are useful characteristics for assessing business processes. Effectiveness reflects the way an organization is successful in delivering the customer what he wants. Efficiency reflects the ‘energy’ the organization spends to produce and deliver the requested product or service (Norea, 1999). Both quality aspects have been translated to a set of alignment criteria, which will be discussed in chapter three.


2.2 Research Design

The research design can be considered as a tool to understand the different elements of the research in the search for answers to the research questions (Leeuw, 2001). This section describes the research focus, the research structure and the research context.

2.2.1 Research Structure

This section illustrates how the research has been structured. The next figure graphically illustrates the research structure and provides an overview of the structure of this report. Based on the BIA and auditing standards literature in chapters three and four, a BIA assurance methodology is proposed. This methodology has been validated in the case study and the results have been included in the final chapter, which presents the answers to the main research questions (1-3).

Figure 2. Research structure

2.2.2 Research Focus

The research focus sets the boundaries of the research and determines which problems will be addressed during the various phases as mentioned in the research structure. This research addresses the BIA subject from a risk and control perspective and focuses on the assessment of the realized BIA by introducing a BIA control framework and BIA assurance methodology that assists the IT auditor in assessing the realized level of Business and IT alignment control in order to provide assurance to senior management. The focus of the research has been marked by the question mark in the conceptual model BIT.

2.2.3 Research Context

This research has been conducted in a period of four months at the VU University Amsterdam. The case study has been performed at Hirschmann Automation and Control GmbH in Neckartenzlingen, Germany, in March 2008 under supervision of PricewaterhouseCoopers, Systems and Process Assurance.


3. Business and IT alignment

This chapter introduces the subject of Business and IT alignment. Section 3.1 presents the concepts used within this research area. Section 3.2 identifies the alignment criteria based on extensive literature research. Section 3.3 will elaborate on the internal and external environmental influences on the alignment. Based on these sections, section 3.4 introduces a Business and IT alignment control framework to be used in the BIA assurance engagement. This engagement will be based on the BIA assurance methodology which is discussed in chapter four.

3.1 Introduction to Business and IT alignment

Business and IT alignment (BIA) involves the degree to which the mission, objectives and plans contained in the business strategy are shared and supported by the IT strategy (Reich and Benbasat, 1996). According to Luftman and Brier, strategic alignment involves “applying IT in an appropriate and timely way and in harmony with business strategies, goals, and needs” (Luftman and Brier, 1999). In a broader sense, IT alignment is about coordinating the relationship between business aspects and IT aspects and can be considered as a significant aspect of IT governance.

3.1.1 BIA and IT Governance

IT Governance concentrates on performing and transforming IT to meet present and future demands of the business and the business’ customers. Many definitions are used for IT governance. The following definitions will be used in this research to illustrate the need for Business and IT alignment.

Henderson and Venkatraman define IT governance as: “How the authority for resources, risk and responsibility for IT is shared among business partners, IT management and service providers.” (Luftman, 1996)

Van Grembergen defines IT Governance as “the organizational capacity exercised by the Board, Executive Management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of Business and IT.” (Grembergen and Haes, 2004). They claim the ultimate goal of IT Governance is achieving strategic alignment between Business and IT.

Both definitions above illustrate that Business and IT alignment is one of the main drivers and outcomes of IT governance practices.

3.1.2 BIA and Business Performance

The importance of aligning IT to the business is widely recognized: alignment influences business performance (Chan, et al., 2006; Kearns and Sabherwal, 2006; Nash, 2006). Luftman found positive correlations between the maturity of IT-business alignment and the following (Luftman and Kempaiah, 2007):

• IT’s organizational structure;
  o Federated IT structures are associated with higher alignment maturity than centralized or decentralized structures.
• The CIO’s reporting structure;
  o Companies with CIOs reporting directly to the CEO are associated with higher alignment maturity.
• Firm performance.
  o Higher alignment maturity correlates with higher firm performance.

The actual performance implications of Business and IT alignment have not yet been addressed extensively in scientific literature. This remains an area for further research. Business/IT alignment practices provide a way of deploying (IT) resources in a more efficient way. This makes Business/IT alignment a distinctive competency of an organization, and thus a potential source of competitive advantage. This competitive advantage creates value for the organization. In general, the main benefits of Business/IT alignment that may lead to value creation are:

• Cost reduction
• Cost avoidance
• Increased revenue

Alignment helps an organization deliver the same products/services as the competition, but at a lower cost, or it increases revenues. This means alignment realizes competitive advantage in the form of ‘cost advantage’ (Porter, 1994).

3.1.3 BIA from a Process Point of View

Although many models focus on creating a state of alignment, it is important to stress that most authors agree on the fact that alignment is a dynamic process rather than a static state. This means alignment requires not only a set of steps and procedures for measuring alignment, but also a continuing process that can realize and monitor alignment, in order to stay on track over a long period of time (Henderson and Venkatraman, 1991).

The complexity of the alignment process suggests a need to focus on a subset of choices. Since focusing on a subset of choices means giving the rest of the choices less attention, such a focus carries a risk. This means the alignment process must be viewed as a series of events, each with a specific focus, which together lead to an alignment strategy. This makes alignment a dynamic process. Alignment is also a continuous process. It is argued by Henderson and Venkatraman that “alignment is not an event but a process of continuous adaptation” (Henderson and Venkatraman, 1991). Alignment must be a dynamic and continuous process in order to respond to changes in the external and internal environment.

3.1.4 BIA Types of Alignment

In 1994, B.H. Reich and S. Fraser published their paper on linkage between Business and IT objectives (Reich and Benbasat, 1996). They established the linkage between business and information technology objectives as one of the key concerns of IT management. According to their research, the linkage construct has two dimensions:

• Intellectual dimension of alignment;
• Social dimension of alignment.

There has been much support in the literature to divide alignment into these two types (Reich and Benbasat, 2000), (Reich and Benbasat, 1996). In general, research into the intellectual dimension is concentrated on the content of strategies, structure, planning and execution methodologies. Research into the social dimension covers the people involved in creating business IT alignment and thus the more social aspects of alignment.

A. Intellectual dimension

The intellectual dimension refers to the validity and consistency of IT and business plans. It includes methodologies, techniques and data used in the formulation of technology. It defines the state in which IT and business objectives are consistent and valid. According to Henderson and Venkatraman (Henderson and Venkatraman, 1991), the definition of strategic alignment involves two types of integration: strategic integration and operational integration.


