A synthesis of common guidelines for regulatory compliance verification in the context of ICT governance audits 1

Abstract

Information and Communications Technologies (ICT) comprise a large integrated set of structures and functions employed to access, transfer, store and treat all forms of information. These technologies continue to be an important factor for improving organizational management and achieving competitive advantage, since they can be used to add value, continuously, to almost all business processes. Based on a survey of the literature, international and national regulations, and best practices bodies, this paper presents and discusses common elements that are considered important to guide regulatory compliance verifications of ICT management practices. Designated hereinafter as Elements that Orient Regulatory Compliance Verification Audits (ECVAs), these elements are characterized and their selection is validated in a case study for improving ICT Governance in a Brazilian Public Agency.

Keywords

Information and Communications Technologies (ICT)ICT governance ICT management regulatory compliance auditing Brazilian public companies

1. Introduction

Information and Communication Technologies (ICT) is a common expression to designate a set of integrated structures and functions for the access, transfer, storage, and treatment of all forms of information, specifically text, voice, computational data, as well as static images and videos. Aside from the technological elements themselves (machinery, algorithms, data structures, protocols), the term ICT also comprises the processes and organizational structures necessary for these technologies to be used and managed.

It is generally recognized that ICT has become an important factor in management for obtaining a competitive advantage, as ICT can add value, continuously, to business in all kinds of organizations, as well as exerting a critical role in supporting organizational components. Then, organizations are realizing that ICT is becoming not only a significant expense item but one of the main organizational assets (Nath and Liu, 2017).

Given this evolution, it is not surprising that ICT auditing has also gained importance in organizations and good practices in this domain have increasingly been established. As a consequence, the activity of ICT auditing already outgrown its original mission of performing the certification of accounting systems and became a powerful instrument for the management and governance of evolving organizations, this form of auditing being considered as favorable in terms of cost-benefit.

Considering the diversity of national ICT governance objectives and regulatory frameworks, good practices for ICT governance generate criteria which constitute a reference to assess government ICT initiatives in terms of economy, effectiveness, and efficiency. Hence, these practices are related to stable auditing criteria in the government agencies.

Being tightly related to the idea of using the audit as a control means, the concept of governance comprises the mechanisms of leadership, strategy, and control put in place to evaluate, direct and monitor the performance of management towards the conclusion of stakeholders’ goals and their interests (Kouzmin et al., 1999). The implementation of ICT governance principles is currently considered the preferred method to ensure effective, efficient, secure and acceptable use of ICT within organizations.

Albeit ICT is acknowledged as one of the main assets of modern organizations, decisions regarding the adoption, implementation, and management of ICT are still rather complex. There are countless examples of companies that invested heavily into unplanned technological projects, resulting in systems that were never concluded, projects in which the budget and deadline exceeded the initial estimate and even were discontinued (Simonsson et al., 2008).

The monitoring of ICT investments and management has achieved successful results enough to make ICT and business executives recognize that nowadays ICT success is not due to the technology itself, but to how it is governed and aligned to business. In face of such scenario, ICT governance appears as an attempt to guarantee that investments in ICT really add value to the organization or business (De Haes and Van Grembergen, 2004).

In this context, an important risk to be managed is related to the fact that, being ICT one of the main assets in the organization, either overinvestiment and underinvestment in ICT can result in damages to the organization structure and its functioning (Van Grembergen et al., 2004).

According to Jensen (Jensen and Meckling, 1976), companies that possess good ICT governance models present superior results compared to their competitors, especially because they have consistently better decision making processes related to ICT.

The possibility of enjoying technological resources seems to be something simple compared to the complex tasks of managing, controlling, and balancing such resources with all the organizational components to which they are effectively linked. Therefore, one of the main challenges for the modern organization is to govern technology so that this resource is used to add real value to the business.

Faced with these questions, it is important to inquire about what can be missing to organizations in order to establish the desired control regarding ICT, and how to implement the elements that are still needed for this control. According to Simonsson (Simonsson, 2008), the ICT governance structuring process comprises three phases: comprehension, decision, and monitoring. The comprehension and decision phases involve the identification of the controls that will be operationalized and supervised in the monitoring phase.

Recycling these three phases is a practice that allows the continued verification of how much the ICT is contributing for the organization and the business. In this context, particularly in the public sector, verifications related to regulatory compliance play an important role for the success of this contribution of ICT. It is important to question how the organization can be sure that its ICT governance processes are, effectively, in conformity with the legislation, the determinations of regulatory agencies, the standards and best international practices for management and governance.

These questions related to ICT governance motivated the research question considered in this paper, specifically regarding which orientations for regulatory compliance are necessary to ascertain the general compliance of ICT governance.

To address this research question, we sought to identify elements that orient regulatory compliance verification audits – ECVAs – in ICT governance. Our interest is specially in ECVAs applicable to the Brazilian Federal Public Administration organizations, since this research constituted an opportunity to select guidelines that are common to the literature, to the regulatory documentation and to the best practices bodies, and then to validate our selection of common guidelines and ECVAs in a case study performed to improve ICT Governance in a Brazilian public company.

Thus, this paper presents results from an exploratory research about the theme of regulatory compliance within ICT governance, taking into consideration works published by Henderson (Henderson and Venkatraman, 1992), Haes (De Haes and Van Grembergen, 2004; Simonsson, 2008; Norfolk, 2011) and Henderson (Henderson and Venkatraman, 1993). These sources were completed with information from regulatory agencies, such as the Rulings of the Brazilian Federal Court of Audits (in Portuguese, Tribunal de Contas da União – TCU), in this case specifically the Rulings numbered 1603/2008, 2308/2010, 2585/2012, and 3117/2014 (de Contas da União, 2014). Other sources for the study include international standardization bodies, especially the ISO/IEC 27007:2013 standard (for Standardization, 2013), and the guides for best ICT governance practices, such as the Control Objectives for Information and Related Technologies (COBIT) (Isaca, 2012) and the Technology Infrastructure Library (ITIL) (Adams, 2009).

