Communications of the Association for Information Systems


In the past, IT was only marginally affected by regulatory matters. Today, however, IT is in the middle of a whirlwind of corporate governance reforms. New standards for internal controls are affecting almost every aspect of IT work. These, in turn, have significant implications for how IT is managed and for IT costs and productivity. For example, many IT organizations have been so involved in developing and implementing Sarbanes-Oxley (SOX) procedures that very little has actually been accomplished for the business itself. This paper explores how new compliance frameworks and governance reforms, mandated by governments and/or industry groups, are changing IT work. It examines what IT managers perceive to be the most significant issues these reforms present to IT in their particular organizations. This paper is not designed to provide detailed information about IT controls and how to achieve them. Instead, it is intended to be a general introduction to the changing expectations of IT and how these are affecting IT work, structure and governance. It looks at the new effects regulatory issues are having in IT, and then examines the key issues IT managers face in an increasingly regulated environment. Next, it identifies the key areas within IT that are affected and the types of activities that need to be addressed by managers in order to achieve effective controls. Finally, some recommended good practices are presented. The authors conclude that there is no question that new laws and regulations governing organizations, their finances and their information are having a huge impact on IT. IT managers are struggling to implement new controls and document existing ones, while still ensuring business as usual and trying to develop the new systems their companies need. The world is requiring IT to become thoroughly professional about what it does. The IT of the future will therefore of necessity be increasingly controlled, standardized and bureaucratized. It remains to be seen whether or not management will be able to use this "new and improved" IT for competitive advantage.