Figure 3. Strategic Alignment Model (Henderson and Venkatraman, 1991)

The model, illustrated in figure 3, identifies two types of integration between Business and IT domains. The first one is called strategic integration, the second one operational integration. Strategic integration refers to the capability of the IT functionality to shape and support business strategy. It refers to the link between business strategy and IT strategy (external domains). Operational integration refers to the link between organizational infrastructure & processes and IT infrastructure & processes (internal domains). Furthermore, this model shows how effective IT management requires efforts across four domains:

I. Business strategy: involves all choices that position the organization in the (global) market. Also, it defines the way in which the company realizes competitive advantage;
II. Organizational infrastructure: defined as the choices that determine the internal arrangement of the firm in order to execute the business strategy;
III. IT strategy: involves all choices that position the firm in the (global) IT market;
IV. IS infrastructure: defined as the choices that determine the arrangement of IT. It defines how the organization executes the IT strategy.

Besides the strategic and operational integration, Henderson and Venkatraman recognize the need to make choices about the position of the firm in the external market as well as to decide how to best structure the internal arrangement of the firm to execute this market position strategy. This is called strategic fit. It indicates how well the firm's mission and strategies fit its internal capabilities and its external environment. Functional integration is defined as the integration between business and functional domains. This dimension considers how choices made in the IT domain impact those made in the business domain and vice versa (Henderson and Venkatraman, 1991). According to Henderson and Venkatraman, the Business and IT strategy are said to be aligned when a strategic fit has been realized and functional integration is reached.

B. Social dimension

The social dimension refers to alignment aspects such as the choice of actors, their degree of involvement and the methods of communication and decision making. The objective is to get IS and business executives to understand each other’s objectives and plans. Reich and Benbasat define social alignment as (Reich and Benbasat, 1996):

“The level of mutual understanding of and commitment to the Business and IT mission, objectives, and plans.”

Taylor-Cummings stated that one of the main accusations directed at the IS department is their lack of understanding of the business, and their apparent disregard for business priorities and objectives (Taylor-Cummings, 1998). One of the main accusations directed at the business department is their total ignorance of technological feasibility. This results in a culture gap that is the primary cause of system failure. This makes the social dimension of alignment a relevant factor to be considered.

3.2 Alignment criteria

The main objective of this section is to identify all significant direct and indirect alignment criteria and to determine how to measure these criteria, so as to be able to provide assurance to senior management about the realized level of Business and IT alignment.

3.2.1 Identifying Alignment Criteria

This section identifies the alignment criteria for both the intellectual and the social dimension. These alignment criteria serve as the primary input for the BIA control framework that will be presented in the last section of this chapter.

A. Intellectual dimension

Henderson and Venkatraman claim that, in order to reach alignment, three sets of choices must be made for each of the four major building blocks (business strategy, IT strategy, organizational infrastructure, IS infrastructure) (Henderson and Venkatraman, 1991). The choices themselves do not directly influence the level of alignment; it is the relationships that exist among the twelve components that define Business and IT alignment. The primary factors that influence the level of intellectual alignment are strategic fit and functional integration, and these factors are in turn influenced by the choices concerning the business scope, distinctive competencies, business governance, the administrative structure, business processes, skills, IT scope, systemic competencies, IT governance, IT processes, IT skills and the IT architecture.

Figure 4. The twelve components of alignment (Henderson and Venkatraman, 1991)


Based on the components illustrated in figure 4 and further explained in table 1, six alignment categories were proposed by Luftman (Luftman, 2003) to be used in a BIA assessment. Statistical evidence was provided to support these six categories from the strategic alignment model (Luftman, et al., 2006). The assessment instrument was evaluated using confirmatory factor analysis that reduced the set of 39 criteria to 22 criteria for a more pragmatic representation of the strategic alignment model. The assessment instrument has also been validated by Rob Poels (Poels, 2006). All criteria (39) are taken into consideration in the development of the BIA control framework. The underlying criteria have not been included here, but will be addressed in the last section of this chapter. The following categories will be used in the BIA control framework (Luftman and Kempaiah, 2007).

1. Communication: Measures the effectiveness of the exchange of ideas, knowledge, and information between IT and business organizations, enabling both to clearly understand the company’s strategies, plans, business and IT environments, risks, priorities, and how to achieve them.

2. Metrics (Competency/Value Measurement): Uses balanced measurements to demonstrate the contributions of information technology and the IT organization to the business in terms that both the business and IT understand and accept.

3. Governance: Defines who has the authority to make IT decisions and what processes IT and business managers use at strategic, tactical, and operational levels to set IT priorities and allocate IT resources.

4. Partnership: Gauges the relationship between a business and IT organization, including IT’s role in defining the business’s strategies, the degree of trust between the two organizations, and how each perceives the other’s contribution.

5. Technology (Scope & Architecture): Measures IT’s provision of a flexible infrastructure, its evaluation and application of emerging technologies, its enabling or driving business process changes, and its delivery of valuable customized solutions to internal business units and external customers or partners.

6. Human resources (skills): Measures human resources practices, such as hiring, retention, training, performance feedback, encouraging innovation and career opportunities, and developing the skills of individuals. It also measures the organization’s readiness for change, capability for learning, and ability to leverage new ideas.

Building block | Component | Description
Business strategy | Business Scope | Includes markets, products, customers and locations, as well as competitors, suppliers and other issues affecting the business environment.
Business strategy | Distinctive Competencies | The critical success factors and core competencies that provide potential competitive advantage.
Business strategy | Business Governance | How companies set the relationship between management, stockholders and the board of directors, including government regulations.
IT strategy | Technology Scope | The specific information technologies that support current business strategy initiatives or could shape new business strategy initiatives.
IT strategy | System Competencies | Those capabilities that distinguish the IT services.
IT strategy | IT Governance | How the authority for resources, risk and responsibility for IT is shared among business partners, IT management and service providers.
IS Infrastructure | Architecture | The technology priorities, policies and choices that allow applications, software, networks, hardware and data management to be integrated into a cohesive platform.
IS Infrastructure | Processes | Those practices and activities carried out to develop and maintain applications and manage IT infrastructure.
IS Infrastructure | Skills | IT human resource considerations such as training, motivation, hire/fire and culture.
Organizational Infrastructure | Administrative Structure | The way the firm organizes its businesses.
Organizational Infrastructure | Processes | How the firm’s business activities operate or flow.
Organizational Infrastructure | Skills | HR considerations such as how to hire/fire, motivate and train employees.

Table 1. Twelve components of alignment (refer also to figure 4)

B. Social dimension

In 2000, Reich and Benbasat identified four criteria (1-4) that influence the social aspect of alignment (Reich and Benbasat, 2000). In 2002, Hussin et al. identified in their research into Business and IT alignment within small firms three additional criteria (5-7) that influence the social dimension of alignment (Hussin, et al., 2002). These alignment criteria (table 2) have been incorporated in the list of 39 criteria items already identified in the intellectual domain of alignment.