Therefore our research presented in this paper encompasses a survey of regulatory compliance orientations related to ICT governance, which were common to the bibliographical research, the legislation, and TCU Rulings. There was also a verification of the relation between these elements and the ISO/IEC 27002:2013 standard (IEC, 2013), as well as the guides for best ICT governance and management practices.

As such, the work presented in the following sections is a study based on document analysis to address the research question aiming to contribute for the strengthening of regulatory compliance practices for ICT governance. Consequently the contribution extends to improve the decision-making processes in the organizations.

The remaining of this paper is structured as follows: Section 2 reviews the methodology; Section 3 presents the background and the main concepts used in the paper; Section 4 describes the selection process and the selected ECVAs and associated common guidelines found in literature, legislation and best practice recommendations in the area. Section 5 is devoted to the case study used to validate our chosen ECVAs. Section 6 closes this paper with our conclusions and outlines future works.

2. Research methodology

In this section we adopt the point of view that research is a rational and systematic procedure that seeks to find answers to the proposed problems, i.e., a procedure when there is not enough information to answer a problem. Research can be developed based on a process that secures the adequate formulation of the problem, the search for solutions and the presentation of results (Gil, 2002).

The research presented in this paper is classified as exploratory, since a significant part of it consists of bibliographical research due to the necessity of seeking, knowing, and comprehending the ECVAs associated to ICT governance. This work contributes to highlight regulatory compliance practices in ICT governance that are generally considered important to be applied in an organization.

According to Gil (2002), the main objective of exploratory research is to develop ideas with the intent of providing hypotheses in conditions to be tested posteriorly. Although its planning is characterized by flexibility, exploratory research needs the conduction of relatively systematic procedures to obtain empirical observations and to identify the relations between the phenomena being studied.

The research in this work is also classified as applied, having as its core the identification of ECVAs associated to ICT governance, constants in the bibliographical research, the legislation, regulatory rulings, and best practices related to the ICT governance theme. Applied research arises from the desire of knowing and at the same time seeking to do something more efficiently, working on a more practical context.

The studies that were carried out allowed the identification of ECVAs in ICT governance and their observation and analysis in a real context. Thus, the work seeks to contribute to ratify theories found in the bibliographical research or to bring new propositions complementary or alternative to such theories.

Before the case study in a real Brazilian public company, for the realization of the research goals, the following approaches were applied: the first phase of bibliographical research and the second phase of document analysis.

The bibliographical research phase identified the applicable ECVAs found in the academic literature. As mentioned before, the search for these ECVAs was intended to contribute to a Brazilian federal public company that provides ICT services for the government. This company was defined to be the organization for the practical case study to validate our found ECVAs. Then, as part of the investigative process, the documents research included the analysis of this organization’s internal documents, including the organization’s internal regulation related to the themes – ICT governance, information technology, and information security, as well as the organization’s compliance verification reports, and the recommendations from the TCU Rulings directed at the organization. Table 1 presents these documents.

Table 1
Internal documents of the organization considered for the case study

ID	Document
1	The internal normative rules of the organization related to the topics: ICT governance, information technology, and information security.
2	The compliance verification audits of the organization.
3	The documents with assignments and competencies of the ICT areas.
4	The mapping of ICT processes of the organization.
5	The evaluation of recommendations from regulatory agencies, directed to the organization, in regard to ICT processes.
6	The recommendations contained in judicial rulings from the Brazilian Federal Court of Accounts, directed to the organization.
7	Documental evidence presented by the organization, based on legislation enforceable on public agencies.
8	Normative Instructions related to the ISO/IEC 27002:2013 and the guides of better practices related to ICT governance, information technology, and information security used in the organization.

In regard to the situation of the ICT governance in the context of the Brazilian Federal Public Administration, we produced a survey to gather non-conformities shown in reports resulting from information technology audits that were performed by TCU, specifically by the Secretariat of Information Technology (in Portuguese, Secretaria de Tecnologia da Informação – SEFTI) of TCU, from 2008 to 2012, and published in the Rulings numbered 1603/2008, 2308/2010, 1233/2012, and 2585/2012.

These procedures allowed the validation of the selected ECVAs in a case study in the mentioned federal public company whose business is in the ICT services area. This validation was based on verifications of the utilization and importance of the selected ECVAs in ICT governance and management processes of this company.

3. Background

The Information and Communications Technology (ICT) has become a fundamental element in the operations and strategies of the organizations. This only reinforces the concern with practices capable of reducing operating risks and guaranteeing the continuity of the services offered and supported by ICT.

ICT has become widespread in the present business scenario, which is dynamic and very often prone to turbulence. In the past executives could delegate, postpone, or even ignore decisions on ICT (De Haes and Van Grembergen, 2015). This is no longer possible today, particularly in the majority of the bodies in the Brazilian Public Administration (APF), due to a high dependence of organizations regarding ICT, a dependence that is associated to greater vulnerabilities that are inherently found in ICT environments.

As organizations depend on ICT resources to maintain and support their businesses, this dependency creates the need to better manage such resources through the implementation of controls that promote the ICT governance.

Regarding the theme of ICT governance, the present paper focuses on the question of regulatory compliance, thus being dedicated to identifying a set of elements that contribute to the verification of this aspect in work processes related to ICT. Consequently, the theoretical framework of this paper is founded in the governance of information and communications technology, aiming at the identification of elements that orient regulatory compliance verification audits in this context.

