A holistic approach to information technology project ...

G13F

A HOLISTIC APPROACH TO INFORMATION TECHNOLOGY

PROJECT MANAGEMENT AUDITING

by

JOHN NYABADI MUKENDI

809813571

DISSERTATION

Submitted in fulfilment for the requirements for the degree

MAGISTER TECHNOLOGIAE

in

INFORMATION TECHNOLOGY

FACULTY OF MANAGEMENT

at the

UNIVERSITY OF JOHANNESBURG

Supervisor: Dr. Carl Marnewick

AUGUST 2012

ii

ABSTRACT

Increasingly, more now than before, the corporate world has been paying more attention to

the prominent topic of “governance”. The absence of governance in an organisation or

ineffective governance has become synonymous with all that is wrong. It is regarded to be the

root cause of all evils – not only in the corporate environment, but also in society. Following

corporate scandals of recent years that have exposed corporate malpractices and

mismanagement, corporate governance is increasingly being recognised worldwide as a best

practice and an effective mechanism that not only promotes corporate efficiency,

competitiveness and sustainability, but is also a tool for combating corporate corruption. The

audit function is considered one of the main supporting pillars of corporate governance, as it

plays an important role in helping management attain its business goals and strategic

objectives. This is realised through a systematic and disciplined approach to evaluating and

improving the effectiveness of the organisation’s system of internal control, risk management

and governance processes. The failure of the audit function is said to have been one of the

critical contributors to recent global corporate scandals. Robust auditing is believed to be the

cornerstone of modern corporate governance. The use of auditing in project management

processes increases the probability of project success. Using corporate governance as a best

practice and audit as one of its sub-sets, this research study deals with the topical issue of

failures in Information Technology (IT) projects. The study strives to address this problem by

adopting a holistic approach to IT project management auditing that includes corporate

governance principles over and above the traditional principles and processes for auditing IT

projects. Over the past 15 to 20 years, the rate of failure of IT projects has changed little in

continual surveys, showing that more than half of all IT projects overrun their schedules and

budgets. This situation has continued in spite of new technologies, innovative methods, tools

and different management methods. Although most organisations heavily rely on IT-enabled

projects for competitive advantage, it is estimated that worldwide over $6.2 trillion is being

wasted annually on IT project failures. One of the reasons for this situation has allegedly been

the failure of project governance. Thus, the importance and added value of this research study

lies in adopting a holistic approach to IT project management auditing. The study involves

corporations and not government agencies or other institutions. The study adopts a qualitative

research approach and uses semi-structured face-to-face interviews as the primary method for

data collection. It is intended that this study fills a gap in the research literature on the topic.

iii

ACKNOWLEDGEMENT

THIS WORK IS DEDICATED TO MY FAMILY

I would like to use this opportunity to thank all the people who contributed in whatever way

in making this research undertaking a reality. My special thanks to: Mioya Moto Su Mahikari Ohomikami Sama, Almighty Creator God, for being my source

of inspiration and strength. Without your help and support I would not have made it.

Thank you very much. My wife Blandine, my children, Yudy, Jessica, Gracia, and grandson David for your

patience and sacrifices. My supervisor, Dr. Carl Marnewick, for always being there, even when I came close to

giving up. The language editor, Yvonne Smuts, for re-editing my dissertation within very tight

deadlines.

All participants in the interviews, for your time, availability and contribution.

My sponsors and work colleagues, Stephen Olivier and Janine Nel, for your support and

trust.

All Yokoshi friends, for your support and encouragement.

iv

v

TABLE OF CONTENTS

CHAPTER 1: INFORMATION TECHNOLOGY PROJECT MANAGEMENT

AUDITING ...................................................................................................................... 1

1.1 OVERVIEW .................................................................................................................... 1

1.2 BACKGROUND ............................................................................................................. 2

1.3 PROBLEM STATEMENT AND RESEARCH QUESTION ......................................... 4

1.4 RESEARCH OBJECTIVES ............................................................................................ 5

1.5 DISSERTATION SCOPE ................................................................................................ 5

1.6 DISSERTATION ORGANISATION .............................................................................. 5

CHAPTER 2: LITERATURE REVIEW: CORPORATE GOVERNANCE PRINCIPLES ..... 7

2.1 INTRODUCTION ........................................................................................................... 7

2.2 GOVERNANCE .............................................................................................................. 8

2.3 CORPORATE GOVERNANCE ................................................................................... 11

2.3.1 System of internal control .................................................................................. 18

2.3.2 IT governance ..................................................................................................... 21

2.3.2.1 IT governance frameworks .................................................................... 24

2.3.2.2 IT governance standards ........................................................................ 26

2.3.3 IT project governance and IT project management ........................................... 28

2.3.3.1 Standards for managing individual projects ....................................................... 31

2.3.3.2 Standards for enterprise project management .................................................... 32

2.3.4 Internal audit ...................................................................................................... 42

2.3.4.1 IT project audit ...................................................................................... 44

2.4 SUMMARY ................................................................................................................... 49

CHAPTER 3: RESEARCH DESIGN ..................................................................................... 50

3.1 INTRODUCTION ......................................................................................................... 50

vi

3.2 RESEARCH QUESTIONS ............................................................................................ 51

3.3 RESEARCH APPROACH ........................................................................................... 51

3.4 QUALITATIVE RESEARCH METHODS .................................................................. 56

3.5 RESEARCH DATA COLLECTION PROCESS .......................................................... 59

3.5.1 Sampling ............................................................................................................. 60

3.5.2 Instruments for data collection ........................................................................... 61

3.5.3 Ethical considerations ........................................................................................ 61

3.5.4 Interview process ................................................................................................ 62

3.6 RESEARCH DATA ANALYSIS .................................................................................. 64

3.7 SUMMARY ................................................................................................................... 65

CHAPTER 4: DATA ANALYSIS .......................................................................................... 67

4.1 INTRODUCTION ......................................................................................................... 67

4.2 DATA COLLECTION PROCESS ................................................................................ 67

4.3 DATA ANALYSIS PROCESS ..................................................................................... 69

4.3.1 Data preparation process .................................................................................... 69

4.3.2 Data coding process ........................................................................................... 70

4.3.2.1 Qualitative data analysis software ......................................................... 70

4.3.2.2 Qualitative data coding and approaches ................................................ 73

4.4 DATA INTERPRETATION PROCESS ........................................................................ 76

4.4.1 Understanding the concept of corporate governance ......................................... 77

4.4.1.1 Data interpretation ................................................................................. 78

4.4.2 Understanding the concept of IT governance .................................................... 79


4.4.3 Understanding the concept of project governance ............................................. 81


4.4.4 IT project critical success factors………………………………………… ....... 83

vii


4.4.5 Corporate governance principles applicable to portfolio, programme and

project offices ..................................................................................................... 87


4.4.6 The impact of using corporate governance principles in project

management ....................................................................................................... 89


4.4.7 The impact of corporate governance principles on project success ................... 92


4.4.8 Project monitoring mechanisms in place for attaining project objectives ......... 94


4.4.9 Understanding the concept of project audit ........................................................ 97


4.4.10 Process followed during project audits .............................................................. 99

4.4.10.1 Data interpretation ............................................................................. 102

4.4.11 Project audit triggers ........................................................................................ 102


4.4.12 Elements used during project audit .................................................................. 105


4.4.13 Corporate governance principles that can be included in project audits .......... 108


4.4.14 Can corporate governance principles be used to measure project success? ..... 111


4.4.15 Project audit approach for positive impact on project success ......................... 113


4.5 SUMMARY ................................................................................................................. 117

viii

CHAPTER 5: KEY FINDINGS AND CONCLUSIONS ..................................................... 119

5.1 INTRODUCTION ....................................................................................................... 119

5.2 OVERVIEW OF CHAPTERS ..................................................................................... 120

5.3 KEY FINDINGS .......................................................................................................... 122

5.4 CONCLUSIONS .......................................................................................................... 124

5.5 LIMITATIONS ............................................................................................................ 125

5.6 FUTURE RESEARCH ................................................................................................ 125

5.7 LESSONS LEARNED ................................................................................................. 126

REFERENCES ...................................................................................................................... 127

APPENDIX A ....................................................................................................................... 139

APPENDIX B ........................................................................................................................ 141

APPENDIX C ........................................................................................................................ 144

ix

LISTS OF FIGURES, GRAPHS, TABLES AND ACRONYMS

LIST OF FIGURES

Figure 2-1: Governance types and main actors ....................................................................... 10

Figure 2-2: Characteristics of effective governance . .............................................................. 11

Figure 2-3: The three main corporate governance sub-sets .................................................... 18

Figure 2-4: IT governance with its main sub-disciplines ........................................................ 24

Figure 2-5: Governance of project management .................................................................... 39

Figure 2-6: General audit process ........................................................................................... 48

Figure 4-1: Understanding of corporate governance ............................................................... 77

Figure 4-2: Understanding of IT governance .......................................................................... 79

Figure 4-3: Understanding of project governance ................................................................... 81

Figure 4-4: IT project critical success factors ......................................................................... 84

Figure 4-5: Corporate governance principles applicable to portfolio, programme

and project offices .............................................................................................. 88

Figure 4-6: Impact of using corporate governance principles in project management ........... 90

Figure 4-7: Impact of corporate governance principles on project success ............................ 93

Figure 4-8: Monitoring mechanisms for attaining project objectives ..................................... 95

Figure 4-9: Understanding of project audit ............................................................................. 97

Figure 4-10: Process followed in project audit ...................................................................... 100

Figure 4-11: Project audit triggers ......................................................................................... 103

Figure 4-12: Elements used during project audits ................................................................. 106

Figure 4-13: Corporate governance principles that can be included in project audit ............ 109

Figure 4-14: Can corporate governance principles be used to measure project success? ..... 112

Figure 4-15: Project audit approach for positive impact on project success ......................... 114

Figure 5-1: Graphical view of some of the main concepts discussed ................................. 122

x

LIST OF GRAPHS

Graph 2-1: The Standish Group Chaos Report 2009 ………………………………… .. ……35

Graph 4-1: Summary of respondents’ views on IT project critical success factors . .............. 86

LIST OF TABLES

Table 1-1: The Chaos Report 2009 on IT project failures ........................................................ 4

Table 2-1: Summary of the eight common principles of good corporate governance ............ 15

Table 2-2: Top 10 reasons that cause projects to be challenged . ........................................... 37

Table 2-3: Critical success factors for IT projects . ................................................................. 38

Table 2-4: Governance of IT project management principles ................................................ 40

Table 2-5: Main code of ethics for auditors . .......................................................................... 44

Table 3-1: Positivists and naturalists beliefs and assumptions. ............................................... 52

Table 3-2: Summary of quantitative and qualitative research characteristics ........................ 53

Table 3-3: The seven stages of interviews .............................................................................. 63

Table 4-1: Summary of common characteristics of ATLAS.ti5, MAXQDA2 and

NVivo9 ............................................................................................................... 71

Table 4-2: Summary of respondents’ views on IT project critical success factors ................. 81

Table 4-3: Corporate governance principles – Project audit criteria. .................................... 110

LIST OF ACRONYMS

ADB : Asian Development Bank

AICPA : American Institute of Certified Public Accountants

APM : Association for Project Management

APM-BoK : Association for Project Management Body of Knowledge

CACG : Commonwealth Association for Corporate Governance

CCANB : Comptroller of the Currency Administrator of the National Banks

CF : Code Family

CICA : Canadian Institute of Chartered Accountants

CIDA : Canadian International Development Agency

xi

CLSA : Credit Lyonnais Securities Asia

CMM : Capability Maturity Model

CMMI : Capability Maturity Model Integration

COBIT : Control Objectives for Information and Related Technology

COCO : Criteria of Control

COSO : Committee of Sponsoring Organisations of the Treadway

Commission

CPA : Certified Public Accountants

CSF : Critical Success Factors

ERM : Enterprise Risk Management

EU : European Union

GAAP : Generally Accepted Accounting Principles

GAAS : Generally Accepted Auditing Standards

GCGF : Global Corporate Governance Forum

GoPM : Governance of Project Management

ICGN : International Corporate Governance Network

ICT : Information and Communication Technology

IDC : International Data Corporation

IEC : International Electrotechnical Commission

IoD : Institute of Directors

IIA : Institute of Internal Auditors

IIARF : Institute of Internal Auditors Research Foundation

ISACA : Information Systems Audit and Control Association

ISO : International Organisation for Standardization

IT : Information Technology

ITGI : IT Governance Institute

ITIL : IT Infrastructure Library

JTC : Joint Technical Committee

OECD : Organisation for Economic Cooperation and Development

OGC : Office of Government Commerce

OPM3 : Organisation Project Management Maturity Model

P2MM : PRINCE2 Maturity Model

P3M3 : Portfolio, Programme and Project Management Maturity Model

P3O : Portfolio, Programme and Project Office

xii

PEP : Project Execution Plan

PMBOK : Project Management Body of Knowledge

PMI : Project Management Institute

POT : Project Office Tool Kit

PPM : Project Portfolio Management

PPQA : Project Product Quality Assurance

PRINCE2 : Projects IN Controlled Environment Version 2

ROI : Return on Investment

SAC : System Auditability and Control Report

SEI : Software Engineering Institute

SW-CMM : Software Capacity Maturity Model

UNDP : The United Nations Development Programme,

UNESCAP : United Nations Economic and Social Commission for Asia and the

Pacific

US : United States

USA : United States of America

WITSA : World Information Technology and Services Alliance

CHAPTER 1 1

CHAPTER 1

INFORMATION TECHNOLOGY PROJECT MANAGEMENT

AUDITING

1.1 OVERVIEW

Looking back at the history of humankind, one can see great undertakings and achievements,

for instance the pyramids of ancient Egypt, the Olympic Games of Greece, the temples and

palaces of Rome and the Great Wall of China, to name but a few. How these great

undertakings have been accomplished sometimes defies imagination, notably in their

planning, control and execution, especially given the tools and techniques available at that

time (Crawford, 2000; Nicholas, 1990).

Although mankind has been involved in the management of projects over time, their nature

and the environment in which they have been developed has changed. It is believed that the

modern concept of project management has begun with the United States military initiated

Manhattan project, which led to the development of the atomic bomb used in World War II

(Schwalbe, 2010:27). Once considered an advantage in the corporate world, project

management has increasingly become a necessity for survival (Kerzner, 2009).

With the advent of computers, modern day projects have become subject to greater

technological complexity, larger budgets, increased competition and uncertainty (Schwalbe,

2010). According to Schwalbe (2010:xviii), “managing IT projects requires ideas and

information that go beyond standard project management”. In the face of today’s fast-

changing global information economy, with technology at the heart of most businesses, many

organisations are relying on IT-enabled projects for survival (Tarantino, 2008). IT has

become a critically important and strategic tool for business competitiveness, productivity

and profitability (KPMG, 2005). While successful IT projects can greatly improve the

organisational competitiveness, failed projects can place an organisation at a strategic

disadvantage to its competitors (Calder, 2006; KPMG, 2005).

According to Davis, Schiller and Wheeler (2011:367-368), “good project management does

not ensure a project’s success, but improves the chances of success; proper project

management techniques are essential elements in the success of any company endeavour”.

CHAPTER 1 2

As Tarantino (2008:158) writes: “the speed of innovation and deployment can be critical in

developing and maintaining competitive advantage”, and how organisations proactively

respond to change can make or break their competitive position. However, despite the

abovementioned improvements in technology and methodology, statistics and surveys show

that the rate of failed IT projects is still alarmingly on the increase, with more than half of all

of them failing to deliver on agreed upon benefits and overrunning their schedule and budget

(Lientz & Larssen, 2006; Dominguez, 2009: Tarantino, 2008; Taylor, 2004).

With regard to auditing, the main objective of the audit function in relation to project

management is to help “achieve its business goals through a systematic and disciplined

approach to evaluating and improving the effectiveness of management, control, and

governance processes” (Tarantino, 2008:83). Helgeson (2010) believes that the use of

auditing in project management increases the probability of project success. Project audits

are performed in order to identify the risks that threaten project success (Davis et al.,

2011:368).

Adopting a risk-based approach to internal audit is more effective in that it allows the

auditors to assess and determine whether internal control are effective in managing risks

arising from the organisation’s strategic planning (Institute of Directors, 2009:15). The

mission of the internal audit team in an organisation is to improve the state of internal control

and provide assurance that they work effectively (Davis et al., 2011). According to Solomon

(2007), the failure of the audit function played a major role and was considered to be one of

the most critical factors that contributed to the recent global corporate scandals, including

failures such as the Enron collapse, WorlCom, Tyco and Parmalat to name just a few. These

scandals exposed corporate malpractices, and led to a demand by the public and governments

for greater independence and a high level of accountability, transparency, responsibility and

integrity, signalling the importance of corporate governance with an independent audit

function (Puttick & Van Esch, 2007:35).

1.2 BACKGROUND

In today’s global market economy, in which businesses are faced with rising costs,

uncertainty, rapidly changing technology and increasing competition, corporate governance

has increasingly become a recognised best practice used worldwide by investors and

policymakers as an effective mechanism that promotes corporate efficiency, competitiveness

and sustainability, while at the same time combating corruption (Institute of Directors, 2009).

CHAPTER 1 3

Experts have also come to recognise corporate governance practices as deciding factors used

by investors in determining where to channel their capital (ICGN, 2009:3; Institute of

Directors, 2009; OECD, 2004:13). For Puttick and Van Esch (2007:iii), “robust auditing is a

cornerstone of modern corporate governance”.

Reliance on information and communication technology (ICT) is growing every year. A

study by the World Information Technology and Services Alliance (WITSA), “Digital Planet

2010”, shows that the total global spending on it will be over $4.4 trillion by the year 2013

(WITSA, 2010). Projections by the International Data Corporation (IDC), a global research

firm, state that spending in the IT sector in Africa has drastically increased and this trend is

expected to continue to increase until 2015, with operational efficiency cited as one of the

main reasons for this increase (IDC, 2011).

Despite this reliance on ICT and the increase in IT spending, Lientz and Larssen (2006:xv)

write: “The rate of failure of IT projects has changed little in survey after survey over the

past 15 to 20 years. And this situation has continued in spite of new technology, innovative

methods and tools”. Taylor (2004:1) is surprised to note that “even though management tools

and techniques, as well as software development techniques are constantly improving, more

than half of all systems projects overrun their schedules and budgets by at least 200% or

more”. Sessions (2009:2) states that “worldwide, we are losing over $500 billion per month

on IT failures, and the problem is getting worse”. This comes to an estimated total annual

loss of $6.2 trillion.

A 2005 research survey by KPMG of 600 major listed companies around the world found

that in the 12 months before the survey, 49% of the respondent companies had at least one

failed project. Only 2% of organisations had attained their targeted benefits all the time,

while 86% lost up to 25% of them across their entire project portfolio. The average estimated

cost of the failed projects was £8 million, with £133 million being the largest single failure

cost by an unnamed UK company (KPMG, 2005; PMThink, 2005).

Table 1-1 presents a summary of the state of IT project failures between 1994 and 2009 as

provided in The Standish Group’s Chaos Report. It shows that more than half of all IT

projects fail to deliver expected functionalities on time or to the agreed budget (Dominguez,

2009).

CHAPTER 1 4

Table 1-1: The Chaos Report 2009 on IT project failures

2009 2006 2004 2002 2000 1998 1996 1994

Successful 32% 35% 29% 34% 28% 26% 27% 16%

Challenged 44% 46% 53% 51% 49% 46% 33% 53%

Failed 24% 19% 18% 15% 23% 28% 40% 31%

Source: Dominguez (2009). The Curious Case of the CHOAS Report 2009.

The Standish Group defines successful projects as those “delivered on time, on budget and

with all the required features and functions”; challenged projects as those “delivered late,

over budget, and/or with less than the required features and functions”; and failed projects as

those “cancelled prior to completion or delivered and never used” (Dominguez, 2009:1).

A South African perspective on this problem of the high rate of IT project failures shows

similar trends with figures for 2003 showing 43% successful, 22% challenged and 35% failed

projects (Sonnekus & Labuschagne, 2003). These statistics give an indication that there is a

problem with the delivery of IT projects that needs to be addressed but for which currently

there is no solution.

According to Tarantino (2008), the reasons for project failures have to do with failures of

project governance, which is a sub-set of corporate governance. He suggests that “project

risks must be assessed within the organisation’s strategic planning and risk management

framework” (Tarantino, 2008:162). For Weaver (2005), effective IT project governance is a

key sub-set of corporate governance and fundamental to the organisation’s survival.

Brisebois, Boyd and Shadid (2008:5) state that “without effective governance, IT projects

have a higher risk of failure”.

1.3 PROBLEM STATEMENT AND RESEARCH QUESTIONS

Taking into consideration corporate governance as a worldwide best practice, a belief that

using audits increases the probability of project success, and audits being a critical sub-set of

corporate governance for the evaluation of the effectiveness of management and on-going

improvement of governance processes, the following three research questions are posed:

CHAPTER 1 5

1 Can the use of corporate governance principles in auditing IT projects

increase the chances of IT project success?

2 Can the use of corporate governance principles improve the overall IT

project management process?

3 Can corporate governance principles be used to measure project success?

1.4 RESEARCH OBJECTIVES

The following are the three main objectives this research study strives to achieve in the

process of adopting a holistic approach to the auditing of IT project management:

1 To identify best practices and guidelines in the fields of corporate

governance, IT governance, IT project governance, project management,

internal control and internal audit

2 To analyse and identify the gaps between guidelines from these best practices

and the industry’s actual implementation

3 To conclude by providing insight into the three research questions above.

1.5 DISSERTATION SCOPE

This research study can be applicable to IT projects in any environment, from construction to

engineering or retail; however, its scope is limited to the financial sector. This choice is

guided by the fact that the financial sector in South Africa is well-regulated; it complies with

good corporate governance practices, which is a key element to its reputation and survival.

The financial sector is familiar with auditing practices, is competitive and executes many IT

projects.

This research study concentrates on economic governance of which corporate governance is

a sub-set, as opposed to political and administrative governance. The terms “good

governance” and “effective governance” are interchangeably used.

CHAPTER 1 6

1.6 DISSERTATION ORGANISATION

Chapter One introduces the research topic and highlights the challenges facing projects in

the modern global information economy. The chapter also provides the background to this

research study by highlighting the spending on ICT-related projects, the state of IT project

failures and costs, as well as the importance of corporate governance and the internal audit

function. The research problem statement, research questions, objectives and scope are also

highlighted in this chapter.

Chapter Two is a review of the published literature on the different topics of relevance to

this research study, namely governance and its main sub-sets and characteristics, corporate

governance and its different compliance approaches as well as the main sub-sets, namely the

system of internal control, IT governance, its frameworks and standards, IT project

governance, IT project management, internal audit as well as the relationship between

governance and management of IT projects, and how they relate to corporate governance.

Chapter Three presents the research design and the different methods used in order to

provide insight into the research questions. It details the research strategies and approaches

used, techniques for data collection, analysis and interpretation as well as ethical

considerations to be observed.

Chapter Four presents the main objectives and stages of qualitative data analysis,

highlighting the data collection process and the procedures used in conducting semi-

structured interviews. It presents the procedures and approaches used in the process of

analysing, coding and interpreting the data, using qualitative data analysis software. This

chapter also provides a detailed interpretation of the data collected from interviews and a

summary of the level of understanding by the interview participants of the main concepts.

Chapter Five presents the key findings and conclusions, examining each of the objectives

and assessing whether they have been attained. It lists several limitations of the research and

suggests possible future areas for research.

The next chapter presents a detailed review of the published literature on the different topics

of relevance to this research study.

CHAPTER 2 7

CHAPTER 2

LITERATURE REVIEW: CORPORATE GOVERNANCE PRINCIPLES

2.1 INTRODUCTION

Increasingly, more recently than before, the corporate world has been paying more attention

to the topic of “governance” even though it is not a new concept. The absence of governance

or ineffective governance in organisations has been blamed for current problems; this is true

not only in the corporate environment but also in society (UNESCAP, 2010). Cadbury

(1999:1) states that “corporate governance systems have evolved over centuries, often in

response to corporate failures or systemic crises. The first well-documented failure of

governance was the South Sea Bubble in the 1700s, which revolutionised business laws and

practices in England”. It is only recently that corporate governance has emerged as a

discipline in its own right (Cadbury, 1999:4).

Recent global corporate scandals, involving for example Enron, WorlCom, Parmalat, and

recently in South Africa, Saambou Bank and Fidentia, to name just a few, have exposed

corporate mismanagement and mal-practices, and created a renewed focus on the need for

good corporate governance practices (Puttick & Van Esch, 2007). These scandals have

forced governments and other regulatory institutions worldwide to demand a higher level of

control, accountability and transparency by organisations’ top executive management

(OECD, 2004; Puttick & Van Esch, 2007).

According to Solomon (2007), the failure of the audit function played a major role and was

considered to be one of the critical factors that contributed to the global corporate scandals.

This chapter provides an overview of governance in general and economic governance in

particular, concentrating more on corporate governance, its principles, characteristics and

different sub-sets. It strives to establish whether corporate governance has an impact on the

success of IT projects and how it can assist in improving IT project management processes

through auditing.

The next section looks at the concept of governance and analyses why it has become such an

important topic to the extent that the lack of governance at project level has been identified

as the main contributing factor to the problem of the high rate of failure of IT projects.

CHAPTER 2 8

2.2 GOVERNANCE

This section highlights the different types of governance, and the main actors and

characteristics that constitute effective governance. Etymologically, the word “governance”

traces its origin from the Greeks and was used by Plato in reference to the design of a system

of rule (Kjaer, 2004:3). It has traditionally been associated with the term “government” and

with the exercise of power by political leaders. However, currently, apart from that of

political science, governance has been used in the economical, social and cultural fields. Its

meaning has been broadened to include processes and other actors outside the government

environment (Kjaer, 2004:1). However, Hendrikse and Hendrikse (2004) traced the origin of

the word to the old French word “gouvernance” meaning ‘good order’ or ‘to control’ and

‘the state of being governed’.

Whichever origin is accepted, governance is considered the driving force behind any good

change and is pointed to by some as the key factor in improvement in human condition

(UNESCAP, 2010). The term “governance” is defined in many ways, depending on the

context and the field in which it is used:

“Governance is the exercise of political, economic and administrative authority to

manage a nation's affairs at all levels. It includes complex mechanisms, processes,

relationships and institutions through which citizens and groups articulate their interests,

exercise their rights, meet their obligations and mediate their differences” (UNDP,

1997:55).

