1 Introduction
Information technology (IT) is integral and fundamental to supporting, sustaining, and growing a business. Knowing this, corporations make huge investments in IT. [34] Gartner (2010) reports that despite the current economic slowdown, worldwide IT spending reached $3.4 trillion in 2010, a 4.6 percent increase from 2009; yet a large portion of IT investment does not guarantee high returns. The [90] Standish Group (2006) reports that approximately 67 percent of IT projects failed or were challenged to justify the investment. As corporations invest highly in and rely heavily on IT, they expose themselves to high risks. Thus, organizations need to review continuously and protect information assets from disaster. The September 11 terrorist attack on the World Trade Center in New York City and corporate financial misdeeds like WorldCom and Enron are among notable disasters.
To assure sound business systems and adequate internal controls, regulatory frameworks are instituted. The Sarbanes-Oxley Act (SOX) 2002 was enacted to enhance corporate governance, foster organization responsibilities, strengthen internal controls, and increase accountabilities ([14] Damianides, 2004). Although SOX requires all financial reporting needs to be assessed, it does not ensure that businesses are fully secure. The Basel II Accord was enacted to prevent major bank failures; banks complying with the Basel II Accord pledge to safeguard themselves against financial and operational risks, including technology risks.
In the last decade, IT governance captured the attention of both practitioners and academics and was cited as a subset of corporate governance ([50] Korac-Kakabadse and Kakabadse, 2001; [51] Lainhart, 2000). Rising interest in IT governance is attributed to SOX 2002, the Basel II Accord, and the acknowledgment that IT investments must be protected from severe losses. [51] Lainhart (2000) suggests that concern with IT governance focuses primarily on policies and procedures that define how organizations direct and control the use of technology and protect its information from IT-related risks.
IT governance involves discharging roles and responsibilities in assuring sound IT practices in organizations. [99] Van Grembergen (2000) refers to IT governance as:
[...] the ability of the organizations to achieve specified goal(s) or organizational capacity, exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and to ensure the fusion of business and IT.
As a...