It is worth to mention that the concept of compliance is generally related to acting according to a rule, request, or command. The word compliance is also related to the duty of complying, being in compliance, and enforcing internal and external regulations imposed on the organization activities (De Haes and Van Grembergen, 2015).

3.1 Origins of governance

There is consensus in the literature that the 1929 economic crisis among other consequences saw the rise of very large corporations and the creation of a new model for corporate control that recognized the so-called agency conflict (Jensen and Meckling, 1976), i.e., the idea of a relationship by which a Principal (holder of assets or contracting party) delegates to an Agent (person hired to execute a task and that holds some execution power) the authority to decide on such assets. Given that the interests of the Principal are not always aligned with those of the Agent, agency conflicts may occur, i.e., the interests and motivations of the Principal and the Agent may diverge.

According to Jensen (Jensen and Meckling, 1976), the agency conflict consists, in brief, of the divergence that occurs between the owners and the directors of the organization. As the directors manage the assets of others, it is considered that they cannot do so with the same degree of care and zeal as the owners of such assets. Principal-Agent relations can be seen in many situations such as, for example, in the relation between officers/managers (Agent) and the shareholders/owners (Principal) of a corporation/organization, as shown in Fig. 1.

One of the theories developed to solve such conflicts was the agency theory formalized by Jensen (Jensen and Meckling, 1976), who also created a model regarding agency costs for shareholders. In such model, the costs of protecting, controlling and monitoring a business are defined as the agency costs, comprising the costs required to align the interests of the Agent with those of the Principal (Jensen and Meckling, 1976). One corollary of this definition is the requirement to adopt measures to regulate the actions of the agent, considering three conditions stated in the agency theory:

1.
The Agent has several behaviors to resort to;
2.
The actions of the Agent affect not only his own welfare but also that of the Principal;
3.
The actions of the Agent are hardly observable by the Principal, as there is an information asymmetry between the parties.

Figure 1.
Principal-Agent relation type.

These ideas evolved to the area of ICT governance with the unique characteristics discussed bellow.
3.2 ICT governance

Different definitions for ICT governance have been developed and improved over the years. According to the ICT Governance Institute (SLTI/MP, 2016), ICT governance is the responsibility of the board of directors and the executive management, as it is part of the corporate governance. As such, it encompasses the leadership, processes, and organizational structures to guarantee that the organization supports and expands its strategies and objectives, integrating and institutionalizing good practices (Nastase et al., 2009).

For Grembergen (Van Grembergen, 2004), ICT governance is the organizational capacity exerted by the board of directors, the executive managers, and the ICT managers, to control the implementation of the ICT strategy, seeking the alignment between the business and ICT.

ICT Governance is the system through which the present and the future use of ICT is directed and controlled. It means assessing and directing the use of ICT to provide support and monitoring its use in the execution of the organization plans. It includes the strategy and the policies on the use of ICT within the organization. It is appropriate that management govern ICT through three main tasks (Calder, 2008), as shown in Fig. 2.

Figure 2.

ICT governance tasks. Source: ISO/IEC 38500 2009 Adapted.

ICT Governance can also be seen as a model on how decisions are made and responsibilities directed so that ICT presents a behavior that is desirable for its alignment with the goals and objectives of the organization and that is coherent with the organization culture. Thus, ICT governance consists of policies, roles, flows, and rules aimed at aligning ICT with the business goals of an organization, allowing the structuring and planning aimed at obtaining the information necessary for the organization. This planning should provide mechanisms for the control and recovery of information that meet the needs of the organization (Weill and Ross, 2004).

According to the Brazilian Institute of Corporate Governance (in Portuguese, Instituto Brasileiro de Governança Corporativa – IBGC), corporate governance is the system through which organizations are directed, monitored, and get an incentive, involving the relationship between the owners, the administrative council, the board and the regulatory agencies.

Considering that good governance practices include principles of preserving and improving the value of the organization (Bernroider and Ivanov, 2011), attaining effective ICT governance imperatively requires to develop organizational structures and processes that effectively support the governance actions. It is also important to evaluate the application of interaction protocols that promote bidirectional communication, the collaboration between the ICT and business teams, and the management of knowledge. These goals can be attained through professional rotation between the ICT and business teams, continuous education, and diversified training (De Haes and Van Grembergen, 2004).

Regarding decision-making aspects, according to Simonsson (Simonsson et al., 2008), ICT governance is a form of organizational decision-making related to the way the decisions should be taken and carried out respective to the hardware and software assets that constitute the technological infrastructure of the organization, the ICT processes, the teams and strategic goals of ICT. Thus, the efficacy of ICT governance requires a thorough analysis of who makes the decisions and how they are carried out. Such analysis takes place in, at least, five critical ICT domains: the principles, the infrastructure, the architecture, the investments, and the prioritization. This way, a direct relationship between ICT governance and decision-making is established (Morais, 2005; Simonsson et al., 2008).

According to Simonsson (2008), it is important to ensure that ICT governance is not projected to simply reach the internal efficiency of ICT, but also to sustain good organizational processes assisted by ICT, as the objective of a good ICT governance is to provide business with the best possible support. In this context, the effectiveness of the decision-making process depends on the application of mechanisms that ensure the continuous supervision and monitoring of such process (Simonsson, 2008).

3.3 Compliance

For David Norfolk (Norfolk, 2011), compliance is the process that ascertain the enforcement of internal policies and procedures, as well as laws, regulations, standards, and agreements. It can come in three forms:

1.
Regulatory compliance: seeks to ensure the compliance to the rules to which the organization is conditioned;
2.
Commercial compliance: has the objective of dealing with business requirements, applied in the organization, encompassing the commercial relations with partners, clients and suppliers;
3.
Organizational compliance: handles organizational questions, driven by different factors, such as the need of preserving the net assets of the organization, or the desire of showing corporate social responsibility.