No. | Criteria (social dimension) | Description
1 | Shared domain knowledge between Business and IT executives (communication) | The ability of IT and business executives to, at a deep level, understand and be able to participate in the other’s key processes and to respect each other’s unique contribution and challenges. Important factors are: IT's understanding of business processes and challenges/opportunities and line managers' understanding of technology and technological possibilities.
2 | Connections between Business and IT planning processes (partnership) | The way IT is included in the planning process of the business (strategic/tactical/operational) and the level of connections between Business and IT planning.
3 | Communication between Business and IT (communication) | The structure and richness of the communication between Business and IT.
4 | IT implementation success (metrics) | The historical success of IT projects.
5 | CEO commitment to IT (partnership) | The degree of support of the CEO for IT.
6 | IT sophistication (technology) | IT sophistication refers to a combination of IT use and IT management factors.
7 | External expertise (technology, human resources, governance) | The knowledge available at external parties that plays a role in the business processes of an organization.

Table 2. Social dimension criteria of alignment


3.2.2 Assessing Alignment Criteria

Alignment criteria differ from organization to organization and a standard set of alignment control activities is not applicable. Therefore it is more difficult to measure an organization’s alignment. This section will introduce the concept of maturity as a method to measure the BIA alignment criteria. This section will explicitly not discuss the use of maturity levels for Business and IT alignment. This area has been suggested for further research in chapter six. Identifying an organization’s alignment maturity provides an excellent vehicle for understanding and improving the Business and IT relationship (Luftman, 2003). A careful assessment of an organization’s alignment maturity is necessary to ensure that IT is being used to appropriately enable or drive the business strategy. The term capability maturity model (CMM) broadly refers to a specific kind of process improvement approach. Process improvement is a series of actions that are taken to analyze and improve existing (business) processes, in order to meet (business) objectives. The CMM (Humphrey's Capability Maturity Model) was originally described in the book Managing the Software Process and published in a 1988 article (Humphrey, 1988). The CMMI approach (originally developed for software development) is based on a process model, and was developed by the Software Engineering Institute (SEI). This approach is also followed in the Control Objectives for Information Technology (COBIT) framework (ITGI, 2007). COBIT provides good practices across a domain and process framework and presents activities in a manageable and logical structure. For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:

• Making a link to the business requirements;
• Organizing IT activities into a generally accepted process model;
• Identifying the major IT resources to be leveraged;
• Defining the management control objectives to be considered.

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of Business and IT process owners. COBIT does not explicitly assess the Business and IT alignment process. As stated earlier, and similar to the COBIT approach, a process-based approach is followed for the Business and IT alignment subject. Therefore this research follows a maturity approach to measure the process (set of alignment criteria) of Business and IT alignment. The model identifies five levels of process maturity for an organization (Humphrey, 1988; Luftman and Kempaiah, 2007):

1. Initial (chaotic, ad hoc processes): Organizations at Level 1 generally have poor communications between IT and the business and also a poor understanding of the value or contribution the other provides.

2. Repeatable (committed processes): Organizations at Level 2 have begun enhancing their IT-business relationship. Alignment tends to focus on functions or departments (e.g., finance, R&D, manufacturing, marketing) or geographical locations (e.g., U.S., Europe, Asia). The business and IT have limited understanding of each other’s responsibilities and roles. IT metrics and service levels are technical and cost-oriented, and they are not linked to business metrics.

3. Defined (established, focused processes): In Level 3 organizations, IT assets become more integrated enterprise-wide. Senior and mid-level IT management understand the business, and the business’s understanding of IT is emerging.


4. Managed (improved, managed processes): Organizations at Level 4 manage the processes they need for strategic alignment within the enterprise. One of the important attributes of this level is that the gap has closed between IT understanding the business and the business understanding IT.

5. Optimizing (process improvement): Organizations at Level 5 have optimized strategic IT-business alignment through rigorous governance processes that integrate strategic business planning and IT planning. Alignment goes beyond the enterprise by leveraging IT with the company’s business partners, customers, and clients, as well.

Based on research performed by Luftman (Luftman, 2003) in assessing the Business and IT alignment maturity, maturity levels have been defined. These maturity levels will be incorporated in the BIA control framework. Although a properly applied capability already reduces risks, an organization still needs to analyze the controls necessary to ensure that risk is mitigated and value is obtained in line with the risk appetite and business objectives. These controls are guided by the high level control objectives that will be introduced in the BIA control framework. Furthermore a BIA risk analysis will be introduced in the BIA assurance methodology to link risks to the alignment criteria.

3.3 Internal and External Environment

A changing competitive environment often requires the organization to adjust its existing strategy, which in turn triggers changes in organizational form and governance. To be able to identify the relevant aspects and their impact on alignment, the concept of environmental scanning is suggested.

3.3.1 Environmental Scanning

Environmental scanning is a process in the organization which acquires data from the internal and the external environment that may be used in decision making processes in the organization (Maier, 1997). The primary purpose of the environmental scan is to provide a comprehensive view of the current and future condition of the internal and external influences, whereas the capabilities to control the external influences are limited. The internal analysis can be structured according to the 7S Framework. This model was first introduced in 1980 (Waterman, 1980). It considers the organization of a company as a mix of seven dimensions that function around the Shared Values of a company. The seven dimensions are: Strategy, Structure, Systems, Style, Staff, Skills and Shared Values. The model will be used to understand the internal organization of the company. It can be used to consider the links between the seven dimensions, to identify strengths and weaknesses and to highlight how a change made in one of the dimensions will influence the others. Some examples of internal environmental influences are:

Business strategy:

• Supplier rationalization;
• Excelling in service delivery and customer relationships;
• Cost efficiency, which drives centralization and standardization;
• Leading on quality, which drives a customized IT environment;
• Innovation;
• Non-IT executives' support for information technology.

Corporate governance:

• Clear separation of business units, governance model used for other support functions (e.g. HR, Finance).


The external analysis will provide insight into the external environment of the company. The external environment will be analyzed using the five forces model of Porter (Porter, 1979) as illustrated in figure 5. The main purpose is to provide a clear picture of the environment in which the organization conducts business by following a structured approach. Porter's Five Forces include three forces of 'horizontal' competition: the threat of substitute products, the threat of established rivals, and the threat of new entrants; and two forces of 'vertical' competition: the bargaining power of suppliers and the bargaining power of customers.

Figure 5. Five Forces model (Porter, 1979)

The intention of Porter was to provide an overall model that would help enterprises realize the impact of external scenarios (the forces) on their overall performance. Some examples of external environmental influences are:

Industry:

• Aggressive cost cutting in the industry;
• Highly demanding customers with a need for customized products;
• Drive towards outsourcing/offshoring in an industry;
• Global firms with market-specific needs may opt for a federal IT structure to be able to respond to local requirements with agility;
• Rate of change (driven by new technologies, regulation or disruptive change driven by competition), e.g. telecommunications vs. airlines.

Regulatory environment:

• Compliance risks need to be assessed and addressed in a structured manner;
• Examples are Sarbanes-Oxley, Basel II, Code Tabaksblat (Dutch corporate governance code).