“Governance is the exercise of authority, direction and control of an organization in

order to ensure its purpose is attained. It refers to who is in charge of what; who sets the

direction and the parameters within which the direction is to be pursued; who makes

decisions about what; who sets performance indicators, monitors progress and evaluates

results and who is accountable to whom for what. Governance includes the structures,

responsibilities and processes that the board of an organization uses to direct and manage

its general operations. These structures, processes and organizational traditions

determine how authority is exercised, how decisions are taken, how stakeholders have

their say and how decision makers are held to account” (Gill, 2002:1).

“Governance relates to the way a business is directed and governed. It deals with the

strategies, policies and procedures that directly impact on organisational performance,

CHAPTER 2 9

stewardship and the business’s capacity to be accountable to its various stakeholders”

(Hendrikse & Hendrikse, 2004:101).

From the above definitions of “governance”, the following four common characteristics can

be highlighted:

It is an exercise of authority to manage, control or govern,

It includes a set of policies, strategies, processes, mechanisms and relationships,

It requires decision-making and leadership,

It can be applied to a country, an organisation or a group of people; it defines how

their interests, rights and obligations can be exercised.

The UNDP (1997) states that governance is made up of the following three main sub-sets:

Political governance, which includes the process of decision-making to formulate

policies,

Economic governance, which includes decision-making processes that influence a

country’s economic activities. Corporate governance is a sub-set of this type of

governance,

Administrative governance, which is the system for implementing policies.

The above view by the UNDP is shared by Hendrikse and Hendrikse (2004:101), who write

that “governance is the exercise of economic, political and administrative authority to

manage business affairs at all levels”.

This study’s understanding of governance can be summarised as a set of policies, rules,

mechanisms and processes established with the purpose of effectively and efficiently

guiding, monitoring and controlling a system, a group of people or an organisation. This

definition will be used for the remainder of this study.

Some of the main actors playing a role in decision making or influencing the decision-

making process in the above-mentioned types of governance include the following (UNDP,

1997):

The main actor for political governance is the state or government. It is the governing

authority of a political unit.

CHAPTER 2 10

The main actor for economic governance is the private sector. It is the part of the

economy not under government control.

The main actor for administrative governance is civil society. These are individuals and

groups who interact in the social, political and economic domains.

Figure 2-1 (below) shows the three types of governance as per the UNDP, with

corresponding main actors as well as showing where corporate governance fits in.

Figure 2-1: Governance types and main actors (own figure)

With regard to what constitutes effective governance, different organisations have different

sets of characteristics or attributes that define effective governance. For instance, the United

Nations Economic and Social Commission for Asia and the Pacific (UNESCAP), highlights

eight major characteristics for effective governance, stating that it addresses the allocation

and management of resources in response to collective problems (UNESCAP, 2010).

Effective governance is participatory and consensus oriented; transparent and accountable;

effective and equitable; and promotes the rule of law. According to the Canadian

International Development Agency (CIDA), effective governance has the following

attributes: accountability, efficiency and effectiveness, an independent legal framework, and

responsible and equitable administration at all levels of government (CIDA, 1997).

Actors

Types

Governance

Political Governance

State / Government

Economic Governance

Private Sector

Corporate Governance

Administrative Governance

Civil Society

CHAPTER 2 11

The Asian Development Bank (ADB), defines effective governance as based on four

interrelated pillars, namely those of accountability, transparency, predictability and

participation (ADB, 1995).

Figure 2-2 below shows the eight most cited characteristics of effective governance

according to UNESCAP.

Figure 2-2: Characteristics of effective governance Source: UNESCAP (2010). What is good Governance?

The next section looks at governance at corporate level, concentrating on corporate

governance and its main sub-sets.

2.3 CORPORATE GOVERNANCE

This section defines corporate governance, its principles as well as its different enforcement

approaches. It details each of the corporate governance sub-sets and how some relate to and

impact on IT project management.

The use of effective corporate governance practices provides an incentive for the board and

executive management to pursue objectives that are in the interest of all company

Characteristics Of effective governance

Accountable

Transparent

Responsive

Follows the rule of law Equitable

and inclusive

Consensus oriented

Participatory

Effective and

efficient

CHAPTER 2 12

stakeholders. It is also an effective monitoring tool. It also provides the incentive for the

state by strengthening the economy, and discouraging fraud and mismanagement (OECD,

2004:11). It is the responsibility of the board of directors to establish a corporate governance

framework that provides strategic guidance for the organisation, the mechanism for effective

monitoring of management by the board, and the board’s accountability to the organisation

and its shareholders (OECD, 2004:58). Mallin (2007:124) states that “the board of directors

leads and controls the company and hence an effective board is fundamental to the success

of the company”.

With regard to the role and duties of the board of directors, Mallin (2007:124) highlights the

following responsibilities, namely to determine the company’s aims, goals and strategies,

the plans on how to achieve them as well as the monitoring process in their achievement.

As Cadbury (1999:vi) has written, disclosure is the foundation of any structure of corporate

governance and openness is the basis of public confidence. An effective corporate

governance strategy is the one that allows an organisation to manage all aspects of its

business in order to meet its objectives. It must incorporate all the relationships amongst

many stakeholders, and strive to organise them to meet the organisation’s goals in the most

effective and efficient manner.

The Credit Lyonnais Securities Asia (CLSA) states that “corporate governance pays”

(CLSA, 2001:3). Also, in its report on corporate governance it argues that “well managed

corporations with high corporate governance standards perform well in every aspect and

attract more investment” (CLSA, 2001:26). Many experts have come to recognise effective

corporate governance practices as deciding factors used by investors in determining where to

channel their capital (Institute of Directors, 2009; OECD, 2004:13). The Organisation for

Economic Cooperation and Development (OECD) document “Principles” highlights

guidelines, which deal with internal mechanisms for directing the relationships between

managers, the board of directors, shareholders and other stakeholders. This document has

become an international benchmark standard, providing guidance to investors, policymakers,

corporations and other stakeholders worldwide (OECD, 2004).

As per the Global Corporate Governance Forum (GCGF), the incentive for the adoption of

internationally accepted governance standards by both corporations and those who own and

manage them is that these standards will assist them in attaining their strategic goals as well

as helping in attracting investment (GCGF, 2005:22).

CHAPTER 2 13

According to Mallin (2007:5-6), some of the most important features of corporate

governance include the following:

It helps to ensure the existence of an adequate and appropriate system of controls in the

company.

It helps to prevent that any single person has too powerful an influence.

It helps to maintain a good relationship between the company’s management, the board

of directors, shareholders as well as other stakeholders.

It helps to ensure that the company is managed in the best interest of all shareholders and

stakeholders.

It helps to encourage both transparency and accountability.

At this point it is necessary to explore the way in which corporate governance is defined:

The most widely cited definition of corporate governance is that of the OECD, which

states that “corporate governance involves a set of relationships between a company’s

management, its board, shareholders and other stakeholders. It provides the structure

through which the objectives of the company are set, and the means of attaining those

objectives and monitoring performance are determined” (OECD, 2004:11).

Hendrikse and Hendrikse (2004:101) state that “corporate governance is the control

mechanism that ensures that the right checks and balances are in place to prevent the risk

of mismanagement from conflicting priorities, misallocation of resources, conflict of

interests, misaligned incentives and other manifestations of human weaknesses

associated with excessive power”.

The Commonwealth Association for Corporate Governance (CACG) looks at corporate

governance as “an essentially leadership issue – striving to achieve leadership for

efficiency and probity, leadership with responsibility, and leadership that is transparent

and accountable” (CACG, 1999:3).

Cadbury (1999:vi) states that “corporate governance is concerned with holding the

balance between economic and social goals and between individual and communal

goals. Its framework is there to encourage the efficient use of resources and equally to

require accountability for the stewardship of those resources, with the aim to align as

nearly as possible the interests of individuals, corporations and society”.

CHAPTER 2 14

The following three common characteristics can be highlighted from the above corporate

governance definitions:

It is a set of rules and principles that governs relationships among all stakeholders with

an interest in the organisation.

It is a control mechanism to provide checks and balances in the efficient use of the

organisation’s resources to attain its strategic goals and objectives.

It applies to all levels of the organisation, starting from the top management that has to

lead by example.

From the above, this study’s definition of corporate governance can be summarised as a

code of principles and value practices defining the rights, relationships, roles and

responsibilities among all stakeholders, providing a control mechanisms for the effective and

efficient use of the organisation’s resources to fulfil its objectives and responsibilities toward

individuals, the corporation and society. The study uses this definition when referring to

“corporate governance”.

There is a consensus amongst experts that there is no single model applicable to effective

corporate governance practices, because companies vary in size, organisational complexity

and structure (OECD, 2004). According to Veasey (2000), the expectation of a “one size fits

all” structure of internal governance and the management style of businesses are unrealistic;

the same is true of company law and corporate governance systems. The OECD (2004)

principles suggest a corporate governance legal framework that ensures a fair and equitable

treatment of shareholders, managerial and supervisory body accountability, transparency of

corporate performance, ownership structure and governance as well as corporate

responsibility. The King III Report (Institute of Directors, 2009:16) wrote that “good

corporate governance is essentially about effective leadership that is characterised by the

ethical values of responsibility, accountability, fairness and transparency”. These values are

known as the fundamental four primary pillars of corporate governance (CACG, 1999;

OECD, 2004; Institute of Directors, 2009).

To ensure flexibility, experimentation and continuous improvement, Millstein (1998) argues

that corporate governance practices should be viewed as “works in progress”. In spite of the

differences in view, however, some common principles have been identified and they

constitute what may be regarded as best corporate governance practices applicable to any

corporation in any country, regardless of differences in culture, laws and regulations

CHAPTER 2 15

(Calder, 2005:17). As an example, Cadbury (1999:v) states that “principles such as

transparency, accountability, fairness and responsibility are universal in their application”.

The Institute of Directors writes “…the board could decide to apply the recommendation

differently or apply another practice and still attain the objective of the overarching

corporate governance principles of fairness, accountability, responsibility and transparency”.

Highlighted in Table 2-1 below are the eight common principles most cited by organisations

as constituting principles of good corporate governance. These principles were drawn up

using the literature and reports of the following five international corporate governance

organisations: the Organisation for Economic Cooperation and Development, the

Commonwealth Association for Corporate Governance, the Credit Lyonnais Securities Asia,

the International Corporate Governance Network (ICGN) with the Combined Code and the

Institute of Directors with the King III Report. Only those principles that were mentioned by

more than four organisations are highlighted in Table 2-1.

Table 2-1: Summary of the common principles of good corporate governance (own table)

PRINCIPLES OECD CACG CLSA King III Report

Combined Code

1 Accountability X X X X X 2 Transparency X X X X X

3 Responsibility X X X X X

4 Fairness X X X X X

5 Independence X X X X X

6 Leadership X X X X X

7 Corporate discipline X X X X X

8 Communication X X X X

The above-mentioned principles of good corporate governance are defined as follows:

Accountability refers to a mechanism by which those who make decisions and those

who take actions on specific issues must be accountable for their decisions and actions.

Transparency refers to the ease with which an organisation is able to conduct its

activities and provide information in an open, candid and accurate way.

Responsibility refers to the state of having control or authority and being answerable for

one’s actions and decisions.

Fairness refers to the condition of being free from any discrimination or dishonesty, and

in conformity with rules and standards.

CHAPTER 2 16

Independence refers to the absence of undue influence and bias, which can be affected

by the intensity of the relationship between the director and the company.

Leadership refers to the ability to successfully integrate and maximise available

resources for the attainment of organisational goals.

Corporate discipline refers to the commitment – mainly by the organisation’s senior

management to adhere to behaviour that is universally recognised and accepted as

correct.

Communication refers to a timely, accurate and honest sharing of relevant information

– whether in writing or orally with all concerned stakeholders.

Two principles in Table 2.1, namely accountability and transparency, have also been

mentioned amongst the eight characteristics of efficient governance in Figure 2-2.

Corporate governance experts advocate two main approaches with regard to the enforcement

of corporate governance principles (OECD, 2004). On one side there is a “comply or

explain” approach, which encourages companies to adopt ethical behaviour while providing

the flexibility to explain non-conformance with corporate governance recommendations

(Calder, 2005; Institute of Directors, 2009; OECD, 2004). On the other hand, a “comply or

else” approach, also called “comply or be punished”, is advocated mainly by the Sarbanes-

Oxley Act of 2002, in the aftermath of recent years’ corporate scandals (Calder, 2005). This

approach also encourages compliance with corporate governance best practices, and

penalties are imposed for non-compliance (Bisoux, 2004; Institute of Directors, 2009;

OECD, 2004).

The King III Report (Institute of Directors, 2009) found that the majority of international

corporate governance organisations and committees, at least 56 countries in the

Commonwealth and 27 states in the European Union (EU), advocated the “comply or

explain” approach. There is also an emergence worldwide of new approaches deriving from

the “comply or explain” approach, namely the “apply or explain” adopted by the King III

Report and the “adopt or explain” advocated by the United Nations (Institute of Directors,

2009). The reasons advanced by the King III Report (Institute of Directors, 2009) in this

shift toward the “apply or explain” approach is that it is not often a case of whether to

comply or not but of how best to apply the principles and recommendations.

There is a further debate amongst experts in the field of corporate governance on whether

governance is an issue of ethics or law enforcement (Bisoux, 2004). For instance, Judge

CHAPTER 2 17

Mervyn King, as noted in Bisoux (2004), in defence of the “comply or explain” approach,

argues that the success of a business is not assured by compliance to governance rules. He

cites the example of the Enron collapse in which the company used ingenious methods to

circumvent established laws to its advantage. He thus advocates what he calls “Intellectual

Honesty”, which is a quality of governance that cannot be legislated (Bisoux, 2004). King’s

argument is supported by Charles Elson (Bisoux, 2004), who promotes the “back to the

basics” approach, advocating the idea that ethical behaviour is the most effective and

greatest source of profit. However, in opposition to the above views, Millstein in Bisoux

(2004), argues that past experiences have shown that in spite of many Corporate Governance

Codes of Ethics and best practices, non compliance by corporations has continued. Millstein

supports the “comply or be punished” approach as the most suitable, as it turns the “what

you should do” into “what you must do”.

According to the CLSA report on emerging markets corporate governance, there is a need

for strong enforcement of rules and regulations without which companies will get away with

scandalous behaviour, while at the same time recognising the “box-ticking” mentality as a

danger to stringent enforcement of rules (CLSA, 2001:36). While conformance to good

corporate governance practices is important, there is agreement that a balance should be

created between conformance and profitability. Proper corporate governance should

embrace both performance and conformance (CACG, 1999:4; Institute of Directors, 2009).

There is also a trend toward moving the focus away from the “profit for shareholders at all

cost” approach, also called “single bottom line”, to a ”triple bottom line” approach, which

embraces the economic, environmental and social aspects of corporate activities (Institute of

Directors, 2009).

Highlighted in Figure 2-3 below are the three main sub-sets of corporate governance

comprising a system of internal control, IT governance and internal audit (Institute of

Directors, 2009; Kadre, 2011; OECD, 2004; Thornton, 2009). IT project governance is also

highlighted as one of the IT governance sub-sets of interest to this research study. Other sub-

sets have been highlighted in Figure 2-4 below.

CHAPTER 2 18

Figure 2-3: The three main corporate governance sub-sets (own figure)

The following sections look into detailing each of the sub-sets highlighted in Figure 2-3,

starting with the system of internal control by analysing and defining them. It also strives to

establish whether corporate governance principles can help improve the governance of IT

project management processes in the delivery of successful IT projects.

2.3.1 System of internal control

This section deals with the system of internal control as one of the sub-sets of corporate

governance and is also a sub-set of a broader enterprise risk management (ERM) strategy. It

defines a system of internal control, and highlights its main objectives and guiding

principles. In any business, risks are an inevitable part of the process. However, if left

unchecked they can influence the achievement of the organisation’s strategic, operational,

financial and compliance objectives (Thornton, 2009). Aware of the threat of risks to the

organisation, executive management and experts have long recognised the importance of

identifying those facing the organisation. The implementation of systems of control to

mitigate and manage these is also important by deciding on those that can be avoided and

those that can be controlled or tolerated (Thornton, 2009).

According to the Committee of Sponsoring Organisations of the Treadway Commission

(COSO) Framework of (1994), a system of internal control is one of the management tools

designed and implemented to provide reasonable assurance of attaining the organisation’s

strategic goals and objectives (COSO, 1994). They are put into place to keep the

organisation’s goals on track while minimising surprises along the way.


System of Internal Control

IT Governance

IT Project Governance

Internal Audit

CHAPTER 2 19

Because of its impact on promoting efficiency, risk management and compliance, there are

more calls for better systems of internal control. It is increasingly considered a solution to a

variety of problems facing organisations (COSO, 1994; Puttick & Esch, 2007).

Davis et al. (2011) identify three types of internal control, namely:

Preventative – those controls that stop a bad event from taking place

Detective – those controls that record a bad event after it has taken place

Reactive or corrective – those controls that provide a systematic way of detecting bad

event, after they have taken place and address the situation to correct it.

The Comptroller of the Currency Administrator of the National Banks Report (CCANB,

2001:3) found that “an effective system of internal control reduces the possibility of

significant errors and irregularities, and assists in their timely detection when they do

occur”. It also recognised that even well-designed systems of internal control can be subject

to execution risks by humans. Most control systems still require human intervention, and

even well-trained personnel with the best of intentions can become distracted, careless, tired

or confused.

Moeller (2004) believes that a good system of internal control should be able to help attain

some of the following objectives:

Accomplish its stated mission

Produce accurate and reliable data

Comply with applicable laws and organisational policies

Provide for economical and efficient use of resources

Provide for appropriate safeguarding of assets.

There are many different frameworks, models and definitions of internal control, including

the following well-known internal control models and frameworks:

1 The Committee of Sponsoring Organisations of the Treadway Commission (COSO),

Internal Control–Integrated Framework, first developed in 1992. The COSO is a

framework for establishing and evaluating the effectiveness of an organisation’s system

of internal control (COSO, 1994; Moeller, 2004).

CHAPTER 2 20

The COSO (1994:9) defines internal control as “a process affected by an entity’s board

of directors, management and other personnel, designed to provide reasonable assurance

regarding the achievement of objectives with regard to the effectiveness and efficiency

of operations, reliability of financial reporting, and compliance with applicable laws and

regulations”.

The COSO framework describes an effective system of internal control as consisting of

the following five interrelated components which are further subdivided into 26

fundamental principles. These work in tandem to mitigate the risks threatening the

attainment of the organisation’s strategic objectives:

The Control Environment: This component is sometimes referred to as “the tone at

the top” of the organisation. It sets the foundation on which other components can

build by providing discipline and structure. It deals with such issues as integrity,

ethical values and people’s competence.

Risk Assessment: This component helps identify, analyse and manage relevant risks

to attaining the organisation’s strategic goals and objectives.

Control Activities: This component deals with activities set up at all levels of the

organisation that help ensure that management directives are followed.

Information and Communication: This component addresses communication

throughout the organisation.

Monitoring: This component is closely associated with the organisation’s internal

auditing function in that it deals with the monitoring of all organisational activities

and reporting of deficiencies.

According to the COSO (1994), all five of these components must be present and

functioning in order to consider that a system of internal control is effective in any

category of objectives – operational, financial reporting or compliance.

2 The Criteria of Control (COCO) is another internal control model adapted from the

COSO. The COCO was developed by the Canadian Institute of Chartered Accountants

(CICA) in 1995. However, in comparison to the COSO, users find it to be more user-

friendly and concrete (Moeller, 2004). The COCO defines internal control as “actions

that foster the best results for an organisation”. These actions, as in the case of the

COSO, focus on the three categories of the effectiveness and efficiency of operations,

CHAPTER 2 21

namely reliability of internal and external reporting, compliance with applicable laws

and regulations, and internal policies. The COCO also has four interrelated elements of

internal control, which support people in the attainment of the organisation’s goals and

objectives. These are the purpose, capability, commitment, monitoring and learning.

Each of these elements includes many different components.

3 The SAS No. 55 was developed by the American Institute of Certified Public

Accountants (AICPA) in 1988. It was upgraded in 1995 and given the new name of SAS

No. 78. However, SAS No. 78 only focuses on those systems and controls dealing with

financial reporting objectives (CPA Journal, 2000).

4 The COSO Enterprise Risk Management Framework, sometimes called COSO II, works

in relation to COSO I, which is the Internal Control Integrated Framework. This

framework consists of eight interrelated components, which complement the way in

which management runs the enterprise. They are integrated with other management

processes. The components are linked and serve as criteria for determining whether

enterprise risk management is effective (COSO, 2004). The main objective of the COSO

Enterprise Risk Management Framework is to help management of businesses and other

entities better deal with risk inherent in attaining an organisation’s objectives in the

following four categories:

Strategic: Relating to high-level goals, aligned with and supporting the entity’s

mission

Operations: Relating to effective and efficient use of the entity's resources

Reporting: Relating to the reliability of the entity’s reporting

Compliance: Relating to the entity's compliance with applicable laws and

regulations.

This section has highlighted the importance for organisations to establish effective and

efficient systems of internal control, and the different internal control frameworks that can

be used in order to help them attain their strategic goals and objectives. The next section

deals with IT governance.

2.3.2 IT governance

This section looks at IT governance in detail as a sub-set of corporate governance and the

impact it has had on modern organisations, highlighting some of its frameworks and

standards as well as how it relates to IT project management.

CHAPTER 2 22

IT governance is often mistaken for an independent field of study; however, it is an integral

part of an organisation’s strategies for corporate governance aimed at enabling the

organisation attain its strategic goals in the most effective and efficient manner possible

(Brisebois et al., 2008).

In today’s information age in which IT is at the heart of most modern organisations,

information and the technology that supports it is looked upon by top management as their

most valuable asset. They are fast realising the significant impact that IT can have on their

success (IT Governance Institute, 2007). In the new environment an increasing number of

organisations and business processes are becoming dependent on their information systems

for survival, with significant resources being invested in IT (IT Governance Institute, 2007).

This is contrary to the historical view of IT held by senior management, namely that of an

isolated department.

Since IT has become such a critical component in organisations, a formal system of

governance is necessary in order to align IT objectives with those of the organisation, and to

achieve the best return on IT investment (RoI). For this to be achieved, it is imperative that

the board and senior management become involved in IT decision-making, and ensure that

IT governance becomes an important management priority (De Haes & Van Grembergen,

2004). With IT governance being a sub-set of corporate governance, it is the board of

directors and executive management’s responsibility to drive its implementation as part of

the organisation’s overall governance (IT Governance Institute, 2007).

For the first time, the King III Report on Corporate Governance (Institute of Directors,

2009:16) has included IT governance in the report, stating that information systems have

become an integral part of the business and a component built into the business strategy. IT

is used to support, sustain and grow the business. Almost all components of an

organisation’s operational processes would include some form of automation.

The King III Report continues by stating that “this pervasiveness of IT in business has

mandated the governance of IT as a corporate imperative” (Institute of Directors, 2009:16).

Furthermore, the emergence of new technologies, such as the Internet, E-commerce and

online transactions, has not only changed the way in which business is conducted, but also

introduced a significant risk aspect that must be governed and controlled (Institute of

Directors, 2009:16).

CHAPTER 2 23

The following are some of the definitions of IT governance:

“IT governance is the responsibility of executives and the board of directors, and

consists of the leadership, organisational structures and processes that ensure that the

enterprise’s IT sustains and extends the organisation’s strategies and objectives” (IT

Governance Institute, 2007:8).

“IT governance is the term used to describe how those persons entrusted with

governance of an entity will consider IT in their supervision, monitoring, control and

direction of the entity. How IT is applied will have an immense impact on whether the

entity will attain its vision, mission or strategic goals” (Brisebois & La Salle, 2008:31).

“IT governance can be considered as a framework that supports effective and efficient

management of IT resources to facilitate the achievement of a company’s strategic

objectives” (Institute of Directors, 2009:82).

While corporate governance is more concerned with the establishment of a system by which

corporations are directed and controlled, and mainly deal with issues of shareholders’ rights,

transparency and board accountability, IT governance has emerged as a supporting tool for

effective corporate governance aiming to ensure that IT expectations are met and IT risks

mitigated (IT Governance Institute, 2007).

IT governance focuses specifically on information technology systems, their performance

and risk management. It integrates best practices to ensure that IT supports business

objectives, thereby maximising benefits, capitalising on opportunities and gaining

competitive advantage (IT Governance Institute, 2007). As Brisebois and La Salle (2008)

write, how IT is applied will have an immense impact on whether the organisation will attain

its vision, mission or strategic goals. This view is shared by De Haes and Van Grembergen

(2004), who highlight the need to differentiate IT governance from IT management. They

explain that IT management is more concerned with the management of IT operations and

mainly focuses on the effective supply of IT services while IT governance is much broader

and more focused on the transformation of IT to meet current and future needs of business.

Some disciplines, such as information security, risk management, IT service management,

IT project governance, business continuity and disaster recovery have been cited as sub-

disciplines of IT governance (APM, 2007; IT Governance Institute, 2007). Business

continuity and disaster recovery, for example, are two areas that are becoming increasingly

http://www.itgovernance.co.uk/bc_dr.aspx

http://www.itgovernance.co.uk/bc_dr.aspx

CHAPTER 2 24

important in today’s world in which terrorist threats and natural disasters are becoming an

everyday concern.

Shown in Figure 2-4 below is a graphical representation of the different IT governance sub-

disciplines.

Figure 2-4: IT governance with its main sub-disciplines (own figure)

The next section looks at the different frameworks associated with some of the IT

governance sub-disciplines highlighted in Figure 2-4.

2.3.2.1 IT governance frameworks

In order for IT to deliver successfully on business requirements it is important that

management ensures the implementation of a system of control over IT that will optimise

the use of IT resources. This section looks at the different frameworks that can be

implemented in an organisation to help IT governance attain its objectives.

Regarding the implementation of an IT governance framework it is important to understand

that, as with corporate governance, there is no “one-size-fits-all” approach because of

different needs of different organisations (De Haes & Van Grembergen, 2004), nor is it a

case of what works for one organisation necessarily works for the other.

