Information technology (IT) has a tremendous impact on the discipline of accounting by introducing new ways of retrieving and processing information about performance deviations and control effectiveness. This paper explores the role of IT for managing organizational controls by analyzing value drivers for particular accounting information systems that commonly run under the label of Governance, Risk Management, and Compliance (GRC IS). We apply a grounded theory approach to structure the value drivers of GRC IS into a research framework. In order to understand the impact of IT, we relate the GRC IS value drivers to control theories. Practical implications include understanding GRC IS benefits beyond compliance and providing clear strategic reasoning for GRC IS depending on the individual company’s situation. Research implications include the fact that integrating IT into the context of accounting leaves several unsolved yet promising issues in theory which future research might address. This paper is the first to use the lens of organizational control theories on Governance, Risk Management, and Compliance information systems and establishes a potentially fruitful research agenda for GRC IS as a highly relevant topic for information systems research.
This research will be presented at ECIS 2011: Wiesche, M., Schermann, M., and Krcmar, H. 2011. “Exploring the Contribution of Information Technology to Governance, Risk, and Compliance (Grc) Initiatives,” in: 19th European Conference on Information Systems (ECIS). Helsinki, Finland. You can access the article here.
On Tuesday we presented our latest research paper “Questioning the need for separate IT risk management frameworks” at the Informatik 2010 Conference in Leipzig, Germany. The paper challenges the use of IT risk management frameworks such as ISO/IEC 27005 and ISACA Risk IT that are to be employed in parallel to an organisation’s enterprise risk management activities. Instead we suggest enhancing ERM frameworks with IT specifics and using the resulting framework for IT risk. That way the organisation-wide use of synergies is more likely, and a common understanding of risk management activities is furthered.
In our study, a mapping of ISACA Risk IT processes to COSO ERM processes showed that the Risk IT framework does not add value; it does not treat IT specifics in a way that would surpass the contents of COSO ERM. The presentation can be downloaded from http://www.grc-resource.com/resources/informatik2010_presentation.pdf.
At the Ninth International Baltic Conference for Databases and Information Systems in Riga last month we presented our latest publication. ISO/IEC 38500, COSO ERM and a compliance process model were merged in a process model for integrated IT GRC management. The conceptual paper describes the selection of standards and best practices, their touching points, the two-fold relation of IT governance to IT risk management and IT compliance, and finally the integrated IT GRC management process model:
The whole paper was published as:
Racz, N., Weippl, E. & Seufert, A. (2010): A process model for integrated IT governance, risk, and compliance management. In: J. Barzdins & M. Kirikova (eds.), Databases and Information Systems. Proceedings of the Ninth International Baltic Conference, Baltic DB&IS 2010, pp. 155-170.
Finally the research community is starting to consider the integrated approach to GRC. The Munich University of Technology organises the workshop “Risk Management, Compliance and Governance for resilient Information Systems” as part of the “Informatik 2010” conference next autumn. Papers can be submitted until April 25.
The purpose of the workshop is to introduce and discuss current research trends in the fields of IT risk management, IT compliance, and IT governance. Furthermore, it aims at identifying starting points for methods and tools needed for the development and operation of resilient information systems. The workshop addresses researchers and practitioners with academic interests in the fields of risk management, compliance, and governance.
More information can be found here: http://grc.winfobase.de