Answering these needs, which can be impacted by technological factors, is what makes compliance a critical concern for organizations, also considering the legislation that orient the actions of compliance. Therefore, it is fundamental to comprehend, accept, and manage the legislation and orientation memos (Norfolk, 2011).
4. Selection of elements that Orient Regulatory Compliance Verification Audits (ECVAs)

The following approach was used in the collection and analysis of information regarding possible ECVAs: the review of the academic literature, the legislation, TCU rulings, the ISO/IEC 27002:2005 standard (N.U,) and best practices as shown in Table 1.

The identification of candidate ECVAs was performed by looking for terms, expressions, and sentences related to this subject in the chosen body of knowledge. In this process, search expressions were applied in the content that could contain possible recurrent elements necessary for ICT governance. These expressions included the following terms: Critical; Determined; Must; It is fundamental; It is important; Must be; Should; Must not; Should have; Need; Requires; Has, and vital. These criteria were used to determine the structures, processes and mechanisms considered necessary for ICT Governance, then resulting in the identification of ECVAs. For example, the following sentences illustrate some of the findings:

1.
In the structure the roles and responsibilities of ICT are critical requirements for an effective ICT Governance framework;
2.
In the process of system development and maintenance, solutions must be firmly based on business requirements analysis and prioritization, including regulatory requirements, and also source code to help identify the organization’s business objectives;
3.
In the mechanism the business should be multifunctional being critical to the organization the sharing and management of knowledge through mechanisms such as continuing education and cross-training for people working in different tasks or having various skills.

From the survey of ECVAs recurrent in the academic literature, 257 academic papers were considered and we selected these set of papers using selection and inclusion criteria. The keywords used to search for the related papers were Governance ICT and Compliance Verification Audits. It was possible to build the facto conception of ECVAs associated to ICT governance.

Regarding the identification of ECVAs in the Brazilian Legislation, it was possible to verify the existence of recurrent ECVAs that are also applicable to public organizations, particularly considering the Law 13303/2016, the Decree 8.945/2016, the Normative Instruction Number 1 from the Ministry of Planning, Budget and Management (MPOG) and the General Comptroller of the Union (CGU), the CGPAR Resolutions, the Normative Instruction Number 2 (IN 02), from the Secretariat of Logistics and Information Technology (SLTI) of MPOG, and the normative acts of the Institutional Security Office of the Presidency of the Republic of Brazil (GSI/PR).

For instance, after obtaining the cited IN 02 in the MPOG website and reading the recurrent determinations in its normative assertions, the terms “must”, “won’t be able to”, or “is prohibited” were identified. The contents of such determinations were then analyzed, leading to the identification of ECVAs in this regulation.

Systematically, the identification of ECVAs associated to ICT governance was carried out from these sources: literature review (1), Law 13303/2016 (2), Decree 8.945/2016 (3), CGPAR Resolutions (4), IN Number 01 MP/CGU (5), IN 02 SLTI/MPOG (6), Complementary Norms GSI/PR (7), TCU rulings (8), ISO/IEC 27002:2013 standard (IEC, 2013) and best practices guides (9). In this procedure, the interest of the research was focused on the ECVAs that are effectively applicable in the case study regarding the organization chosen to validate this work.

From the summarization of ECVAs that are common an recurrent in the considered sources, it was possible to build a list of ECVAs that are the most associated to ICT governance and to factorize common concepts and definitions for each of them. The identification of ECVAs associated to ICT governance in our sources resulted in the elaboration of Table 2.

Table 2
ECVAs identified from the chosen body of knowledge

ID Elements that Orient the Regulatory Compliance Verification Audits 1 2 3 4 5 6 7 8 9

A The boards and executives of ICT and their responsibilities x x x x x

B The strategic and tactical body x x x x

C The representation of ICT in the high leadership of the organization (The board of directors) x x x x x x

D The organizational structure x x x x

E The roles and duties x x x x x x x

F The alignment of ICT with governance models x

G The application of better practices for ICT x x x

H Methodology to measure and manage performance – Balanced scorecard x

I The organizational culture x

J The development, acquisition, and maintenance of technologies x x x x x x x

K The management of service-level agreements x x x x

L The management of assets x x x

M The management of capacity x x

N The management of configuration x x x

O The management of business continuity x x x x

P The management of physical and logical access x x x x

Q The management of incidents x x x

R The management of changes x x x x

S The management of problems x x

T The management of risks x x x x

U The strategic planning x x x x x x

V The ICT security policy x x x x x

X The collaboration and participation of the main stakeholders x

Z The shared understanding of the business objectives and the ICT x

W The location (position) of the business and the ICT x

Y The multifunctional business/ICT training (continued education and cross-training, knowledge management) x x x x x x x

A1 The multifunctional business/rotation of ICT tasks (crossover professionals) x

A2 The partnerships, rewards, and incentives x

It is worth to reiterate that the analysis was done with the objective of verifying how a public company maintains the compliance of its ICT governance and how problems related are resolved on a daily basis, using the identified ECVAs as a guiding instrument. This process also allows to validate our findings by verifying whether the selected ECVAs are useful and interesting in solving governance questions in a real organization.
5. Case study – validation of selected ECVAs

The case study was done in a public company, a government agency of the Brazilian Federal Public Administration. This company business is the provision of ICT services for the federal government.