Listed below are some of the characteristics Calder (2005:20) believes should be part of a

good IT governance framework:

IT GOVERNANCE

IT PROJECT GOVERNANCE

IT SERVICE MANAGEMENT

INFORMATION

SECURITY

RISK MANAGEMENT

BUSINESS CONTINUITY / DISASTER RECOVERY

CHAPTER 2 25

It requires and depends on the board of directors’ informed, balanced and entrepreneurial

leadership.

It requires and depends on executive execution of business and information strategies

into goals and actions that deliver the business goals.

It leverages the organisation’s intellectual assets for competitive advantage.

It ensures that IT risks facing the organisation are identified, managed and controlled

effectively.

It ensures that there are no unplanned regulatory, statutory or contractual exposures.

It ensures that IT projects deliver benefits, instead of destroying value.

One of the most widely recognised IT governance frameworks that helps achieve the

alignment between business and IT objectives is the Control Objectives for Information and

related Technology (COBIT), developed by the IT Governance Institute (ITGI) in 1996 and

the Information Systems Audit and Control Association (ISACA) (IT Governance Institute,

2007). Currently in its fourth edition, COBIT is a broad and IT-specific control framework

that is business-focused, process-oriented, controls-based and measurement-driven. At its

core are the management and control of information to ensure IT goals alignment to business

requirements. COBIT combines two types of internal control, namely business controls and

IT controls. It is aimed at bridging the gap between the two. It also provides acceptability

and compatibility with other controls, making it possible and easy to map other standards to

it (IT Governance Institute, 2007).

COBIT business controls are adapted from the COSO concepts and defines this as, “the

policies, procedures, practices, and, organisational structures designed to provide reasonable

assurance that business objectives will be achieved and that undesired events will be

prevented or detected and corrected” (IT Governance Institute, 2007:17). COBIT IT

controls are adapted from the System Auditability and Control Report (SAC) concepts. SAC

was developed by the Institute of Internal Auditors Research Foundation (IIARF) in 1991

and revised in 1994. It is one of the internal control frameworks built on the COSO

concepts. However, SAC only focuses on those objectives affected by the organisation’s

information system and technology. The process orientation of COBIT is established by a

process model that subdivides IT into four domains in line with the four stages of plan,

CHAPTER 2 26

build, run and monitor as well as 34 processes that provide an end-to-end view of IT (IT

Governance Institute, 2007:8).

Components of COBIT support IT governance with issues in the following five areas:

Strategic alignment of business and IT

Delivery of IT value against business strategic objectives

Management of critical IT resources

Management of risks

Measurement of performance through continued monitoring.

The next section looks at the different IT governance standards.

2.3.2.2 IT governance standards

This section looks mainly at the different IT governance standards currently in use and is

closely connected to the previous section on IT governance frameworks. The following are

some of the most well-known IT governance standards:

1 The ISO/IEC 38500:2008 is the latest international standard for the Corporate

Governance of Information Technology based on an Australian Standard AS 8015:2005.

This standard was jointly issued by the International Organisation for Standardization

(ISO) and the International Electrotechnical Commission (IEC) in 2008. Its main

objective is to provide broad guidelines and a framework of practices to assist the board

and executives in delivering the maximum value for IT when evaluating, directing and

monitoring the effective, efficient and acceptable use of IT in their organisation (ISO,

2008).

The ISO/IEC 38500:2008 standard sets out the following six main principles for good

corporate governance of IT:

Responsibility: Those with authority must take responsibility for their actions with

respect to both supply of and demand for IT.

Strategy: Business strategies are to take into account IT capabilities.

Acquisition: IT acquisitions provide appropriate balance between benefits,

opportunities, costs and risks.

CHAPTER 2 27

Performance: IT provides quality services required to meet current and future

business requirements.

Conformance: IT complies with all mandatory regulations and legislations.

Human behaviour: IT policies, practices and decisions to show respect for the

needs of all people in the process.

2 The IT Infrastructure Library (ITIL) is a standard in the IT operations and service

management area. ITIL, since 2007 in its third edition, was developed by the British

Office of Government Commerce (OGC) (IT Governance, 2007). ITIL is organised as a

library that provides guidance and best practices for achieving business effectiveness and

efficiency in IT service management through a comprehensive, consistent and coherent

best practice framework and related processes. ITIL describes approaches, functions,

roles and processes, upon which organisations may base their own practices.

3 The ISO/IEC 27002:2005 is the global standard for information security management in

organisations. It was issued by the ISO and the IEC. The main objective of ISO/IEC

27002:2005 is to provide information to parties responsible for implementing

information security within an organisation. It is also concerned with developing and

maintaining security standards and management practices within an organisation to

improve reliability on information security. It defines 133 security controls strategies

under 11 major headings (IT Governance, 2006).

According to Calder (2008), none of the frameworks and standards mentioned above is a

complete IT governance framework on its own, but while all have a useful role to play in

assisting organisations to manage and govern their IT operations more effectively, the

challenge for many organisations is to combine the strength and create integrated framework

that draws on all the above frameworks and standards.

Cascarino (2012:70) agrees with the above views by Calder. He states that “three

frameworks, namely ITIL, COBIT and ISO/IEC 38350 have become widely recognised as

‘IT governance frameworks’. While each has significant IT governance strengths, none may

be looked at as a complete IT governance solution” (Cascarino, 2012:70).

According to Cascarino (2012:70-71), “the ISO/IEC 38350 was developed in 2008 by the

Joint Technical Committee ISO/IEC JTC1, and was designed to be considered as a

CHAPTER 2 28

worldwide formal international IT governance standard and sets out a clear framework for

the board’s governance of information and communication”.

The next section details one of the sub-disciplines of IT governance, namely IT project

governance. This sub-discipline was selected for its impact on this study, and to help

examine the connection between corporate governance and IT projects.

2.3.3 IT project governance and IT project management

This section deals with the governance and management of IT projects, highlighting the

difference between the two concepts and the way in which they relate to corporate

governance. It looks at the impact of IT projects in the business world, the currently popular

topic of IT project failure and IT project standards.

In the contemporary, changing and complex information economy with technology at the

heart of most businesses, business leaders are finding themselves under increased pressure to

perform and deliver on commitments which are mostly achieved through projects (KPMG,

2005).

IT has become such a critical and strategic tool for business competitiveness, productivity

and profitability (KPMG, 2005) that many organisations are relying on IT-enabled projects

for survival. They have become catalysts that generate new income streams, greater

efficiency and business changes that affect the overall organisational performance (Weaver,

2005).

In order to understand the governance and management of IT projects, it is important to look

at the concept of a project. Amongst the many definitions of a project, the most cited is that

of the Project Management Institute which states that “a project is a temporary endeavour

undertaken to create a unique product, service, or result” (PMI, 2008a:5).

The ISO 10006 defines a project as “a unique process, consisting of a set of coordinated and

controlled activities with start and finish dates, undertaken to achieve an objective

conforming to specific requirements, including the constraints of time, cost and resources”

(Kousholt, 2007:15).

Not all endeavours can be considered as projects (Kerzner, 2009; PMI, 2008a). The

following are some of the characteristics of a project:

It must be temporary – with a definite beginning and a definite end.

CHAPTER 2 29

It must be unique – it must create unique deliverables.

It must have progressive elaboration – it must be developed in steps.

It can be large or small, involving one person or many people.

With regard to project management, the following are some definitions:

“Project management is the application of knowledge, skills, tools and techniques to

project activities to meet project requirements” (PMI, 2008a:6).

“Project management is the discipline of planning, implementing, and monitoring

project activities to meet project objectives, achieved by effectively controlling and

balancing the constraint of time, cost, and scope in producing quality deliverables that

meet or exceed the expectations of the project stakeholders” (PM4DEV, 2007:20).

“Project management is the process by which projects are defined, planned, monitored,

controlled and delivered such that the agreed benefits are realized; and, projects are

unique, transient endeavours undertaken to achieve a desired outcome. Projects bring

about change and project management is recognised as the most efficient way of

managing such change” (APM, 2006:2).

“Project management is a formalised and structured method of managing change in a

meticulous manner, focussing on developing specifically defined outputs that are to be

delivered by a certain time, to a defined quality and with a given level of resources so

that planned outcomes and benefits are achieved” (Camilleri, 2011:6).

According to PricewaterhouseCoopers (2004), successful organisations use project

management as a strategic tool to respond to an ever-changing environment and to

outperform those that do not adapt.

The process of managing projects involves the identification of requirements, the

establishment of clear and attain goals, establishment of a balance between competing

requests for quality, scope, time and cost, and, responding to different concerns and

expectations of various stakeholders by adapting the specifications, plans and approaches

(PMI, 2008a). For Miller (2008:1), the connection between IT project management and

corporate governance ensures the integrity of IT systems by providing the appropriate

controls for the management of risks, records, assets as well as compliance with laws and

regulations. Project management “helps in getting projects done correctly. However, when

CHAPTER 2 30

project management and corporate governance join forces, the result meets the evolving

needs of today’s organisations” (Miller, 2008:1).

It is appropriate at this point to discuss portfolio, programme and project offices (P3O).

According to Jenner, OGC and Kilford (2011:38), the P3O model is a “decision-enabling

and support business model for all business change within an organisation”. According to

the P3O model guidance (Jenner et al., 2011:38), a portfolio office provides the means to

perform, amongst others, the following:

The establishment of a structure for selecting the right programmes and projects for the

organisation.

Ensuring on-going alignment of programmes and projects with strategic objectives and

targets.

Allocation of the right resources to the right programmes and projects.

Monitoring of progress of programmes and projects against key objectives.

The programme and project offices are mainly concerned with coordinating the delivery of

individual change initiatives in the right way (Jenner et al., 2011:39). The main difference

between a portfolio office, and programme and project offices is that “portfolio offices are

usually permanent and integrated into the organisational governance structure, and report to

the management board, while programme and project offices are temporary structures set up

to support a specific change initiative” (Jenner et al., 2011:39).

The OGC (2008:6) defines a portfolio as “the totality of an organisation’s investment in the

changes required to achieve its strategic objectives”. And portfolio management as a

“coordinated collection of strategic processes and decisions that together enable the most

effective balance of organisational change and business as usual”.

According to the OGC (2008:6), the organisation’s strategic objectives are attained through

portfolio management by ensuring that the following four key points are observed:

Changes to business as usual are agreed upon at the appropriate management level and

contribute to at least one strategic objective.

Strategic decisions are made based on a clear understanding of cost, risk, impact on

business as usual and the strategic benefits to be realised.

CHAPTER 2 31

Resources and changes are prioritised in line with the current environment, existing

changes, resource capacity and capability.

All changes are reviewed frequently in terms of progress, cost, risk, priority, benefits and

strategic alignment.

According to Rad and Levin (2006:10), traditionally project management is “a process

whereby each project is approved and managed independently. The focus is on a single

project and the triple constraint of scope, time and cost”. They also advocate a portfolio

management environment, which has a pre-defined process for selecting projects and a

uniform process for evaluating their success (Rad & Levin, 2006:10).

Rad and Levin (2006:11) indicate the difference between ‘project management’ and ‘project

portfolio management’ as follows:

In the project portfolio management environment, “the overall performance of the

organisation is directly tied to the sophistication of the organisation in managing the entire

suite of projects. In turn, project management performance is partly tied to having best

practices in managing projects and partly tied to strategic planning in selecting those

projects”.

There are many bodies of knowledge guides and standards for project management

(Crawford, 2004:1152), generally classified in the following two categories:

2.3.3.1 Standards for managing individual projects

The most widely known project management standards in this category include:

The Project Management Body of Knowledge Guide (PMBOK), developed by the US-

based Project Management Institute (PMI). Now in its fourth edition, the PMBOK Guide

“is the standard providing guidelines for managing individual projects most of the time

across many types of industries. It describes the project management processes, tools and

techniques used to manage a project toward a successful outcome” (PMI, 2008a:3-13).

The PMBOK is made up of 42 project management processes that fall into five project

management process groups: Initiating, Planning, Executing, Controlling and

Monitoring, and Closing. These are organised into nine project management knowledge

areas: Project Integration, Scope, Time, Cost, Quality, Human Resource,

Communication, Risk and Procurement Management (PMI, 2008a:42-43).

CHAPTER 2 32

As per the PMBOK Guide (2008:6), managing a project includes the following three

main activities, namely identifying requirements, addressing the various stakeholders’

needs, concerns and expectations, and finally balancing the varying and sometimes

competing project constraints.

The Projects IN Controlled Environment (PRINCE2), developed by the United

Kingdom’s OGC. Initially developed for managing IT projects, PRINCE2 has become a

general project management methodology widely used in Europe. PRINCE2 traces the

management of projects directly from the business cases and has a strong concern for

corporate governance (Crawford, 2004:1169). Now in its second edition, PRINCE2 is a

process-driven methodology that defines 40 separate activities organised into seven

processes: starting up a project, directing it, initiating it, controlling a stage, managing a

stage boundary and closing it (IT Governance, 2006).

The Association for Project Management Body of Knowledge (APM BoK), developed

by the Association for Project Management (APM). Now in its fifth edition, APM BoK

includes some of the aspects not included in the PMBOK Guide, such as technology, and

environmental, business and design management (APM, 2006; Crawford, 2004:1156).

The APM BoK identifies 52 key areas of knowledge and experience under seven topics

considered essential for people involved in project management. These apply to all

project management situations (Crawford, 2004:1157).

2.3.3.2 Standards for enterprise project management

The following are some of the enterprise project management standards. Their purpose is to

enhance an organisation's ability to implement organisational strategy through successful,

consistent and predicable delivery of projects.

1 The Organisation Project Management Maturity Model (OPM3), developed by the PMI.

OPM3 is a standard that has as objective to “help organisations translate strategy into

successful outcomes, consistently and predictably” (PMI, 2003:ix). OPM3 seeks to

identify and organise a number of accepted project management best practices. It also

provides a means to assess an organisation’s maturity against these best practices, thus

allowing the organisation to decide how best to plan for improvements (PMI, 2003:xi).

The OPM3 has three key elements, namely knowledge, which presents and describes the

content of the standard; assessment, which presents the methods, processes and

CHAPTER 2 33

procedures for organisational maturity self-assessment; and lastly improvement, which

provides a process for an organisational change. (PMI, 2003:ix).

2 The Portfolio, Programme and Project Management Maturity Model (P3M3), developed

by the OGC. P3M3 is based on the Software Engineering Institute’s (SEI) Capability

Maturity Model (CMM). It has a five-level maturity framework, which constitutes its

structural components, namely, initial, repeatable, defined, managed and optimised

(OGC, 2006:4).

P3M3 describes the “portfolio, programme and project-related activities within each

process area that contributes to consistently achieving successful project outcomes”

(Murray & Ward, 2007:95).

3 The PRINCE2 Maturity Model (P2MM), also developed by the OGC. P2MM is derived

from the P3M3 mentioned above. It has as its main objective the definition of the

“minimum standards to be adopted by an organisation for it to be considered mature in

the application of PRINCE2” (Murray & Ward, 2007:77).

P2MM can be used in either of the following two ways, namely as a stand-alone

maturity model for the assessment of the maturity level of use of PRINC2 or in

conjunction with the P3M3 for the assessment of the maturity level project management

using PRINCE2 (OGC, 2006:4).

Compared to P3M3, P2MM only assesses the first three of the five maturity levels and

applies to project management only (OGC, 2006:4).

4 The Capacity Maturity Model Integration (CMMI), developed by the Software

Engineering Institute. CMMI “is an essential process improvement approach that

provides companies with all the basic components to achieve effective improvements in

their processes” (Batten, 2008:88).

Companies that implement CMMI best practices can achieve, amongst others, the

following: improved processes and sound organisational systems; create process-

improved objects aligned to business objectives; and conceptualise, develop, deliver and

maintain quality products and services (Batten, 2008:88).

According to Nandyal (2004:8), CMMI comes in two different approaches or

representations, namely a staged representation, which organises the process areas into

clusters of practices and advocates a methodical growth of process capability; and a

CHAPTER 2 34

ontinuous presentation in which the process areas are grouped into the following four

categories, namely project management, process management, engineering and support.

As per Nandyal (2004:16), the staged CMMI approach advocates five maturity levels as

opposed to the continuous approach, which has an incidental notion of maturity.

However, is more focussed on improving the capability levels of individual process

areas.

The following are the five maturity levels of the staged CMMI approach (Nandyal,

2004:16-31):

Performed level: This is the initial level in which only the specific goals of a

process area are fulfilled.

Managed level: At this level the generic practices are institutionalised and are

established into the process. The focus in this level is basic project management.

Defined process level: At this level the key aspects behind engineering, process

management, project management and support mechanisms are defined. The focus is

on process standardisation.

Quantitatively managed level: At this level a solid foundation of quantitative

process understanding is established. The focus is on quantitative management.

Optimisation level: This is the level of continuous improvement.

Most Standards for enterprise project management deal with maturity models. Nandyal

(2004:22) defines an organisation’s maturity model as “the extent to which an organisation

has explicitly and consistently deployed processes that are documented, managed, measured,

controlled, and continually improved”. This organisational maturity can be measured

through different appraisals (Nandyal, 2004:22).

While successful IT projects contribute to the improvement of the competitive positioning of

the organisation, failures can put an organisation at a strategic disadvantage to its

competitors (Calder, 2005).

The following section presents statistics and survey results on the topic of IT project failure

rate. The amount of money wasted on failed IT projects is alarming and still on the increase

despite the advances in software technology and project management methodologies.

CHAPTER 2 35

The Standish Group’s Chaos Report, a landmark study on IT projects failure, shows that

very little has changed since 1995, when the first Chaos Report was published. In 1994,

only 16% of IT projects were successful compared to 53% challenged and 31% impaired

IT projects. In 2009, 32% were successful, 44% challenged and 24% impaired IT

projects (The Standish Group, 2009).

Shown in Graph 2-1 shows results of the Chaos Report on the state of IT projects in the

United States of America (USA) from 1994 to 2009, as published by the Standish Group

(2009).

Graph 2-1: The Standish Group “Chaos Report” Source: Dominguez (2009). The Curious Case of the CHOAS Report 2009.

The Standish Group’s Chaos Report also revealed that at least $250 billion was spent on

IT software development projects each year in the USA (Lewis, 2001; Marchewka,

2006).

Lientz and Larssen (2006:xv) state that “the rate of failure of IT projects has changed

little in survey after survey over the past 15 to 20 years. And this situation has continued

in spite of new technology, innovative methods, tools and different management

methods”.

2009 2006 2004 2002 2000 1998 1996 1994SUCCESSFUL 32% 35% 29% 34% 28% 26% 27% 16%CHALLENGED 44% 46% 53% 51% 49% 46% 33% 53%FAILED 24% 19% 18% 15% 23% 28% 40% 31%

IT Project failures

CHAPTER 2 36

Taylor (2004:278) is surprised to note that “even though software and hardware

development techniques are constantly improving, more than half of all IT projects

overrun their schedules and budgets by at least 200% or more”.

A 2005 research survey by KPMG on 600 major listed companies around the world

found that in the 12 months before the survey, 49% of the respondent companies had at

least one failed project. Only two percent of organisations had achieved their targeted

benefits all the time, while 86% lost up to 25% of their targeted benefits across their

entire project portfolio (KPMG, 2005). The estimated cost of the failed projects was was

£8 million (PMThink, 2005).

A study by the World Information Technology and Services Alliance (WITSA), “Digital

Planet 2010”, showed that the ICT total global spending will go beyond $4.4 trillion by

2013 (WITSA, 2010).

The above statistics give an indication that there is a problem with the delivery of IT projects

that needs to be addressed but for which currently there is no solution.

Whittaker (2006) has found that amongst the many reasons IT projects fail, the lack of top

management involvement and support are often cited as the main ones. This often dooms the

project to failure before it even starts and increasingly, shareholders are becoming concerned

about IT project failure (Calder, 2005:20). This is where the governance of IT projects

comes into play.

At this stage it is important to define what constitutes the critical success factors (CSFs) for

an individual IT project and for IT project management. Melton (2007:71) states that a CSF

is “an identifiable action or activity that can be quantifiable or measurable. It is critical

because it has the potential to impact the overall success of the project”.

With regard to the purpose of CSFs, Remenyi (2008:316) states that “project critical success

factors are aimed at providing project managers with factors that they need to concentrate

their efforts on in order to achieve success”.

According to Cooke-Davies (2002:185), CSFs are “those inputs to the management system

that lead directly or indirectly to the success of the project”. He adds that for an individual

IT project, success is measured against the overall project objectives; while project

management success is measured against the widespread and traditional measures of

performance against cost, time and quality.

CHAPTER 2 37

Heldman (2011:92) on his part defines CSFs as “those requirements or project deliverables

that absolutely must be completed and must be completed correctly to consider the project a

success”. However, he cautions that although a project’s critical success factors include

project deliverables, all deliverables are not CSFs.

Heldman (2011) advises that it is important for all project stakeholders to reach consensus

about deliverables and requirements that are considered critical to the project’s success.

Heldman (2011:92) also suggests the following five points as critical success factors for all

projects:

Common understanding of and consensus with regard to the project goals by all key

project stakeholders – If not reached, the project will not deliver the expected results.

A well-defined scope statement – A poorly defined project scope can lead to a

misdirection of the project team.

The involvement and buy-in from all project stakeholders through signing off of all

project documents.

A well-defined project plan that includes all the main project documents such as the

project schedule, risk management plan, budget schedule and cost baseline,

communication plan as well as change control procedures.

The use of well-established practices in project management.

In the 2010 Chaos Summary Report (Wysocki, 2011), the Standish Group highlighted the

three major reasons why projects succeed, namely user involvement, executive management

support and clear statement of requirements.

Compared with 2001, the Chaos Report’s analysis of the CSFs, executive management

support, user involvement and experienced project managers respectively occupied the top

three positions.

Table 2-2 shows the top ten reasons that cause projects to be challenged, as highlighted in

the Chaos 2010 Summary Report by the Standish Group (Wysocki, 2011:21).

CHAPTER 2 38

Table 2-2: Top ten reasons that cause projects to be challenged

No. Reason

1 Lack of users input

2 Incomplete requirements and specifications

3 Changing requirements and specifications

4 Lack of executive support

5 Technology incompetence

6 Lack of resources

7 Unrealistic expectations

8 Unclear objectives

9 Unrealistic time frame

10 New technology

Source: Wysocki (2011). Executive's Guide to Project Management

Table 2-3 below presents a recent study on the critical success factors by Nazir and

Shahibuddin (2011). It was conducted by means of a review of 43 worldwide published

articles from 1990 to 2010. The question was “What constitutes the critical success factors

for IT projects?”

It shows the ten top critical success factors amongst the 26 identified, with the frequency

each factor scored as a number of times the factor was counted in the literature.

Table 2-3: critical success factors for IT projects.

No. Critical success factors Frequency of citation count

1 Clear requirements and specifications 26

2 Clear objectives and goals 24

3 Realistic schedule 23

4 Effective project management skills/ methodologies (project manager)

23

5 Support from top management 22

CHAPTER 2 39

6 User/client involvement 20

7 Effective communication and feedback 20

8 Realistic budget 19

9 Skilled and sufficient staff 18

10 Frozen requirement 17

Source: Nazir & Shahibuddin (2011). Critical Success Factors for software projects. Comparing Table 2-2 and Table 2-3, some similarities can be noticed as to the factors not

taken into account, causing projects to be either challenged or successful.

While project management is the key discipline that drives and manages projects, project

governance provides a broader oversight, and more control, responsibility and

accountability. It is better suited to ensuring that project and business values are aligned, that

risk and resource management are achieved, that costs are controlled and that best practices

and standards are applied to every IT project (Calder, 2005).

The Association for Project Management (2006:98) defines the governance of project

management (GoPM) as “those areas of corporate governance that are specifically related to

project activities. Effective governance of project management ensures that an

organisation’s project portfolio is aligned to the organisation’s objectives, is delivered

efficiently and is sustainable”.

As per the APM (2006:98), GoPM is a sub-set of the overall activities involved in the

organisation’s corporate governance framework.

Figure 2-5 illustrates how GoPM is positioned within an organisation as a component of

both corporate governance and project management.

CHAPTER 2 40

Figure 2-5: Governance of project management.

Source: APM (2007). Directing Change – A guide to governance of Project Management.

As with corporate governance principles, IT project governance is crucial for effective

utilisation of strategic resources towards business goals and objectives (McKusker & Crair,

2006). It provides a framework for project risk assessment and management by applying

necessary considerations to risk management, verification and validation of existing

processes, quality assurance and measurable business value of project deliveries (McKusker

& Crair, 2006). IT decisions expose organisations to many risks, For example, financial,

operational or competitive (Calder, 2005; KPMG, 2005). Calder (2005:18) states that, “risk

assessment is a cornerstone of today’s corporate governance, and risk management is the

responsibility of the organisation’s board of directors”. As such, project governance is also a

board’s responsibility (APM, 2006:99).

Calder (2005:17) highlights the two key strategic IT risks as interruption to business

processes and customer services as well as overspending on IT, thus causing a cost-

disadvantage for the organisation. The relationship between IT project governance and

corporate governance is defined by the Information Systems Audit and Control Association

(ISACA) as “the set of responsibilities and practices exercised by the board and executive

management with the goal to providing strategic direction, ensuring that objectives are

achieved, ascertaining that risks are managed appropriately and verifying that the

corporation’s resources are used responsibly” (Miller, 2008:1).

CHAPTER 2 41

The APM (2007:9) lists the four core components of GoPM:

Portfolio direction

Project sponsorship

Project management

Disclosure and reporting.

The APM (2007:9) also identifies 13 basic principles for the governance of project

management based on both governance requirements and the discipline of project

management. Table 2-4 presents the thirteen GoPM principles.

Table 2-4: Governance of IT project management principles.

No. Governance of project management principles

1 The board has overall responsibility for governance of project management. 2 The organisation differentiates between projects and non project-based

activities. 3 Roles and responsibilities for the governance of project management are

defined clearly. 4 Disciplined governance arrangements, supported by appropriate methods,

resources and controls are applied throughout the project life cycle. Every project has a sponsor.

5 There is a demonstrably coherent and supporting relationship between the overall business strategy and the project portfolio.

6 All projects have an approved plan containing authorisation points at which the business case, inclusive of cost, benefits and risk is reviewed. Decisions made at authorisation points are recorded and communicated.

7 Members of delegated authorisation bodies have sufficient representation, competence, authority and resources to enable them to make appropriate decisions.

8 Project business cases are supported by relevant and realistic information that provides a reliable basis for making authorisation decisions.

9 The board or its delegated agents decide when independent scrutiny of projects or project management systems is required and implement such assurance accordingly.