3.3.2 Environmental Influences on Alignment

Based on empirical research performed by Rob Poels (Poels, 2006), several environmental aspects have a direct impact on the Business and IT alignment subject. He identified two significant interdependencies with respect to Business and IT alignment:

• IT in product or service: Alignment improves when IT is a significant component in the product or service of the organization.

• Product leadership strategy: Alignment improves when a strong product leadership strategy is followed.


Other internal or external environmental aspects, such as the size of the organization, change management preferences and the type of CEO didn’t seem to interfere with alignment. These observations have been made based on a sample size of ten organizations. These findings need to be considered in the BIA assurance methodology.

3.3.3 Alignment Perspectives

In order to reach strategic alignment, the model of Henderson and Venkatraman identifies four dominant types of alignment perspectives. Each perspective travels through the building blocks differently (Henderson and Venkatraman, 1993):

• Perspective 1: Strategy execution, the business strategy is the driver of both organizational design choices and the design of the information systems infrastructure.

• Perspective 2: Technology transformation, implementing the business strategy through an appropriate IT strategy and the design of the information systems infrastructure.

• Perspective 3: Competitive potential, this perspective tries to fully exploit the capabilities of an IT strategy by influencing the business strategy and identifying the most efficient organizational infrastructure.

• Perspective 4: Service level, this perspective focuses on building a superior information systems service organization.

A possible reason for the low level of integration between Business and IT domains lies in the lack of understanding of the strategic choices that enable the integration. This model identifies these choices and makes them more understandable. This view will be used in the BIA assurance methodology to be able to scope the relevant alignment criteria based on the strategy followed by the organization and the BIA risk analysis (as part of the scoping phase, refer to chapter four).

Figure 6. Dominant types of alignment


3.4 BIA Control Framework

This section will summarize the findings in the field of Business and IT alignment and will conclude on this topic with a proposed control framework that will be used in the BIA assurance methodology (refer to chapter four).

3.4.1 BIA Risk and Control

The Committee of Sponsoring Organisations of the Treadway Commission’s (COSO’s) Enterprise Risk Management - Integrated Framework, the widely accepted control framework for enterprise governance and risk management, is used to approach the BIA subject from a risk and control perspective as mentioned in the conceptual model BIT. The implications for the Business and IT alignment subject have been included in the description of these ERM components. According to the COSO framework (COSO, 2004), enterprise risk management consists of eight interrelated components. These components provide an effective framework for describing and analyzing the internal control system implemented in an organization. The eight components are mentioned below.

Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. The internal environment (control environment) will be taken into consideration when evaluating the internal environment as mentioned in section 2.3, which will be incorporated in the BIA assurance methodology (section 4.4.2).

Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite. Objective setting is critical in the alignment of the Business and IT and will be considered as one of the key areas in the BIA control framework.

Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes. Events will be identified in the BIA risk analysis, as part of the BIA assurance methodology (section 4.4.2).

Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis. Events are categorized in the BIA risk analysis. For each risk it is determined whether the risk is low, medium or high, based on its likelihood and impact (section 4.4.2).

Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite. Based on the risk analysis and the internal and external environmental influences, which depend on the strategy of the organization, the risk response is determined. This may result in BIA criteria that are not applicable to the organization (sections 3.4.2 and 4.4.3).

Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. A standard set of control activities is not available for Business and IT alignment, as alignment differs for every organization. Nevertheless, based on recent literature, a set of alignment criteria is proposed to serve as a starting point for assessing BIA.

Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. Information and communication is critical in the definition of the alignment criteria. One of the six alignment categories specifically addresses this issue.

Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. Business and IT alignment is a dynamic and continuous process (instead of a state) and should be carefully monitored in order to maintain and/or improve the realized level of alignment.

Enablers and inhibitors of strategic alignment

In their research, Luftman, Papp and Brier identified areas that help or hinder alignment (Luftman, et al., 1999). The aim is to determine enablers and inhibitors of Business and IT alignment. The following table shows all categories from the enablers and inhibitors research. This list of enablers and inhibitors has been matched against the alignment criteria to make sure that all major risks have been addressed in the BIA control framework. Furthermore, this list will be helpful in guiding the BIA risk analysis at the client organization, which will be included in the BIA assurance methodology.
Enablers | Inhibitors
Senior executive support | IT/non-IT lack close relationship
IT involved in strategy development | IT does not prioritize well
IT understands business | IT fails to meet its commitments
IT, non-IT have close relationship | IT does not understand business
IT shows strong leadership | Senior executives do not support IT
IT efforts are well prioritized | IT management lacks leadership
IT meets commitments | IT fails to meet strategic goals
IT plans linked to business plans | Budget and staffing problems
IT achieves its strategic goals | Antiquated IT infrastructure
IT resources shared | Goals/vision are vague
Goals/vision are defined | IT does not communicate well
IT applied for competitive advantage | Resistance from senior executives
Good IT/business communication | IT, non-IT plans are not linked
Partnerships/alliances |

Table 3. Enablers and inhibitors adopted from Luftman et al.

3.4.2 Proposed Control Framework

The proposed control framework has been included in Appendix A. It consists of the alignment criteria identified in the intellectual and social dimension of Business and IT alignment. The BIA control framework consists of three parts. The first part (appendix A) needs to be completed to be able to identify relevant internal and external environmental influences that may have an impact on the results of the BIA assurance engagement. For example, if the whole IT department has been outsourced to a third party, the focus for Business and IT alignment will differ from that of a 100% in-house IT department. Furthermore, it will give an indication of the internal control environment of the organization and how the organization addresses risks. Besides the environmental influences, this part of the control framework also includes the BIA risk analysis and the mapping to the alignment criteria. The second part includes the audit work program (appendix B). For each of the six alignment categories, a control objective has been defined and relevant aspects have been included in the specific work programs. Each alignment criterion will be evaluated and, based on the maturity levels defined, the level of alignment is determined. Based on the maturity levels of all criteria, an average maturity level is calculated for each category. This average is reflected in the BIA summary.


The last part provides a summary of the Business and IT alignment assessment based on the audit work program followed during the engagement (appendix C). It summarizes the differences found between the audit baseline (soll-position), which has been determined in the scoping phase, and the observations made in the six different alignment categories. The scoping phase will be discussed in the audit methodology section (section 4.4).


4. Business and IT alignment Assurance

This chapter will introduce the concept of assurance engagements. Based on the current auditing standards and the BIA control framework (chapter three), a structured assurance methodology is proposed to perform an assurance engagement in the field of Business and IT alignment. The first section starts with the characteristics of an assurance engagement, which also apply to the Business and IT alignment subject. The second section describes the current auditing standards, which have to be assessed to ensure compliance with their requirements. The next section discusses the level of assurance which can be provided (limited or reasonable assurance). In the last section the BIA assurance methodology is introduced and explained. This methodology will be validated in the case study which is described in chapter five.