Initially, a document analysis was performed regarding the information related to the processes and procedures of ICT governance applied in the target organization. As such, the sources of data and information were the policies, the regulations, the documentation of ICT-related organizational processes, and the regulatory compliance verification reports pertaining to the chosen organization. The number of documents we have surveyed in total was 257.

Specifically, in this survey the analysis of internal documents of the company was focused on the following interesting and important items:

•
The value chain;
•
The business model;
•
The governance process model;
•
The mapping and descriptive documentation of processes of project management, development of solutions, integrated service management, information security, internal regulations related to the ICT governance, information technology, and information security themes, internal regulations related to the organic structure of the organization;
•
The list of recommendations that the TCU sent to the agency between 2008 and 2017;
•
The documents with tasks and competence of the areas involved with the ICT governance;
•
Legislation applicable to the organization;
•
The compliance verification reports in the processes related to ICT governance, information technology, and information security, between 2011 and 2017.

Considering the findings shown in Table 2 and the documents surveyed in the target company, the following study propositions were identified to orient the strategy to validate the selected ECVAs:

1.
The public organizations apply ECVAs associated to ICT governance to meet the recommendations of supervisory and regulatory agencies.
2.
The public organizations use ECVAs associated to ICT governance to boost their businesses.
3.
The organizations effectively apply ECVAs as a means of control and improvement for their activities.

The units of analysis were defined considering the initial research questions and the following validation requirements:

•
Verify the application of ECVAs in a public company;
•
Verify, qualitatively, the organization handling of the ECVAs.

It is worth to note that the identified ICT governance ECVAs have a close relationship to matters pertaining to information security. Consequently, there was motivation to execute the ECVAs validation procedure in the area of the organization responsible for information security. Also, during the survey of the organization data, it was possible to observe the following characteristics:

•
The organization has as its business the provision of ICT services, which makes the ICT governance processes applicable and necessary to its activities.
•
The ICT governance is still treated informally in some areas of the organization, as part of ICT processes are not yet mapped.
•
The ICT governance and management are centralized in a specific executive board.
•
The governance elected some mission critical services (MCS) and actions of evolution and continuous improvement regarding ICT processes are mostly directed to providing these services.
•
The processes related to ICT governance are still in their implementation phase.

In the ECVAs validation process the information obtained from internal organizational documents (internal norms, description of assignments and competences, operational technical manuals, etc.) was clarified and completed in meeting minutes and interviews with the heads of the areas of ICT governance, institutional compliance and security information. The direct verification of some ECVAs was also carried out when applicable.

Table 3
Application of ECVAs on ICT governance in the company chosen for our validation process

Compliance to ECVAs General outcome

74% – Applied

26% – Partially applied

Table 4
Similar ECVAs associated to the ICT governance

Considered framework ECVAs Common to various frameworks

Bibliographical research; Information from The roles and responsibilities of ICT.

Brazilian regulatory agencies The development and maintenance of information systems.

The management of service level agreements.

The management of assets.

The management of configuration.

The management of business continuity.

The management of physical and logical access.

The management of incidents.

The management of changes.

The management of risks.

The information security policy.

The multi-functional business/ICT training, management of knowledge.

A detailed report on the application of the ECVAs presented in Table 2 in the target company is shown in Table 6 of Appendix of this paper, but some of the validation finding are worth to be highlighted, as discussed hereafter.

It was observed that the area responsible for the compliance verification represents a point of control for organizational processes, as services to verify the compliance take place periodically focused on the organization ICT processes. From these verifications, the reported issues provide an understanding of how the ICT governance is structured inside the organization. This fact corroborate our goal that with the application of ECVAs associated to the ICT governance it will be possible to clarify the situation of the ICT governance in the organization.
5.1 Discussions

Considered framework	ECVAs Common to various frameworks
Bibliographical research; Information from	The roles and responsibilities of ICT.
Brazilian regulatory agencies	The development and maintenance of information systems.
	The management of service level agreements.
	The management of assets.
	The management of configuration.
	The management of business continuity.
	The management of physical and logical access.
	The management of incidents.
	The management of changes.
	The management of risks.
	The information security policy.
	The multi-functional business/ICT training, management of knowledge.

After the analysis of the information obtained through document analysis, it was possible to verify that 74% of the ECVAs associated to ICT governance that we have identified are effectively applied and 26% are partially applied in the target company, as shown in Table 3.

In light of the information and the evidence presented by the organization, it is possible to observe that the compliance to the ICT governance ECVAs is strongly related to the governmental recommendations and orientations from the TCU, the Ministry of Planning, Budget and Management, and the Presidency of the Republic. The results of the analysis identified similarities in ECVAs, as shown in Table 4.

The 40% of the ECVAs was identified through the bibliographical research (through selected papers). Table 5 presents the ECVAs identified.

Table 5
ECVAs Exclusive to the bibliographical research

The committees, the councils, the ICT executives and their responsibilities.

The ICT director in the board.

The strategic and executive ICT committees.

The technological customization of the business.

The organizational structure of ICT.

The collaboration and participation between the main stakeholders.

The shared understanding of the objectives of the business and of ICT.

The position of the business and of ICT.

The multi-functional business, the rotation of ICT tasks (crossover professionals).

The partnerships, the rewards, and the incentives.

As for the analysis of ECVAs and the decision-making process of the organization, those were verified in the reports generated by the compliance area of the organization. In these reports, there are records of the recommendations generated from their identification of non-conformities in the ICT processes.

It is worth to note that the reports generated by the compliance area are forwarded to the boards of the concerned areas of the organization. It was also observed that the constant recommendations of the aforementioned reports have outcomes relevant to the decision-making process of the organization, considering that:

•

The recommendations have to be inserted in the strategic planning of the organization, contributing to the related decision-making process.

