Wednesday, December 16, 2009

[Data Recovery Freeware] Citrix adds Site Recovery to Hyper-V with Citrix Essentials 5.5 for Microsoft Hyper-V

- "This latest release of Citrix Essentials extends disaster recovery to Windows Server 2008 Hyper-V, adding to existing advanced virtualization management capabilities including storage management, provisioning services and lab automation to maximize the benefits of deploying Hyper-V virtual infrastructure."

Tuesday, December 08, 2009

BS 15000/ISO 20000 Legitimizing the ITSM Market . . .

The British Standards Institute and the International Organisation for Standardisation are responsible for the drafting and publication of many thousands of different standards covering everything from apples (ISO 1212 Guidance on conditions for the cold storage of apples) to zinc (BS 2656 Specification for zinc anodes, zinc oxide and zinc salts for electroplating).

With the publication of BS 15000 and its internationalised counterpart ISO 20000, IT Service Management has taken a giant lead towards acceptance and legitimacy. Both standards are based upon the ITIL documentation library and outline a system for the management of the IT function geared towards the provision of IT services. It should be noted that external certifications against these standards are available to enable organisations to demonstrate that they comply with the requirements of the standard. Whether or not they deliver excellent IT services is another matter entirely. Products cannot be certified against the standards and as such any vendor claims or implied claims should be treated as nothing more than marketing sound bites.

2.1 Are Standards a Good Thing?

Standards work best when they describe something in quantifiable terms that can be independently tested and verified. Standards define a definite output in unambiguous language to prevent miscommunications and misunderstandings. Common understanding allows different parties to deliver something in a standard manner. Standards enable standardisation. Standardisation aids the commoditisation of an item. Commoditisation allows different items that meet the standard to be used interchangeably, i.e. standards improve the level of interoperability that can be realised. Interoperability reduces dependency upon any one specific vendor. Free market economics can then be applied to reduce the cost of standards-based items. Reduced costs are a good thing. Therefore, standards are a good thing!

The above tongue-in-cheek analysis does hold true for some cases and indeed standards can be incredibly useful. However, within the IT industry standards compliance is not always consistent and just because something is purported to follow a specific set of standards does not necessarily mean that it does. Take for example the DOM standards laid down by the W3C committee governing HTML and JavaScript implementations within web browsers. Anyone who has had the pleasure of developing web content for multiple browser platforms knows that the organisations behind browser development often take dramatically different views of the meaning of the standard and implement significantly different approaches to satisfy its requirements.

Let us consider the mission of Apollo 13 . . .

As the spacecraft was on its way to the Moon, at a distance of almost 200,000 miles from Earth, the number two oxygen tank in the Service Module exploded. This created a series of problems which were overcome thanks to the ingenuity of both the crew and the flight controllers in Houston. As well as working out how to return the crew safely to Earth, they had to contend with the minor irritation of the carbon dioxide scrubbers in the Lunar Excursion Module (LEM) lifeboat. The lithium hydroxide canisters available for the LEM's CO2 scrubbers would not last long enough to get the crew home. Although the Command Module (CM) had an adequate supply of replacement canisters, they were the wrong shape to fit the LEM's receptacle; an adapter had to be fabricated from materials in the spacecraft. Mission Control devised a way to attach the CM canisters to the LEM system by using plastic bags, cardboard, and gaffer tape - all materials carried on board.

However, had the scrubbers' design been consistent, i.e. standardised across the LEM and the CM, then the potential for CO2 poisoning would have been one less headache for NASA to deal with during the crisis in 1970.

Monday, December 07, 2009

Information System Audit Reporting Follow-up


Ultimately, the value of an audit lies in the improvements to the business situation brought about as a result of the audit. Where no such improvements take place the audit may well have been a waste of time, resources, and money. Improvements will only take place where the individuals authorized and empowered to take effective action have been convinced that some form of action is appropriate to improve the control situations.

A variety of individuals will use audit reports for a variety of purposes. Executive management will typically use an audit report to gain an insight into the overall status of internal controls within a given business area and for the organization as a whole. Operational management uses audit reports to determine the adequacy and effectiveness of specific controls in achieving specific performance and control objectives. Other agencies may use audit reports to gain insight into the inner workings of specific operations and the degree of reliance that can be placed on the outputs of those business areas.

In general, auditors communicate the overall findings together with recommendations for actions to be taken using the audit report. These reports are sent to those individuals who are in a position to take effective action or ensure that corrective actions are taken. Senior executives within the organization may also receive either copies of the report or summaries of the reports. Results of the audit are usually reported orally in the form of interim reports and closing conferences as well as in writing.


Interim reports are those reports prepared and issued while the audit is in progress. They are typically used to either report progress on an extended audit or to notify the auditee of a finding that warrants immediate attention. They may be either written or verbal, although a written memo-form report can be a useful proof of delivery of a finding. The main advantages of interim reports are the provision of a timely feedback to the auditee coupled with a higher probability of immediate action. This can, in turn, result in a more favorable final report if appropriate action is taken. Interim reports effectively provide a follow-up opportunity during the audit itself.


Before the final audit report is issued, a closing conference is common. This permits an overall review of the audit objectives and findings and is the final opportunity to clear up any misunderstandings or omissions prior to report issuance. It ensures a fair and balanced presentation and allows auditees to express their opinion. It also gives the auditor feedback on the way the audit was handled from a client’s perspective.


Written reports at a minimum should be produced at the end of an audit. Reports generally should be:

  • Accurate

  • Objective

  • Clear

  • Concise

  • Complete

  • Constructive

  • Timely


Written reports should include the audit purpose, scope, results, auditor’s opinion, recommendations for potential improvements, acknowledgment of satisfactory performance, and the auditee’s reply to the auditor’s opinions and recommendations. Because the issued audit report is a reflection of the competence and professional image of the whole IS Audit function, it should be reviewed and approved by the in-charge auditor prior to issue.

For many managers the audit report is the only demonstration they will see that IS Audit has fully discharged its responsibilities. This impression will be based not only on the technical competence of the report, but also the clarity of writing and the tone and style of the report. The report must communicate the auditor’s message in a clear and unambiguous way without leaving any questions unanswered in the reader’s mind.


Given that the objectives of audit communications are to inform, persuade, and influence, the writer of a report must utilize clear writing techniques to get the message across as effectively as possible. Our normal, human method of communication uses a conversational style that tends to be more retainable than other, formal methods of communication. Unfortunately, human nature being what it is, everyday conversation takes the form of statements, questions, and answers. In a written communication the auditor is not available to answer questions that the written statements raise in the mind of the reader. As such, written communications must anticipate questions raised and answer them within the report.

In order to be persuasive the auditor must, while ensuring that the point is gotten across, avoid antagonizing the recipient of the audit report. Improvements come about as a result of implemented recommendations, and recommendations will not willingly be implemented if the person responsible reacts negatively to the audit report. Where control deficiencies are reported, care should be taken to avoid personal references and the audit report should criticize poor practices rather than individuals.

There is a rough rule of thumb that says that the more words there are, the less persuasive the report will be. The auditor’s aim is to ensure that appropriate action is taken, which requires first that the report be read. When a manager is faced with a plethora of thick reports with very little content the most likely scenario is that these reports will be consigned to the wastepaper basket. Writing a short, high-impact report is much more difficult than writing a long, meandering essay. In order to achieve the desired results the audit report must be written with impact in mind.

Sentences should be kept short, averaging 15 to 20 words, with one basic idea per sentence. Long sentences tend to be foggy, dull, and boring. When the reader gets bored he or she will start to skip through the report seeking any keywords of interest. This does not mean that the auditor should count every word in a sentence and artificially cut long sentences in two. Most auditors know the size of their writing and can see at a glance if the sentence is too long. A rough rule of thumb can be taken as, if the sentence were read aloud and the reader ran out of breath before the end of the sentence, it is too long.

Generally, active voice verbs assist in making sentences more readable because they are normally shorter, livelier, and more conversational. Instead of writing “. . . were asked for by the manager,” which uses a passive form of verb, try “the manager asked for . . . .” Passive voice verbs tend to be dull, unclear, and less emphatic. They also tend to be extremely formal in writing style. Some audit reports are deliberately written to be extremely formal and structured in order to emphasize the impartial and impersonal nature of the report, and under such circumstances passive voice verbs would be highly appropriate. An example of this is fraud audit reports, where a deliberate effort is required to show that the opinion expressed is a professional judgment based upon the evidence gathered and not a personal opinion.

A common fault with audit reports is the use of “impressive” words, which the reader may not understand or may misinterpret. “Unless the paradigm is changed the situation may be exacerbated” actually says “unless we change the way we do things, things could get worse.” The writer should use clear, familiar words in order to get across the message intended. While we have already noted that fewer words can have more impact, the auditor should never sacrifice clarity for brevity. If that requires ten words to be specific rather than five words to be vague, then take the ten words. Some audit reports become so cryptic that the reader has to guess the auditor’s meaning. Information systems (IS) auditing in particular will involve report recipients who come from a variety of backgrounds and who may or may not understand computing jargon. Wherever possible jargon should be avoided and, where it is unavoidable, it should be explained for the non-technical. The writer must always bear in mind that the onus of communication is on the auditor, not the reader.

Long, monotonous sections of report can cause the reader to skip and browse rather than read and digest. Use of white space and headings can break up the monotony of long sections and facilitates the location of specific information. Scanning the report, speed-reading looking for keywords of interest, may not, in fact, be a problem. Where the reader does not need to read the full report but only certain sections, it is useful if the auditor can draw the attention directly to those sections. This can substantially speed up the reading process and may result in parts of a report being read that would otherwise be ignored. Some auditors feel that, having written the report, all readers must read the full thing. The alternative may be that the report is not read at all.

In the same way as keeping sentences short, keeping paragraphs short can make the report more reader-friendly. Other techniques to assist in ensuring the readability of reports include the use of bullets, emphasis, white space, graphics, and color. At the same time these techniques should not be used simply to pad the report or make it appear over-fancy. The objective of the report is to communicate and persuade, not to impress with the auditor’s ability to create a piece of artwork.


From the start of the audit the auditor will already have a mental picture of the report in mind. At the time that the scope and objectives are approved the anticipated audience is known and subsequently all audit work should be carried out with the audit report in mind. The subject matter is known and the scope and objectives are known and, although the actual results of the audit are unknown at this stage, the probable areas to be included in the report should be clear by the end of the preliminary survey.

Writing the audit report comes at the end of the audit after the close of field work when time is running out, and this frequently results in audit reports that are rushed and of poor quality. Adequate time must be budgeted from the start to allow the production of a high-quality, communicative audit report. Most auditors agree that the hardest part about writing an audit report is actually commencing. Some auditors find an exercise known as free writing assists in loosening up the mental muscles. This technique involves writing some piece of unrelated text such as a letter prior to starting on the actual report. The theory is that this ensures that the brain is working in logical communication mode prior to the report writing being commenced and that idea flow is eased.


The contents of most audit reports follow a similar pattern and include:

  • Background, scope, and objectives

  • Summary of major findings

  • Audit opinion

  • Detailed findings and recommendations

  • Acknowledgments of satisfactory performance

  • Detailed technical appendices


A cover is almost always desirable because it sets a professional tone from the start. It should include the report title, name and location of auditee, and the date of audit coverage.

A formalities section normally constitutes an introduction and is typically one to three pages in length. It includes the date of the report, the addressee (get it right), and the background, scope, and objectives of the audit. A brief audit opinion and the general nature of the findings together with the reply expectations and a signature are required. The names of participating auditors, distribution list, and contents of the body of the report are also a normal part of the formalities section.


Most audit reports include an executive summary covering the most important issues and findings from an overall business point of view. The executive summary provides a preliminary perspective to the whole report and focuses on risks to the organization and the specific effect of control weaknesses. It may be all that is read and, in many cases where such summaries go to senior executives, it is all that should be read.

Two approaches are possible in the executive summary, depending on the nature of the executive audience. With a knowledgeable executive, a condense-and-eliminate approach may be used. This involves an abbreviated explanation of major audit findings, in order of importance to the executive and cross-referenced to the body of the report. A briefings approach that informs, advises, and interprets may be more appropriate in a specialized audit where the executives may not be fully conversant with the implications of findings.


Detailed findings usually constitute the body of the report. Strange as it sounds, a finding is not something that was found. An audit finding is comprised of four distinct parts:

  • Condition. Records what was found by the auditor (i.e., what the evidence showed)

  • Criteria. Indicates what should have happened in terms of control considerations

  • Cause. Indicates whether the condition was caused by the absence of an internal control or the failure of one and, if so, which

  • Effect. Indicates the impact on the business of the cause of the condition


Many auditors struggle to decide how much detail should be included in the body of the report. The detailed findings should include sufficient information for the reader to understand the nature of the finding, the relative importance of the finding, and what needs to be done about the finding. There can be no clear-cut rule on this because it depends on the knowledge level and experience of the audience being communicated with. During the course of the audit, the auditor should assess how much detail will be required in the final report. In order to ensure the final report is readable, exhibits and attachments are usually placed in an appendix if placing the information in the body of the report would make it overly lengthy or unreadable. All graphics, charts, photographs, and financial tabulations should be clearly labeled within the report in case they are referenced in two or three places. Where appendices are used they should be cross-referenced to the report.

One of management’s common requirements is the expression of an audit opinion. This normally takes the form of an opinion on the adequacy and effectiveness of the internal control structures. The auditor must bear in mind that an opinion on adequacy is an indication that the control structures do or do not achieve management’s desired level of control. Many auditors express an opinion on whether the control structures meet their own definition of adequacy. The audit opinion provides an overall perspective to the rest of the report and forces auditors to commit themselves, but can cause a management overreaction resulting in important parts of the report being ignored because, by their nature, audit results are normally mixed.

Auditee responses to findings and recommendations are normally included in the final report. This assists provision of a balanced report and can lend credibility to the report. Where such comments are included, they must be reviewed with and agreed by the auditee. This does not mean, however, that the auditee must agree with all of the auditor’s findings and recommendations. In some cases the two parties must agree to disagree, with both opinions expressed within the report so that the managerial decision can be made. If the manager decides to accept the risk expressed within the report and take no action, and if such a decision is within their area of authority, the auditor has done their work in drawing the risk to management’s attention and no further audit effort is required in this area.



Because the audit report is a reflection on the professionalism and competence of the whole IS Audit function, the report must appear as professional as possible. Polishing the report involves a rigorous review prior to issue. This can be done by using a checklist to ensure the readability and understandability of the report or by using a peer group, which normally involves one auditor with no knowledge of the specific audit area so that assumptions may be challenged. Ultimately the report will be signed off by the in-charge auditor or a designated deputy. One of the major auditee complaints is that reports containing critical issues are issued late and that they are expected then to implement the recommendations with immediate effect. It is therefore critical that the auditor does not build in delays to report issuance.

Commonly the audit report will involve the coordination of several writers’ efforts. In such cases it may be wise to read the report aloud and recognize the differences where individual contributors change.


Audit reports are normally distributed to a variety of managerial levels. The report should be directed at the first authority level able to take appropriate action. The full distribution list is normally known early in the audit process; however, auditee chains-of-command can cause internal political ramifications. Many IS Audit reports are sent to the recipients by e-mail. In general, the delivery method should take into account both the confidentiality of the reported information as well as the remoteness of the recipient. Couriering or hand-delivery may be preferred but impractical. If e-mail is used, adequate encryption techniques should be implemented to ensure the confidentiality and integrity of the message delivered.

If the audit report contents are highly confidential, detective controls can be implemented to trace individual copies should a leak occur. The most obvious of these techniques is copy numbering, but intentional misspellings or rewording of critical areas may also be used.


It is, unfortunately, a truism that people do not do what is expected, they do what is inspected. The IS Audit executive should establish a follow-up process to monitor progress and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. These two alternatives lead to different follow-up activities. Where management chooses to take appropriate action on the audit findings, auditors must find out what action was taken and determine if it was appropriate. They would typically issue follow-up reports normally directed to the recipients of the original report and the key focus must be on the attainment of the control objectives, not necessarily on the implementation of audit recommendations. Where management accepted the risk of not taking action, no follow-up report may be required. Given the mixed nature of audit findings, it is to be expected that management will implement some recommendations and accept some risks. This should be noted in the follow-up report.

Follow-up reports are normally directed to the recipients of the original report and the key focus is on resolution of the audit findings, not necessarily on the implementation of specific audit recommendations. It may well be that, subsequent to the audit report being issued, management circumstances may have changed in terms of risk prioritization or resource availability and an alternative course of action has been implemented leading to achievement of the same control objectives.

Where the auditor feels that the alternative course of action has not adequately addressed the control objective, the auditor will need guidelines for rejecting the auditee’s corrective measures. Under these circumstances care should be taken not to attempt to force audit preferences on management. The audit focus should be on control objectives and principles; management should focus on the controls themselves. To do otherwise is to risk becoming the approver. Management must decide, not the auditor. Where a management action is rejected, the auditor must take care never to attack the individuals concerned. The auditor must avoid becoming emotionally involved in disagreements. State specifically in rejections why the rejection has occurred and which control objectives are still threatened.


The auditor will commonly review auditee responses and corrective actions, evaluate the adequacy of those responses and corrective actions, and report follow-up findings. Follow-up actions will vary significantly for differing audits in terms of the breadth, degree of focus, depth, and extent of follow-up examination. Practical considerations such as time available must be taken into consideration. Auditors tend to be optimists as far as time is concerned and follow-ups are often used to take shortcuts. In many cases follow-ups are completely omitted. In order to reduce the time required for follow-ups, the auditor should attempt to:

  • Follow up as many as possible during the audit itself

  • Review written responses prior to the review

  • Review only the documentation of corrective action for less critical findings

  • Do not perform audit work at all on minor items

  • Limit follow-up tests to only the problems noted


It is not necessary that the follow-up be done by the original auditor or audit team. In some lower risk cases all that may be required is confirmation from management that the agreed action has been taken. In other cases the audit committee itself may seek reassurance from management that agreed actions have been implemented.

Standards and Guidelines for Information System Auditing


In 1978 the IIA introduced the Standards for the Professional Practice of Internal Auditing to be used around the world in order to provide international consistency and as a measurement tool for audit quality assurance. These consisted of 5 general and 25 specific standards together with numerous Statements on Auditing Standards. Standards were considered mandatory while non-mandatory Guidelines were also included.

The IIA standards were intended to establish a yardstick for consistent measurement of Internal Auditing operations. This allowed the unification of internal auditing worldwide by improving internal audit practice, proclaiming the role, scope, performance, and objectives of internal auditing, promoting the recognition of internal auditing as a profession, and promoting responsibility within the internal auditing profession.

As part of its ongoing research into the evolving role of internal auditing, an extensive research project known as the Competency Framework for Internal Auditing (CFIA) was undertaken by the IIA.

It was intended to update the Common Body of Knowledge (CBOK) expected from a professional Internal Auditor.

The CFIA included not only the competencies needed by auditors, but also how these competencies would be assessed. Based upon this research, the IIA brought together an international group of audit professionals, the Guidance Task Force (GTF), to formulate a guidance framework for the future.

This resulted in the Professional Practices Framework, which comprises mandatory, advisory, and practical guidance in the forms of the Standards, Practice Advisories, and Development and Practice Aids, respectively.

In January 2002, the IIA adopted revised standards. Included within these revisions is the new definition of internal auditing. Since 2002, internal auditing has been defined as:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.1


In general, Internal Auditors are expected to apply and uphold the following principles:


The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.


Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.


Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.2

Their rules of conduct cover:

1. Integrity. Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity. Internal auditors:

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.

2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3. Confidentiality. Internal auditors:

3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4. Competency. Internal auditors:

4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.

4.2. Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.

4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.3

Compliance with both the Code of Ethics and the Standards is mandatory. All mandatory statements are first promulgated for discussion by the entire profession through the issuance of exposure drafts. Compliance with these statements is considered essential to the delivery of professional services by both the individual auditor and the internal audit function.


The Guidelines were replaced with Practice Advisories representing the best approaches to implementation of the Standards. Essentially, the Practice Advisories are designed to assist the auditor by interpreting the Standards in a variety of internal auditing environments. Practice Advisories will continue to be issued from time to time, both as general aids as well as to meet specialized needs within a given industry, geographic location, or audit specialty.


The IIA has also developed or endorsed Development and Practice Aids. These include educational products, research studies, seminars, conferences, and other aids related to the professional practice of internal auditing. These are not intended to be either compulsory as are the Standards, nor advisory as are the Practice Advisories. They are intended solely to assist in the development of Internal Audit staff by introducing them to techniques and processes developed by a variety of experts in their fields.


The Standards themselves have been regrouped and redefined into Attribute, Performance, and Implementation Standards:

Attribute Standards. These address the attributes of organizations and individuals performing internal audit services and apply to all internal audit services.

Performance Standards. These describe the nature of internal audit services provided and provide quality criteria against which the performance of these services can be measured.

Implementation Standards. These prescribe Standards applicable to specific types of engagements in a variety of industries as well as specialist areas of service delivery.


Full details of the Standards for the Professional Practice of Internal Auditing can be found at


The framework for the IS Auditing Standards provides multiple levels of guidance:

Standards define mandatory requirements for IS Auditing and reporting. They inform:

IS Auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS Auditors

Management and other interested parties of the profession’s expectations concerning the work of practitioners

Holders of the Certified Information Systems Auditor™ (CISA®) designation of the requirements they must meet. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or the appropriate ISACA committee and, ultimately, in disciplinary action.

Guidelines provide guidance in applying IS Auditing Standards. The IS Auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application, and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Procedures provide examples of procedures an IS Auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS Auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.


Control Objectives for Information and related Technology (COBIT®) resources should be used as a source of best practice guidance. Each of the following is organized by IT management process, as defined in the COBIT Framework. COBIT is intended for use by business and IT management as well as IS Auditors; therefore its usage enables the understanding of business objectives and communication of best practices and recommendations, to be made around a commonly understood and well-respected standard reference. COBIT includes:

Control objectives. High-level and detailed generic statements of minimum good control

Control practices. Practical rationales and how-to-implement guidance for the control objectives

Audit guidelines. Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance, and substantiate the risk of controls not being met

Management guidelines. Guidance on how to assess and improve IT process performance, using maturity models, metrics, and critical success factors


Full details of the IS Standards, Guidelines and Procedures for Auditing and Control Professionals can be found at


ISACA also has its own code of ethics, which requires that members and holders of its certifications (CISA and CISM) shall:

Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems.

Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.

Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence.

Inform appropriate parties of the results of work performed, revealing all significant facts known to them.

Support the professional education of stakeholders in enhancing their understanding of information systems security and control.


Failure to comply with this Code of Professional Ethics can result in an investigation into a member’s or certification holder’s conduct and, ultimately, in disciplinary measures.

Full details of the Code of Professional Ethics can be found at


In 1992, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the American Accounting Association, the Institute of Management Accountants, and the Financial Executives Institute issued a jointly prepared study entitled Internal Control—An Integrated Framework. This document identifies the fundamental objectives of any business or government entity. These included economy and efficiency of operations, safeguarding of assets, achievement of desired outcomes, reliability of financial and management reports, and compliance with laws and regulations.

Internal control was defined by the Committee of Sponsoring Organizations (COSO) as a broadly defined process, effected by people, designed to provide reasonable assurance regarding the achievement of the three objectives that all businesses strive for, namely:

Economy and efficiency of operations, including achievement of performance goals and safeguarding of assets against loss;

Reliable financial and operational data and reports; and

Compliance with laws and regulations.


To help management achieve these objectives, COSO defined five components of internal control:

Sound Control Environment. A sound control environment requires the correct level of attention and direction from senior management. It is established by employing managers and employees who possess integrity, ethical values, and competence, and it reflects management’s philosophy and operating style. For it to be effective, authority and responsibility must be properly assigned and the available resources properly organized. Training and developing people to the required standard is essential to ensure that they are competent to exercise control.

Sound Risk Assessment Process. A sound risk assessment process requires an awareness of the risks and obstacles to the successful achievement of business objectives and the ability to deal with them. Management must therefore establish a set of objectives that integrates all the organization’s resources so that the organization operates in unison. The risk assessment itself involves the identification, analysis, and management of the risks and obstacles to the successful achievement of the three primary business objectives.

Sound Operational Control Activities. Sound operational control activities involve the establishment and execution of sound policies and procedures. These help ensure effective implementation of the actions identified by management as required to address risks and obstacles to the achievement of business objectives. They include such concepts as authorization, reviews of operating performance, security of assets, and segregation of duties.

Sound Information and Communications Systems. Information systems facilitate the running and control of a business by producing reports containing financial, operational, and compliance-related information. They deal both with internally generated data and with the external activities, conditions, and events necessary for informed business decision making and external reporting. For this to happen, appropriate information must be identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities.

Effective communication must flow down, up, and across the organization. This includes a clear message from top management to all personnel that control responsibilities must be taken seriously. All personnel must understand their own role in the internal control system, as well as how their individual activities relate to the work of others. Personnel also require a means of communicating significant information upward as well as with external parties.

Effective Monitoring. To ensure the effectiveness of the control process, the entire control system must be monitored to assess the quality of its performance over time. Deficiencies must be reported, with serious matters reported directly to top management.


In addition, there should be separate, independent evaluations of the internal control system. The scope and frequency of these independent evaluations depend primarily on the assessment of risks and obstacles, and the effectiveness of ongoing monitoring procedures.


Both British Standard 7799 and its international counterpart ISO/IEC 17799 were developed to assist companies by ensuring that, when electronic commerce is entered into, some degree of assurance regarding security and control is implemented at either end, within the trading partners’ own systems.

The standards break down IS security into ten main areas, namely:

Security Policy

Security Organization

Asset Classification and Control

Personnel Security

Physical and Environmental Security

Computer and Network Management

Systems Access Control

System Development and Maintenance

Business Continuity Planning

Compliance

Within each of these areas, key controls are identified that are considered mandatory, together with additional controls that are considered optional depending on the level of risk the organization can sustain. The detailed standard explains what is required to provide a secure organization, but at a minimum the standards require the existence of:

Written information system security policy

Allocation of responsibility for information security

Users trained appropriately on information security risks and controls

A feedback mechanism for the reporting of security-related issues

Fully tested and effective business continuity plans

Controls to ensure compliance with the appropriate data protection legislation

Controls to ensure safeguarding of records in line with corporate statutory requirements

Controls to prevent and detect malicious software such as viruses and spyware

Review procedures



With the passage of the Federal Information Security Management Act (FISMA) of 2002,4 there is a statutory provision to ensure that agencies comply with mandatory Federal Information Processing Standards (FIPS). The National Institute of Standards and Technology (NIST) is the federal technology agency responsible for technology measurements and standards. The Computer Security Resource Center (CSRC), a division of NIST, has assisted by producing both a handbook on IT security and multiple security standards.

The NIST Handbook (Special Publication 800-12, An Introduction to Computer Security) covers very similar ground to BS 7799 and ISO 17799, but goes into considerably more detail on subjects such as:

Elements of computer security

Roles and responsibilities

Common threats


Management Controls

Computer security policy

Computer security program management

Computer security risk management

Security and planning in the computer system life cycle



Operational Controls

Personnel/user issues

Preparing for contingencies and disasters

Computer security incident handling

Awareness, training, and education

Security considerations in computer support and operations

Physical and environmental security


Technical Controls

Identification and authentication

Logical access control

Audit trails



The NIST Handbook also includes sections on the practical implementation of assessing and mitigating risks within the computer system.

Another, more recent, standard, Minimum Security Requirements for Federal Information and Information Systems (FIPS 200), specifies minimum security requirements for federal information and information systems in 17 security-related areas. Federal agencies are required to meet the minimum security requirements defined therein. All such standards are available from NIST at


The IT Baseline Protection Manual (IT-Grundschutzhandbuch) of the German Federal Office for Information Security (BSI, not the British Standards Institution) can be obtained from
It describes a minimum set of controls to provide medium-level protection for information systems and covers:

IT Security Management

IT security process

Responsibilities and authorization in the IT security process


IT Baseline Protection for Generic Components

Contingency Planning

Data Protection


Infrastructure

Server Room

Storage Media Archives

Technical Infrastructure Room

Protective cabinets

Home working place


Non-Networked Systems

DOS PC (single user)

UNIX System

DOS PC (multi-user)

Non-networked Windows NT computer

PC with Windows 95


Local Area Networks (LANs)

Server-Based Network

Networked UNIX Systems

Peer-to-Peer Network

Windows networks

Novell Netware

Heterogeneous networks


Data Transfer Systems

Data Carrier Exchange


Telecommunication systems

Fax Machine

Telephone Answering Machine

LAN integration of an IT system


Other IT Components

Standard Software




It should not be thought that the standards are definitive. From time to time new standards are created and old ones updated and it is part of the job requirement of the IS Auditor to keep abreast of the latest developments in internationally recognized standards.

Information System Risk and Fundamental Auditing Concepts


“Control” comprises all the elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization’s objectives. Control is “effective” to the extent that it provides reasonable assurance that the organization will achieve its objectives reliably. Leadership involves making choices in the face of uncertainty. “Risk” is the possibility that one or more individuals or organizations will experience adverse consequences from those choices. Risk is the mirror image of opportunity.1

All entities encounter risk regardless of their size, structure, nature, or industry. Likewise, all business decisions involve elements of risk, including decisions on financing, product lines or sources, and methods of supply.

All businesses, products, and processes involve some degree of risk. Risk management involves assessing a product, process, or business by:

  • Identifying processes

  • Identifying the types of risks associated with each process

  • Identifying the controls associated with each process

  • Evaluating the adequacy of the system of control in mitigating risk

  • Determining the key controls associated with each process

  • Determining the effectiveness of the key controls


Three types of risk are normally considered when using a risk-based audit approach. They are inherent risk, control risk, and audit risk.

Inherent Risk

Inherent risk is the likelihood of a significant loss occurring before taking into account any risk-reducing factors. In evaluating inherent risk, the auditor must consider what are the types of and nature of risks as well as what factors indicate a risk exists. To achieve this the auditor must be familiar with the environment in which the entity operates.

Control Risk

Control risk measures the likelihood that the control processes established to limit or manage inherent risk are ineffective. In order to ensure that internal audit evaluates the controls properly, the auditor must understand how to measure which controls are effective. This will involve identifying those controls that provide the greatest degree of assurance to minimize risks within the business. Control effectiveness is strongly impacted by the quality of work and control supervision.

Controls in business operations provide the major line of defense against inherent risk. In general, the auditor may assume that stronger controls reduce the amount of risk; however, at some point the cost of control may become prohibitive (in terms of both monetary and staff resources as well as customer satisfaction).

Audit Risk

Audit risk is the risk that audit coverage will not address significant business exposures. Pro-forma audit programs may be developed in order to reduce audit risk. These provide guidance as to which key controls should exist to address the risk, and the recommended compliance and/or substantive test steps to be performed. These programs should be used with care and modified to reflect the current business risk profile.


In general, business risks may affect a company’s ability to compete successfully, to maintain financial strength and a positive public image, and ultimately, its ability to survive. Risks will impact the overall quality of an organization’s products, people, or services. Risks cannot be eliminated, only managed.

Auditors have traditionally been tasked with gaining and confirming an understanding of the system of internal control as fundamental to evaluating the adequacy and effectiveness of management’s internal controls. Internal control has been presumed to be a response to business risk. In order to evaluate the effectiveness of risk control measures, the auditor must have a comprehensive understanding of the underlying business risks.

Within a heavily computerized organization, such an understanding requires, initially, a thorough understanding of the business process in order to identify critical processes where less than optimum performance could have severe consequences. In addition, an understanding of the risks inherent within a computerized environment is essential in order to assess the appropriateness and mitigating effects of the control environment.

Such understandings of both the business process and the IT environment imply a collaborative approach because the internal auditor is rarely as knowledgeable about the process as the manager who routinely controls it or the IT staff implementing the IT control environment. By the same token, the management and IT teams who are involved in a business or IT process on a day-to-day basis will normally lack the independent perspective an internal auditor can bring to risk evaluation.

One of the major cornerstones of IS governance is the management of risks. This is increasingly being seen as a strategic issue to be addressed at board level in order to ensure the ongoing viability of the organization because failure within IS can have a catastrophic effect on the organization.

For many business executives, understanding the risks relating to the use of IS remains a challenge. In some cases, this results from a basic lack of understanding of the uses and potential abuses of such information systems. Many executives derive their understanding of IS risk from the popular media, who tend to focus on risk areas of high visibility and human interest and neglect the underlying flaws in control strategies that allowed those risks to materialize.

Elimination of risk is neither possible nor desirable because it is by careful management of risks that organizations achieve their objectives. The risk of not using IT in an appropriate way is as great or possibly greater than the risk of the existing technology failing or being penetrated.

Because of the increasingly complex business environment coupled with the growth in the use of advanced technological solutions, the management of information risks has become one of the most challenging areas within which management must operate. Conducting business, particularly at an international level, requires the demonstration of high levels of good governance. As a result of this requirement for good governance, organizations place a growing emphasis on enterprise risk management (ERM).

Enterprise risks come in a variety of forms, including operational, financial, and systemic risk. Within these, technology risk and the risk of information security failures are critical.

COSO has defined the ERM Framework as encompassing:

  • “Strategic. High-level goals, aligned with and supporting its mission

  • Operations. Effective and efficient use of its resources

  • Reporting. Reliability of reporting

  • Compliance. Compliance with applicable laws and regulations”2


As can be seen, IS plays an important role in all of these areas. As such, IS risks could be defined as:

  • Strategic. The risk that IS either developed in-house or purchased are not aligned with the organization’s goals and do not support the achievement of its mission.

  • Operations. The risk that the information systems in use by the organization impose unacceptable overheads on the organization or result in sub-optimal service levels. At the same time, the dependency of organizations on the information systems means that unavailability of those systems within appropriate timescales can also prove a major operational risk.

  • Reporting. The risk that IS cannot be relied on to produce information in an accurate, complete, and timely manner.

  • Compliance. The risk that IS, in themselves, lead to breaches of laws and regulations with a result of losses to the organization, either financial or in reputation.



The Institute of Internal Auditors (IIA) Practice Advisory 2100-6: Control and Audit Implications of E-commerce Activities highlights the challenges facing internal auditors in organizations that increasingly use IT in business operations and provides guidance as to the role and responsibilities of internal audit.

Continuous changes in technology offer the internal auditing profession both great opportunity and risk. Before attempting to provide assurance on the systems and processes, an internal auditor should understand the changes in business and information systems, the related risks, and the alignment of strategies with the enterprise’s design and market requirements. The internal auditor should review management’s strategic planning and risk assessment processes and its decisions.3

It is the responsibility of operational management to identify, assess, and manage risk. It is IS Audit’s responsibility to assist management in this process by facilitating the identification and assessment of risk and by helping management monitor how well risks are actually being managed by the business.

Many organizations do not have the resources available to identify, analyze, and control all business risks from an IS perspective. Implementing a formal risk assessment process assists by providing a consistent method for selecting high-impact risks on which to focus audit resources.

During the risk assessment, IS Auditors develop an understanding of the operation’s business in order to facilitate the identification and assessment of significant risks to and from the information systems. This assessment is then used to allocate audit resources to areas within the organization that provide executive management and the Audit Committee with the most efficient and effective level of audit coverage.

Auditors must always keep in mind that individual managers have differing attitudes toward risk. Some managers or even organizations see the acceptance of risk as fundamental to the making of profits, whereas others are highly risk-averse and consider reducing risk a fundamental component of the business. This is referred to as risk tolerance. Unless the auditor understands this concept, it is likely that management and auditors will talk at cross purposes on risk and that audit recommendations may be deemed impractical or unacceptable.

Based upon the individual risk positions adopted, companies will have many different risk mitigation interventions, such as insurance coverage, financial instruments, compliance, and internal audit functions. Management must understand that internal audit does not replace management’s responsibility to control its own risk to acceptable levels.

Risks themselves are commonly categorized based on the organization’s response, thus:

Controllable risks. Risks that exist within the processes of an organization and that are wholly in the hands of the organization to mitigate.

Uncontrollable risks. Risks that can arise externally to the organization and that cannot be directly controlled or influenced but that nevertheless call for a risk position to be taken by the organization.

Influenceable risks. Risks that arise externally to the organization but that the organization can influence.



IS Auditors are frequently expected to express an opinion on the adequacy and effectiveness of internal controls in mitigating risk. For this the auditor must gather audit evidence. Evidence may be defined as information intended to prove or support a belief. Individually, items of evidence may be flawed by a personal bias or by a potential error of measurement and each piece may be less competent than desirable so the auditor will look in total at the “body of evidence,” which should provide a factual basis for audit opinions.


Audit evidence may be classified as:

  • Sufficient. Factual, adequate and convincing such that a prudent person would reach the same conclusions as the auditor

  • Competent. Reliable and the best attainable through the use of appropriate audit techniques

  • Relevant. Supports audit findings and recommendations and is consistent with the objectives for the audit

  • Useful. Helps the organization meet its goals


Evidence, for the IS Auditor, is frequently thought of as being obtained by direct interrogation of computer data files. Although this is a common technique, evidence may also be obtained by observing conditions, interviewing people, and examining records. Such evidence is typically classified as:

Physical evidence. Generally obtained by observation of people, property, or events, and may be in the form of photographs, maps, and so on. Where the evidence is from observation, it should be supported by documented examples or, if not possible, by corroborating observation.

Testimonial evidence. May take the form of letters, statements in response to inquiries, or interviews, and is not conclusive in itself because it is only another person’s opinion. It should be supported by documentation where possible.

Documentary evidence. The most common form of audit evidence and includes letters, agreements, contracts, directives, memoranda, and other business documents. Such documented evidence may also be derived from computerized records using the appropriate audit tools and techniques. The source of the document will affect its reliability and the trust we place on it. The quality of internal control procedures will also be taken into account.

Analytical evidence. Commonly derived from computations, comparisons to standards, past operations, and similar operations. Once again, in this area, computerized tools will normally prove a highly effective aid to the auditor. Regulations and common reasoning will also produce such evidence.


It is worth noting that a common concept within the gathering of evidence, namely “materiality,” may differ among the varying types of audit. For financial auditing, materiality is generally taken to be a sum of money and is used to determine levels of significance in assessing audit evidence. From an internal audit perspective, materiality relates rather to weaknesses or failures within the internal control structures of the organization. Any evidence, however small, indicating a failure within a major control relied upon by management would be deemed significant evidence.


The auditor relies heavily on gathering evidence. This is done in a variety of ways and follows the Audit Program. The Audit Program is a set of detailed steps that the auditor will follow in order to gain the appropriate evidence and, for the IS Auditor, may well include the use of computerized techniques, although this is not always the case.

The actual program used will vary from audit to audit depending on what the auditor wishes to find out and must always include a degree of flexibility to allow for changes based on the evidence already acquired. For example, the auditor may wish to examine data files in order to determine that the printouts relied upon by management match the live data files. In such a case, the use of computer-assisted audit tools and techniques would be appropriate. In a different scenario, an auditor wishing to examine the authorization of transactions may use such tools to extract records in order to follow up on the documentary evidence, checking the original documents for authorizing signatures.
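The two test steps just described, reconciling a management printout to the live data file and extracting transactions whose authorization must be checked against the signed source documents, as a worked computer-assisted audit technique. This is an added example, not code from the source text or from any audit tool it describes; the transaction extract, the printout figures, the column names, the 10,000 approval limit and the near-threshold margin are all constructed assumptions.

```python
"""Computer-assisted audit technique (CAAT) example.

Reconciles a management printout to the live transaction file and extracts
the records an auditor would follow up against signed source documents.
Added illustration; all data, column names and thresholds are constructed
assumptions, not figures or procedures from the source text.
"""
import csv
import io
from decimal import Decimal

# Constructed extract of the live payments file (assumed column layout).
LIVE_DATA_CSV = """txn_id,date,payee,amount,prepared_by,approved_by
1001,2009-11-02,Acme Supplies,1250.00,jsmith,mjones
1002,2009-11-03,Globex Ltd,48000.00,jsmith,
1003,2009-11-03,Initech,9999.99,kbrown,kbrown
1004,2009-11-05,Acme Supplies,310.50,jsmith,mjones
1005,2009-11-06,Hooli Inc,75000.00,kbrown,mjones
"""

# Constructed figures taken from the printout management relies on: its
# control totals and the transaction ids it lists. Both are deliberately
# inconsistent with the live file so the checks below have something to find.
REPORT_TOTALS = {"count": 5, "total": Decimal("59560.49")}
REPORT_IDS = {"1001", "1002", "1003", "1004", "1006"}

# Assumed policy: payments at or above this amount need an independent approver.
APPROVAL_THRESHOLD = Decimal("10000.00")
# Amounts within this fraction below the threshold are flagged as possible
# splitting of a larger payment to stay under the approval limit.
NEAR_THRESHOLD_FACTOR = Decimal("0.95")


def load_live_data(csv_text):
    """Parse the live data extract, keeping amounts exact with Decimal."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["amount"] = Decimal(row["amount"])
        rows.append(row)
    return rows


def control_totals(records):
    """Record count and amount total, recomputed from the live file."""
    return {"count": len(records), "total": sum(r["amount"] for r in records)}


def reconcile(records, report_totals, report_ids):
    """Compare the printout's totals and contents with the live file.

    Totals alone can agree while the contents differ, so the id sets are
    compared as well as the control totals.
    """
    live = control_totals(records)
    live_ids = {r["txn_id"] for r in records}
    return {
        "count_difference": live["count"] - report_totals["count"],
        "total_difference": live["total"] - report_totals["total"],
        "in_live_not_in_report": sorted(live_ids - report_ids),
        "in_report_not_in_live": sorted(report_ids - live_ids),
    }


def extract_authorization_exceptions(records, threshold=APPROVAL_THRESHOLD):
    """Select records whose authorization must be verified on the source
    documents: unapproved, self-approved, or just under the approval limit."""
    exceptions = []
    for r in records:
        if r["amount"] < threshold:
            if r["amount"] >= threshold * NEAR_THRESHOLD_FACTOR:
                exceptions.append((r["txn_id"], "just below approval threshold"))
            continue
        if not r["approved_by"]:
            exceptions.append((r["txn_id"], "no approver recorded"))
        elif r["approved_by"] == r["prepared_by"]:
            exceptions.append((r["txn_id"], "preparer approved own transaction"))
    return exceptions


def run_audit_program():
    """Run both test steps over the constructed data, as an audit program would."""
    records = load_live_data(LIVE_DATA_CSV)
    return reconcile(records, REPORT_TOTALS, REPORT_IDS), extract_authorization_exceptions(records)


if __name__ == "__main__":
    reconciliation, exceptions = run_audit_program()
    for key, value in reconciliation.items():
        print(f"{key}: {value}")
    for txn_id, reason in exceptions:
        print(f"follow up {txn_id}: {reason}")
```

The reconciliation deliberately compares the set of transaction ids as well as the control totals, because a printout can carry the right total while listing different transactions; the extraction step produces the list of records for which the auditor then inspects the physical documents, rather than treating the data file itself as proof of authorization.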

In gathering evidence, auditors must ensure that they maintain an independent and objective attitude both in fact and in appearance. Such independence is normally taken to be in jeopardy when an auditor is charged with auditing an area for which he or she has held line responsibility within the previous year. Many auditors interpret this as meaning that they cannot be too detailed in making recommendations, because this would preclude their conducting subsequent audits owing to a perceived lack of independence and objectivity. This may indeed be the case, and both management and auditors must understand that, where detailed assistance is given in designing and implementing control structures, the auditor is functioning primarily as an internal control consultant. Subsequent auditing of these structures should be done independently of the consultant.


It must be clearly understood that the primary responsibility for the prevention and detection of all frauds, including IS frauds, rests with operational management. Nevertheless, the auditor has a role to play in assisting management to establish a control environment in which fraud is unlikely to occur and, where it does occur, will be quickly detected.

This contrasts with the approach of the forensic auditor, whose primary obligation is the resolution of fraud with evidence sufficient to prove or disprove the allegations. Forensic auditors must presume that every case will eventually end up in litigation, and the quality of the evidence gathered must take this into account.

Trends and Pressures in the Health Care Industry

In the European region, as in the rest of the world, health systems and services are undergoing a major transformation as a consequence of changes in age structure, social imbalance, the rise of unhealthy lifestyles and new diseases. Fundamental differences between countries, and especially between Western and Eastern European countries and their health problems, have emerged. The EU published a report on the state of health in 1996 (The State of Health in the European Community, 1996) which identified a few main features in the development of the EU population: fewer children, more older people, longer lives, and persistent differences between countries and regions. The difference in life expectancy between Western and Eastern European countries was highlighted in that report, as well as in the European Health Report 2002 of the World Health Organization (WHO) (The European Health Report, 2002). The share of the population living below the poverty line differs considerably between these countries. Poverty clearly increases the burden of communicable diseases (HIV/AIDS, tuberculosis) in Eastern Europe. In Western Europe, non-communicable diseases (e.g., cardiovascular diseases, cancer, neuropsychiatric disorders, overweight) account for about 75% of the burden of ill health and constitute a "pan-European epidemic". Alongside the concept of the Digital Divide (Compaine, 2001; Norris, 2001), we can therefore also speak of a "Health Divide".


In the Communication on the development of Public Health Policy (OECD, 2003) EU has defined the following challenges facing the Member States: "Health care systems in the Member States are subject to conflicting pressures. Rising costs due to demographic factors, new technologies and increased public expectations are pulling in one direction. System reforms, greater efficiencies and increased competition are pulling in another. Member States must manage these conflicting pressures without losing sight of the importance of health to people's well-being and the economic importance of the health systems."

This Communication points out several important challenges, but from an economic perspective, rising costs and the economic importance of the health system are especially interesting. Further, in its discussion of technological and other supply-driven developments, the Communication raises management issues: "Computerisation and networking, including the implementation of health care telematics, may help reduce health costs, particularly in relation to the management of health care."

The increasing costs have driven countries to develop and find new solutions for organizing their health care while still retaining high standards and availability. Reorganized functions and processes, new strategies, information systems and management issues play an important role in this effort. WHO has identified four trends in the organization of health services in Europe (The European Health Report, 2002):

·         Countries are striving for a better balance between sustainability and solidarity in financing. Especially in the Western countries, solidarity is kept at a relatively high level.

·         There is an increasing trend towards strategic purchasing as a way of allocating resources to providers so as to maximize health gain. Examples are:

o        Separating provider and purchaser functions,

o        Moving from passive reimbursement to proactive purchasing,

o        Selecting providers according to their cost-effectiveness,

o        Basing effective purchasing on contracting mechanisms and performance-based payment.

·         Countries are adopting updated or new strategies more aggressively to improve efficiency in health service delivery.

·         Effective stewardship is proving central to the success of health system reform. This role (health policy, leadership, appropriate regulation, effective intelligence) is usually played by governments, but it can also involve other bodies such as professional organizations.


Issues like financing problems, management strategies, provider-purchaser models and professional economic management are not concepts that have received very close attention in health care. Their late adoption means that health care organizations are still at a relatively early stage in learning to internalize them. The push for adoption is mostly the result of a serious economic recession in the 1990s, which forced public organizations — including health care — to consider issues like effectiveness. Before that, health care by no means wasted money or resources, but they were not as scarce as they are today.

In the business environment, effectiveness has been a central mantra for decades; for the most part, therefore, these concepts were adopted from there. However, the business environment is quite different in many ways, which does not make the adoption any easier. The differences can be seen to originate already in the research paradigms, which differ between, e.g., medicine and business economics. The paradigms influence education and, through it, the professions; they are therefore deeply rooted in organizations and difficult to change (Turunen, 2001).

Although it is partly a consequence of the demand for effectiveness, the increased use of information and communication technology can be seen as a trend in its own right. In health care, several trends and visions about the increased use of ICT can be observed. Since the use of ICT started almost from scratch in the early 1990s, it has increased exponentially.

One of the most visible and effective trends has been the introduction of electronic patient record (EPR) systems, which are widely in use today. For example, in Finland about 63% of public health care organizations use EPRs, and the number is increasing rapidly. The use of electronic records has several advantages, such as easier and faster access to customer information; information is available in real time, and thus its reliability is better. However, most of the advantages have most likely not yet been achieved. For example, even where the implementation of a system is successful, organizations have mostly failed to renew the processes that the new systems enable and require in order to become effective. Another nation-wide attempt in Finland is to integrate the local systems into one nation-wide system where patient information is available to the clinician regardless of time or place.

Another interesting trend caused by the increase in electronic health information is the use of the Internet. Health information is one of the most frequently sought topics on the Internet, sought by more than 40% of all Internet users; it is second in popularity after pornography (Nicholas, Huntington, Williams, & Jordan, 2002). The increased use of the Internet has also raised the question of the reliability of the information acquired. Reliability also concerns the electronic systems in health care organizations. Along with the increased use of electronic health information, the number of organizations assessing that information has also increased. Organizations like the Health on the Net Foundation (HON) assess information on the Internet. A national and international example is the Finnish organization FinOHTA, which supports and coordinates health care technology assessment and distributes both national and international assessment results within the health care system (Järvelin, 2002).

The Internet has also advanced the use of different types of call, contact and communication centres. These are established in an attempt to concentrate some services in one place, usually including phone or Internet contact. Centralizing certain services in one place should benefit both the patient, who can contact a single place to get service, and the organization, which can offer information by phone or over the Internet and thus avoid unnecessary visits to doctors or nurses. One of the best-known examples of these services is the one offered in the UK by the NHS (NHS Direct Online).

A current trend in health care technology is the use of mobile technology for communication between the patient and the clinician. Sending and receiving information through a mobile phone is, however, still quite clumsy, and the benefits of its use are not yet fully proven. Wireless communication is nevertheless in use, e.g., in hospitals and health centres where doctors use portable computers on their daily visits to the wards to access patient health records online.

There are several other trends and visions about the use of ICT in health care (such as the use of digital images) which are not discussed here (Table 2). However, the basis for the use of ICT seems to be an integrated database, such as an EPR, in which all the information about a single patient is integrated so that it is available to clinicians in their decision-making regardless of time or location. The EPRs in use today are not yet able to offer all the required information from one application.

Table 2: Summary of Trends in the Health Care Industry

·         The gap between the rich and poor countries, the "Health Divide", is even growing 

·         Increasing costs and increased economic importance of the health care system 

·         Demographic pressures to the health care system 

·         Increased expectations of the public 

·         New technologies offering solutions and pressures too 

·         Health care must happen in an environment valuing solidarity and sustainable environment 

·         Outsourcing health care functions from the public sector might be a solution 

·         Strategic planning is increasingly taking place 

·         Effective stewardship is of central importance 

·         Thinking patterns and paradigms in business management and health care are integrating in the health care sector 

·         Application of modern ICT is increasing fast 

·         The Internet offers new functionalities for the health care sector 

·         Several electronic means are used for communication between patients and health care staff 

However, two trends or visions are certain. First, the pressure for more effective organizations in health care is not going to diminish over the next few decades, and new solutions, forms of organization and methods will have to be sought. Second, now that the health care industry has got off the ground in using ICT, it is not going to reduce that use; therefore the development of new technology for health care is going to accelerate (as in most other industries too), and governance structures and management issues are going to play ever-increasing roles in the effort to obtain all the benefits from it.

Tools for Analyzing Governance Structures in the Healthcare Industry

In this section, we briefly discuss three disciplines for studying governance structures. They are handpicked and certainly do not cover all the possibilities for analyzing governance structures. The first and most classic is that of transaction costs. Agency cost concepts are closely linked to those in transaction cost analysis. Another established concept is that of the value chain. Finally, trust as an element in governance structures is briefly touched upon.


Transaction Costs

The transaction cost approach (TCA) is founded upon the following assumptions (Williamson, 1985):


·         The transaction is the basic unit of analysis.


·         Any problem that can be posed directly or indirectly as a contracting problem is usefully investigated in transaction cost economizing terms.


·         Transaction cost economics are realized by assigning transactions (which differ in their attributes) to governance structures (which are the organizational frameworks within which the integrity of contractual relation is decided) in a discriminating way. Accordingly:


o        the defining attributes of transactions need to be identified,


o        the incentive and adaptive attributes of alternative governance structures need to be described.


·         Although marginal analysis is sometimes employed, implementing transaction cost economics mainly involves a comparative institutional assessment of discrete institutional alternatives — of which classical market contracting is located at one extreme; centralized, hierarchical organization is located at the other; and mixed modes of firm and market organization are located in between.


·         Any attempt to deal seriously with the study of economic organization must come to terms with the combined ramifications of bounded rationality in conjunction with a condition of asset specificity.


A very central concept is that of a transaction cost. Transaction is a difficult concept that materializes on several levels (Figure 2). First, each transaction has its exchange object(s), the actors performing the transaction, and some channel(s) through which the transaction is performed. These offer the basic ramifications for any transaction and its associated transaction costs. In general, transactions tend to be more fluent the better the channel for them is and the more voluminous they are. In the literature, the main conceptual reasons for transaction costs are asset specificity, complexity of product description, bounded rationality and opportunistic behaviour. From the concepts there is still a long way to the actual measurement of transaction costs, which is a difficult task.
Figure 2: A Tri-Level Transaction Cost Framework

The basic distinction of TCA among different organizational forms is the distinction between markets and hierarchies (Coase, 1937), which are forms of economic organizations. Given the division of labor, economic organizations control and coordinate human activities.

A market is an assemblage of persons which tries to arrange the exchange of property, where prices serve as both coordinating guides and incentives to producers in affecting what and how much they produce — as well as the amount they demand. At the equilibrium free-market price, the amounts produced equal the amounts demanded — without a central omniscient authority (Alchian & Allen, 1977).

In a hierarchy (firm) market transactions are eliminated and in place of the market structure with exchange transactions we find the entrepreneur-coordinator, the authority who directs production (Coase, 1937).

In addition to these two basic forms of organizational design, research on the subject has produced several sub-forms of organizations.

In the early days of transaction cost approach, the focus was mostly on hierarchies, as this was the dominant governance structure. An example of this focus is A.D. Chandler's division of hierarchies into multidivisional and unidivisional structures (Chandler, 1966).

The most important of the current developments of organization forms is the concept of groups or clans by Ouchi (1980). He breaks down hierarchies into bureaucracies and clans. These two organizational forms differ in their congruence of goals. Clans have a higher goal congruence than bureaucracies, and thus are further along in their attempt to eliminate transaction costs.

Cooperative behavior among firms is the root of many success stories of today's management (Jarillo, 1988). Like many other authors, he calls for a generally accepted framework for the study of inter-organizational systems. His contribution to the framework formulation is the concept of a strategic network. In discussing markets and hierarchies, he further divides markets into two segments, the segments of "classic market" and "strategic network". The difference between these two concepts lies in how transactions are organized: they can be based on competition or on cooperation, respectively.

Thomas Malone introduces several other organizational designs. He studies organizational forms and their effects on production, coordination, and vulnerability costs. Focusing on the internal organization of a firm, he introduces the following organizational designs (Malone, 1987):

·         product hierarchy,


·         decentralized market,


·         centralized market,


·         functional hierarchy.


In a product hierarchy, divisions are formed along product lines. In a functional hierarchy, similar processors are pooled in functional departments and shared among participants. In the realm of decentralized markets, different kinds of processors can be freely acquired from the market: processors supplied by different organizational units can be freely interchanged. In the case of centralized markets, freedom to choose remains but all processors must be collected from the same place.

We can further differentiate between six types of transaction costs (Casson, 1982):

·         information costs,


·         costs caused by requirement analysis,


·         costs caused by negotiating,


·         costs caused by initiating the transaction,


·         costs caused by monitoring the transaction,


·         costs caused by making the transaction legal.


The Value Chain

One of the most established governance structure concepts is that of the value chain as presented in Porter (1985). Since then the concept has been widely used, but it has also attracted a lot of criticism for its simplicity. The basic idea of the value chain is a one-directional flow of material and information in a production process. The value chain emphasizes the resources needed for production, but does not mention information or information systems, at least not explicitly. Analysis of the flows of information, money and physical goods is a key task in understanding any exchange transaction.


The strength of the value chain is its simplicity. It paved the way to the thinking that organizations should concentrate on the main value-adding activities, later called core competencies. The weakness of the value chain lies in its one-direction flow of activities. The value chain is unable to explain complicated market-based interactions, not to speak of modern virtual organizations.

The value chain helps individual participants in exchange relationships to understand their place in the totality. It focuses attention strongly on the value-adding elements of any exchange relationship, at the cost of less attention to those traits that do not add value to the exchange relationship.

Trust

Trust is a general concept usable in all human activity. It is present in some way, most visibly when absent, in all exchange relationships. We can define it as a one- or two-directional relationship between a human and a system, which according to Checkland (1981) can be one of the following:


·         Natural system, including human,


·         Designed activity system,


·         Designed abstract system,


·         Designed technical system,


·         Transcendental system.


With the first two, the Trust relationship can materialize in two directions: you can trust a natural system and a designed activity system, and they can trust you. Trust might be defined as an individualistic feature of human relations. Even where Trust exists as interorganizational Trust, de facto it is Trust between those organizations' managers and their staff consultants. Here we would like to refer to Berger (1991): "The most important experience of others takes place in the face-to-face situation, which is the prototypical case of social interaction. All the other cases are derivatives of it."

In transaction cost economics, Trust is not a key concept. However, the discipline puts emphasis on at least two dysfunctional phenomena that exist in a transaction if Trust is absent: opportunism and moral hazard.

In this connection, Trust is a key element in the fight against transaction costs. As Thompson (1967) states: "Information technology belongs to those technologies, like the telephone and money itself, which reduce the cost of organizing by making exchanges more efficient." We might add: "Trust belongs to those technologies, like the telephone, information technology and money itself, which reduce the cost of organizing by making exchanges more efficient."

We summarize the basic conceptual tools usable for studying governance structures in Table 1.

Table 1: Conceptual Tools Offered by Different Disciplines to the Analysis of Governance Structures

The transaction cost approach 

·         Transaction as a unit of analysis 

·         Basic governance structures: markets and hierarchies 

·         Transaction costs and economising them 

The value chain model 

·         The value chain, the individual exchange relationship as a part of a totality 

·         Flows of information, money and physical goods 

·         Value-adding activities 

Trust 

·         One- or two-directional relationship 

·         Inter-personal and inter-organizational trust 

·         Trust as an eliminator of transaction costs 

Governance Factors for IT Suppliers

Adequate Contract and Account Management

Contract and account management make up the front office of the IT supplier and are denoted as the "customer outsourcing interface" by MacFarland and Nolan (1995). It is important in this regard to make a clear distinction between contract management and account management, because there is a big difference between the primary tasks performed by an account manager and those performed by a contract manager (Beulen, 2000).


Contract management is responsible for the operational management of the relationship and therefore the direction of the service delivery processes. Contract management is therefore focused on the effectiveness and efficiency of the agreed upon contractual commitments.

Account management is responsible for maintaining the relationship with the outsourcing organization (Holden, 1990) and is focused on obtaining an extension of existing contracts and on expanding the services provided through means of new contracts. This requires the account manager to understand both new business developments and technological developments.
Expert 4: "An anecdotal example: an outsourcing organization was getting desktop hardware from supplier X. At the time they were also talking with this supplier about the use of Lotus Notes, which was going to be used to perform business processes, which is a very different way of working. Now one contract is a hardware acquisition commodity contract, while the other is very innovative and very collaborative and involves how a product is going to be used as part of the business. They <the outsourcing organization> had enormous difficulties in persuading the account manager to cooperate, because this account manager used to work in a commodity environment, and he simply didn't understand what they were talking about. They got him moved before they could get any sense out of supplier X, because he was blocking the line of communication to this supplier." 

Expert 1 indicates that particularly smaller outsourcing contracts, with a value of less than U.S.$5 million, combine different functions, because the scope of these contracts does not warrant the involvement of two different contracting officers. For the case studies analyzed here, this is indeed so for case studies 6 and 9, but not for case study 8. The explanation for the latter is likely that the size of this contract was decreased after it was signed. 

Adequate Service Delivery Processes

The existence of adequate service delivery processes is considered a "core capability" by Feeny (1997b): "delivery of IS services", or, using Mintzberg's (1979) terminology, the "operating core". When the service delivery processes are set up, it is essential to distinguish between the IT supplier's business units that are involved in delivering the IT services contractually agreed upon with the IT supplier's customers (the so-called service delivery units) and the IT supplier's business units that are involved in researching the potential of new technological developments and are responsible for building up knowledge about these new technologies (the so-called competence centers) (Cash, McFarlan, & McKenney, 1988; Markus, 1996). The service delivery units must be assessed in terms of their degree of effectiveness and efficiency and are directly controlled by the contract managers responsible for the contracts signed with the outsourcing organization. It is important in this regard that the service delivery units use a standardized methodology for delivering their services. For this purpose, IT suppliers could make use of methodologies such as ITIL (CCTA, 1993) for setting up the management organization, and CMM for software development (Paulk, Curtis, Chrisses, & Weber, 1993). These industry standards help ensure uniformity, which is certainly essential when multiple IT suppliers are involved. 
Contract manager, Firm 3: "A portion of the software is developed in India. We use a software development process, which is CMM Level 5 certified. This certification was the deciding factor for company X to select us as their supplier. This certification only carries advantages with it for performing our activities. Because of the certification our processes have been set up such that the quality of our services is high and that we are able to work efficiently." 

The competence centers are directed by the IT supplier's general management and fall within Mintzberg's (1979) so-called "technostructure". New technologies are researched on the basis of proposals and projects. Feeny refers to this as "making the technology work" (Feeny & Willcocks, 1997c). It is evident that it is more difficult to measure the output of a competence center than the results produced by a service delivery unit. An important factor here is the development of an innovative capability. The competence centers develop the IT services of the future.
Account Manager, Firm 11: "I maintain intensive contacts with the managers of the competence centers. I very much want to discuss the innovative things that are being developed there, with my customers. However, it is the service delivery units that deliver the actual services when a contract is signed." 

The Availability of Human Resources to IT Suppliers

From the mid-90s to the year 2000, the shortage of IT professionals was seen as a factor that would limit the growth of the IT services industry (Kitzis, 1998). Due to economic developments, this shortage in the labor market has decreased (Hirschheim & Lacity, 2000). In spite of this, IT suppliers must continue to pay attention to the availability of IT professionals for delivering their IT services. A staff disposition plan involves grouping all IT professionals into expertise groupings on the basis of their current expertise. Based on the IT services projected to be delivered in the future, a plan is prepared for updating the current expertise groupings. Three factors play a role in this plan: staff turnover, training and recruitment. By preparing a staff disposition plan, it becomes possible to ensure that the required IT services can continue to be delivered in the future (Outsourcing Transition Management, 1996; Young & Cournoyer, 2000). 
Contract Manager, Firm 2: "Due to the migration from a mainframe environment to a client server environment, I required IT professionals with a completely different skill set. The mainframe experts were phased out on the basis of a staff disposition plan. They are now working for customers who are still using mainframe technology. I obtained access to a team that had worked for another one of our customers to provide the new services. I complemented this team with three recruited trainees and an experienced service manager from the responsible service delivery unit. Unfortunately the contract was not extended. However, these IT professionals were able to find employment with my customer." 

Key Issues in IT Management

IT functions face many challenges in today's rapidly changing environment. One approach to understanding these challenges is to survey CIOs to elicit what they consider to be the key issues. The purpose of such studies is to determine the IT management issues expected to be most important over the next three to five years and thus most deserving of time and resource investments.


A survey was conducted among CIOs in Norway, and their average ranking of key issues in IT management is listed in Figure 7.

Rank  Key Issue in IT Management                                                  Score  M/T  P/C  E/I
1     Improving links between information systems strategy and business strategy   3.28  M    P    E
2     Planning information technology projects for competitive advantage           2.00
3     Improving interorganizational information systems planning                   1.05
4     Developing and implementing an information architecture                      1.02
5     Controlling a responsive information technology infrastructure               1.02
6     Recruiting and developing IS human resources                                 0.90
7     Assuring software quality                                                    0.86
8     Ensuring quality with information systems                                    0.36
9     Reducing IT projects completion time                                         0.34
10    Making effective use of data and information systems resource                0.31
11    Measuring benefits from information technology applications                  0.16
12    Managing Internet applications                                              -0.02
13    Managing application architecture planning                                  -0.10
14    Improving control, security and recovery capabilities                       -0.21
15    Improving computer operations planning                                      -0.21
16    Implementing and managing knowledge work systems                            -0.34  T    C    E
17    Improving information technology infrastructure planning                    -0.47
18    Planning information technology for electronic commerce                     -0.78
19    Improving software engineering practices                                    -1.00
20    Implementing information technology for electronic commerce                 -1.10
21    Improving availability of national and international networks               -1.41
22    Managing the technical foundation of information systems                    -1.67
23    Managing and controlling end-user computing                                 -1.78
24    Scanning emerging technologies                                              -2.21

(The M/T, P/C and E/I classifications are given in the text only for the issues ranked 1 and 16; the remaining cells were not recoverable.)

Figure 7: Key Issues Ranking in Norway

Improving links between information systems strategy and business strategy was ranked as the most important key issue in IT management in Norway. We have seen how these links can be improved using the Y model and by measuring strategic integration.

Implementing and managing knowledge work systems was ranked only sixteenth. That may seem surprising. However, in a separate investigation in knowledge-intensive firms such as law firms, this key issue was ranked sixth.

In Figure 7, scores are listed in a separate column. The scale went from great importance (+4) to little importance (-4). Improving links between information systems strategy and business strategy had an average score of 3.28.

In Figure 7, key issues are classified according to the following dimensions:

  • Management (M) versus technology (T). 

  • Planning (P) versus control (C). 

  • External (E) versus internal (I). 

Improving links between information systems strategy and business strategy is classified as M, P, and E. Improving links is a management task, the task is conducted through planning, and the issue covers more than the IT function. External means external to the IT function, while internal means an issue that is mainly solved within the IT function. Brancheau et al. (1996, p. 233) stressed the importance of alignment:

"The importance of aligning long-range IS plans with strategic business plans has always been high. Rapidly changing business environments, increased involvement of end users, and accelerated technology change make this difficult. Shorter planning cycles require a great deal of flexibility in any plan." 

Implementing and managing knowledge work systems is classified as T, C, and E. It is a technology issue, it is a matter of carrying out (control) rather than planning, and it is to be implemented in the organization beyond the IT function.

At the top of the list we find two issues that are M, P, and E. This implies that CIOs in Norway currently struggle with management issues that involve planning and that cannot be solved within the IT function.

Key issues in IT management surveys have been conducted for some years in many nations and regions. Most surveys have used the so-called Delphi method, while the results in Figure 7 are based on the so-called Q Method as presented in the appendix. Key issues studies are of interest to many stakeholders (Niederman et al., 1991, p. 476):
"Vendors can use this information to develop and market products and services. Professional societies can use this information to plan conferences and seminars as well as disseminate knowledge through their publications. Consultants can use this information to help accelerate the transfer of technology and management skills among their clients. Educators can use this information to develop programs and place their graduates. Finally, researchers can use this information to guide their inquiry and improve understanding of critical managerial issues. Thus, the entire IS community needs to be aware of the issues that are judged to be of critical concern by its leading practitioners." 


Figure 7 gives a static picture of key issues as it ranks key issues at a specific point in time. Over time, key issues change. Some key issues become more important and some issues become less important. Reduced importance can occur when the issue is becoming solved or when an issue is less relevant than before. The Year 2000 issue is an example, where this issue was extremely important in 1999, but lost its importance after the beginning of the new millennium.

In the US, key issues studies have been conducted several times, enabling comparison of key issues in a time perspective. In 1986, 'improving strategic IS planning' was ranked first. In 1989, this issue had dropped to third rank, and in 1994, this issue had dropped to tenth rank. An interpretation of this result is that strategic IS/IT planning became quite successful in the early 1990s. However, the formulation of the issue is limited to strategic IS planning; it does not cover links between information systems planning and business strategy.

In the same time frame, information architecture rose from eighth rank in 1986 to first rank in 1989 in the US, and then dropped again to fourth rank. In 1994 the issue of infrastructure was at the first rank, climbing from sixth rank in 1989. In 1986, the issue of infrastructure was nonexistent on the key issues list. Brancheau et al. (1996, p. 229) discussed the importance of infrastructure based on the top ranking in 1994:
"Building a technology infrastructure that supports existing applications while remaining responsive to change is a key to long-term enterprise productivity. This task is made difficult by the continuing rapid changes in infrastructure technology and the increasing breadth and depth of applications needing support. More than any other, this issue captures an important contemporary thrust of enterprise IS management: providing the processor power, network connectivity, and application framework required to support core business activities and unknown future ventures." 

Key issues studies can be done at the national and regional level. They can also be done within a firm. By surveying people in the firm, it is possible to obtain a ranking that is shared by employees and management. When the dimensions of M/T, P/C, and E/I are used, such surveys can guide management on whether to focus on management or technology, planning or control, and external or internal matters in solving the firm's challenges in information technology management.

Ranking of key issues can also be useful as a communication tool for top management and IT management. Often, top management can have a different agenda and different opinions about IT in the organization than IT management. One way of making different opinions visible is to let both top management and IT management produce ranking lists. A comparison of the two lists can spark communication and enable clarification, so that top and IT management have the same priorities in the future.