4.1 Assurance Engagements

According to the International Federation of Accountants (IFAC) an assurance engagement can be defined as: “An engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria.” (IAASB, 2005a). An assurance engagement can take many forms, such as:

• Financial performance or conditions (for example, historical or prospective financial position, financial performance and cash flows) for which the subject matter information may be the recognition, measurement, presentation and disclosure represented in financial statements.

• Non-financial performance or conditions (for example, performance of an entity) for which the subject matter information may be key indicators of efficiency and effectiveness.

• Physical characteristics (for example, capacity of a facility) for which the subject matter information may be a specifications document.

• Systems and processes (for example, an entity’s internal control or IT system) for which the subject matter information may be an assertion about effectiveness.

• Behavior (for example, corporate governance, compliance with regulation, human resource practices) for which the subject matter information may be a statement of compliance or a statement of effectiveness.

Assurance engagements regularly have the following characteristics:

a. A three-party relationship involving a practitioner, a responsible party, and intended users;

• Assurance engagements involve three separate parties: a practitioner (accountant), a responsible party (typically management) and intended users (the addressees of our report besides management). Within the BIA assurance engagement, a practitioner is involved (IT auditor), the responsible party is senior management (CEO / CFO / CIO) and the intended users are the Business and IT managers / staff.

b. An appropriate subject matter. A subject matter is appropriate if it is:

• Identifiable and capable of consistent evaluation or measurement against the identified criteria. Based on the defined maturity levels this requirement is met for the BIA engagement.

• Such that the information about it can be subjected to procedures for gathering sufficient appropriate evidence to support a reasonable assurance or limited assurance conclusion. The level of assurance will be addressed in the next section.

c. Suitable criteria. Criteria are the benchmarks used to evaluate or measure the subject matter; they:

• Are either established or specifically developed;

• Need to be available to the intended users to allow them to understand how the subject matter has been evaluated or measured;

• Are required to be suitable for reasonably consistent evaluation or measurement of the subject matter within the context of professional judgment, to avoid individual interpretation and misunderstanding. Suitable criteria have the following characteristics:

o Relevance: Relevant criteria contribute to conclusions that assist decision making by the intended users.

o Completeness: Criteria are sufficiently complete when relevant factors that could affect the conclusions in the context of the engagement circumstances are not omitted. Complete criteria include, where relevant, benchmarks for presentation and disclosure.

o Reliability: Reliable criteria allow reasonably consistent evaluation or measurement of the subject matter including, where relevant, presentation and disclosure, when used in similar circumstances by similarly qualified practitioners.

o Neutrality: Neutral criteria contribute to conclusions that are free from bias.

o Understandability: Understandable criteria contribute to conclusions that are clear, comprehensive, and not subject to significantly different interpretations.

d. Sufficient appropriate evidence;

• Obtain sufficient appropriate evidence on which to base the conclusion.

• The reliability of evidence is influenced by its source and by its nature.

e. A written assurance report in the form appropriate to a reasonable assurance engagement or a limited assurance engagement.

• Oral and other forms of expressing conclusions can be misunderstood without the support of a written report.

These requirements are all applicable to the BIA assurance engagement, which will be described in more detail in the methodology section. The suitability of the alignment criteria and the evidence gathering will be assessed in the case study. The case study will point out whether these characteristics are appropriately addressed by the BIA methodology.

4.2 Applicable Auditing Standards

All assurance engagements should be conducted in accordance with relevant standards; either:

• A subject-matter specific national standard;
• The relevant international standard (ISAE 3000).

This section presents the relevant standards that may be applicable to the BIA assurance methodology.

International Standards on Auditing (ISA)

The International Standard on Auditing (ISA 220) deals with the specific responsibilities of accounting personnel regarding quality control procedures for an audit of financial statements (IAASB, 2007a). The ISA is to be read in conjunction with relevant ethical requirements. It is to be adapted as necessary in the circumstances when applied to audits of other historical financial information. This standard does not apply to the BIA assurance methodology as this is not an audit of historical information.

International Standards on Review Engagements (ISRE)

The purpose of the International Standard on Review Engagements (ISRE) is to establish standards and provide guidance on the auditor’s professional responsibilities when an engagement to review financial statements is undertaken and on the form and content of the report that the auditor issues in connection with such a review (IAASB, 2007b). The objective of a review of financial statements is to enable an auditor to state whether, on the basis of procedures which do not provide all the evidence that would be required in an audit, anything has come to the auditor’s attention that causes the auditor to believe that the financial statements are not prepared, in all material respects, in accordance with an identified financial reporting framework (negative assurance). This standard does not apply to the BIA assurance methodology as this is not a review of financial statements.

International Standards on Assurance Engagements (ISAE)
The purpose of the International Standard on Assurance Engagements (ISAE) is to establish basic principles and essential procedures for, and to provide guidance to, professional accountants in public practice for the performance of assurance engagements other than audits or reviews of historical financial information covered by International Standards on Auditing (ISAs) or International Standards on Review Engagements (ISREs). ISAE 3000 (Revised) applies to assurance engagements regarding (IAASB, 2005b):

- Environmental, social and sustainability reports;
- Information systems, internal control, and corporate governance processes; and
- Compliance with grant conditions, contracts and regulations.

ISAE 3000 (Revised) “Assurance Engagements other than Audits or Reviews of Historical Financial Information” is therefore the standard required for non-audit assurance engagements for which a subject-matter specific standard does not exist. As a result, the proposed BIA assurance methodology should comply with this standard.

International Framework for Assurance Engagements
The International Framework for Assurance Engagements defines and describes the elements and objectives of an assurance engagement, and identifies engagements to which International Standards on Auditing (ISAs), International Standards on Review Engagements (ISREs) and International Standards on Assurance Engagements (ISAEs) apply. It provides a frame of reference for (IAASB, 2005a):

a) Professional accountants in public practice (“practitioners”) when performing assurance engagements. Professional accountants who are neither in public practice nor in the public sector are encouraged to consider the Framework when performing assurance engagements;

b) Others involved with assurance engagements, including the intended users of an assurance report and the responsible party; and

c) The International Auditing and Assurance Standards Board (IAASB) in its development of ISAs, ISREs and ISAEs.

Recently (12th December 2007), NOREA introduced the framework and policy for assurance engagements for IT auditors. This framework is in line with the international framework for assurance engagements, as NOREA is an affiliate member of the International Federation of Accountants (IFAC). The policy is mandatory for all members as of the first of January 2008 (Norea, 2008a; b). In addition to this Framework and the ISAs, ISREs and ISAEs, practitioners who perform assurance engagements are governed by:

a) The IFAC Code of Ethics for Professional Accountants (the Code), which establishes fundamental ethical principles for professional accountants (IFAC, 2005);

b) The Norea Code of Ethics for IT auditors in the Netherlands (Norea, 2006);

c) International Standards on Quality Control (ISQCs), which establish standards and provide guidance on a firm’s system of quality control (IAASB, 2007c).