•

The recommendations can be part of action plans, covering the strategic, tactical, and operational levels.

•

The recommendations can be included in a monitoring process, done by the compliance area, until the non-conformities are properly addressed.

As such, the compliance verification process plays an important role in the guidance of ICT processes, as actions of compliance verification also encompass the compliance of the ECVAs, generating benefits to the decision-making process of the organization.

The details of the verification process and validation of ECVAs application in the organization are presented in the Appendix of the present paper.

6. Conclusion

This work sought to identify ECVAs associated to ICT governance, based on common guidelines and concepts found in sources from literature, legislation, orientations and recommendations of regulatory agencies, as well as in the ISO/IEC 27002:2005 standard and in the best practices guides for ICT governance and management.

This work initially looked for definitions related to ICT governance and the identification of the ECVAs related to ICT governance based on bibliographical research.

It was verified that existing definitions of ICT governance differ in some aspects, due to the time in which they were written, although they strongly encompass issues related to decision-making, considering: the authority level of the decision in the organization (structure), the way ICT resources are managed and controlled (processes), the alignment of investments with the corporate strategies for ICT.

The studies that were conducted identified ECVAs related to ICT governance, shown in Table 2. This list of ECVAs can support the regulatory compliance verification audits in public organizations. As such, the research met its initial proposed objective, which was to identify ECVAs for ICT governance.

Furthermore, the study intended to investigate and verify the applicability of ECVAs associated to the ICT governance in a public company of the Brazilian Federal Public Administration.

According to the analysis performed in the chosen company, it was verified that the ECVAs originated from supervisory and regulatory agencies, and from the legislation, especially those related to the TCU rulings, have priority in being met by the organization.

In this company, it was possible to determine that the effective application of ECVAs guides and improves the actions of ICT governance, and promote the compliance to legal mechanisms and to the recommendations of supervisory and regulatory agencies. The application of ECVAs is linked to the corporate process named “compliance verification”, ensuring the application of the regulatory compliance and the continuous improvement of the organizational processes.

The case study verified that the reports generated by the compliance area are sent to the boards of the organization, and that the recurrent recommendations of these reports cause relevant outcomes to the decision-making processes of the organization.

Also, it was verified that the “compliance verification” process performs an important role in the guidance of ICT processes, as the actions of this process include the compliance of the ECVAs, resulting in benefits to the decision-making process of the organization.

This validation result yields to the conclusion that the ECVAs associated to the ICT governance identified in this work encompass the ICT governance practices applied internally in the analyzed organization.

Based on the verification of the application of ECVAs associated to the ICT governance in the mentioned public company, it was confirmed that ICT governance is in an evolutionary process, considering the need to deal with critical issues related to the business, such as its alignment with ICT, which can influence the development of the ICT governance.

As a perspective for future works, it was observed that the ECVAs associated to ICT governance, as identified in this paper, can be applied as a querying instrument in the elaboration of works related to the regulatory compliance verification on ICT governance in other Brazilian public organizations.

Based in the verification regarding the application of ECVAs associated to ICT governance in a public company, ICT governance was verified to be in an evolutionary process, considering the necessity of treating elements that orient regulatory compliance audits which are partially met and which currently represent 30% of these, and which can impact the evolution and continuous improvement of ICT governance.

The ECVAs associated to ICT governance can be applied as consulting mechanisms in the elaboration of studies related to the verification of regulatory compliance in ICT governance, but also as guiding elements in regard to the structure of ICT governance in public Brazilian organizations.

In synthesis, it’s important to say that the elements that orient regulatory compliance audits – ECVAs, identified in regulation documents and bibliographical research, are applicable to any organization. Moreover, considering the regulatory context, they are compulsory to public corporations.

In this context, the selected ECVAs can be applied to any organization, regardless of them being public or private, and independent of the type of their business, the size of their structure. What matters in these cases is that the concerned organization be aware that ICT is something critical, dynamic, and real, and which has become a cornerstone for the development and evolution of business.

Footnotes

Appendix

Table 6 presents the chosen ECVAs relating them to those identified from documents in Table 2 and showing how they attend to the situation, as well as the verification method applied in their validation.

Table 6

Elements that orient regulatory compliance verification audits associated to ICT governance

ID	Compliance	ID ECVAs	Situation	Verification method
		Table 2

1	Boards and their responsibilities: The existence of a Board of Administration was verified, and its responsibilities are found in the internal regulation.	A	Attended	Documentary Analysis and Interviews.
2	The ICT collegiate body and its responsibilities: The strategic-level collegiate body in ICT governance is composed of Statutory Directors and employees of the organization in the areas of Governance, Risks, Compliance, Personnel Management, and Information and Communication Technology.	B	Partially attended	Documentary analysis and interviews.
3	The representation of ICT in the organization’s high leadership: The ICT leadership is part of the strategic-level ICT collegiate body. It is also part of the Executive Board of the organization and the member responsible for ICT.	C	Attended	Documentary analysis and interviews.
4	The organizational structure of the company: The organizational structure can be represented as follows: General Meeting; Board of Administration; Internal Audit; Executive Board; Strategic-level Collegiate Body; Client Relations Board; Software Development Board; Governance Board; Board of Operations.	D	Attended	Documentary analysis and interviews.
5	The roles and purview of statutory members and employees of the organization: The purview of the statutory members who make up the Board of Administration and Executive Board are specified in the bylaws of the company, but this purview is not exhaustive.	E	Attended	Documentary analysis and interviews.
6	Alignment of ICT to the governance models: The organization works with a few governance models, which are governance of processes, corporate governance, and ICT governance.	F	Partially attended	Documentary analysis.
7	The application of better practices in ICT: The organization applies better practices in ICT, in accordance to the reports that evaluate compliance.	G	Attended	Documentary analysis and interviews.
8	Methodology to measure and manage performance – balanced scorecard: It was verified that the organization applied the balance scorecard to some processes to assess the management of performance of strategic processes.	H	Partially attended	Documentary analysis and interviews.
9	Fostering organizational culture: The organizational culture is fostered through the execution of seminars breaching critical topics of the organization.	I	Attended	Documentary analysis and interviews.
10	Process of developing and maintaining technologies: The organization has a specific problem to acquire technologies based in the regulation for bids and contracts established in Law 13.303/2016 and Decree 8.945/2016, and other pertinent legislations.	J	Attended	Documentary analysis and interviews.
11	Process of acquisition and contracting: The organization has a specific process for acquiring technologies, based on regulation for bids and contracts established in Law 13.303/2016 and Decree 8.945/2016, and other pertinent legislations.	J	Partially attended	Documentary analysis.