10 There are clearly defined criteria for reporting project status and for the escalation of risks and issues to the levels required by the organisation.

11 The organisation fosters a culture of improvement and of frank internal disclosure of project management information.

12 Project stakeholders are engaged at a level that is commensurate with their importance to the organisation and in a manner that fosters trust.

13 Projects are closed when they are no longer justified as part of the organisation’s portfolio.

Source: APM (2007). Directing Change – A guide to governance of Project Management.

CHAPTER 2 42

According to the APM (2007:10), the above principles help prevent the following common

causes of programme and project failure when they are applied:

Lack of a clear connection with key strategic priorities

Lack of clear senior management ownership and leadership

Lack of effective engagement with stakeholders

Lack of skills and proven approach to project and risk management

Lack of understanding of or contact with supply industry at senior level

Evaluation of proposals driven by initial price rather than long-term value for money

Too little attention to breaking down development and implementation into manageable

steps.

The next section looks at the internal audit as another sub-set of corporate governance.

2.3.4 Internal audit

This section deals with auditing in general and internal audit in particular, namely its

definition, objectives, types and standards.

The internal audit function is considered by experts as one of the most important sub-sets of

corporate governance (Thornton, 2009). In organisations in which the internal audit function

is absent, the board must consider how the effectiveness of internal processes and systems

will be verified (Thornton, 2009).

The King III Report on corporate governance considers the existence of an internal audit

function in an organisation as essential. Where the board and executive of an organisation

decide not to have it, full reasons must be provided in the organisation’s annual report

(Institute of Directors, 2009).

The Institute of Internal Auditors (IIA) (2001:1) defines the internal audit as “an

independent, objective assurance and consulting activity designed to add value and improve

an organisation’s operations. It helps an organisation accomplish its objectives by bringing a

systematic, disciplined approach to evaluate and improve the effectiveness of risk

management, control, and governance processes”.

By its nature audit is a reactive process. However, new trends in internal auditing suggest a

move toward pre-event, a more proactive and risk-based approach (IIA, 2001).

CHAPTER 2 43

The audit function, as it is known today, has gone through many changes. It has greatly

evolved in response to the increased public expectations of accountability, the complexities

in the global economy and technological advances (Kumar & Sharma, 2005). Its relevance

has been proven through its historical role, and its value for providing checks and balances

as well as an independent opinion on the fairness, correctness and accuracy of evaluated

accounts (Kumar & Sharma, 2005).

Puttick and Esch (2007:79-84) state that experts from various professional backgrounds,

such as attorneys, criminal investigators, IT specialists and environmentalists have been

applying auditing principles to many fields other than financial.

According to Kumar and Sharma (2005:95), “the main and most important objective of

internal audit is early detection of errors and fraud”.

At this point it is important to highlight that there are different types of audit activities and

also different types of auditors. According to (Puttick & Esch, 2007:78) the three main

categories of auditors are:

External auditors, sometimes referred to as ‘independent auditors’. They are either

individual practitioners or public accounting firms who render professional auditing

services to clients.

Internal auditors are employees of an organisation, appointed to assess and evaluate its

system of internal control and provide other types of audit activities.

Government auditors are government employees who undertake different types of public

sector audits and report to the Auditor General.

The term “internal audit” is sometimes used to refer to any of the abovementioned types of

audit activities when performed by internal auditors (Puttick & Esch, 2007:80).

Sometimes organisations perform the following types of audits:

First-Party audit – conducted by internal auditors

Second-Party audit – carried out by customers or any external party with an interest in

the organisation

Third-Party audit – conducted by external independent auditors.

The difference between external and internal auditors lies mainly in the objectives and focus

of their activities.

CHAPTER 2 44

Basu (2006) highlighted some of the differences between these two types:

External auditors work retrospectively– they look at things that have happened in the

past, in the last year, while internal auditors look mainly at the current and future

situations.

With regard to financial statements, external auditors strive to obtain sufficient evidence

that will support their opinion on the fairness and correctness of financial statements.

Due to the potential for conflict of interest, internal auditors do not perform financial

statement audits but rather are more concerned with the evaluation of procedures

followed in the preparation and presentation of reliable financial information.

Both external and internal auditors use generally accepted auditing standards (GAAS) to

perform any audit activity, but they must have a good understanding of GAAP to

perform a financial statement audit.

In the fulfilment of their duties, auditors must adhere to auditing standards, principles and

code of ethics defined by different standard-setting organisations and bodies to which they

belong.

The two most recognised auditing standards are:

The ten generally accepted auditing standards by the AICPA, which include general,

field work and reporting standards.

The international standards for the professional practice of internal auditing by the IIA,

which include the attribute, performance and implementation standards.

Table 2-5 lists some of the main features of the code of ethics for auditors as defined by the

AICPA, ISO and IIA (IIA, 2001).

Table 2-5: Main code of ethics for auditors.

AICPA Principles

ISO 19011 principles

IIA principles

1 Responsibility Ethical conduct Integrity 2 Public interest Fair presentation Objectivity 3 Integrity Due professional care Confidentiality 4 Objectivity and independence Independence Competence 5 Due care Evidence-based approach 6 Nature of services

Source: IIA (2001). International Standards for the Professional Practice of Internal Auditors

CHAPTER 2 45

The next section looks at the connection between internal audit and IT project governance.

2.3.4.1 IT project audit

This section defines the IT project audit, outlines its main objectives and benefits, and

discusses the impact internal audits can have on the governance of IT projects in the delivery

of successful ones.

Billions of rands, pounds and dollars are wasted worldwide every year on failed IT projects

(see section 1.2). As noted by Sessions (2009), over $500 billion per month and $6.2 trillion

annually are lost on IT failures with the problem worsening. It is of constant concern to

executives and board members.

Faced with such a situation, an increasing number of organisations are looking for ways to

save money and time while getting a return on their investments through the successful

delivery of IT projects. Helgeson (2010:8) writes: “Auditing is part of the quality strategy

plan of an organisation”.

A project audit, sometimes called ‘project health check’, is the process that provides an

opportunity to uncover issues, concerns and challenges encountered in the execution of a

project. It also helps to isolate those factors that lead to success and prevent those that lead

to failure (Stanleigh, 2009).

A project audit or project quality audit is a project quality management tool. It is defined by

the PMI (2008a:204) as “a structured, independent review to determine whether project

activities comply with organisational and project policies, processes and procedures. It has

as main objective to identify inefficient and ineffective policies, processes and procedures in

use on the project”.

For the PMI (2008a), project quality management addresses both the management of the

project as well as the product of the project. Failure to meet this or the project quality

requirements often has serious negative consequences for all concerned stakeholders.

PMI defines quality as “the degree to which a set of inherent characteristics fulfil

requirements”, and the relationship between quality management and project management is

such that “modern quality management complements project” (PMI, 2008a:190). This is

achieved because both disciplines recognise the importance of the following four

deliverables:

CHAPTER 2 46

Customer satisfaction: This aspect requires that the project produces what it was

created to produce and that it is fit for use.

Prevention over inspection: Quality management requires that quality be planned,

designed and built in, which is different from being inspected. The cost of prevention is

less than the cost of corrections when discovered by inspection.

Continuous improvement: This highlights the ‘Plan-Do-Check-Act’ cycle as the basic

quality improvement rule.

Management responsibility: The responsibility of management to provide the project

team with the necessary resources for the project to succeed.

According to Helgeson (2010), quality requires that processes, which are the steps followed

in order to perform a task, be in place. Quality is the point of the audit, and auditing reviews

the quality of the system. By raising the quality standard, the project product is improved. A

project quality audit can be performed at any time in the life cycle, but is often carried out

when there are sufficient project deliverables for review. It is undertaken to measure and

report the actual quality of deliverables.

In order to keep IT project costs under control and save time, early detection of problems is

essential. Late detection of serious problems can result in the whole project being cancelled,

as in the case of failed or impaired projects (see Graph 2-1 above).

By participating in the IT project management life cycle, internal auditors are able to help

find and improve the quality and effectiveness of IT projects delivered (Gumz, 2006). They

can make recommendations that can help improve key areas of the IT project management

life cycle, such as user requirements, project planning, resource management, project

monitoring, and risk management. Along with the globally accepted best practices and

standards for effectively managing IT projects, internal auditors can use key project

management processes to address most of the problems encountered in the IT project life

cycle.

Stanleigh (2009) highlights the following three phases in the process of a successful IT

project audit that can be undertaken at any time in the life cycle of an IT project:

Background research: This phase involves the definition of success criteria,

questionnaires and audit interview development.

CHAPTER 2 47

In-Depth research: This phase involves conducting an intensive review of all aspects

and key project management areas, including interviews with all stakeholders, e.g.,

executives, project sponsors and project team members to identify problems and

opportunities for improvement.

Report development: This phase involves reporting on information gathered during the

IT project audit process, highlighting major issues, concerns, challenges and

opportunities for improvement.

Davis et al. (2011) define the following as the six stages of an audit, namely:

Planning: This is a stage in which the audit objectives and scope are determined. A

series of steps to be executed in the process of achieving the objectives must be

developed here.

Fieldwork and documentation: The stage in which the audit plan is executed.

Issues discovery and validation: At this stage a list of issues and potential concerns

encountered during fieldwork is established.

Solution development: At this stage an action plan to deal with issues and concerns is

established.

Report drafting and issuance: At this stage an audit report is drafted with proposed

solutions to address the issues and concerns.

Issue tracking: At this stage a trace and follow-up process is conducted to ascertain

whether issues and concerns have been resolved.

The IT project audit is a highly beneficial process for the organisation in that it provides the

following outcomes (Gumz, 2006):

Development of projects “Lessons Learned” for the organisation

Development of projects “Successful Criteria” for future projects

Development of strategies for successfully managing IT projects

Development of a contingency plan for risk management

Development of change management “Successful Criteria”.

CHAPTER 2 48

Figure 2-6 presents Helgeson’s (2010:15) detailed general audit process.

Figure 2-6: General audit process

Source: Helgeson (2010). The Software Audit Guide. Helgeson (2010) explains the general audit process highlighted in Figure 2-6 as follows:

Purpose & scope: This is the phase in which the audit objectives and scope are

determined.

Contact & document requests: This is the phase where all available project

documents are collected.

Review documents: This is the phase in which the review of collected documents

takes place.

Announcement: This is the phase in which the auditors give the project notice of the

coming audit.

Writing the checklists: In this phase the roadmap of the audit process is prepared.

Opening meeting: At this meeting, the lead auditor informs the project team about

the audit objectives and the estimated completion times.

The audit: This is the phase where the audit takes place. The auditors need to know

what to look for and what questions to ask.

Review documents

Contact & document

request

Announcement

Purpose & scope

Do the audit

Opening meeting

Closing meeting

Write checklists

Review corrective

actions

Present the report

Confirm corrective

actions

Write the report

CHAPTER 2 49

Closing meeting: This is the phase in which the auditors report the audit findings

and observations.

Writing the report: This is the phase in which the audit report document with

findings and observations is written.

Present the report: This is the phase in which the audit report document is

presented to the client.

Review corrective actions: This is the phase in which the auditors receive feedback

from the client on the audit report findings and observation.

Confirm corrective actions: This is a follow-up phase in which the auditors

confirm that the corrective actions have been implemented or the reasons why

corrective actions were not implemented.

This section has given an overview of an IT project audit by defining it, highlighting its

relationship with project management, the different phases of a project audit and the

processes followed for project audit.

2.4 SUMMARY

This chapter commenced with an overview of governance and how it has become a

“standard” to strive for in many organisations. It provided different definitions, types and

characteristics for efficient governance and looked at corporate governance, defining it and

highlighting its common principles. An analysis was made of each of the corporate

governance sub-sets as well as the relationships between corporate governance and the

governance of IT projects. This showed how executive management’s involvement in the

project activities can help improve the possibility of managing successful IT projects. The

chapter also highlighted the importance of the implementation of a system of internal

control, the importance of IT governance, and how internal auditing can assist IT project

management by preventing the waste of money, time and resources through IT project audit

and quality assessment in the delivery of successful IT projects.

This chapter also helped collect the necessary information that may assist in the process of

providing insight into the three main research questions posed.

The next chapter deals with the research design processes.

CHAPTER 3 50

CHAPTER 3

RESEARCH DESIGN

3.1 INTRODUCTION

In every profession there is a set of tools that helps improve techniques and assures a

quality product. The same can be said for research where the knowledge and the

understanding of the procedures involved are the most important tools. According to

Henrischsen and Smith (1997:1), “research is an organised and systematic way of finding

answers to questions, because in conducting research there is a structure, a method and a

definite set of planned procedures to be followed in order to find answers to questions”.

Trochim (2006:1) writes that “research design provides the glue that holds the research

project together, by structuring and showing how all of the major components work

together to address the central research questions”. Similarly, Flick (2009:128) states that

“research design addresses the questions of how to plan a study in order to answer the

research questions; it is defined as a plan for collecting and analysing evidence that will

make it possible for the investigator to answer whatever questions he/she has posed”. It is

a plan within which the how, when, where, who and why of data collection and analysis

are considered (Offredy & Vickers, 2010).

With regard to this research study, the main objective is the use of a holistic approach to IT

project management auditing by including corporate governance principles beyond the

traditional principles and processes for auditing IT projects. In the process of attaining the

above-mentioned goal, chapter 1 highlighted the background and the different objectives

to be achieved, and chapter 2 reviewed some of the previously published literature in

different areas of interest to this research study.

This chapter highlights the roadmap and the different steps followed in the research design

process. It looks at the research questions, the appropriate strategies and approaches to be

used, the methods, techniques and instruments to be used in the processes of data

collection, analysis and interpretation.

CHAPTER 3 51

3.2 RESEARCH QUESTIONS

Boeije (2009:24) states that “the research question is the central question which the

researcher wants to answer by doing the research project”.

As highlighted in chapter 1, the high failure rate of IT projects is a problem that needs to

be addressed. The failure of project governance was identified as the main reason for IT

project failures (Tarantino, 2008:162). Corporate governance has emerged as a recognised

worldwide best practice with auditing as one of its main sub-sets. Auditing adds value by

evaluating and improving the effectiveness of the organisation’s operations, processes and

procedures in order to accomplish its strategic objectives (IIA, 2001).

The following are the research questions this research study is going to work on providing

insight into:



2 Can the use of corporate governance principles improve the overall IT project

management process?

3 Can corporate governance principles be used to measure a project’s success?

Insight into these questions will help ascertain and evaluate whether the use of corporate

governance principles in auditing IT projects is the answer to the problem of the high

failure rate of IT projects.

The next section looks at the research approach used.

3.3 RESEARCH APPROACH

This section looks at different research approaches and identifies the most appropriate one

for this research study. The identification and understanding of the research approach to be

considered for a given research study are important because the choices strongly influence

the questions asked as well as the methods and statistical analysis to be used (Trochim,

2006).

Traditionally there have been two main research approaches, namely quantitative and

qualitative (Creswell, 2003; Punch, 2005).

CHAPTER 3 52

For Gravetter and Forzano (2011:158), the “quantitative research approach is based on

measuring variables for individual participants to obtain scores, usually numerical values

submitted to statistical analysis for interpretation. And, qualitative research approach is

based on making observation that are summarised and interpreted in a narrative report”.

Newman and Benz (1998) argue that both quantitative and qualitative research approaches

have philosophical roots in the naturalistic and the positivistic philosophies; therefore, the

debate about their differences is often based on assumptions with regard to the definition

of reality and whether or not it can be measured.

Table 3-1 below presents different beliefs and assumptions of these two philosophical

currents (Lincoln & Guba, 1985).

Table 3-1: Positivist and naturalist beliefs and assumptions.

Beliefs About Positivist Approach (Quantitative)

Naturalist Approach (Qualitative)

The nature of reality Reality is single, tangible and can be fragmented

Realities are multiple, constructed and holistic

The relationship of knower to the known

Knower and known are independent, a dualism

Knower and known are interactive, inseparable

The possibility of generalisation

Time and context-free generalisations are possible

Only time and context-bound working hypotheses are possible

The possibility of causal linkages

There are real causes, temporally precedent to or simultaneous with their effects

All entities are in a state of mutual simultaneous shaping so that it is impossible to distinguish causes from effects

The role of values Inquiry is value-free Inquiry is value-bound

Source: Lincoln & Guba (1985). Naturalistic Inquiry. According to Dawson (2002:15), the quantitative research approach generates statistics

through the use of large-scale surveys using questionnaires or structured interviews with

the advantage of reaching many people much quicker. On the other hand, the qualitative

research approach explores people’s attitudes, behaviour and experiences through the use

of methods, such as interviews and focus groups; thus, fewer people take part in it.

CHAPTER 3 53

For Mack, Woodsong and MacQueen (2005), the most important difference between

quantitative and qualitative research methods is the flexibility of the latter. With a research

method such as an interview the researcher can ask open-ended questions and is allowed

greater spontaneity and adaptation of the interaction with participants who are also free to

respond in their own words rather than simply “yes” or “no”.

Table 3-2 presents a comparative summary of most of the above-mentioned characteristics

of quantitative and qualitative research approaches (Mack et al., 2005).

Table 3-2: Summary of characteristics of quantitative and qualitative research approaches.

Quantitative Approach Qualitative Approach

General framework

Seeks to confirm hypotheses about phenomena

Seeks to explore phenomena

Analytical objectives

Used to quantify variation, to predict casual relationships and to describe characteristics of a population

Used to describe variation, to describe and explain relationships, individual experiences and group norms

Research methods

Uses highly structured methods such as questionnaires, surveys and structured observations

Uses semi-structured methods such as in-depth (also called semi-structured) interviews, focus groups, and participant observation

Questions format

Uses closed-ended questions Uses open-ended questions

Data format Uses numerical data obtained by assigning numerical values to responses

Uses textual data obtained from audiotapes, videotapes and field notes

Flexibility in study design

Stable study design from beginning to end

Participant responses do not influence or determine how and which questions the researcher will ask next

Study design is subject to statistical assumptions and conditions

Participant responses affect how and which questions the researcher will ask next

Study design is flexible and iterative, which means data collection and research questions are adjusted according to what is learned

Source: Mack, Woodsong & MacQueen (2005). Qualitative Research Methods.

CHAPTER 3 54

When comparing Table 3-1 to Table 3-2, it can be said that the difference between these

two main research approaches is deeply philosophical, based on how reality is viewed and

whether it can be measured. The data to be collected, whether textual or numerical, will

determine the appropriate research approach to be used.

Dawson (2002:16) believes that neither a quantitative nor a qualitative research approach

is better than the other. He argues that both of these main research approaches has its

strengths and weaknesses, and that many researchers believe that the mixed method

approach is the most appropriate because it counteracts the weaknesses of the other two.

Creswell (2003) defines the three research approaches as follows:

A quantitative research approach is “one in which the researcher tends to use

philosophical assumptions based primarily on post-positivist claims for developing

knowledge, and uses strategies of enquiry such as experiments and surveys, and

collects data on predetermined instruments that yield statistical data using closed-

ended questions” (Creswell, 2003:18).

A qualitative research approach is “one in which the researcher tends to use

philosophical assumptions based primarily on constructivist or participatory

knowledge claims, and uses strategies of inquiry such as narratives, phenomenology,

ethnographies, grounded theory studies or case studies. Data are collected using open-

ended questions with the intention of developing themes from data” (Creswell,

2003:18).

A mixed methods research approach is “one in which the researcher tends to base

knowledge claims on pragmatic grounds, using strategies of enquiry that involve

collecting data either simultaneously or consequentially using both open-and-closed

ended questions to best understand research problems” (Creswell, 2003:18).

The difference between the quantitative and qualitative research approaches is not only in

the characteristics of the required data, but also in the techniques used for collecting and

analysing it (Creswell, 2003; Walliman, 2005).

Creswell (2003:22-23) also highlights the following cases in which it is appropriate to use

either the quantitative, qualitative or mixed research methods approaches:

A quantitative research approach is best suited for cases where there is a need to test a

theory or an explanation as well as the need to identify factors that influence an

CHAPTER 3 55

outcome, the utility of an intervention or an understanding of the best predictors of

outcomes.

A qualitative research approach is best suited for cases where a concept or a

phenomenon needs to be understood well because it has never been addressed before.

A mixed methods research approach is best suited when there is a need to combine

elements of both the quantitative and qualitative approaches.

As per Creswell (2003:21), the following are the main factors that influence determining

which approach to use for a particular research study:

The research problem

The researcher’s personal experiences

The audience for whom the report is written.

Trochim (2006) highlights some of the elements that lead to choosing a qualitative

research approach:

A research topic that needs to be explored

A need to present a detailed answer to a problem

A need to study individuals in their natural environment

The research problem

The audience.

For the reasons outlined above, the nature of this research study dictates the use of a

qualitative research approach as the most appropriate, as opposed to a quantitative

approach. The reasons are as follows:

This research topic needs to be explored with regard to people’s attitudes, behaviour

and experiences.

There is a need for detailed insight into the problem with participants describing and

explaining their experiences.

This study requires contact with individuals in their natural environment, in this case,

their place of work.

There is a need to interpret reality with the aim of explaining the experiences.

CHAPTER 3 56

This research study does not require numerical or statistical data.

It is necessary to highlight the different research methods that may be employed in the

qualitative research approach.

3.4 QUALITATIVE RESEARCH METHODS

This section looks at the research methods applicable to a qualitative research approach.

According to Dawson (2002:22), “research methods are the tools you use to gather the

data”. Trochim (2006) lists the following as some of the assumptions underlying the

choice of the qualitative method:

Multiple realities exist in any given situation, every one of which is included in the

study.

The researcher interacts with those he/she studies.

The research is based on inductive forms of logic.

The goal is to uncover and discover patterns or theories that help explain a

phenomenon of interest.

According to Marshall and Rossman (2010), the following are the four core methods relied

upon by qualitative researchers for the purpose of collecting data:

Participating in the setting: This allows for firsthand involvement by the researcher,

by being a participant and an observer at the same time.

Observing directly: This allows for noting and recording of events, behaviour and

artifacts in the social setting.

Interviewing in depth: This yields a large quantity of data quickly. However, it is

dependent on a relationship of trust to encourage the participants to open up.

Analysing documents: This uses content analysis as the analytic approach.

Following are descriptions of some of the main qualitative research methods to be

considered for use in this research study (Creswell, 2003; Dawson, 2002; Olivier, 2009;

Trochim, 2006):

Case study: This is a research method characterised by the exploration of a single

entity or phenomenon bound by time and activity. The researcher collects detailed

CHAPTER 3 57

information through a variety of data collection procedures over a sustained period of

time. This method uses techniques such as structured or unstructured interviews and

direct observation, and the data collected can be classified as either qualitative or

quantitative (Olivier, 2009).

Ethnographic studies: In this research method the researcher studies the intact

cultural group in a natural setting over a specific period of time (Creswell, 2003).

Dawson (2002) believes it to be best used where there is a need for describing and

interpreting cultural behaviour.

Phenomenological studies: This research method examines human experiences

through the detailed description of the people being studied with the objective of

understanding their lived experiences.

Action research: This is an interactive research method in which the researcher

determines the current situation of interest and then makes an intervention in close

collaboration with a group of people to improve a situation in a particular setting.

According to Dawson (2002), this method is best used in areas such as organisational

management, community development, education and agriculture.

Focus group: In this research method the researcher plays the role of a facilitator or

moderator, and keeps a small and homogeneous group of people focused on the

discussion of the research topic (Olivier, 2009). One of the advantages is that it permits

the exploration of ideas as well as gathering in-depth information and people’s views

on an issue. This research method is also referred to as ‘discussion group’ or ‘group

interview’ (Dawson, 2002). According to PMI (2008b:108), focus groups “are used in

requirement analysis to assemble a group of people and ask questions about their

attitudes to the product, service and concepts”.

Grounded theory: In this research method the emphasis is placed on the generation of

theory, which is grounded in data (Dawson, 2002). The researcher observes the field of

interest first and then allows the theory to emerge from what is observed (Olivier,

2009).

Observation: There are two main types of observation research methods (Dawson,

2002:32), namely:

CHAPTER 3 58

a) Direct observation: This method tends to be used in fields such as health and

psychology. It involves the observation of a “subject” in certain situations.

b) Participant observation: In this method the researcher is much more involved in the

lives of the people being observed.

Interviews: There are several types of interviews of which the three most used are:

a) Unstructured interviews: In these interviews the researcher attempts to achieve a

holistic understanding of the interviewee’s point of view or situation. These are

called unstructured because the participants can freely express themselves with

little directional influence from the researcher (Dawson, 2002). A weakness of this

form of interview is that it can produce a great deal of data which is then difficult

to analyse (Dawson, 2002).

b) Semi-structured interviews: In these interviews the researcher produces and follows

an interview list of questions on the topic of interest, while maintaining a certain

level of flexibility. Semi-structured interviews are sometimes called ‘conversation

with purpose’ (Offredy & Vickers, 2010).

c) Structured interviews: These are interviews used for market research and mostly in

quantitative research. The researcher asks a series of questions and ticks boxes

according to the participants’ responses (Dawson, 2002).

From the different qualitative research methods, semi-structured face-to-face interviews is

the most appropriate research method to be used for this study, as each participant will be

asked a list of specifically prepared questions designed to elicit his/her views and

experiences. The choice of the interview method has been determined by a wish to focus

on the group, whilst seeking the views and experiences of each participant.

According to Robinson (2006), people are likely to say more than they write and more

questions are likely to be answered. Face-to-face interviews also provide immediate

opportunity for probing and clarifying answers.

It is also important to mentioned telephone interviews as one of the semi-structured

interview methods. For Biemer and Lyberg (2003:188) face-to-face interviews and

telephone interviews are referred to as “interviewer-administered modes”. The difference

between these two methods of data collection is that with face-to-face interviews, the

CHAPTER 3 59

interviewer and the respondents are physically present during the interview, whereas with

telephone interviews, the interview is conducted by an interviewer over the telephone.

As per Biemer and Lyberg (2003:194), some of the advantages and disadvantages of face-

to-face and telephone interview methods include the following:

Face-to-face interviews provide for a maximum level of communication and

interaction between the interviewer and respondents, which is not the case with

telephone interviews.

Face-to-face interviews are considered more flexible then telephone interviews in that

many things that are possible with face-to-face interviews are not possible with


The number of “don’t know” and “no” answer responses tend to be larger over the

telephone then in face-to-face interviews.