ISQC 1 refers to “Quality Control for Firms that Perform Audits and Reviews of Historical Financial Information, and Other Assurance and Related Services Engagements.” An accounting firm has an obligation to establish a system of quality control designed to provide it with reasonable assurance that (IAASB, 2007c):

a) The firm and its personnel comply with professional standards and regulatory and legal requirements; and

b) The auditors’ reports issued by the firm or engagement partners are appropriate in the circumstances.

The Business and IT alignment assurance methodology is subject to the International Framework for Assurance Engagement and the International Standard on Assurance Engagement. Based on the setting of this research (PricewaterhouseCoopers as an accounting firm), the International Standard on Quality Control is also applicable. Due to the scope of this research, this will not be further investigated.

4.3 Reasonable and Limited Assurance

The ISAE uses the terms "reasonable assurance engagement" and "limited assurance engagement" to distinguish between the two types of assurance engagement the IT auditor is permitted to perform. This section discusses which one is applicable to BIA assurance engagements. The objective of a reasonable assurance engagement is a reduction in assurance engagement risk to an acceptably low level in the circumstances of the engagement, as the basis for a positive form of expression of the practitioner’s conclusion. The objective of a limited assurance engagement is a reduction in assurance engagement risk to a level that is acceptable in the circumstances of the engagement, but where that risk is greater than for a reasonable assurance engagement, as the basis for a negative form of expression of the practitioner’s conclusion.

Based on the characteristics described above, the BIA assurance engagement will initially be categorized as a limited assurance engagement. In a limited assurance engagement, the combination of the nature, timing, and extent of evidence gathering procedures is at least sufficient for the practitioner to obtain a meaningful level of assurance as the basis for a negative form of expression on the Business and IT alignment. The lack of a generally accepted set of standards that can be used to evaluate the level of alignment indicates a limited assurance engagement. Furthermore, the presumption that extensive judgment will be necessary in gathering and evaluating evidence and in forming conclusions based on that evidence is a strong indication of a limited assurance engagement. This hypothesis will be tested in the case study.

4.4 BIA Assurance Methodology

This section introduces the proposed assurance methodology to assess whether Business and IT are aligned. This methodology will be validated in chapter five, the case study, which can be categorized as a BIA assurance engagement. The objective of this section is not to be conclusive, but to provide clear guidance to assist the auditor in performing a BIA assurance engagement.

Figure 7. BIA assurance methodology

4.4.1 Engagement Acceptance and Continuance

This phase includes the client engagement letter and the formal acceptance of the engagement. Based on the setting of this research, client acceptance is also an important aspect for consideration. A client assessment has to be performed prior to the engagement negotiations. As part of the engagement assessment, information is gathered on whether (PwC, 2008):

- The engagement has a rational purpose;
- The level of assurance which is requested can be achieved; and
- The independence requirements are met.

As discussed before, the level of assurance to be provided is limited assurance (refer to section 4.3). All risks identified during the acceptance process and the planned responses to address them are included in the risk and response table. This is a dynamic document, to be updated constantly throughout the engagement, and it addresses the need for the BIA engagement team to identify risks and the responses to these risks. Deliverables in this phase of the engagement are:

- Engagement letter: The purpose of the engagement letter or contract is to record the understanding of the nature and scope of the services and to communicate the nature of the firm’s and the client's responsibilities when the BIA assurance services are performed.

- Audit project plan: This mainly includes determining an appropriate BIA engagement team, timetable and budget to perform the BIA assurance engagement.

- Mobilisation of the BIA engagement team: Due to the high inherent risk of this BIA assurance engagement, as it is a new area to assess and is subject to extensive professional judgment, knowledge sharing is very important to ensure skilled team members.

4.4.2 Understanding Client and Environment

This phase includes the environmental analysis and the BIA risk analysis to determine the risks involved in the Business and IT alignment process. The environmental risks identified will also be included in this risk assessment. The BIA risk analysis will serve as input to the scoping phase. Section 3.3 already identified relevant environmental influences that need to be considered by the auditor. In summary, the auditor’s understanding of the entity and its environment consists of an understanding of the following aspects:

- Industry, regulatory, and other external factors (environmental analysis);
- Nature of the entity;
- Objectives and strategies and the related business risks that may have an impact on the alignment;
- Measurement and review of the entity’s (financial) performance;
- Internal control environment.

4.4.3 Scoping Alignment Criteria and Determine Assurance Level

In the scoping phase the auditor needs to focus on:

- Update understanding of the subject matter and criteria: In particular this is necessary because the BIA assurance engagement has not been performed before.

- Identify specific (local) standards or laws to be considered: This is necessary to ensure that the required procedures of these standards or laws will be applied. This research does not focus on compliance issues and their impact on Business and IT alignment, but consideration should be given to these aspects.

- The information criteria in scope: Effectiveness and efficiency are the main drivers for Business and IT alignment.

Based on the four dominant types of strategic alignment identified in section 3.3.3, the organization is categorized, and the identified risks (environmental influences and the BIA risk assessment performed with management) are mapped to the specific alignment criteria. This determines the soll-position (target position) of the organization and selects the relevant criteria, based on the planned level of reliance and on the nature and inherent risks of the Business and IT alignment environment. The result serves as a set of control criteria (the BIA audit baseline) that is used during the audit procedures.

4.4.4 Perform Audit Procedures

The next phase is performing the fieldwork based on the BIA audit work program. Refer to section 3.4 for the contents of this control framework. The main purpose of such a work program is to provide guidance and to minimize the level of professional judgment required, in order to achieve a more objective opinion on the alignment within the organization. Audit evidence is relevant when it assists in achieving the audit objectives. Sufficiency is the measure of the quantity of audit evidence. Appropriateness is the measure of the quality of audit evidence. The reliability of audit evidence is influenced by its source and its nature, and is dependent on the individual circumstances under which it is obtained. Professional judgment and professional skepticism are exercised in determining the quantity and quality of audit evidence, and thus its sufficiency and appropriateness, to support the audit opinion (IAASB, 2006). In this case, the BIA audit is subject to a high level of professional judgment, and therefore the evidence gathering is very important to support the audit opinion. The case study in chapter five will show whether sufficient and appropriate audit evidence can be obtained.

4.4.5 Risk Assessment and Responses

After the fieldwork, the risk and response table is updated and completed, and any additional risks beyond the initial risk assessment are determined. The BIA engagement team then has to decide whether sufficient appropriate evidence has been obtained to express a negative conclusion on the BIA subject (this is the case in a limited assurance engagement, such as the BIA assurance engagement). If sufficient appropriate evidence has not been obtained, additional procedures should be performed and included in the risk and response table. If sufficient appropriate evidence cannot be obtained, consultation with the client organization is required to discuss the impact on the conclusion (PwC, 2008).