Table 6, continued
ID	Compliance	ID ECVAs	Situation	Verification method
		Table 2
12	Management of service-level agreements: The management of service-level agreements is done by managers. Each expenditure contract has an administrative manager and a technical manager to supervise the activities of contracts management.	K	Attended	Documentary analysis.
13	Asset management: The process of asset management is very focused on managing the service taking place with the support of technologies.	L	Partially attended	Documentary analysis.
14	Management of capacity: the process of capacity of the organization is more tangible in activities revolving around the mainframe.	M	Partially attended	Documentary analysis.
15	Management of configuration: The process of managing configuration is focused on issues regarding service management. The management and maintenance of configuration management is propelled by service management.	N	Attended	Documentary analysis.
16	Management of business continuity: The process of managing continuity is formalized and structured through committees and continuity managers.	O	Attended	Documentary analysis and interviews.
17	The logical and physical access management: The existence of a process for physical and logical access was verified, as well as the rules dealing with this subject.	P	Attended	Documentary analysis and direct verification.
18	Logical security: There is an access control system for users, in which they are automatically blocked when on vacation, on leave, and their bosses are notified via corporate email. Access to the work stations by employees is done via token.	P	Attended	Documentary analysis and direct verification.
19	Management of incidents: We verified the existence of a process to manage incidents, whose activities are formalized and done according to the ITIL.	Q	Attended	Documentary analysis and interviews.
20	Management of changes: We verified the existence of a process to manage changes, whose activities are formalized and done according to the ITIL.	R	Attended	Documentary analysis and interviews.
21	Management of problems: We verified the existence of a process to manage problems, whose activities are formalized and done according to the ITIL.	S	Attended	Documentary analysis and interviews.
22	Risk management: Risk management is based in two main components: Policies and methodology, where the concepts and guidelines of the policies of risk reference the guidelines of MP/CGU Joint Normative Instruction number 1. The methodology of risks is based on regulation ISO 31000 [aaa(000)].	T	Partially attended	Documentary analysis and interviews.
23	The strategic planning: The strategic planning is elaborated based on the Swot matrix (Lee and Sai On Ko, 2000).	U	Attended	Documentary analysis and interviews.
24	The policy for information security: The policy of information security is formalized and includes the aspects of information security in relation to service continuity, physical and logical access, culture of information security, software development, system and service monitoring, and compliance.	V	Attended	Documentary analysis and interviews.

Table 6, continued
ID	Compliance	ID ECVAs	Situation	Verification method
		Table 2
25	The collaboration and participation of the main stakeholders: The participation of clients in elaborating proposals for the strategic planning of the organization was observed.	X	Attended	Documentary analysis and interviews.
26	The shared understanding of business objects and of ICT: The shared understanding of business objects and of ICT also involves an aspect of organizational culture.	Z	Attended	Documentary analysis and interviews.
27	The location (position) do business and of ICT: Business occupies a privileged position in the organization. As such, business is responsible for internalizing demands, the ICT area participates in the negotiations after an evaluation of viability by the business area.	W	Attended	Documentary analysis and interviews.
28	The multifunction business/ICT training (continued education and cross-training, knowledge management): We observed the existence of an area that deals in employee training; the majority of these are promoted via Distance Education – EAD.	Y	Attended	Documentary analysis and interviews.
29	The multifunction business/ICT task rotation (professional crossover): The organization has areas with multidisciplinary knowledge, which can promote the multifunction business and knowledge management, considering that employees with distinct specializations will work together, sharing knowledge.	A1	Partially attended	Documentary analysis and interviews.
30	Knowledge management: We observed that knowledge management is done through means of sharing information, with collaboration environments.	Y	Attended	Documentary analysis and interviews.
31	Partnerships, rewards and incentives: We observed the existence of merit-based promotion as mechanism of reward for employees.	A2	Attended	Documentary analysis and interviews.

References

ISO/IEC 27002:2005 – Information technology – Security techniques – Code of practice for information security management. Technical report.

Adams,

(2009). ITIL V3 foundation handbook, volume 1. The Stationery Office.

Bernroider,

E.W.

and Ivanov,

(2011). {IT} project management control and the control objectives for {IT} and related technology (cobit) framework. International Journal of Project Management, 29(3): 325–336.

Calder,

(2008). ISO/IEC 38500: the IT governance standard. IT Governance Ltd.

Clara,

A.M.C.

Canedo,

E.D.

and de Sousa Júnior,

R.T.

(2017). Elements that orient the regulatory compliance verification audits on ict governance. In Proceedings of the 18th Annual International Conference on Digital Government Research, dg.o ’17, pages 177–184, New York, NY, USA. ACM.

de Contas da União,

(2014). Governance benchmark applicable to public administration agencies.