The social desirability bias is smaller in telephone interviews than in face-to-face

interviews.

Face-to-face interviews are often associated with the collection of good data quality

(Biemer & Lyberg, 2003:189). The response rate is also higher than with telephone

interviews.

Face-to-face interviews tend to be costly in terms of time and money compared with


As can be seen from the above list of advantages and disadvantages of both face-to-face

and telephone interview methods, it is appropriate to use the face-to-face interview method

for this research study as its method for collecting data.

The next section presents the strategies to be used in the process of data collection using

semi-structured face-to-face interviews.

3.5 RESEARCH DATA COLLECTION PROCESS

This section looks at the data collection process. It includes the sampling strategies, the

instruments for data collection, ethical considerations, the interview process and the

process of data analysis.

CHAPTER 3 60

Offredy and Vickers (2010) regard the researcher as the major qualitative research tool for

data collection. His or her ability to communicate with participants before, during and after

data collection is critical in obtaining reliable data.

The researcher observes, reacts, interacts, attaches meanings and records everything taking

place during the data collection process.

3.5.1 Sampling

Gravetter and Forzano (2011:143) define sampling as “a process of selecting individuals to

participate in a research study” while for Boeije (2009:35) a sample “consists of elements

selected from a defined research population that will be examined”. Samples in qualitative

research are flexible and the subjective experiences of the sample chosen are of great

importance to the study (Macnee & McCabe, 2008).

Following are some of the sampling techniques used in qualitative research (Mack et al.,

2005; Macnee & McCabe, 2008):

Convenience sampling: It includes members of the population who can be readily

found.

Snowball, also known as chain referral sampling: The researcher finds samples

through referrals by other participants.

Purposive sampling: Participants are intentionally and purposefully selected for

characteristics related to the purpose of the research study.

For the purpose of this study, the most appropriate sampling method to be used is

purposive sampling, as it seeks to find those participants who have experience in project

management and understanding of the IT audit process. Boeije (2009:35) also states that

“in qualitative research the sample is intentionally selected according to the needs of the

study, commonly referred to as purposive sampling or purposeful selection”. Mack et al.

(2005) acknowledge purposive sampling as one of the most commonly employed method

with participants selected according to pre-selected criteria relevant to a particular research

question. The sample size is also dependent on resources, time available and the study

objectives. In a case in which the sample size is fixed, purposive sampling becomes ‘quota

sampling’ (Mack et al., 2005).

CHAPTER 3 61

3.5.2 Instruments for data collection

This section responds to the question of how data will be collected, and what instruments

and procedures will be used. Taking into consideration that this study takes a qualitative

research approach, the collected data will be in the form of words, mainly elicited from

face-to-face-interviews and observations.

The primary instrument for data collection and analysis is therefore the researcher, for the

reasons mentioned in Section 3.5 (Punch, 2006). Other data collection instruments

mentioned by Punch (2006) are questionnaires for a qualitative survey with open-ended

questions and the researcher’s own specific instruments. In addition to the researcher, a

voice recording device will be used as data collection instrument.

3.5.3 Ethical consideration

Consideration has to be given to the moral accuracy of the research activity. With regard to

field work, Boeije (2009:44) states that a basic concept in qualitative research is trust from

participants. Consent is needed to ensure that participants offer their free and non-coerced

willingness to participate in the research. Assurance must be given to the research

participants through informed consent that their identities will not be disclosed because:

“being clear and specific in the ethical behaviour can increase the quality of the data”

(Boeije, 2009:50-54).

Doyle (1999) lists the following three important ethical principles that need to be

observed:

Participants have to be informed that their participation is voluntary. If they choose,

they can omit answering any particular question.

Adequate measures must be taken to protect the confidentiality of respondents.

Although overall interview results may be presented publicly, individuals should never

be publicly identified or associated with their responses.

Any promises made to the interviewees must be kept.

With regard to this research study, participants have been informed of the voluntary aspect

of their participation in the study. They have also been informed that there would be no

mention of any individuals or their specific responses in the final thesis. Collected data

will be transcribed and double-checked with the participants for completeness.

CHAPTER 3 62

Any promises made to participants shall be kept. A copy of the final report of the thesis

shall be sent to them.

3.5.4 Interview process

The tools to be used for collecting data in this study are semi-structured face-to-face

interviews as an open-ended, discovery-oriented method that has as its objective deeply

exploring the participants’ views, feelings and perspectives, as described by Guion (2008).

This type of interview involves more than just asking questions but also includes

systematic recording and documenting of responses coupled with intense probing for

deeper meaning and understanding of the responses. For the purpose of this research study,

whenever the term ‘semi-structured interviews’ is used, it refers to ‘semi-structured face-

to-face interviews’.

Some of the key characteristics of semi-structured qualitative research interviews include

the following (Guion, 2008):

Open-ended questions: These should not yield a ‘yes’ or ‘no’ answer.

Semi-structured format: they must have some pre-planned questions to ask.

However, the flow of the conversation dictates the questions asked and those omitted

as well as the question order.

Seek understanding and interpretation: One must try to interpret responses and seek

to clarify understanding.

Conversational interview: The interview should be conversational and have smooth

topic transitions.

Recording responses: Responses must be recorded and notes taken.

Record observations: Observe and record non-verbal behaviours.

Record reflections: Record researcher’s views and feelings immediately after the

interview.

Table 3-3 highlights the seven main stages for semi-structured interviews, according to

Kvale (1996):

CHAPTER 3 63

Table 3-3: The seven stages of semi-structured interviews.

Stages Description

1 Thematising In this stage, clarify the purpose of the interviews and determine what to find out.

With regard to this study, the purpose is to ascertain and establish whether:

a) The use of corporate governance principles can have a positive impact on IT project management process.

b) The use of corporate governance principles in auditing IT projects can increase the chances for the project’s success.

c) Corporate governance principles can be used to measure a project’s success.

2 Designing In this stage prepare the interview guide. For example, a list of questions, probing and follow-ups that guide the interview.

3 Interviewing This stage is the actual interview.

The main focus should be on listening and observing the respondent.

Ask permission to audio record the interview for later reference and increased accuracy.

4 Transcribing This stage involves creating a written text of the interview.

It involves writing down each question and response from the interviewee using recorded information and written notes.

Study and review the transcript and highlight important information related to the study.

5 Analysing This stage involves determining the meaning of the information gathered in relation to the purpose of the study.

6 Verifying This stage involves checking the validity, reliability and credibility of the interview findings.

7 Reporting In this stage the research study findings are communicated.

Source: Kvale (1996). Interviews: An introduction to qualitative research interviewing.

CHAPTER 3 64

Trochim (2006) highlights the following four steps in conducting semi-structured

interviews:

Developing a sampling strategy: This is a phase in which the researcher sets the criteria

for identifying and selecting participants whose attitudes and beliefs matter most to the

research.

Writing a semi-structured interview guide: In this phase an interview guide that

contains the questions that will be asked during the interview is prepared.

Conducting the interviews: In this phase potential respondents are contacted to

complete an interview.

Analysing the data: This is the phase in which the researcher tries to make sense of the

findings.

Comparing the above guidelines provided by Kyale and Trochim, it can be said that

Kyale’s stages are more detailed and also include the four steps mentioned by Trochim.

This research study will use Kyale’s seven stages for the purpose of data collection.

It is also important to mention that while scheduling the interviews, a list of the main

topics of the interview questions was given to all participants to allow them time to

familiarise themselves with the questions involved during the interviews.

The next section discusses the means of analysing the collected data.

3.6 RESEARCH DATA ANALYSIS

This section deals with the qualitative method for analysing data collected through

interviews, as highlighted in Section 3.4.

Trochim (2006) writes that unlike qualitative data, quantitative data collection is expressed

in numerical form, and that qualitative analysis of data is achieved in the following three

major steps:

Data preparation: This is a phase in which data are cleansed and organised for

analysis. It involves gathering all collected information, as specified in Table 3-5, stage

4 “Transcribing”, checking data for accuracy, capturing and transforming the data, and

creating a structure for data in order to integrate various measures.

CHAPTER 3 65

Descriptive statistics: This phase involves describing the basic features of the data in

the study. Descriptive statistics simply describe what the data are and what the data

show.

Inferential statistics: In this phase interpretation is given to the data, linking each

inferential analysis to specific research questions.

Hesse-Biber and Leavy (2011:302) highlight the following four phases for the analysis and

interpretation of qualitative data:

Data preparation: Data are transcribed and captured into a database.

Data exploration: The researcher becomes familiar with the data, by repeatedly

reading, highlighting, thinking and writing memos.

Specification or reduction of data: The researcher categorises data by coding and

looking for patterns in the data.

Interpretation: The researcher presents the findings.

Closely looking at the above-mentioned phases, similarities can be noted. The only

difference is that Trochin has combined Phase 1 and Phase 2, as indicated by Hesse-Biber

and Leavy into Phase 1.

Pequegnat, Stover and Boyce (2011), meanwhile, summarise the following as basic steps

for analysing qualitative textual data:

Reading: Data are transcribed; data content and quality are evaluated.

Coding: Data are categorised so that conclusions can be drawn more systematically.

Summarising: Data are examined, characterised and meaning extracted.

Synthesising: Data are viewed and presented as a whole.

With the above-mentioned in mind, this research study uses the three-phases approach to

analyse and interpret the data, as described by Trochim (2006).

3.7 SUMMARY

This chapter highlighted the research study design strategies, the research questions and

the research approach to be used in order to provide insight into the research questions.

The selected qualitative research approach influenced the choice of the research methods

for data collection, which entailed primarily semi-structured face-to-face interviews with

purposively sampled participants.

CHAPTER 3 66

The chapter also presented the different stages of semi-structured interviews that were

used with other instruments used for data collection, the ethical considerations to be

observed before, during and after the interviews as well as the steps for the data analysis

and interpretation processes.

This chapter presented the required steps toward the process of providing insight into the

research questions. The next chapter deals with data analysis and looks at the different

processes for collecting, analysing and interpreting data.

CHAPTER 4 67

CHAPTER 4

DATA ANALYSIS

4.1 INTRODUCTION

All research involves some form of data analysis, which can employ the quantitative,

qualitative or mixed method. This study employs a qualitative data analysis, defined by

Monette, Sullivan and DeJong (2011:376) as “the process of deriving some meaning from the

observations that are made during a research process”. The researcher strives to transform the

raw material from the data collection process, such as field notes, narratives and audio

recordings, and to extract meaning from these without any type of data quantification.

According to Hesse-Biber and Leavy (2011:301), the processes of analysing and interpreting

involve cycles of visiting, revising and interpreting the collected data as the research study

proceeds. For Mills et al. (2010) it is an active process that involves working with data in

order to organise, create small units, code, synthesise and search for patterns.

In chapter 3 the research design process was highlighted and the research questions presented

as well as the end-to-end processes, procedures and methodologies to be used in order to

collect data, analyse and provide insight into them. This chapter presents the processes

followed in the collection of the data through semi-structured face-to-face interviews. It

details the processes used for data analysis and interpretation. The term “corporate

governance principles” refers to corporate governance principles, as defined in Table 2-1 of

chapter 2. Also, whenever the term “project audit” is used, it refers to “IT project audit”. The

next section details the data collection process.

4.2 DATA COLLECTION PROCESS

This section looks at the main objectives of the interviews process and the procedures used in

conducting interviews. The interview process had as its main objectives to establish whether:

The use of corporate governance principles can have a positive impact on the IT project

management process

The use of corporate governance principles in auditing IT projects can increase the

chances of project’s success

Corporate governance principles can be used to measure a project’s success.

CHAPTER 4 68

In order to attain the main research objectives, the interview questions covered topics in the

areas of governance, project management and project audit.

The interview questions strived to address the following four main aspects:

1. Participants’ understanding of the concepts of:

Corporate governance

IT governance

Project governance

IT project critical success factors

Project audit.

2. The appropriateness of using corporate governance principles within the project

management environment of portfolio, programme and project offices, as decisions made

at one level influence the other levels.

3. The impact that the application of corporate governance principles would have on:

The overall project management process

The project’s success.

4. IT project audit:

Elements used in IT project audit

Process followed for IT project audit

Corporate governance principles that can be used in the IT project audit

Corporate governance principles usefulness to measure an IT project success

The best approach to be used by the project audit to have an impact on project

success.

Fifteen project managers in the IT project environment were interviewed and each asked

fifteen questions. In some instances follow-up questions were used for clarification of

answers. An audio recorder device was used during the interviews and handwritten notes

were taken. All ethical considerations highlighted in chapter 3 were taken into consideration

during the interviews. All participants in the interviews were employees of the same

company, working in different teams and on different projects in the IT division. All the

interviews took place at the participants’ place of work.

After the completion of the data collection process, the next step was to start the process of

CHAPTER 4 69

analysing and interpreting collected data presented in the next sections.

4.3 DATA ANALYSIS PROCESS

This section presents the procedures used in the process of analysing and interpreting the data

collected during the interview process. According to Sapsford and Jupp (2006), the common

concerns with regard to the framework for analysing qualitative data are the identification of

participants’ perspectives, the documentation of the problems with which they are faced and

the description of the strategies they have developed to address those problems. The

substance or elements of this framework are provided by the data (Sapsford & Jupp, 2006).

Regarding the strategies or approaches used for analysing qualitative data, Monette et al.

(2011:432) state that the emphasis is more on inductive than deductive reasoning in the sense

that with the former emphasis is on allowing concepts and abstract ideas arising from the data

to be analysed. The latter approach uses data to provide evidence for already existing

concepts and theories. There is no uniform or correct way to go about qualitatively analysing

and interpreting data, but rather it should be looked at as intellectual craftsmanship (Hesse-

Biber & Leavy, 2011:302).

The following sections provide details of how this research study underwent the three phases

of data analysis and interpretation, namely data preparation with its coding taking into

consideration that this will be a computer-assisted qualitative data analysis.

4.3.1 Data preparation phase

This section highlights the process used in the preparation of collected data as the first step of

the qualitative data analysis. It is rare to find that collected data are in an immediately

analysable form (Sapsford & Jupp, 2006); thus, there is a need to prepare the data before any

analysis and interpretation can take place. It is important to mention that the researcher did

not use any third party element in the steps of data preparation highlighted below.

In the case of this research study, data were collected through semi-structured interviews with

the use of an audio recording device. The data preparation phase was achieved through the

following steps:

Repeatedly listening to the audio recorded interviews

Transcribing and organising each interview text according to the questions asked/ A word

processing application was used. Only responses relevant to the interview questions were

CHAPTER 4 70

transcribed.

Repeatedly reading, comparing and double-checking each transcribed text with the audio

recording

Validating transcribed responses with each of the fifteen participants by sending a copy of

the transcript, and receiving an update and approval of the content.

Ensuring the final updated and verified document represented the views of the participant.

4.3.2 Data coding process

This section deals with data coding as a second phase of qualitative data analysis. It presents

an overview of the main leading qualitative data analysis software, defines the concept of

qualitative data coding, and highlights the different approaches and strategies to qualitative

data coding. It also presents the coding process and approach followed.

4.3.2.1 Qualitative data analysis software

This sub-section looks at the different leading qualitative data analysis packages currently

available and highlights some of their common characteristics.

The first question generally asked when choosing software for a particular task is ‘What is

best for the job?’ The complexity increases with the range of software packages available.

There are many qualitative data analysis software available on the market, such as ATLAS.ti

by Scientific Software Development Gmbh, NVivo by QSR International Pty, MAXQDA by

VERBI Software, QDA Miner by Provalis Research and HyperRESEARCH by

ResearchWare. Each of these software packages has distinctive characteristics, features and

tools. It is the researcher’s responsibility to decide on which features and tools within the

software best facilitate the chosen approach to data management and analysis (Lewins &

Silver, 2007). According to Faherty (2010:51), most qualitative data analysis computer-based

software is good at providing efficiency and data structural help to researchers, as they

manipulate large quantities of text and other types of files. However, because qualitative data

analysis is essentially a subjective process dependant on the critical thinking abilities of the

researcher, the software cannot perform the actual data analysis by itself. Similar views are

expressed by Lewins and Silver (2007:82) who state that software packages do not provide

methodologies for data analysis; rather their purpose is to provide a range of tools that, when

used, facilitate different analytic processes. Therefore, it is imperative for the researcher to

choose the software package most appropriate for the research project and to use only the

CHAPTER 4 71

required features.

Denzin and Lincoln (2011) highlight the following five advantages of using software

packages for qualitative data analysis:

Easy functionality for searching, retrieving, sorting, separating and categorisation of data

and codes

The ability to work on a project at multiple levels of analysis simultaneously

The visibility or transparency of both the data and analytic processes

Capabilities to share documents for team research purposes

Capabilities to manage a data and emerging analysis.

Highlighted in Table 4-1, is a summary of some of the common characteristics of the three

leading software packages used for analysing qualitative data, namely ATLAS.ti5,

MAXQDA2 and NVivo9, as described by Lewins and Silver (2007) and Mills et al. (2010).

Table 4-1: Summary of common characteristics of ATLAS.ti5, MAXQDA2 and NVivo9 (own table)

Description Characteristic Software Package

Data type and format Support for the analysis of text The most used data file format is the Rich Text Format (RTF)

All

Closeness to and interactivity with data

Increased access to all data files as a whole, using different tools

All

Data exploration Easy data exploration once files are incorporated into the project

All

Coding and retrieval functionalities

Easy generation of user-defined keywords or codes and easy code retrieval

All

Coding schema Complete freedom with regard to the coding structure – inductive or deductive approach can be used

All

Data organisation Different ways of managing and organising data in a project

All

Writing tools Different writing tools and ways to sort and All

CHAPTER 4 72

retrieve data

Output Generation of output reports in other standard applications

All

Internet hyperlinks Support for the activation of Internet hyperlinks

All

In the case of this research study, ATLAS.ti5 (5 being the software version) was used for the

purpose of analysing data because of the many specific characteristics and features it has over

the other software packages. Lewins and Silver (2007) highlight the following specific

characteristics of ATLAS.ti5:

It is the only package that allows for a non-textual data files format, including graphics,

audio and video, to be directly incorporated into the project.

It is able to handle a high volume of data types because of its ability to use an external

database structure.

When coding, it allows automatic selection of text to certain units of context due to its

capability to recognise text segments at the level of a word, sentence or paragraph.

It is the only package that allows embedded objects in RTF primary documents, such as

Excel tables or PowerPoint slides to be executed within its environment and without

opening the host application.

It is the only package that creates ‘quotations’ or ‘data segments’ as independent objects,

allowing the user flexibility in the way of working with quotations completely

independent of the coding process.

It uses two main files, the project file called the hermeneutic unit (HU) and separate

documents or data files.

Lewins and Silver (2007) advise that, in order to derive the most benefit from using any

software package for data analysis, it is important to familiarise oneself with the software

capabilities and tools to attain the desired objectives. In the case of ATLAS.ti5, a better

understanding of the functions, the architecture and how data files are stored are prerequisites

(Lewins & Silver, 2007).

CHAPTER 4 73

4.3.2.2 Qualitative data coding and approaches

This sub-section looks at data coding in more detail, defines it and highlights its purpose. It

looks at the different types of coding, as well as the strategies and approaches used in

qualitative data coding, and highlights the coding process used in this research study.

Anderson (2004) states that “categorising and coding data forms the first part of data analysis

process” while for Lewins and Silver (2007:83), the main aim of coding is “to facilitate the

development of a detailed understanding of the phenomena which the data are seen as

representing”.

The following are some of the many definitions given about the qualitative data coding

process:

“…a process by which segments of data are identified as relating to or being an example

of a more general idea, instance, theme or category” (Lewins & Silver, 2007:81)

“…the process of assigning categories, concepts or codes to segments of information that

are of interest to your research objectives” (ATLAS.ti, 2010:6)

“…a procedure for organising the text of the transcripts, and discovering patterns within

that organisational structure”. Once patterns are identified from the data, grounded theory

can be developed from these patterns” (Auerbach & Silverstein, 2003:31)

“Coding is the key process in the analysis of qualitative social research data – that is

classifying or categorising individual pieces of data, coupled with some kind of retrieval

system” (Babbie (2010:400).

For Lewins and Silver (2007:82), coding provides a mechanism for qualitative data

management and order. It enables quick and easy identification of similarities, differences,

patterns and relationships in the data. It also enables segments of data from across the whole

dataset to be placed together in order to be retrieved together at a later stage. One of the

advantages of using software packages for data analysis is that they provide coding and quick

retrieval capabilities (Lewins & Silver, 2007). A code is created by linking a data segment

with it; thus enabling quick retrieval of the coded data segments (Lewins & Silver, 2007).

The purpose of using coding methods is to discover patterns in the data, thereby avoiding

difficulties of having to work directly with large amounts of data contained in the transcripts

(Auerbach & Silverstein, 2003:32).

CHAPTER 4 74

The following are ways in which codes can be generated (Lewins & Silver, 2007:83):

Themes or topics extracted from within the data

Ideas or concepts derived from existing literature on the data subject matter

Work according to the language or terminology used in the data.

Lewins and Silver (2007) also state that at times codes can represent completely theoretical or

analytical concepts, while at other times they may be completely practical or descriptive.

Also, the process of generating codes can be carried out inductively or deductively.

When codes are generated using the inductive approach, the main underlying principle is “the

desire to prevent existing theoretical concepts from over-defining the analysis and obscuring

the possibility of identifying and developing new concepts and theories” (Lewins & Silver,

2007:83). The inductive approach is often associated with grounded theory, which is an

approach that develops hypotheses or theory from the ground or the data starting at the

bottom and moving upward. This is the most widely used qualitative data analysis approach

(Mills et al., 2010:752).

Bernard and Ryan (2010:444) state that “the heart of grounded theory is identifying themes in

text and coding the texts for the presence or absence of those themes”. They define the

grounded theory approach as “a set of techniques for identifying categories and concepts that

emerge from text and linking the concepts into formal theories” (Bernard & Ryan ,2010:444).

Anderson (2004:183) suggests that many qualitative researchers prefer using the inductive

approach when analysing data, because with this approach “data is collected without any

prior assumptions about categories and theories”. Monette et al. strongly agree with

Anderson’s views, stating that “qualitative researchers stress the value of letting concepts and

abstract ideas emerge from the data rather than using the data to provide evidence for pre-

existing concepts and theories” (Monette et al., 2011:432). This statement explains why

qualitative research promotes inductive over deductive reasoning (Monette et al., 2011:432).

The deductive approach, on the other hand, makes use of pre-existing concepts or theories in

the literature, that is, existing theoretical ideas dictate the coding process (Anderson, 2004;

Lewins & Silver, 2007:83). Anderson (2004) also agrees that both these approaches are

useful and can be used for the analysis of qualitative data. An example of using a deductive

approach would be where a concept highlighted in the literature review can direct

categorisation and coding. Lewins and Silver (2007) agree with this view, stating that “the

CHAPTER 4 75

two methods should not be viewed as dichotomously opposed or mutually exclusive”

(Lewins & Silver, 2007:88).

There is also an emergence of a combined coding approach amongst researchers, especially

those using software packages, by combining grounded theory approach with deductive

processes.

The following are some of the coding procedures associated with inductive and deductive

coding processes (Lewins & Silver, 2007:84-86):

1. Open, axial and selective coding processes linked to the inductive coding approach:

Open coding: Data are fragmented into small segments and thereafter compared.

Axial coding: Data segments fragmented in the first phase are reconsidered for

further processing.

Selective coding: Concepts, theories and conclusions are clarified, discussed or

drawn.

2. Descriptive, interpretive and pattern coding processes linked to the deductive coding

approach:

Descriptive Coding: This is the phase used at the start of coding process, in which

coding is based on predefined areas of interest.

Interpretive Coding: More details are added to the data coded in the first phase.

Pattern Coding: Coded data are reconsidered for similarities, differences or

contradictions.

With all the details provided in this section with coding in mind, the coding process and

approach used by this research study were as follows:

An inductive coding approach was used because this research study has developed

theory from the data, and it is also the most widely used qualitative data analysis

approach.

Most of the code labels were derived or extracted from the descriptions of questions

asked to participants; thus, identified from the data.

It is important to note that this research study uses a deductive approach as well, albeit not as

part of the coding process but as a research approach for analysing research key findings by

CHAPTER 4 76

comparing participants’ views on different interview questions with existing theories, as

highlighted in the literature review in chapter 2.

The ATLAS.ti5 software that was used in the coding process provides the required flexibility

to create codes grounded in the data. It is easy for retrieving and grouping those related

themes and categories that can be displayed together in network diagrams into code families.

The first step used in the coding process after familiarising and understanding how

ATLATS.ti5 works, was to import all transcribed data files into the ATLAS.ti5 project space

called the hermeneutic unit. Each data file imported into the HU is called a primary document

(PD) and is allocated a code in order of import. Thus, the first document imported was

identified as P1:file1, followed by P2:file2 up to P15:file15.

To facilitate understanding and ease of retrieval, the code-naming convention adopted was to

allocate meaningful labels extracted from the interview questions, starting each code label

with a corresponding question number. Thus, all code themes related to Question 1 would

have a code starting with “1 – Code Name1”, for question two, “2 – Code Name2” up to “15

– Code Name15). All related themes for the questions are linked to the same code label. Also,

all related codes for the same question are grouped together into a code family (CF). From a

CF, a network diagram is drawn, showing the different related categories for one particular

question; for example, participants’ different views and the number of respondents who hold

similar ones.

As with codes, a similar naming convention is used for code families. In this case, for

Question 1 it is “01 – Code family name”. The code family name also corresponds with each

interview question. The next section deals with the data interpretation process.

4.4 DATA INTERPRETATION PROCESS

This section presents the data interpretation process using participants’ responses and views

on each of the 15 interview questions. The sub-sections (below) highlight each interview

question and the Atlas.ti5 network diagram for each code family. These show the trends and

differing views in the participants’ responses as well as the number of those who share views

shown in parenthesis. The code family diagrams for each of the 15 interview questions are

numbered from 01 to 15, followed by the question’s code. For example, “01 – Understanding

of corporate governance” refers to the first question dealing with the code family

‘Understanding of the concept of corporate governance’.

CHAPTER 4 77

The next sub-sections analyse the details of each of the 15 interview questions and responses

to them. In this section the terms ‘participants’ and ‘respondents’ are used interchangeably.

4.4.1 Understanding the concept of corporate governance

The first question asked all 15 respondents was designed to elicit their views and

understanding of the concept of “corporate governance” in order to assess how each

respondent defined “corporate governance”.