4.4.6 Completion and Reporting

The last phase is to report on the findings, conclusions and recommendations and to discuss the results with senior management. The completion phase includes:

- Reassessment of engagement risks;
- Preparation of a summary of findings;
- Obtaining client representations, including the client’s own measurement of the subject matter;
- Preparation of the report and additional communications.

5. Case study

The case study has been performed at Hirschmann Automation and Control GmbH in Neckartenzlingen, Germany, as part of their Internal Controls Optimization project. The main objective of the case study is to validate the proposed BIA assurance methodology and to determine the strengths and weaknesses of this methodology. This case study only presents high-level results of the audit at the organization.

5.1 Introduction Client Organization

Hirschmann Automation and Control GmbH is a subsidiary of Hirschmann Automation and Control Inc. It is a specialist in automation and networking systems, and offers a complete, integrated structure for data communication to its customers. The product range includes network components for Ethernet, Fast Ethernet and Gigabit Ethernet, fibre interfaces for different field bus systems, and electrical actuator and sensor connectors. In 2005 Hirschmann received an innovation award for its innovative businesses.

5.2 BIA Assurance Engagement

This section presents the experiences of performing the assessment based on the BIA assurance methodology. Each step in the methodology framework is discussed based on this case study.

Engagement Acceptance and Continuance
This part of the assignment is not relevant, as the assignment was part of a larger project. Therefore the deliverables of the engagement letter, the risk and response table and the audit plan have not been assessed in this case study. Based on the experience at Hirschmann, the audit team faced a challenge, as this new area requires new skills from auditors. Therefore an internal training was provided to educate the audit team in Business and IT alignment assurance.

Understanding Client and Environment
Based on the four dominant types described in section 3.3, Hirschmann can be categorized in perspective 4: Service level. This perspective focuses on building a superior information systems service organization. Hirschmann outsourced all IT activities to a third party. The internal control environment was still immature, but was changing rapidly due to a take-over and SOx (Sarbanes-Oxley Act 2002) regulation. A risk assessment was performed to identify any specific alignment risks within the organization.

Scoping Alignment Criteria and Determine Assurance Level
Based on the risk assessment (BIA risk analysis), risks were mapped to the BIA criteria in the framework. The BIA audit baseline and scope were confirmed with both Business and IT management. IT management consisted of one responsible person within the controlling department on the business side. Based on the initial findings, it was decided to focus more on providing BIA transparency instead of BIA assurance.

Perform Audit Procedures
By performing the audit procedures, the BIA audit work program (BIA control framework) was tested for the first time. During the audit, it became clear that especially the soft skills were hard to evidence, as expected, and professional judgment was very important to determine which maturity level was applicable. Based on these findings, the BIA control framework will be enhanced and further detailed.

Risk Assessment and Responses
All results were evaluated and compared to the initial risk analysis. Mainly the soft aspects needed some further clarification and evidencing. This was cleared with Business and IT management.

Completion and Reporting
Based on the findings, the results were communicated to Business and IT management, and a roadmap was created to work on in the future. Current projects were mapped to this roadmap to ensure that all initiatives were in line with it. The main observation within the case study was the lack of a clear IT strategy and the misalignment caused by an inadequate ERP system / enterprise architecture. Based on the findings and conclusions, it was decided to insource some of the IT activities in order to regain control over the alignment issues identified.

6. Conclusions

This final chapter presents the answers to the main research objective as stated in chapter two. The main objective of this research was: How to provide assurance to senior management that Business and IT are aligned in an effective and efficient way? Based on the results of chapters three and four, BIA criteria were identified and environmental influences were determined. These have been incorporated in a BIA control framework, which serves as one of the key elements of the BIA assurance methodology. This methodology was designed in line with current auditing standards and regulation. Common risks have been identified and integrated in the control framework. Furthermore, a BIA risk analysis is proposed in the methodology to assess any specific risks the organization faces in the field of Business and IT alignment. Based on a comparison between limited and reasonable assurance characteristics, it became clear that only limited assurance can be provided to senior management. The main advantage to management of the BIA assurance engagement is that it makes the alignment more transparent and helps management to focus on those issues that really matter in conducting business. Based on the case study, the following main observations were noted:

- The use of extensive judgment in gathering and evaluating evidence and forming conclusions based on that evidence in the BIA assurance engagement implies a limited assurance engagement. This means that professionals can only provide limited assurance to senior management. This confirms the expected outcome as discussed in chapter four.

- Providing insight into the level of Business and IT alignment, based on a set of alignment criteria, is already an eye opener for senior management and can thus be considered value added to the organization. Based on the new insights, management is able to identify and prioritize new initiatives that will add value to the level of alignment.

- The impact of internal and external environmental influences on the BIA is hard to predict and can only be assessed at a high level. Therefore classifying the organization in the strategic grid of Henderson and Venkatraman, combined with the BIA risk analysis, is a more pragmatic approach and ensures transparency.

- Several alignment criteria (mainly the social dimension of the alignment criteria) need further definition and clarification to ensure that interpretation differences among team members and the client organization are reduced. Extensive reasoning is necessary where professional judgment is applied.

- Based on the experience with the BIA control framework, it is suggested to include the concept of Andrew McAfee (2006) in the conceptual framework. This approach places work-changing technologies into three categories: Function IT (e.g. spreadsheets, Word), Network IT (e.g. mail) and Enterprise IT (e.g. ERP systems).

Proposed further research:

- Positioning of BIA in relation to other best practices and standards (ITIL, COBIT, ASL, ISO27001 etc.).

- This initiative from a process risk and control perspective can be aligned with the strategic implications of the choice of how to use IT as an enabler within the organization (consulting perspective).

- Which level of BIA is required in an outsourcing strategy (TPM, SAS70)?

- How does BIA control relate to BIA innovation?

- Does a controlled BIA process enhance shareholder value?

- What impact does BIA have on inter-organizational relationships?

Summary of contribution

This section presents the researcher's view on the research performed in the field of Business and IT Alignment (BIA). From my point of view, IT auditors will play a key role in assisting organizations to ensure that IT is aligned to the Business in the near future. The area of this research is new to many organizations. In my daily work as an IT auditor, it is often one of the main issues within organizations. The lack of clear communication, caused by e.g. the absence of a common language between Business and IT, is often mentioned as one of the main problems faced by organizations. Another example of concern is the information architecture, which may be very sophisticated but does not (completely) support the daily business without incidents. These are just two examples which served as the primary reason to investigate the BIA subject and to determine whether assurance can be provided to the organization to remove any uncertainties it has in aligning its IT to the Business. In the search for a methodology to assist the IT auditor in assessing this alignment, it became clear that this area is relatively new and that only a few assessment methods are available. Therefore the proposed BIA assurance methodology will be very helpful in assisting the auditor in determining the current status of BIA within organizations. It will be enhanced and changed after more empirical research, but the foundation for BIA assurance remains. From my perspective, I consider BIA the next step in integrating Business and IT. The IT auditor should assist in assuring that this objective will be realized by providing an independent opinion on the realized level of alignment. This requires a strong knowledge of the client and its environment. The IT auditor must act as an enabler (linking pin) between Information Technology and the Business. This requires additional skills and knowledge from the IT auditor.