De Haes,

and Van Grembergen,

(2004). It governance and its mechanisms. Information Systems Control Journal, 1: 27–33.

De Haes,

and Van Grembergen,

(2015). Enterprise governance of information technology. Achieving Alignment and Value, Featuring COBIT, 5.

for Standardization,

I.I.O.

(2013). Iso/iec 27007:2013 information technology – security techniques – guidelines for information security management systems auditing.

10.

Gil,

A.C.

(2002). Como elaborar projetos de pesquisa. São Paulo, 5: 61.

11.

Henderson,

J.C.

and Venkatraman,

(1993). Strategic alignment: Leveraging information technology for transforming organizations. IBM Systems Journal, 32(1): 472–484.

12.

Henderson,

J.C.

and Venkatraman,

(1992). Strategic alignment: a model for organizational transformation through information technology. Transforming Organizations, pages 97–117.

13.

IEC,

(2013). 27002: 2013. Information technology Security techniques-Code of practice for information security controls. Retrieved from http://www. iso. org/iso/catalogue_detail.

14.

Isaca,

(2012). 5-enabling processes. Rolling Meadows, IL, 60008.

15.

Jensen,

M.C.

and Meckling,

W.H.

(1976). Theory of the firm: Managerial behavior, agency costs and ownership structure. Journal of Financial Economics, 3(4): 305–360.

16.

Kouzmin,

Löffler,

Klages,

and Korac-Kakabadse,

(1999). Benchmarking and performance measurement in public sectors: towards learning for agency effectiveness. International Journal of Public Sector Management, 12(2): 121–144.

17.

Lee,

and Sai On Ko,

(2000). Building balanced scorecard with swot analysis, and implementing “sun tzu’s the art of business management strategies” on qfd methodology. Managerial Auditing Journal, 15(1/2): 68–76.

18.

MORAIS,

E.J.D.

(2005). Controles internos e estrutura de decisão organizacional: o caso da Contadoria do Banco do Brasil. PhD thesis, Dissertação (Mestrado em Administração) – Universidade Federal do Paraná, Curitiba.

19.

Nastase,

and Ionescu,

(2009). Challenges generated by the implementation of the it standards cobit 4.1, itil v3 and iso/iec 27002 in enterprises. Economic Computation & Economic Cybernetics Studies & Research, 43(3): 1–16.

20.

Nath,

H.K.

and Liu,

(2017). Information and communications technology (ict) and services trade. Information Economics and Policy.

21.

Norfolk,

(2011). IT Governance: Managing Information Technology for Business; 2nd ed. Thorogood Publishing Ltd, London.

22.

Preda,

(2013). Implementing a risk management standard. Journal of Defense Resources Management, 4(1): 111.

23.

Secretaria de Logística e Tecnologia da Informação do Ministério do Planejamento, O. e. G. S. (2016). Estratégia de governança digital da administração pública federal.

24.

Simonsson,

(2008). Predicting IT Governance performance: A Method for model-Based Decision Making. PhD thesis, KTH, Royal Institute of Technology Stockholm, Sweden.

25.

Simonsson,

and Johnson,

(2008). Earp working paper ms103: Defining it governance – a consolidation of literature.

26.

Van Grembergen,

(2004). Strategies for information technology governance. Igi Global.

27.

Van Grembergen,

De Haes,

and Guldentops,

(2004). Structures, processes and relational mechanisms for it governance. Strategies for information Technology Governance, 2(4): 1–36.

28.

Weill,

and Ross,

J.W.

(2004). IT governance: How top performers manage IT decision rights for superior results. Harvard Business Press.

ID	Elements that Orient the Regulatory Compliance Verification Audits	1	2	3	4	5	6	7	8	9
A	The boards and executives of ICT and their responsibilities	x	x	x	x					x
B	The strategic and tactical body	x	x	x	x
C	The representation of ICT in the high leadership of the organization (The board of directors)	x	x	x	x	x				x
D	The organizational structure	x	x	x	x
E	The roles and duties	x	x	x	x			x	x	x
F	The alignment of ICT with governance models	x
G	The application of better practices for ICT	x							x	x
H	Methodology to measure and manage performance – Balanced scorecard	x
I	The organizational culture	x
J	The development, acquisition, and maintenance of technologies	x	x	x			x	x	x	x
K	The management of service-level agreements	x					x		x	x
L	The management of assets	x					x			x
M	The management of capacity	x								x
N	The management of configuration	x						x		x
O	The management of business continuity	x						x	x	x
P	The management of physical and logical access	x						x	x	x
Q	The management of incidents	x						x		x
R	The management of changes	x						x	x	x
S	The management of problems	x								x
T	The management of risks	x						x	x	x
U	The strategic planning	x	x	x	x				x	x
V	The ICT security policy	x			x			x	x	x
X	The collaboration and participation of the main stakeholders	x
Z	The shared understanding of the business objectives and the ICT	x
W	The location (position) of the business and the ICT	x
Y	The multifunctional business/ICT training (continued education and cross-training, knowledge management)	x	x	x		x		x	x	x
A1	The multifunctional business/rotation of ICT tasks (crossover professionals)	x
A2	The partnerships, rewards, and incentives	x

Compliance to ECVAs	General outcome
	74% – Applied
	26% – Partially applied

A synthesis of common guidelines for regulatory compliance verification in the context of ICT governance audits 1

Abstract

Keywords

1. Introduction

2. Research methodology

Table 1 Internal documents of the organization considered for the case study

3.1 Origins of governance

Table 5 ECVAs Exclusive to the bibliographical research

Footnotes

Appendix

References

Table 1
Internal documents of the organization considered for the case study

Table 5
ECVAs Exclusive to the bibliographical research