This question is important in that it is closely linked to this research topic. A good

understanding of the concept of “corporate governance” by project managers would have an

impact on their understanding of how they viewed its impact on project audits.

Figure 4-1 presents the code family “01 – Understanding of corporate governance”. It

highlights respondents’ views, logically grouped into four categories according to the pattern

of the answers provided to the question regarding their understanding of the concept of

“corporate governance”.

Figure 4-1: Understanding of corporate governance

CHAPTER 4 78

As highlighted in Figure 4-1, 12 respondents (80%) believed that corporate governance has to

do with a framework, a set of rules, regulations, policies, procedures, measures, guiding

principles and ethical behaviour that govern an organisation.

The following are quotations showing some of the views of the group:

“Corporate governance is a set of rules, regulations, guidelines and practices we adopt for

running our business. In other words, it is a framework that governs how we should run

our business.”

“Corporate governance is about the protection of stakeholders’ investments in a company.

It deals with rules, procedures, policies and fundamental principles that guide all

stakeholders on how the company must be run. It is about how the company is managed

and directed.”

“Corporate governance is a set of rules, principles, guidelines and boundaries put into

place, within which people in the organisation have to function or operate. It is also the

measurements used against compliance to those established rules, principles and

guidelines.”

“Corporate governance is a set of rules, guidelines and procedures established to monitor

and control how, what and when to do things.”

“Corporate governance is a set of processes, measurements and procedures put into place

by the corporate in order to enable and ensure governance in terms of compliance and

ethics.”

Three respondents (20%) had views that represent the other categories in the Figure 4-1.

4.4.1.1 Data interpretation

Based on the definitions of “corporate governance” highlighted in chapter 2, and as defined

by leading organisations and experts in the field of corporate governance, the first

observation emerging from this first question is that all respondents have a fairly good

understanding of what corporate governance is and what it strives to achieve in an

organisation.

The second observation is that all respondents have been aware of the need for and the

importance of governance as a mechanism for monitoring, control and compliance

enforcement established to allow the organisation to work toward attaining its strategic

objectives.

CHAPTER 4 79

The third observation is that for some respondents, despite their defining corporate

governance as a set of rules, policies and guiding principles, it is looked at in the sense of

ethical behaviour that governs the organisation, For example, how employees and the

organisation as a whole conduct business.

4.4.2 Understanding the concept of IT governance

The second question asked all 15 respondents was designed to elicit their views and

understanding of the concept of “IT governance” and how each participant defined “IT

governance”.

This question is important in that it allows us to see how respondents connected or linked the

concept of “governance” to the IT level.

Figure 4-2 below presents the code family “02 – Understanding of IT governance”. It

highlights respondents’ views, logically grouped into three categories according to the pattern

of the answers provided to the question of their understanding of the concept of “IT

governance”.

Figure 4-2: Understanding of IT governance

CHAPTER 4 80

As highlighted in Figure 4-2, 13 respondents (86.7%) believed that IT governance was

concerned with a set of rules, regulations, standards, measurements, procedures, processes,

guiding principles and methodologies that govern IT.


“IT governance is a set of rules, regulations, policies, guidelines and procedures that

govern the IT cluster in an organisation. It includes things such as software development,

testing, deployment, system support and procurements.”

“IT governance is a framework or a set of rules that govern how we run our IT business -

it deals with things such as access security and control to systems, change management,

deployment and compliance.”

“IT governance relates to the ground rules, principles, guidelines and boundaries to which

technology is applied to make the organisation attain its strategic goals.”

“IT governance is a breakdown of high-level corporate governance rules, measurements,

processes and procedures to an IT department level.”

“IT governance is about setting up guidelines and standards for governing IT processes.”

One respondent looked at IT governance in relation to cost and risk management, and the

other in relation to the return on IT investments for the benefit of all stakeholders.

The views of the two respondents (13.3%) represent the other categories in Figure 4-2.


Based on the definition of “IT governance” highlighted in the literature review in chapter 2,

the first aspect to note is that there has been a good understanding by respondents of what IT

governance was. This could be in 86.7% of respondents who strongly believed that it had to

do with rules and guiding principles for governing IT.

The second aspect observed was that most of the respondents looked at IT governance in

isolation; as something not linked to the larger organisational strategic goals. This view could

be substantiated by observing that respondents remained focused on the IT governance in

relation to the IT environment, and many did not mention the relationship between corporate

governance and IT governance. Also, many did not mention the connection that IT

governance had with the overall organisation’s governance and the support it provided in the

attainment of the organisation’s overall strategic goals and objectives.

CHAPTER 4 81

4.4.3 Understanding the concept of project governance

The third question asked all 15 respondents was designed to elicit their views and

understanding of the concept of “project governance”, namely how each respondent defined

“project governance”. This question is important in that it allows us to see how respondents

connected or linked governance at the organisational level to the governance of IT and

projects.

Figure 4-3 below presents the code family “03 – Understanding of project governance”. It

highlights respondents’ views, logically grouped into three categories according to the pattern

of the answers provided, to the question of their understanding of the concept of “project

governance”.

Figure 4-3: Understanding of project governance

As highlighted in Figure 4-3, 13 respondents (86.7%) believed that project governance had to

do with a set of rules, standards, requirements, measurements, guiding principles, processes

and procedures that define how projects should be managed and how decisions concerning

projects were made.

CHAPTER 4 82


“Project governance is a set of rules, processes and procedures - a framework or a model

that governs the management of projects. It is not a sub-set of IT governance because

projects span beyond IT.”

“Project governance is a set of rules and principles for managing projects. However, by

their nature projects are different and how they are governed depends on the field within

which they are managed - for example construction or IT.”

“Project governance is a set of governing principles, processes and procedures to be

complied with when running projects.”

One respondent looked at project governance in relation to the high-level corporate

governance principles and requirements applicable to projects:

“Project governance is a breakdown of high level corporate governance rules,

measurement, processes and procedures applicable to a project. At the project level your

project methodology becomes your project governance. The methodology dictates your

policies, guidelines, measurements, processes and procedures.”

The other respondent looked at project governance as a management framework that provides

guidelines on how decisions concerning projects should be made:

“Project governance is a management framework that tells how decisions are made on

projects, and if they are made in a correct way. It talks about responsibility and

accountability of resources from all project stakeholders.”


Based on the definitions of “project governance” highlighted in the literature review in

chapter 2, the first aspect to note is that all respondents showed an overall understanding of

the concept of “project governance” as being a set of rules and guiding principles for

efficiently managing projects.

The second aspect is that most respondents viewed project governance only in relation to

guiding principles for running projects.

The third aspect is the question of whether project governance is a sub-set of IT governance.

For one respondent, project governance is not a sub-set of IT governance because projects

span beyond IT; in other words, projects can be managed without the use of IT.

CHAPTER 4 83

4.4.4 IT project critical success factors

The fourth question dealt with respondents’ views and understanding of what they consider to

be the critical success factors for an IT project.

This question is important in that it allows us to identify from respondents’ points of view

what IT project elements they consider to be important factors that most contribute to the

delivery of successful IT projects.

Figure 4-4 below presents the code family “04 – IT Project Critical Success Factors”. This

code family highlights respondents’ views, logically grouped into seven categories according

to the pattern of the answers provided to the question of what they considered to be the main

IT projects critical success factors.

The content of the code family for this question is presented slightly differently from the

previous three definition questions. Answers to this question, as provided by respondents,

could be placed in many categories, as they could mention more than one critical success

factor.

The difference with previous questions is that for this question, categories are made up of

critical success factors mentioned by respondents. One respondent could mention many

critical success factors from other categories – it is a one-to-many relationship with one

respondent’s views on many categories of critical success factors. In this case, numbers in

Figure 4-4 represent the number of times a critical success factor has been mentioned by

respondents.

CHAPTER 4 84

Figure 4-4: IT project critical success factors

As highlighted in Figure 4-4, ten (10) respondents mentioned that critical success factors for

a project had to be identified and clearly defined at the start of the project. These had to be

determined from business case and customer requirements, expectations and satisfaction. All

these must be set at the start of a project.

Nine (9) of the respondents mentioned a clearly defined scope of the work, a proper quality

project plan and time, the cost or budget and the quality as the main IT project critical success

factors.

Eight (8) of the respondents mentioned having the right resources as key critical success

factor, starting with the project manager, project team, project sponsors and project structure.

Five (5) of the respondents mentioned adherence to the project management methodology;

for example, principles, guidelines, standards, processes, procedures, measurements and

templates as being important to the success of a project.

CHAPTER 4 85

Three (3) of the respondents believed that top management leadership and support on the

project would have a positive impact on the project’s success.

Only one (1) respondent believed that user involvement could have an impact on the project’s

success. One (1) other respondent included testing and training as critical success factors with

regard to the management of release projects.

The following are some of the quotations presenting the views of respondents in the seven

different categories:

“Proper quality project planning - all decisions and assumptions for project success are

made at the planning level.”

“A project’s critical success factors should be determined and defined right at the

beginning or start of the project.”

“Methodology - guidelines, procedures, templates, processes to assist the project

manager.

o Right resources - people, sponsors, stakeholders and tools for measuring project

output

o Proper structure for running a project - roles and responsibilities definition,

sponsors…”

“Executive sponsorship – executive support and buy in.

o Right human resources that know and understand what needs to be done

o Customer expectations – aligned to the project scope

o The budget – realistic finances

o Fit for the purpose

o Project size – must be manageable and measurable.”

“User involvement.

o Executive involvement

o Methodology used

o Good project manager.”

CHAPTER 4 86

“I often manage release projects which are different from standard projects.

o Managing deliverable dependencies from other teams in the project

o Time constraints

o Meeting business requirement expectations

o Testing and training.”

“Right resources working on the project.

o Adherence to project management standards and guidelines

o Understanding of stakeholders’ mandate - their responsibility and accountability in the project

o Clearly defined and agreed upon scope of work.”

Graph 4-1 shows a view of the respondents’ views on the IT project critical success factors.

Graph 4-1: Summary of respondents’ views on IT project critical success factors


The first aspect to mention is that, even though all respondents were working in the same

company, they seemed to have very differing views as to the critical factors that contributed

to the success of their projects. This difference of views suggests that, despite the company

10

9

8

5

3

1 1

Clearlydefined

requirements

Clearlydefined scope

of work

Rightresources

Adherence toproject

methodology

Leadership &Exec support

Userinvolvement

Testing &Training

IT Project - Critical Success Factors Respondents

CHAPTER 4 87

having a standard and set of guidelines for managing projects, their application seemed

different.

The second observation is that, when comparing the views of respondents with the recent

literature on the topic of critical success factors for projects, there are some similarities. Three

of the seven success factors mentioned by respondents have been cited amongst the five

critical success factors for all projects by Heldman (2011), namely clearly defined

requirements, a clearly defined scope of work and adherence to project management best

practices. Also, three of the seven success factors were cited in the Standish Group’s 2010

summarised Chaos Report (Wysocki, 2011). These are user involvement, executive support

and clearly defined requirements.

4.4.5 Corporate governance principles applicable to portfolio, programme and

project offices

The fifth question dealt with respondents’ views and understanding of whether corporate

governance principles could be applied to a portfolio, programme and project office. This

question is important, as it allows us to determine if the implementation of governance

principles at a higher level in the organisation filter down to lower levels; in this case, from

portfolio to programme and project offices. It also addresses the question of where in the

project management structure of portfolio, programme and project offices should corporate

governance principles be applied appropriately.

Figure 4-5 below presents the code family “05 – Corporate governance principles applicable

to portfolio, programme and project offices”. This code family highlights respondents’ views,

logically grouped into three categories according to the pattern of the answers provided to the

question of whether corporate governance principles can be applied to portfolio, programme

and project offices.

CHAPTER 4 88

Figure 4-5: Corporate governance principles applicable to portfolio, programme and project

offices

As highlighted in Figure 4-5, seven (7) respondents (46.7%) believed that corporate

governance principles could be applied in the same way to all three levels of portfolio,

programme and project offices, starting from the top at the portfolio office level filtering

down to the project office.

The same number of respondents (46.7%) also believed that all the corporate governance

principles could be applied to all three levels, albeit to different degrees.

One (1) participant believed that some of the eight corporate governance principles

highlighted in chapter 2 would apply to all three levels, and others either to one or the other

level.

The following are some of the quotations presenting the views of respondents:

“All of these corporate governance principles are applicable to all levels at different

degrees of roles and responsibilities.”

CHAPTER 4 89

“All these corporate governance principles should be applied at the highest level first and

then filtered down to lower levels. The degree of importance will be different depending

on the level.”

“All of these corporate governance principles should be applied at the highest level first

and then filtered down to lower levels. If not well defined and applied at the top level

first, then the organisation’s strategic goals cannot be attained.”

“Some of these principles will apply to all levels and others to one or the other level:

o Accountability and responsibility will apply to programme level

o Fairness will apply to portfolio level

o Leadership, corporate discipline and communication will apply to all three levels

o Transparency is not relevant

o Independence is also not relevant. However it can apply within agreed time and cost constraints.”

“They apply to all three levels. Accountability and responsibility are very important.

However, independence can be applied to a lesser extent.”


The first aspect to mention is that for many respondents, the portfolio office seemed to be

missing from the organisation’s structure; they could not picture its role. However, the

programme and project offices existed for them.

The second aspect is that most respondents did understand the difference between the three

layers of portfolio, programme and project offices. The project office seemed to have the

most impact on project managers and their day-to-day activities.

For most respondents, for corporate governance principles to have a major influence at the

project office level, it had to be properly applied at the highest level first and allowed to filter

down to the lower levels. The literature refers to this aspect in one of the COSO framework

components, ‘the control environment’ as the “tone at the top” (COSO, 2004).

4.4.6 The impact of using corporate governance principles in project management

The sixth question dealt with respondents’ views and understanding of whether or not the use

of corporate governance principles would have any impact on the project management

process. This question is important, as it allows us to evaluate the impact, if any, of

CHAPTER 4 90

implementing corporate governance principles in the project management space. This

question is also closely linked to this research topic, namely the holistic approach to the

auditing of IT projects using corporate governance principles.

Figure 4-6 (below) presents the code family “06 – The impact of using corporate governance

principles in project management”. This code family incorporates respondents’ views,

logically grouped into three categories according to the pattern of the answers Yes or No

provided to the question of knowing whether the application of corporate governance

principles to the project management process would have any impact.

Figure 4-6: Impact of using corporate governance principles in project management

As highlighted in Figure 4-6, ten (10) respondents (66.6%) said, “Yes, the application of

corporate governance principles would definitely improve the project management process.”

Four (4) respondents (26.7%) also believed that the application of corporate governance

principles would improve the project management process, depending on measurements used

in the process and a common understanding of the definition of the principles by all the

CHAPTER 4 91

resources involved in the project. For example, independence can mean completely different

things to different people.

One (1) respondent completely disagreed with all the others, stating that the impact depended

on whether the project governance principles and guidelines were adhered to in managing the

project.


“Yes, they would have an impact on the overall project management process depending

on the variables used to measure their application.”

“Yes. All these principles are about defining roles and people being accountable and

responsible, ensuring fairness within the project. A project is as successful as the people

working on it and corporate governance principles apply to people.”

“No. If the project manager follows the methodology, processes and procedures he/she

will be able to manage the project successfully. It is all about the application of the

methodology, processes and policies.”

“Yes, if used in project execution, these principles will have a huge impact on the running

of the project. However, a common understanding of the definition of each of the

principles is important. For example, fairness and transparency can mean different things

to different people.”

“Yes, it will have a positive impact on how the project is managed. However, this will

depend on everyone having a common understanding and interpretation of what these

principles mean. For example, everyone needs to have a common understanding of the

definition of each of these principles.”


The first aspect to mention is that almost all respondents recognised the importance of

corporate governance and the value the application of its principles would bring to the project

space. This was shown by fourteen respondents saying, “Yes, it would have an impact to the

project management process.”

With regard to the one respondent who disagreed with the views of the others, the reason

given was that it was not the application of corporate governance principles that would

CHAPTER 4 92

improve the project management process, but rather the application of project management

methodology, processes and policies that would determine the project’s success.

With regard to the level of importance of corporate governance principles that could have the

most and least impact on the project management process, three respondents mentioned

accountability and responsibility as the most important principles, followed by

communication, mentioned by two respondents, and leadership by one.

Fairness as well as independence was considered the least important of the principles by one

participant. No other respondent mentioned anything about the level of importance of

corporate governance principles. Following is one of the quotations highlighting this view:

“Communication is the most important for me.

Independence could be a problem. If not understood well it could affect the project

negatively but if used in a context of empowerment backed by accountability and

responsibility, then it would have a positive impact.

Yes, they will have a positive impact on the overall running of the project if applied to

the day-to-day running of the project”.

4.4.7 The impact of corporate governance principles on project success

The seventh question dealt with respondents’ views and understanding of whether or not the

use of corporate governance principles would have any impact on the successful delivery of

IT projects.

This question was important and linked to the previous question by looking at the impact on

the project management process. It allowed us to evaluate the impact, if any, of corporate

governance principles on the project success.

Figure 4-7 below presents the code family “07 – The impact of corporate governance

principles on project success”. This code family highlights respondents’ views, logically

grouped into two categories according to the pattern of the answers provided to the question

of knowing if the application of corporate governance principles would have any impact on

the project’s success.

CHAPTER 4 93

Figure 4-7: Impact of corporate governance principles on project success

As highlighted in Figure 4-7, 14 respondents (93.3%) agreed that the application of corporate

governance principles would definitely have a positive influence and contribute to the

successful delivery of IT projects. This view would be strongly strengthened if these

principles were properly applied with proper measurements in place and everyone had a

common understanding of the definition of these principles.

Only one (1) participant disagreed with the above views, stating that the application of

corporate governance principles would not determine and did not guarantee the successful

delivery of a project. However, the participant agreed that these corporate governance

principles were important and would add value to the way in which the project was managed.

He said, “No, I do not believe their application can guarantee and determine the success of

the project. However, they are all important and do add value in the running of the project.”

Four (4) respondents named accountability and responsibility as the most important corporate

governance principles likely to make the greatest impact on the delivery of a successful

project. Communication was also mentioned once as an important principle.

Also mentioned once as the least important principles were leadership and fairness.

CHAPTER 4 94


“Yes. They will definitely have an impact on the successful delivery of projects.”

“Communication is a key factor. Accountability and responsibility are also very

important. Yes, these principles will have a big impact on the success of the project.”

“Yes, if properly applied. If there is a framework for governing projects and everyone

knows what their responsibility is and what they are accountable for, then there is a

chance of successfully delivering a project on time, within the budget and to the required

quality.”

“Yes, everyone needs to have a common understanding of the definition of each of these

principles in their application, then it will contribute to the success of the project. For

example, accountability and responsibility can mean different things to different people.”

“Yes, they would if appropriate measurements used.”


The first aspect is that all respondents recognised the importance of corporate governance

principles. Secondly, all agreed about the added value and the impact their application could

have on the successful delivery of IT projects.

One (1) participant said that just applying corporate governance principles did not guarantee

the project’s success, but if combined with other project management processes it would

definitely increase the chances of successfully delivering projects.

Another important aspect mentioned by respondents was the common understanding and

interpretation or definition of what each of these corporate governance principles meant. If

there was the slightest misunderstanding of what, for example, accountability, responsibility

or independence meant, then it might be difficult to achieve the expected results. A certain

level of education on the meaning of what each of these corporate governance principles in

the project space mean is thus necessary.

4.4.8 Project monitoring mechanisms in place to attain project objectives

The eighth question dealt with respondents’ views and understanding of the monitoring

mechanisms currently put in place to insure that project objectives are attained.

This question is important in that it allows us to have an understanding of the project

CHAPTER 4 95

monitoring processes currently in place to ensure that projects remain on track and attain their

objectives.

Figure 4-8 below presents the code family “08 – Monitoring mechanisms in place to attain

project objectives.” This code family highlights respondents’ views, logically grouped into

three categories according to the pattern of the answers provided to the question of what

monitoring mechanisms are in place to ensure the project attains its objectives.

Responses for this question were also distributed across different categories, representing the

number of times an item was mentioned by respondents.

Figure 4-8: Monitoring mechanisms to attain project objectives

As highlighted in Figure 4-8, twelve (12) respondents (80%) mentioned that the project’s

progress was measured at different project milestones. The items were used to monitor the

project, including checking and tracking the project progress against the agreed deliverables,

business case, requirements, project plan, project execution plan, project schedule, scope of

work, time and budget.

CHAPTER 4 96

Nine (9) respondents (60%) mentioned that project progress was checked at different project

forum meetings, weekly reports and review sessions.

Seven (7) respondents (47%) mentioned the use of project software tools to check and track

the project’s progress as well as the balanced scorecard and the internal project quality

assurance audit team.

The project software monitoring tools mentioned most were Microsoft Project and the Project

Office Toolkit (POT).


“The Project Office Toolkit is used to measure the day-to-day project performance by

extracting data from various sources and independently evaluating things like cost, time,

risk management and the quality of the solutions being implemented. Project progress

meetings as well as weekly reports are used to track project deviations.”

“The project plan should be monitored and checked constantly to ensure that the project

deliver what it is expected to. If not, mitigate the risks and implement corrective measures

to address the issues.”

“There are different forums to approve the project movement from one phase to the other.

The project charter and project execution plan are documents used to track the project

artifacts and progress. Also, the project schedule and different tools are used to track the

project’s time, budget, progress and deviations in a life cycle.”

“The Project Product Quality Assurance (PPQA) audit team does project audits. The

Project Execution Plan (PEP) document defines roles and responsibilities. It is agreed

upon who should do what, by when and get signed off from all concerned stakeholders.

The PEP is also used to track and monitor the project’s execution and progress.”

“The project scope of work is also an essential element. The project schedule is the main

physical measurement tool for control.”

Observing respondents’ responses to this question it seemed all had divergent views, which

suggests that there was no common established process or monitoring mechanism for

checking and tracking the project progress. However, whichever process was mentioned by

respondents, they seemed to ensure that the project’s objectives were monitored.

CHAPTER 4 97


The main observation is that there is no one standard being used for all projects to monitor

their progress from one phase to the other. Even when there is a tool such as POT, which is

advocated and used by the project office as the standard for monitoring a project’s progress,

not every project manager complies with it.

4.4.9 Understanding the concept of project audit

The ninth question dealt with respondents’ views and understanding of the concept of

“project audit”; for example, how each participant defined “project audit”.

This question is closely connected to the topic of this research study. Respondents’

understanding of the project audit and its main objectives to the project effort are important if

we are to include corporate governance principles as part of the project audit processes.

Figure 4-9 below presents the code family “09 – Understanding of project audit”. This code

family highlights respondents’ views, logically grouped into four categories according to the

pattern of the answers provided to the question of their understanding of the concept of

“project audit”.

CHAPTER 4 98

Figure 4-9: Understanding of project audit

As highlighted in Figure 4-9, eleven (11) respondents (73.3%) defined the project audit as an

independent review process or an evaluation process, a tool or mechanism for checking

compliance to project governance rules, guidelines, processes and procedures.

Two (2) respondents defined the project audit by highlighting two different types of project

audits, namely at project office level and at group risk or internal audit level.

One (1) participant agreed with the above two groups’ views, stating that project audit was an

end-to-end review process. He agreed that there were two different types of audit, namely

audit that checks project deliverables and investigative audit that checks project deviation

reasons.

The last participant defined “project audit” by stating what it should and should not be. It

should be a proactive process that enables the project success, and not a reactive tool used for

apportioning blame when things go wrong.

The following are some of the quotations presenting the above-mentioned views of

respondents:

CHAPTER 4 99

“The project audit is a process that provides an opportunity to uncover issues, concerns

and challenges encountered in the project. It reports on what has gone wrong and needs to

be rectified. It is a tool that ensures that projects are run correctly.”

“The project audit is a process for reviewing the project against the original business and

project objectives. And it ascertains whether the project is meeting the required

deliverables and reports on deviations.”

“The project audit is an independent audit of a project to ensure that corporate governance

principles are followed and applied.

There are two types of audits:

o Checks for evidence of compliance to project management processes and project execution plan, as well as checks on the existence of artifacts and approvals

o An investigative audit checks for reasons for project’s deviations; for example, cost escalation or time overrun.”

“There are two types of project audits:

o From the project office level, the audit is used to check compliance with the

methodology, rules, guidelines and procedures for managing projects.

o From an internal audit level, the audit is used to check the content and quality of

the artifacts as well as how the budget is being managed.”

“The project audit should be a proactive mechanism or process to help or enable project

success. Shouldn’t be a reactive mechanism waiting for project to fail in order blame the

project manager.”


The main observation is that all respondents had a fairly good understanding of the concept

of “project audit”, as highlighted in the literature in chapter 2. Some highlighted the two

different types, namely compliance audits used to check for evidence of compliance and

investigative audits used to check for reasons of project deviations.

Amongst the many definitions of “project audit” highlighted in chapter 2, the definition by

the Project Management Institute (PMI) highlights best the views of many respondents.

Some respondents looked at the project audit as a tool used by management to control and

monitor risks to the organisation with regard to projects.

CHAPTER 4 100

Another aspect to mention is that for some respondents there were times when the project

audit was used as a tool for ‘shaming and blaming’ when things went wrong in a project.

4.4.10 Process followed during project audits

The tenth question dealt with respondents’ views on what processes were followed or used

during project audits.

Respondents’ views on how project audits were conducted were important in that it will help

us understand and find the best way to include corporate governance principles in that

process.

Figure 4-10 presents the code family “10 – Process followed in project audits”. This code

family highlights respondents’ views, logically grouped into four categories according to the

pattern of the answers provided to the question of the process currently being followed during

project audits.

Responses for this question were distributed across different categories, representing the


CHAPTER 4 101

Figure 4-10: Process followed in project audit

As highlighted in Figure 4-10, all 15 respondents (100%) agreed on the process that the

project audit team should follow. They mentioned that project audits should be performed at

project milestones, meaning at the end of a project phase or the beginning of a new project

phase.

All believed that the project audit team should check for evidence of documents and artifacts,

and for what was planned against what was delivered. The team should also check for

compliance with the application of processes and methodologies as well as approvals through

sign-offs.

Two (2) respondents said that in their environment the project audit team conducted

interviews with project managers selected for the project audit, discussed artifacts provided

and followed up on audit findings. However, this was not always done.