As long as organizations treat IT apart from their “Business”, the BIA gap remains an area of concern. Alignment is a dynamic process and changes whenever the external or internal environment changes. Therefore it should be implemented as a continuous process, monitored by both Business and IT.

References

Chan, Y.E., Sabherwal, R. and Thatcher, J.B., (2006). 'Antecedents and Outcomes of Strategic IS Alignment: An Empirical Investigation'. IEEE Transactions on Engineering Management, 53 (1).

COSO, (2004). 'Enterprise Risk Management – Integrated Framework'. The Committee of Sponsoring Organizations of the Treadway Commission.

Grembergen, W.v. and Haes, S.d., (2004). 'IT Governance and its mechanisms'. Information Systems Control Journal, 1.

Henderson, J.C. and Venkatraman, N., (1991). 'Understanding Strategic Alignment'. Business Quarterly, 55 (3).

Henderson, J.C. and Venkatraman, N., (1993). 'Strategic alignment: Leveraging information technology for transforming organizations'. IBM systems journal, 32 (1).

Humphrey, W.S., (1988). 'Characterizing the software process: A maturity framework'. IEEE Software, 5 (2):73-79.

Hussin, H., King, M. and Cragg, P., (2002). 'IT alignment in small firms'. European Journal of Information Systems, 11 (2):108.

IAASB, (2005a). 'International Framework for Assurance Engagements'.

IAASB, (2005b). 'International Standard on Assurance Engagements 3000'.

IAASB, (2006). 'The Auditor’s Responses to Assessed Risks (ISA 330)'.

IAASB, (2007a). 'International Standard on Auditing (ISA 220)'.

IAASB, (2007b). 'International Standard on Review Engagements'.

IAASB, (2007c). 'ISQC1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements'.

IFAC, (2005). 'Code of Ethics for professional accountants'.

ITGI, (2007). 'Control Objectives for Information Technology 4.1'. IT Governance Institute.

Kearns, G.S. and Sabherwal, R., (2006). 'Strategic Alignment Between Business and Information Technology: A Knowledge-Based View of Behaviors, Outcome, and Consequences'. Journal of Management Information Systems, 23 (3):129.

Leeuw, A.C.J.d., (2001). Bedrijfskundige Methodologie, Management van Onderzoek (in Dutch). Van Gorcum.

Luftman, J., (2003). 'Assessing Business / IT alignment'. Information Systems Management, 20 (4):9.

Luftman, J. and Brier, T., (1999). 'Achieving and sustaining business-IT alignment'. California Management Review, 42 (1):109.

Luftman, J.N., (1996). Competing in the information age: strategic alignment in practice. New York: Oxford University Press.

Luftman, J.N. and Kempaiah, R., (2007). 'An update on business-IT alignment: "A line" has been drawn'. MIS quarterly executive, 6 (3):12.

Luftman, J.N., Papp, R. and Brier, T., (1999). 'Enablers and inhibitors of Business-IT alignment'. Communications of the Association for Information Systems, 1 (11).

Luftman, J.N., Sledgianowski, D. and Reilly, R.R., (2006). 'Development and Validation of an Instrument to Measure Maturity of IT Business Strategic Alignment Mechanisms'. Information Resources Management Journal, 19 (3):18.

Maier, L., (1997). 'Environmental scanning for information technology: An empirical investigation'. Journal of Management Information Systems, 14 (2):177.

Nash, E.M., (2006). 'Assessing IT as a driver or enabler of transformation in the pharmaceutical industry employing the strategic alignment maturity model'.

Norea, (1999). 'IT auditing aangeduid, Norea geschrift No1'.

Norea, (2006). 'Code of Ethics'.

Norea, (2008a). 'Norea Richtlijn 3000, assurance opdrachten door IT auditors'.

Norea, (2008b). 'Raamwerk voor assurance-opdrachten door IT-auditors'. In: Norea (ed).

Poels, R., (2006). 'Beïnvloeden en meten van business - IT alignment'. Economics and Business Administration. Amsterdam: VU University Amsterdam.

Porter, A.M., (1994). 'Beyond cost avoidance'. Purchasing, 117 (8):2.

Porter, M.E., (1979). 'How competitive forces shape strategy'. Harvard Business Review, 57 (2):137.

Porter, M.E. and Miller, V.E., (1985). 'How information gives you competitive advantage'. Harvard Business Review, 63 (4):149.

PwC, (2008). 'PwC Audit Guide'.

Reich, B.H. and Benbasat, I., (1996). 'Measuring the linkage between business and information technology objectives'. MIS Quarterly, 20 (1):55-81.

Reich, B.H. and Benbasat, I., (2000). 'Factors That Influence the Social Dimension of Alignment between Business and Information Technology Objectives'. MIS Quarterly, 24 (1).

Taylor-Cummings, A., (1998). 'Bridging the user-IS gap: a study of major information systems projects'. Journal of Information Technology, 13 (1).

Waterman, H., (1980). 'Structure is not Organization'. Business horizons, 23 (3):14.

Appendix A. BIA Control Framework Part 1

BIA risk analysis: Risks are classified as high, medium or low, based on their impact and likelihood. Risks are mapped to the alignment criteria and the initial baseline is determined. Note that this figure only illustrates the risks. Further discussion with management may result in other alignment criteria that are relevant to the audit baseline.

Appendix B. BIA Control Framework Part 2

1A. Communications: Work Program

1B. Communications: Maturity Levels

2A. Metrics: Work Program

2B. Metrics: Maturity Levels

3A. Governance: Work Program

3B. Governance: Maturity Levels

4A. Partnership: Work Program

4B. Partnership: Maturity Levels

5A. Technology: Work Program

5B. Technology: Maturity Levels

6A. Human Resources: Work Program

6B. Human Resources: Maturity Levels

Appendix C. BIA Control Framework Part 3

BIA Summary (chart): maturity levels 1 to 5 for the six alignment criteria (Communications, Metrics, Governance, Partnership, Technology, Human Resources), comparing the audit baseline scoping with the current maturity levels.

Based on the initial baseline scoping and the results from the audit, a comparison can be made. Based on this mapping and the ambition level of management, a roadmap is suggested to improve alignment processes within the organization.