CHAPTER 4 102

Two (2) other respondents said that the project audit team was not really interested in the

quality of the artifacts content. Project audits were carried out in the form of a ‘tick in the

box’ exercise using a checklist.

One (1) participant mentioned that in his environment the project audit was not done.


“The Project and Product Quality Assurance (PPQA) audit team checks for evidence of

documents and artifacts – high-level design, business requirements specs, scope of work,

project budget etc. Their objective is to ensure that the project governing principles are

being applied.”

“The PPQA process uses a checklist for documents and artifacts - it is a kind of a tick in

the box exercise.

o The internal audit process uses interviews with project stakeholders involved in the

project. They follow the project through different iterations and provide feedback

and recommendations.

o It is done per project phase.”

“The project office audit team uses a checklist with standard questions, looking for the

evidence of artifacts or documents.

o They are not interested in the content of the documents.

o The internal audit team will request required documents and schedule the meeting

to discuss the content. However, this is not done often.”

“The project audit team identifies projects to be audited in a cycle and informs project

managers.

o The objective process checks for documentation, approvals, and artifacts.

o The subjective process involves interviews with project managers.

o They release audit findings and follow up.”

“The project audit team checks for evidence of artifacts the project must produce at the

current project phase.

o Extracts data and documents from different tracking tools and schedules and use

them as supporting document for the audit.”

CHAPTER 4 103

“Not performed in my environment.

o They were planned against what was delivered - what went wrong, why and how

to fix it?”


The main observation for this question is once again the lack of uniformity and consistency in

the application of the audit processes to all projects.

At project office level, the organisation has well-defined project standards, audit processes

and tools in place. However, on the ground at project management level, there is a gap

between the policies concerning the project audit and the application thereof.

For one project manager interviewed, the project audit was never done in his environment,

while for others if it was done it was often in the form of a tick in the box exercise.

Quotations highlighted in section 4.4.10 above show the views discussed in this section.

4.4.11 Project audit triggers

The eleventh question dealt with respondents’ views on what events currently triggered IT

project audits.

This question is important, as it allows us to understand the processes currently being used

and events that trigger project audits.

Figure 4-11 below presents the code family “11 – Project audit triggers”. This code family

highlights the respondents’ views, logically grouped into three categories according to the

pattern of the answers provided to the question of what events trigger IT project audits.

Responses for this question were also distributed across different categories, representing the

number of times an item was mentioned by respondents. A respondent could mention more

than one view on the question.

CHAPTER 4 104

Figure 4-11: Project audit triggers

As highlighted in Figure 4-11, fourteen (14) respondents (93.3%) believed that the project

audit governance had to define the criteria that would trigger the IT project audit; that is, to

define what and when to conduct a project audit.

The following are the five reasons that could most often trigger a project audit:

Project milestones

Project deviation from objectives

Project size

High priority projects

High cost projects.

One (1) respondent who was in agreement with the majority of respondents, mentioned that

not all of his projects had been audited. Another mentioned that in his environment, a project

audit was considered a quality control process triggered at the time of system hand-over or

integrated testing.

CHAPTER 4 105

The following are some of the quotations presenting the views of respondents for this

question:

“Project governance or methodology should have guidelines on when to do project audits.

o Audits should be done at the end of each project phase

o An audit should also be done at the end of the project

o An audit is also required at any time if the project has deviated from its objectives,

time, cost and quality, and to investigate why.”

“Every project will be audited at some point in time. However, the audit is often based

on:

o The size of the project

o Project life cycle

o Project duration/schedule

o Audit on request

o Project deviations.”

“Project audits can be done before, during or after completion of the project, depending

on pre-defined criteria. For example, projects that fall in the categories below must be

audited:

o Highest spending projects

o Biggest impact projects

o High priority projects”.

“Projects to be audited are randomly selected and checks are applied to identify

compliance and non-compliance with project processes – scope and budget”.

“End of project phase - proactive audit. To check for agreed artifacts in the phase.

o If something has gone wrong in the project, investigate - reactive audit

o Project governance determines the criteria that trigger the project audit.”

“Project manager can request an audit to ensure that the project is still on track.

o Close of project phase audit

o End of project audit.”

CHAPTER 4 106


The first observation is that most respondents highlighted what they believed should be the

project audit triggers and there were quite a few. For most it was the responsibility of the

project office to define the criteria that would trigger a project audit. From the responses it

can be concluded that currently random selection of projects to be audited and end-of-project-

phase audits seemed to be the most widely used triggers.

Another aspect is that, even though there were standards defined for auditing IT projects in

the organisation, there was no consistency in their application. From the respondents’

responses it seemed that a project audit was performed differently for different projects.

Quotations highlighted in section 4.4.11 above show respondents’ views.

4.4.12 Elements used during a project audit

The twelfth question dealt with respondents’ views on the type of elements that were used or

evaluated during an IT project audit.

As with previous questions on the IT project audit, this question is also important, as it allows

us to understand what elements are currently used during project audits. It answers the

question of at what areas of the project the audit looks.

Figure 4-12 below presents the code family “12 – Elements used during a project audit”. This

code family highlights respondents’ views, logically grouped into three categories according

to the pattern of the answers provided to the question of what elements are evaluated during a

project audit.

CHAPTER 4 107

Figure 4-12: Elements used during a project audit

As highlighted in Figure 4-12, fourteen (14) respondents (93.3%) mentioned that any element

related to the project activity could be included in the project audit.

The audit team had to request evidence of any artifact mentioned in the project plan at a

specific project milestone. They must request evidence of what was planned against what was

delivered in accordance with the project execution plan.

One (1) respondent stated that no project audit was performed in his project area. However,

before the new developed system was delivered to the users, testing of agreed project

deliverables was done to confirm whether the system was working according to the agreed

specifications.


“The project audit looks at all aspects of the project from beginning to the end – from the

concept evaluation through the implementation and close-out phase. It checks on:

o Evidence of what was planned versus what had been delivered as per the project

plan

o Evidence of documentation - scope of work, business case, project schedule

CHAPTER 4 108

o Budget utilisation - is the project over or under budget?

o Resource management - communication, reports, dashboards

o Compliance with changed control processes

o Risk management – were project risks identified, mitigated and addressed?”

“Audit elements will be different depending on the scope of the audit and whether it is

done by internal or external auditors.

o The project audit can involve anything related to the project. However, depending

on the project size, all or only some of the project’s elements can be audited. It

can include the documentation, testing, training plan, stakeholders’ involvement

or technical code audit.”

“Auditors use the project checklist to check some of the following:

o Evidence of proper project execution plan for moving from one project phase to

another

o Necessary documentation for each project phase

o Scope, budget and deliverables.”

“The project plan highlights all the necessary documents and the reason for any waiver.

o Time, quality and cost

o Checks for micro meetings minutes

o Communication with all stakeholders - the steering committee.”

“All elements within the Project Office Tool (POT) system are checked in the audit

process:

o Project weekly and monthly status

o Impact and dependencies on other projects

o Budget and project plan deviations

o Different approvals

o Risk management.”

CHAPTER 4 109


The first observation for this question is that in the cases where the Project Office Tool (POT)

was used, all elements related to a project are highlighted and can be used during the audit.

However, the question was whether this is consistently being used for every project.

According to respondents’ responses, not all projects were audited, while for those projects

that were, most respondents’ view was that it was a tick in the box exercise.

Another aspect that emerged from most respondents is that the quality of the documents or

artifact’ content was not evaluated. The use of a check-list was also highlighted.

4.4.13 Corporate governance principles that can be included in a project audit

The thirteenth question dealt with respondents’ views on which of the eight corporate

governance principles highlighted above could be included in project audits.

This question is important in that it is directly linked to this research study. It gives us the

necessary elements required to ascertain whether corporate governance principles can be

included in project audit.

Figure 4-13 presents the code family “13 – Corporate governance principles that can be

included in a project audit”. This code family highlights respondents’ views, logically

grouped into four categories according to the pattern of the answers provided to the question,

of which of the eight corporate governance principles could be included in a project audit.

The four categories are grouped in the following manner:

Those principles respondents feel can definitely be included in a project audit and that can

be measured objectively

Those principles respondents feel can be measured to some extent but that are open to

people’s perceptions

Those principles respondents feel can only apply to auditors

Those principles respondents feel are intangible audit criteria.

Responses for this question are distributed across these four categories representing the

number of times an item was mentioned by respondents. A respondent could mention more

than one view on the question.

CHAPTER 4 110

Some of the corporate governance principles mentioned by some respondents as part of

Category 1 were considered part of Category 2, 3 or 4 by others.

Figure 4-13: Corporate governance principles that can be included in a project audit

As highlighted in Figure 4-13, nine (9) respondents (60%) mentioned the following corporate

governance principles as tangible and strong audit criteria: accountability, transparency,

responsibility, leadership, corporate discipline and communication.

Eight (8) respondents (53.3%) mentioned the following corporate governance principles as

those that could be measured to some extent, but are difficult to measure objectively and

tangibly, since they are open to people’s perceptions: accountability, transparency,

responsibility, leadership and fairness.

Five (5) respondents (33.3%) believed that not one of these corporate governance principles

qualified for a project audit, as it could not be measured objectively or tangibly.

The following principles were mentioned as most intangible and immeasurable:

independence, leadership and fairness.

Two (2) respondents (13.3%) believed that some of these corporate governance principles of

those mentioned below only applied to auditors: accountability, responsibility, transparency,

fairness and independence.

CHAPTER 4 111

Table 4-3 provides a summarised view of responses to Question 13, showing which of the

eight corporate governance principles respondents felt were part of each of the four

categories highlighted in the CF 13.

Table 4-3: Corporate governance principles – project audit criteria (own table)

No

Corporate governance

principle

Tangible and strong

audit criterion

Intangible / to some extent

measurable

Intangible and not

measurable

Applicable only to the auditors

1 Accountability X X X

2 Transparency X X X

3 Responsibility X X X

4 Fairness

X X X

5 Independence

X X

6 Leadership X X X

7 Corporate discipline X

8 Communication X


“Corporate discipline is a strong audit criterion; for example, the use of PMBOK as the

philosophy for project management.

o Compliance with the PMBOK’s nine knowledge areas can be measured tangibly

o Fairness and independence are intangible and cannot be measured

o Accountability, responsibility, transparency, leadership, communication can be

measured. However, they are not tangible audit criteria.”

“Accountability and responsibility. From an audit point of view you always look at what

happened and who was responsible for it.

o Communication should be looked at the level of reporting

o Independence and fairness can be considered only with regard to auditors

o Audits should be done by an independent department, not from a business or

project office viewpoint.”

CHAPTER 4 112

“All of these corporate governance principles are important to the project. However, they

cannot all be measured.

o Accountability, responsibility, transparency, leadership can be used in some way.

They are open to people’s perceptions.”

“All these corporate governance principles are related to one another and important to the

project. Projects drive the company’s strategies.

o They can be used in an audit if they can be measured. Measurements can be

defined. Who is accountable and responsible to do what is defined in the project

scope. If there is a problem, then, accountability and responsibility can be

measured.”

“Most of these corporate governance principles are important to the project. However,

they are vague and difficult to measure.

o How do you measure accountability, independence or fairness?

o Transparency is relative because there are situations where you just cannot afford

to be transparent and communicate your strategic information to everyone”.


The first observation for this question is that most respondents had different and sometimes

opposing views on one or the other principle they considered important. This might have

been caused by the fact that most respondents had only a vague understanding of how each of

these principles could be measured.

The other important aspect is that, for most respondents, a principle could be included as a

project audit criterion, only if it can be tangibly and objectively measured.

4.4.14 Can corporate governance principles be used to measure project success?

The fourteenth question dealt with respondents’ views to the question whether, the eight

corporate governance principles highlighted above could be used to measure project success.

This question underlies an understanding by the respondents of what elements directly

contribute to the project success and if the level of application of corporate governance

principles in a project can be used to determine whether or not the project is successful.

CHAPTER 4 113

Figure 4-14 below presents the code family “14 – Can corporate governance principles be

used to measure project success?” This code family highlights respondents’ views, logically

grouped into two categories according to the pattern of the answers provided to the question

whether the eight corporate governance principles can be used to measure project success.

Figure 4-14: Can corporate governance principles be used to measure project success?

As highlighted in Figure 4-14, eleven (11) respondents (73.3%) believed that the application

of corporate governance principles could not determine the project success.

Four (4) respondents (26.6%) mentioned that if those principles could be defined properly at

the start of the project and monitored during the project execution, they could be used to

measure compliance and as a result increase the chances of project success.


“No. These principles cannot be tangibly measured.”

“No. The project success is dependent on and determined by how these principles are

implemented and measured.

CHAPTER 4 114

o All these corporate governance principles are already part of the project

o Every project manager should be applying them. But, if properly used, they will

increase the chances of the project’s success”.

“No. All of these principles are wonderful to have and need to be used in the project.

However, they are soft issues and cannot be measured objectively.

o It is It is important for an audit to create a template for evaluating and measuring

these soft issues, and apply them throughout the project life cycle”.

“Governance principles need to be defined right at the project start. Then, they can be

used to measure compliance. From the beginning a relationship should be established

between the audit and the project in order to have an impact on the successful delivery of

the project.”

“If correctly supervised and monitored, all these corporate governance principles could

increase the chances of the project’s success. Corporate disciples can have a positive or

negative impact if used with many red tapes around.”

4.4.14.1 Data Interpretation

The underlying aspect from this question was to find out from respondents what their

understanding was of how project success was measured. The most cited measurements for

project success, including the Standish Group, have been time, cost and quality based on

requirements (Dominguez, 2009; Eveleens & Verhoef, 2010).

Most respondents felt that, although corporate governance principles were important

contributors to the project’s success if used correctly, they were not as tangibly measurable as

time, cost and quality.

Another reason cited by respondents was that project success was more dependent on how

principles could be implemented and measured. Some of these principles were already part of

the project governance principles.

4.4.15 Project audit approach for positive impact on project success

The last question dealt with respondents’ views on what approach the IT project audit team

should use to bring about a positive impact on the project success.

This question asked respondents for views or feedback on what they believed was missing

CHAPTER 4 115

from the IT project audit process that could positively contribute to the project’s success.

Figure 4-15 below presents the code family “15 – Project audit approach for positive impact

on project success”.

This code family highlights respondents’ views, logically grouped into five categories

according to the pattern of the answers provided to the question what approach project audits

should adopt in order to have a positive impact on project success.

Answers to this question could be placed in many categories, as they could mention more

than one approach. The answers are distributed across different categories, representing the


Figure 4-15: Project audit approach for positive impact on project success

As highlighted in Figure 4-15, fourteen (14) respondents (93.3%) believed that if IT project

audit could adopt the following four approaches, it would impact project success positively:

CHAPTER 4 116

Must measure the content of documents and artifacts; not just be satisfied with using a

check box for a ticking exercise

Must align project objectives against the overall company objectives.

Must adhere to project governance standards

Must ask relevant questions.

Twelve (12) respondents (80%) believed that, if the project audit could adopt the following

three approaches, it would impact positively on the project’s success:

Must use a phased approach on milestones; will add no value to the current project if only

done at the end of the project

Must have an end-of-project review meeting

Lessons learned to help future projects.

Eleven (11) respondents (73.3%) believed that, if the project audit could adopt the following

four approaches, it would have a positive impact on project success:

Auditors must be impartial and remain independent

Auditors must get involved in an early stage in the project

Auditors must have expert knowledge to provide guidance and direction to the project

Auditors must have a good understanding of project objectives.

Seven (7) respondents (46.6%) believed that, if the project audit could adopt the following

four approaches, it would positively impact project success:

The project audit team must conduct interviews with key project stakeholders

The audit process should not be used as a shame-and-blame tool

The audit process must find a way of addressing soft governance issues throughout the

project life cycle

An audit has no way of addressing difficulties encountered because of a lack of

accountability or responsibility of other parties involved in the project.

Five (5) respondents (33.3%) believed that the project audit had to be viewed in a positive

way as a risk management tool used for trend evaluation and should not be used as a blame-

and-shame tool.

CHAPTER 4 117


“The audit will add no value to the current project if it is done at the end of the project.

The damage will have been done.

o The audit must be done at different project stages before the production migration

o Auditors must be impartial and remain independent

o Auditors must ask questions that are relevant to the project

o The audit must be done according to a set of agreed upon standards and

principles.”

“Understand the project objectives and align them with the overall objectives of the

company.

o Get involved early in the project

o Have a phased approach audit with follow ups to ensure findings have been

applied

o The audit can be used to pick up trends

o It is not a tick-in-the-box exercise.”

“Documentation - was everything documented and governance followed?

o Have an end-of-project review session to evaluate on requirements versus

deliverables, budget and time frame

o Look at important project phase close-up reports for problems in project phases

o Have sign-off documents for business and project sponsors approval

o Conduct interviews with key project stakeholders.”

“The project audit must be able to measure the content of the different project

deliverables and not only be a tick box exercise.”

“The audit shouldn’t be just about checking compliance with processes.

o The audit must find a way to address soft governance issues throughout the

project life cycle

o Auditors must be able to check the content of the documents whether they have

been conducted in accordance to standards

CHAPTER 4 118

o The audit has no way of addressing difficulties encountered because of lack of


o A phased approach to project auditing can add more value than when only done at

the end of the project.”


For most respondents there was a strong feeling that the IT project audit process was not

focused on checking the quality of the content of artifacts or documents being audited. One of

the reasons for this was believed to be a lack of expert knowledge by project auditors to

provide guidance and direction, should defects be found in those artifacts.

Another important aspect that was for the project audit to become involved early in the

project life cycle to acquire a broad and better understanding of the project deliverables; later

to be able to trace and audit at every project milestone. However, if project audit was only

done at the end of the project, many respondents felt this would not add any value to the

current project, as time and resources would already have been wasted.

Another aspect mentioned by respondents was for the project audit to be able to do more than

just use a checklist as a tick-in-the-box exercise.

4.5 SUMMARY

This chapter presented the actual end-to-end processes, procedures, methods and approaches

used – that is, how data were collected, transformed, organised, analysed and given meaning

through interpretation. This, in order to provide insight into the research questions and

determine whether the research problem could be resolved through the use of a holistic

approach that included corporate governance principles in the auditing of IT projects.

From the data analysis and interpretation process, the following aspects were identified:

There is a level of understanding of concepts; for example, governance, corporate

governance, IT governance, project governance, internal audit and project audit. The

majority of respondents had a fairly good understanding of these concepts. The lack of

understanding of these concepts would be a critical risk factor in addressing the problem.

Practical implementation: For the majority of respondents the implementation of

corporate governance principles would have a positive impact on the overall project

management process if it started with top management. It would increase the chances of

CHAPTER 4 119

project success. Most respondents also believed these principles were not objectively or

tangibly measurable to be included as audit criteria in an audit process.

Project auditing value: The majority of respondents believed the audit function would

contribute to project success if it were proactive, done at each project milestones, and

checked the evidence and quality of artifacts as part of an organisation’s quality strategy

plan.

The next chapter presents the key findings and conclusions.

CHAPTER 5 120

CHAPTER 5

KEY FINDINGS AND CONCLUSIONS

5.1 INTRODUCTION

This chapter presents the key research findings, highlights the main objectives this research

study has set out to achieve, and looks at the research problem statement as well as the main

research questions it strove to provide insight into. It draws conclusions, makes

recommendations and provides a brief overview of the previous chapters, the limitations and

the challenges encountered.

This research study takes a holistic approach to IT project management auditing. It argues

that, despite the use of new technologies, innovative methods, techniques and tools for

developing software and managing IT projects, little has changed in the past two decades in

the rate of failure of IT projects. Surveys and statistics show that more than half of all IT

projects are still overrunning their schedule and budget (Taylor, 2004; Lientz & Larssen,

2006; The Standish Group, 2009).

This research study has sought to establish whether corporate governance principles can be

incorporated into the traditional processes and procedures for auditing IT projects. It also

wants to establish if they can help improve the IT project management process by increasing

the chances of IT project success. This takes into consideration that corporate governance has

emerged as a worldwide recognised best practice and an effective mechanism that promotes

corporate efficiency, competitiveness and sustainability, while at the same time combating

corruption (Institute of Directors, 2009).

The relationship between corporate governance and the internal audit function is that the

latter has been identified as one of the main sub-sets of corporate governance (Institute of

Directors, 2009). Robust auditing has been identified as a cornerstone of modern corporate

governance (Puttick & Van Esch, 2007). The relationship between project management and

the internal audit is that the use of auditing in project management increases the probability

of project success (Helgeson, 2010). For Davis et al. (2011) effective project management

does not only ensure project success; it also improves the chances of project success.

CHAPTER 5 121

To attain the above-mentioned goal, the following were the main objectives:

To identify best practices and guidelines in the fields of corporate governance, IT

governance, IT project governance, project management, internal control and internal

audit.

To analyse and identify the gaps between guidelines from the above-mentioned best

practices and the industry’s actual implementation of these best practices.

To conclude by providing insight into the three research questions of:

a) whether the use of corporate governance principles in auditing IT projects can

increase the chances of project success

b) whether the use of corporate governance principles can improve the overall

project management process, and

c) whether corporate governance principles can be used as a measurement for

project success.

The next section briefly summarises the content of the chapters in this research study.

5.2 OVERVIEW OF CHAPTERS

This section provides a brief overview of the content of each chapter in this research study.

Chapter 1 presented the introduction to this research study . It highlighted the background

by positioning project management in history and showed the difference between former

projects and the technological complexity, competitiveness and uncertainty of modern day

projects. It provided data showing the current state of failure of IT projects. It indicated that

little has changed in the past decade or two in spite of the many resources that continue to be

invested in the overall field of information and communication technology. The chapter also

highlighted the global corporate scandals during recent years. They exposed corporate

malpractices, the demand by the public and governments for greater independence, a high

level of accountability, transparency, responsibility and integrity from those involved in the

running of corporations, signalling the importance of corporate governance and strengthening

the audit function. Also in chapter 1, the structure and the different stages of this research

study were presented as well as the definition of the research problem statement, objectives,

methodologies and design strategies.

CHAPTER 5 122

Chapter 2 reviewed relevant published literature. The choice of the topics and concepts of

interest to this research study was guided by the objectives set in chapter 1 which included

the following:

Governance: Definitions, characteristics of effective governance and its main sub-sets

Corporate governance: Definitions, characteristics of effective corporate governance,

compliance approaches and sub-sets

System of internal control: Definition and different frameworks

IT governance: Definitions, components, standards and frameworks

IT project governance and IT project management: Definitions, standards and

methodologies, relationship between governance and management of IT projects, how

project management related to corporate governance as well as the state of IT projects

failures and costs

Internal audit: Definitions, relationship with corporate governance, types and standards

IT project audit: Definitions and phases.

Chapter 2 helped attain the first objective of this research study, namely that of identifying

best practices and guidelines in the above highlighted fields.

Chapter 3 presented the research design. It highlighted the three main research questions and

the different steps to be followed in order to provide insight in to those research

questions. It presented in detail the research strategies and best approaches appropriate to this

research study. It also highlighted the different research methods and techniques for data

collection, data analysis and data interpretation. These included the following:

The choice of a qualitative research approach

The adoption of semi-structured interviews as the method for data collection

The use of purposive sampling techniques to select participants.

The work set out in this chapter helped attain the objective set for data collection through the

processes of interview preparation, identification of participants, conducting the interviews

and data analysis.

CHAPTER 5 123

Chapter 4 looked at the data. It presented the actual strategies and approaches defined in the

previous chapter in action. It presented the main objectives and the different stages of

qualitative data analysis. It also highlighted the data collection process and the procedures

used in conducting interviews. It presented the procedures and approaches used in the

process of analysing, coding and interpreting the data, using qualitative data analysis

software. It provided a detailed interpretation of the data collected from interviews and a

summary of the overall level of understanding by interview participants on the main concepts

discussed during the interviews. The chapter attained the main objective of collecting,

analysing and interpreting the collected data from this research study.

Figure 5-1below offers a graphical view of some of the main concepts mentioned throughout

the chapters in this research study.

Figure 5-1: Graphical view of some of the main concepts discussed (own figure)

Governance

Political Governance

Economic Governance


System of Internal Control

IT Governance

IT Project Management

Internal Audit

Administrative Governance

CHAPTER 5 124

5.3 KEY FINDINGS

This section looks at the research questions and problem statement. It ascertains whether the

objectives set to providing insight into the three main research questions as well as the

overall objectives for this research study, as defined in chapter 1 have been attained.

With regard to the research questions, the objective for the first question was to establish

whether the use of corporate governance principles had a positive impact on the IT project

management process. Details provided in chapter 4, section 4.4.6, provided insight into this

question. It showed that 14 out of 15 respondents (93.3%) agreed that the use of corporate

governance principles would definitely have a positive impact on projects and improve the IT

project management process. Only one respondent disagreed, stating that if the project

manager were to follow the methodology, processes and procedures for managing IT

projects, he/she would be able to manage the project successfully. On this point, Davis et al.

write that “proper project management techniques are essential elements in the success of

any company endeavour … good project management does not ensure success, but it

improves the chances of success” (Davis et al.,2010:367-368).

The objective for the second research question was to establish whether the use of corporate

governance principles in auditing IT projects could increase the chances for the project’s

success. Details given in chapter 4, section 4.4.7, provided insight into this question. It

showed that 14 respondents (93.3%) agreed that the use of corporate governance principles

would definitely influence project success. They added that it was important to ensure that

this was properly implemented, everyone had a common understanding of what these

principles meant and the context in which they were being used. Only one respondent

disagreed by stating that the application of these corporate governance principles in auditing

IT projects would not guarantee or determine a project’s success.

The objective for the third research question was to ascertain whether corporate governance

principles could be used to measure project success. Details in chapter 4, section 4.4.14,

provided insight into this question. It showed that 11 respondents (73.3%) believed that

corporate governance principles could not be used to measure project success. The main

reasons provided were that most of the principles could not be tangibly or objectively

measured and that they were open to peoples’ perceptions.

CHAPTER 5 125

Four out of 15 respondents (26.7%) thought it could. They stated it was possible to use these

corporate governance principles to measure the project success if the measurements could be

properly defined at the start of the project and monitored throughout its life cycle.

Looking at the problem statement, Brisbois et al. (2008:5) write that “without effective

governance, IT projects have a higher risk of failure”.

Tarantino (2008:162) writes that “the reasons for project failures have to do with failures of

project governance”. Taking a closer look at the concepts of governance, corporate

governance, IT governance and project governance as reviewed throughout this research

study. Information collected through interviews concluded that governance is an important

contributory factor to the success of IT projects. Auditing, which increases the probability of

project success, and effective project management, which improves the chances of a project

being successful are also important.

Taking all the above-mentioned into consideration, it can be said that it is not possible to

state conclusively that governance alone can resolve the problem of the high rate of failure of

IT projects. However, governance, auditing and effective project management together do

improve and increase the chances of project success.

5.4 CONCLUSIONS

This section looks at the overall objectives set for this research study, as highlighted in the

introductory section of this chapter, and ascertains whether or not they have been attained.

The first objective, namely to identify best practices, standards and guidelines in different

fields of interest to this research study, was attained through a review of published literature

in chapter 2. Various principles, standards and guidelines in different disciplines were

highlighted and analysed.

The second objective, namely to analyse and identify gaps between the guidelines provided

in the literature and actual field practice, was attained through interviews. It was possible to

ascertain the gaps and level of understanding participants had of the main concepts used in

this research study.

The third objective, namely to establish whether corporate governance principles could be

included in the processes for auditing IT projects, was attained through details provided in

section 5-3 (the key findings).

CHAPTER 5 126

From all the above findings it is possible to conclude that all the objectives set for this

research study have been attained successfully.

5.5 LIMITATIONS

This section highlights the challenges encountered in the course of producing this research

study.

Following are the main challenges and limitations encountered:

This research was carried out in one company only and could not take into account the

views of other companies’ project managers on the topic – it was a limitation.

The population sample was limited to 15 participants. It is also a limitation, as a larger

group of participants would have provided a broader view of the research topic.

The time available for undertaking this study was limited.

The difficulties encountered in the process of identifying willing participants in the study

caused a delay in the process of data collection – it was another limitation.

5.6 FUTURE RESEARCH

This research study helped look at the important problem of the high rate of failed IT projects

and the associated costs in different perspectives. The researcher used the central topic of

governance and specifically corporate governance principles. It highlighted governance in

ways that opened opportunities for further investigation on how corporate governance

principles could be used.

The topic of corporate governance, IT project auditing and IT project management that this

research study undertook is certainly wide. From what has been discovered, there are still

many areas for further research. One such area of research would be to investigate how to

measure people issues that have an impact on IT project success. Another research area

might investigate why many organisations that have corporate standards for managing

projects and project managers do not all seem to follow the same processes. This aspect was

obvious in this research study, as everyone had a different view of the organisation’s

processes for managing IT projects.

Another research area would include how to deal with different ways to measure corporate

governance principles in a tangible manner.

CHAPTER 5 127

5.7 LESSONS LEARNED

As I look back at this long research journey, I can admit that I underestimated the time,

efforts, discipline and sacrifices that go into doing research – which I have now learned and

understood.

REFERENCES 128

REFERENCES

Anderson, V. (2004). Research Methods in Human Resource Management. London: Charted

Institute of Personnel and Development.

Asian Development Bank (ADB). (1995). Governance: Sound Development Management

(Manila: ADB, Board Paper, August).

Association for Project Management (APM). (2006). APM Body of Knowledge: Definitions.

5th edition. Available from: http://www.apm.org.uk

(Accessed 8 March 2010).

Association for Project Management (APM). (2007). Directing Change – A guide to

governance of Project Management. Available from: http://www.apm.org.uk


ATLAS.ti Scientific Software Development GmbH, (2010). ATLAS.ti 6 Quick Tour.

Available from: http://www.atlasti.com/uploads/media/QuickTour_a6_en_01.pdf.

(Accessed 15 June 2011).

ATLAS.ti Scientific Software Development GmbH, (2011). ATLAS.ti 6: Concepts and

Functions. Available from:

http://www.atlasti.com/uploads/media/miniManual_v6_2011.pdf.


Auerbach, C.L. & Silverstein L.B. (2003). Qualitative data: An introduction to coding and

analysis. New York: New York University Press.

Babbie, E. (2010). The Practice of Social Research. 12th edition. Belmont: Cengage

Learning.

Basu, S.K. (2006). Auditing: Principles and Techniques. Delhi: Pearson Education India

Batten, L. (2008). CMMI 100 Success Secrets: Capability Maturity Model Integration 100

Success Secrets - 100 Most Asked Questions. Lulu.com.

Bernard, H.R. & Ryan, G.W. (2010). Analyzing Qualitative Data: Systematic Approaches.

California: SAGE Publications Ltd.

http://www.apm.org.uk/

http://www.apm.org.uk/

http://www.atlasti.com/uploads/media/QuickTour_a6_en_01.pdf

http://www.atlasti.com/uploads/media/miniManual_v6_2011.pdf

REFERENCES 129

Biemer, P.P. & Lyber, L. (2003). Introduction to Survey Quality. New Jersey: John Wiley

& Sons, Inc.

Bisoux, T. (2004). What is Good Governance? Journal, BizEd, March/April 2004.

Boeije, H. (2009). Analysis in Qualitative Research. London: SAGE Publications Ltd.

Brisebois, R. & La Salle, M. (2008). Progress Report for the Task Force on IT Governance –

17th meeting on the INTOSAI working group on IT Audit. Tokyo. Available from:

http://www.intosaiitaudit.org/17th_%20ITgovernance.ppt


Brisebois, R., Boyd, G. & Shadid, Z. (2008). Introduction to the Seminar: What is IT

Governance and Why is it Important? Available from:

http://www.intosaiitaudit.org/muscat/Canada-E_Governance.pdf

(Accessed 28 October 2011).

Cadbury, A. (1999). Corporate Governance: A Framework for Implementation – Overview.

Available from:

http://www.sovereignglobal.com/media/framework_for_implemenation.pdf


Calder, A. (2005). IT Governance Today: A Practitioner’s Handbook.

Cambs: IT Governance.

Calder, A. (2006). IT Project Governance and Prince2 Project Management.

Cambs: IT Governance.

Calder, A. (2011). The Calder-Moir IT Governance Framework. Available from:

http://www.itgovernance.co.uk/calder_moir.aspx (Accessed 29 October 2011).

Camilleri, E. (2011). Project Success: Critical Factors and Behaviours.

Burlinghton: Gower Publishing, Ltd.

Canadian International Development Agency (CIDA). (1997). Redefining the Concept of

Governance. Available from: http://www.acdi-

cida.gc.ca/INET/IMAGES.NSF/vLUImages/HRDG/$file/GovConcept-e.pdf

(Accessed 21 April 2010).

http://www.intosaiitaudit.org/17th_%20ITgovernance.ppt

http://www.intosaiitaudit.org/muscat/Canada-E_Governance.pdf

http://www.sovereignglobal.com/media/framework_for_implemenation.pdf

http://www.itgovernance.co.uk/calder_moir.aspx

http://www.acdi-cida.gc.ca/INET/IMAGES.NSF/vLUImages/HRDG/$file/GovConcept-e.pdf

http://www.acdi-cida.gc.ca/INET/IMAGES.NSF/vLUImages/HRDG/$file/GovConcept-e.pdf

REFERENCES 130

Cascarino, R.E. (2012). Auditor’s Guide to IT Auditing. 2nd edition. New Jersey: John Wiley

& Sons, Inc.

Charvat, J. (2003). Project Management Methodologies: Selecting, Implementing, and

Supporting Methodologies and Processes for Project.

New Jersey: John Wiley & Sons, Inc.

Commonwealth Association for Corporate Governance (CACG), (1999).

CACG Guidelines Principles for Corporate Governance in the Commonwealth: Towards

global competitiveness and Economic Accountability. Available from:

http://www.ecgi.org/codes/documents/cacg_final.pdf (Accessed 22 December 2008).

Comptroller of the Currency Administrator of the National Banks (CCANB). (2001).

Internal Control – Comptroller’s Handbook. Available from:

http://www.occ.treas.gov/handbook/%C4%B1ntcntrl2.pdf (Accessed 21 April 2010).

Cooke-Davies T. (2002). The "Real" Success Factors on Projects. International Journal of

Project Management vol.20. Available from:

http://www.uncg.edu/bae/people/amoako/ISM654/reading_%232.pdf.

(Accessed 22 May 2010).

Crawford, L. (2000). Competence for Prosperity through Partnership. In: Proceedings of

World Project Management Week Conference, Cairns, October 2000. Brisbane:

Eventcorp.

Crawford, L. (2004). Global Body of Project Management Knowledge and Standards.

Available from: http://pmcompetence.net/PPG/download/crawford_l_2004a.pdf.

(Accessed 25 February 2008).

Credit Lyonnais Securities Asia (CLSA), (2001). Corporate Governance in Emerging

Markets: Saints & Sinners-Who’s got religion?

Available from: http://www.webb-site.com/codocs/Saints&Sinners.pdf


Creswel, J.W. (2003). Research design: Qualitative, Quantitative and Mixed Method

Approaches. 2nd edition. California: SAGE Publications Ltd.

http://www.ecgi.org/codes/documents/cacg_final.pdf

http://www.occ.treas.gov/handbook/%C4%B1ntcntrl2.pdf

http://www.uncg.edu/bae/people/amoako/ISM654/reading_%232.pdf

http://pmcompetence.net/PPG/download/crawford_l_2004a.pdf

http://www.webb-site.com/codocs/Saints&Sinners.pdf

REFERENCES 131

Davis, C., Schiller, M. & Wheeler, K. (2011). IT Auditing: Using Controls to Protect

Information Assets. 2nd edition. New York: McGraw-Hill.

Dawson, C. (2002). Practical Research Methods: A User-friendly Guide to Mastering

Research Techniques and Projects. UK: How To Books Ltd.

De Haes, S. & Grembergen, W. V. (2004). IT Governance and Its Mechanisms. Information

Systems Control Journal Vol 1,2004.

Denzin, N.K. & Lincoln, Y. S. (2011). The SAGE Handbook of Qualitative Research.

California: SAGE Publications Ltd.

Dominguez, J. (2009). The Curious Case of the CHOAS Report 2009. Available from:

http://manipalitdubai.com/material/Reading_Material/MIT601/chaos_report2.pdf


Doyle, J.K. (1999). Introduction to Survey Methodology and Design. Available from:

http://www.sysurvey.com/tips/introduction_to_survey.htm.


Eveleens, J. L. & Verhoef, C. (2010). The Rise and Fall of the Chaos Report Figures.

Available from: http://www.cs.vu.nl/~x/chaos/chaos.pdf (Accessed 19 April 2012).

Faherty, V. E. (2010). Wordcraft, Applied Qualitative Data Analysis (QDA): Tools for Public

and Voluntary Social Services. California: SAGE Publications Ltd.

Flick, U. (2009). An Introduction to Qualitative Research. 4th edition. London: Sage.

Gill, M. (2002). Sample Governance policies. Available from:

http://www.iog.ca/publications/sample_policies.pdf (Accessed 21 April 2010).

Global Corporate Governance Forum (GCGF). (2005). Toolkit 2: Developing Corporate

Governance Codes of Best Practices. Maryland: Schmitz Press.

Gravetter, F.J. & Forzano, L.B. (2011). Research Methods for the Behavioral Sciences. 4th

edition. Belmont, CA: Wadworth, Cengage Learning.

Guion, A.L. (2008). Conducting an In-depth Interview.

Available from: http://edis.ifas.ufl.edu/fy393 (Accessed 30 May 2010).

http://manipalitdubai.com/material/Reading_Material/MIT601/chaos_report2.pdf

http://www.sysurvey.com/tips/introduction_to_survey.htm

http://www.cs.vu.nl/~x/chaos/chaos.pdf

http://www.iog.ca/publications/sample_policies.pdf

http://edis.ifas.ufl.edu/fy393

REFERENCES 132

Gumz, J. (2006). Project Manageri – Global Congress Proceedings, Madrid.

Available from:

http://www.projectauditors.com/Papers/Your_Project_Has_Been_Selected_for_an__Audit

.pdf (Accessed 5 December 2009).

Heldman, K. (2011). Project Management JumpStart: The Best First Step Toward a Career

in Project management. 3rd edition. SYBEX Inc.

Helgeson, J.W. (2010). The Software Audit Guide. Milwaukee: ASQ Quality Press.

Hendrikse, J. & Hendrikse, L. (2004). Business Governance Handbook: Principles and

Practices. Cape Town: Juta.

Henrischsen, L. & Smith M. T. (1997). Taming the Research Beast: Research Methods in

TESL and Language Acquisition. Available from:

http://linguistics.byu.edu/faculty/henrichsenl/researchmethods/RM_1_01.html. (Accessed

21 May 2010).

Hesse-Biber, S.N. & Leavy, P. (2011). The Practice of Qualitative Research. 2nd edition.

London: SAGE Publications Ltd.

Information Age, (2006). Most IT Projects Fail - KPMG report reveals. Available from:

http://www.information-age.com/articles/301316/most-it-projects-fail-kpmg-report-

reveals.thtml. (Accessed 20 April 2012).

Institute of Directors in Southern Africa (IoD), (2009). KING Report on Governance for

South Africa 2009. Cape Town: Juta & Co. Ltd.

International Corporate Governance Network (ICGN), (2009). ICGN Global Corporate

Governance Principles: Revised 2009. Available from:

http://www.icgn.org/files/icgn_main/pdfs/best_practice/global_principles/short_version_-

_icgn_global_corporate_governance_principles-_revised_2009.pdf.


International Data Corporation (IDC). (2011). Government Investments to Drive IT Spending

in South Africa in 2011, with eGovernment Initiatives a Key Factor, According to IDC.

Press Release published on April 12, 2011. Available from:

http://www.idc-cema.com/?showproduct=41054 (Accessed 17 September 2011).

http://www.projectauditors.com/Papers/Your_Project_Has_Been_Selected_for_an__Audit.pdf

http://www.projectauditors.com/Papers/Your_Project_Has_Been_Selected_for_an__Audit.pdf

http://linguistics.byu.edu/faculty/henrichsenl/researchmethods/RM_1_01.html

http://www.information-age.com/articles/301316/most-it-projects-fail-kpmg-report-reveals.thtml

http://www.information-age.com/articles/301316/most-it-projects-fail-kpmg-report-reveals.thtml

http://www.icgn.org/files/icgn_main/pdfs/best_practice/global_principles/short_version_-_icgn_global_corporate_governance_principles-_revised_2009.pdf

http://www.icgn.org/files/icgn_main/pdfs/best_practice/global_principles/short_version_-_icgn_global_corporate_governance_principles-_revised_2009.pdf

http://www.idc-cema.com/?showproduct=41054

REFERENCES 133

IT Governance (n,d). Understanding Corporate Governance Concepts. Available from:

http://www.itgovernance.co.uk/corporate_governance.aspx.


IT Governance Institute. (2007). CobiT 4.1 Framework, Control Objectives, Management

Guidelines, Maturity Models. Available from: http://www.itgi.org. (Accessed 28 March

2008).

IT Service Management Forum (ITSMF). (2004). Aligning COBIT, ITIL and ISO 17799 for

Business Benefit. A Management Briefing from ITGI and OGC. Available from:

https://my.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=32757.


Jenner, S. OGC & Kilford, C. (2011). Management of Portfolios. Belfast: The Stationery

Office.

Kadre, S., (2011). Going Corporate: A Geek’s Guide. New York: Apress.

Kerzner, H. (2009). Project Management: A Systems Approach to Planning, Scheduling and

Controlling. 10th edition. New Jersey: Wiley & Sons, Inc.

Kjaer, A.M. (2004). Governance. Maldren: Polity Press.

Kousholt, B. (2007). Project Management: Theory and Practice. Copenhagen:

Nyt Teknisk Forlag.

KPMG, (2005). Global IT Project Management Survey: How committed are you? Available

from: http://www.totalmetrics.com/function-points-downloads/IT-Project-

Governance.pdf. (Accessed 22 May 2010).

KPMG. (2006). Fraud Risk Management. Developing a Strategy for Prevention, Detection,

and Response. Available from:

http://www.kpmg.co.th/service/advisory/Developing%20a%20strategy%20for%20prevent

ion%20and%20detection.pdf. (Accessed 2 June 2008).

Kumar, R. & Sharma, V. (2005). Auditing: Principles and Practice.

New Delhi: PHI Learning Pvt. Ltd.

http://www.itgovernance.co.uk/corporate_governance.aspx

http://www.itgi.org/

https://my.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=32757

http://www.google.co.za/search?tbo=p&tbm=bks&q=inauthor:%22Stephen+Jenner%22

http://www.google.co.za/search?tbo=p&tbm=bks&q=inauthor:%22Office+of+Government+Commerce%22

http://www.google.co.za/search?tbo=p&tbm=bks&q=inauthor:%22Office+of+Government+Commerce%22

http://www.totalmetrics.com/function-points-downloads/IT-Project-Governance.pdf

http://www.totalmetrics.com/function-points-downloads/IT-Project-Governance.pdf

http://www.kpmg.co.th/service/advisory/Developing%20a%20strategy%20for%20prevention%20and%20detection.pdf

http://www.kpmg.co.th/service/advisory/Developing%20a%20strategy%20for%20prevention%20and%20detection.pdf

http://www.google.co.za/search?tbo=p&tbm=bks&q=inauthor:%22Ravinder+Kumar%22

http://www.google.co.za/search?tbo=p&tbm=bks&q=inauthor:%22Virender+Sharma%22

REFERENCES 134

Kvale, S. (1996). Interviews: An Introduction to Qualitative Research Interviewing. Newbury

Park, CA: Sage Publications.

Levin, G. & Ward, J.L. (2012). PgPM Exam Practice Test & Study Guide. 3rd edition. CRC

Press.

Lewis, P.J. (2001). Fundamentals of project management: Developing core competencies to

help outperform the competition. 2nd edition. New York: McGraw-Hill.

Lewis, P.J. (2007). The Project Manager’s Desk Reference.3rd edition. New York: McGraw-

Hill.

Lewins, A. & Silver, C. (2007). Using Software in Qualitative Research: A Step-by-Step

Guide. London: SAGE Publications Ltd.

Lientz, B. P. & Larssen, L. (2006). Risk Management for IT Projects: How to deal with over

150 Issues and Risks. Burlington: Butterworth-Heinemann.

Lincoln, S.Y. & Guba, G.E. (1985). Naturalistic Inquiry. Newbury Park, CA: Sage

Publications.

Mack, N., Woodsong, C. & MacQueen, K.M. (2005). Qualitative Research Methods:

A Data Collector’s Field Guide. Available from:

http://www.fhi.org/en/rh/pubs/booksreports/qrm_datacoll.htm (Accessed 28 May 2010).

Macnee, L.C. & McCabe, S. (2008). Understanding Nursing Research: Reading and Using

Research in Evidence-Based Practice. 2nd edition. China: Lippincott Williams & Wilkins.

Mallin, A. C. (2007). Corporate Governance. 2nd edition. New York: Oxford University

Press Inc.

Marchewka, J.T. (2006). Information Technology Project Management: Providing

Measurable Organisational Value. 2nd edition. New York: John Wiley & Sons, Inc.

Marshall, C. & Rossman, G.B. (2010). Designing Qualitative research. 5th edition. London:

SAGE Publications Ltd.

McKusker, J. & Crair, L. (2006). Establishing Project Governance - A Practical

Framework to Manage Risk, Provide Verification and Validation Processes and Ensure

Compliance with Sarbanes-Oxley. International Conference Practical Software Quality

& Testing. London.

http://www.fhi.org/en/rh/pubs/booksreports/qrm_datacoll.htm

REFERENCES 135

Melton, T. (2007). Project Management Toolkit: The basics for Project Success.

2nd edition. Oxford: Butterworth-Heinemann.

Miller, J. (2008). Catapulting Productivity with IT Project Management and Corporate

Governance. Available from: http://www.pmforum.org/library/papers/2008/PDFs/Miller-

5-08.pdf

(Accessed 28 October 2008).

Mills, A.J., Eurepos, G. & Wiebe, E. (2010). Encyclopedia of Case Study Research. Volume

1 and 2. California: SAGE Publications Ltd.

Millstein, I.M. (1998). Corporate Governance: Improving competitiveness and access to

capital in global markets. A Report to the OECD by the Business Sector Advisory Group

on Corporate Governance. OECD.

Moeller, R.R. ( 2004). Sarbanes-Oxley and the New Internal Auditing Rules. New Jersey:

John Wiley & Sons Inc.

Monette, D.R., Sullivan, T.J. & DeJong C.R. (2011). Applied Social Research: A Tool for the

Human Service. 8th edition. California: Cengage Learning.

Murray, A. & Ward, M. (2007). Improving Project Performance Using the PRINCE2

Maturity Model (P2MM). London: The Stationery Office.

Nandyal, R. (2004). CMMI: A Framework for Building World-Class Software and Systems

Enterprises. New Delhi: Tata McGraw-Hill.

Nasir, M. H. N. & Shahibuddin, S. (2011). Critical Success Factors for Software Projects:

A comparative study. Available from

http://www.academicjournals.org/sre/PDF/pdf2011/18May/Nasir%20and%20Sahibuddin.

pdf (Accessed 1 October 2011).

Newman, I. & Benz, C.R. (1998). Qualitative-Quantitative Research Methodology:

Exploring the Interactive Continuum. Southern Illinois University.

Nicholas, J.M. (1990). Managing Business and Engineering Projects: Concepts and

Implementation. New Jersey: Prentice-Hall, Inc.

OECD. (2004). OECD Principles of Corporate Governance.

Available from: http://www.oecd.org/DATAOECD/32/18/31557724.pdf

(Accessed 30 September 2008).

http://www.pmforum.org/library/papers/2008/PDFs/Miller-5-08.pdf

http://www.pmforum.org/library/papers/2008/PDFs/Miller-5-08.pdf

http://www.academicjournals.org/sre/PDF/pdf2011/18May/Nasir%20and%20Sahibuddin.pdf

http://www.academicjournals.org/sre/PDF/pdf2011/18May/Nasir%20and%20Sahibuddin.pdf

http://www.oecd.org/DATAOECD/32/18/31557724.pdf

REFERENCES 136

Office of Government Commerce (OGC). (2006). Portfolio, Programme & Project

Management Maturity Model (P3M3). Available from:

http://www.outperform.co.uk/Portals/0/PRINCE2_Maturity_Model_Version_1.pdf


Office of Government Commerce (OGC). (2008). Portfolio, Programme and Project Offices

Pocketbook. Edinburgh: The Stationery Office.

Offredy, M. & Vickers, P. (2010). Developing a Healthcare Research Proposal: An

Interactive Student Guide. Chichester: John Wiley & Sons, Ltd.

Olivier , S.M. (2009). Information Technology Research: A Practical Guide for Computer

Science and Informatics. 3rd edition. Pretoria: Van Schaik Publishers.

Pequegnat, W., Stover, E. & Boyce, C. A. (2011). How to Write a Successful Research Grant

Application: A Guide for Social and Behavioral Scientists. 2nd edition. New York:

Springer.

PM4DEV. (2007). Fundamentals of Project Management. Lulu Enterprises, Inc

PMThink. (2005). Failed IT Projects Cost Businesses Millions, says Survey.

Available from: http://www.pmthink.com/2005/09/failed-it-projects-cost-businesses.htm.


PricewaterhouseCoopers (PWC). (2004). Boosting Business Performance through

Programme and Project Management. Available from:

http://www.mosaicprojects.com.au/PDF/PwC_PM_Survey_210604.pdf


Project Management Institute (PMI). (2003). Organizational Project Management Maturity

Model (OPM3): Knowledge Foundation. Newtown Square, PA: Project Management

Institute.

Project Management Institute (PMI). (2008a). A Guide to the Project Management Body of

Knowledge. 4th edition. Newtown Square, PA: Project Management Institute.

Project Management Institute (PMI). (2008b). The Standard for Program Management. 2nd

edition. Newtown Square, PA: Project Management Institute.

http://www.outperform.co.uk/Portals/0/PRINCE2_Maturity_Model_Version_1.pdf

http://www.pmthink.com/2005/09/failed-it-projects-cost-businesses.htm

http://www.pmthink.com/2005/09/failed-it-projects-cost-businesses.htm

http://www.mosaicprojects.com.au/PDF/PwC_PM_Survey_210604.pdf

REFERENCES 137

Punch, K. (2005). Introduction to Social Research: Quantitative and Qualitative Approaches.

2nd edition. London: Sage Publications.

Punch, K. (2006). Research Proposals. 2nd edition. London: Sage Publications.

Puttick, G. & Van Esch, S. (2007). The Principles and Practice of Auditing. 9th edition. Cape

Town: Juta & Co. Ltd.

Rad, P.F. & Levin, G. (2006). Project Portfolio Management Tools and Techniques.

New York: International Institute for Learning. Inc.

Remenyi, D. (2008). Proceedings of the 2nd European Conference on Information

Management and Evaluation. Reading: Academic Publishing Ltd.

Robinson, W.C. (2006). IS 540: Research Methods. Available from:

http://web.utk.edu/~wrobinso/540_lec_interview.html. (Accessed 7 February 2008).

Sapsford, R. & Jupp, V. (2006). Data Collection and Analysis. 2nd edition. London: SAGE

Publications.

Schwalbe, K. (2010). Information Technology: Project Management. 6th edition.

Massachusetts: Course Technology - Cengage Learning.

Sessions, R. (2009). The IT Complexity Crisis: Danger and Opportunity. Available from:

http://www.objectwatch.com/whitepapers/ITComplexityWhitePaper.pdf


Solomon, J. (2007). Corporate Governance and Accountability. 2nd edition. Chichester: John

Wiley & Sons, Ltd.

Sonnekus, R. & Labuschagne, L. (2003). IT Project Management Maturity versus Project

Success in South Africa: RAU Standard Bank Academy for Information Technology.

Accessed from:

http://www.uj.ac.za/EN/Faculties/management/departments/bit/research/Documents/Prosp

erus%20Report.pdf. (Accessed 17 September 2011).

Stanleigh, M. (n,d). Undertaking a Successful Project Audit. Available from:

http://www.bia.ca/articles/UndertakingaSuccessfulProjectAudit.htm


http://web.utk.edu/~wrobinso/540_lec_interview.html

http://www.objectwatch.com/whitepapers/ITComplexityWhitePaper.pdf

http://www.uj.ac.za/EN/Faculties/management/departments/bit/research/Documents/Prosperus%20Report.pdf

http://www.uj.ac.za/EN/Faculties/management/departments/bit/research/Documents/Prosperus%20Report.pdf

http://www.bia.ca/articles/UndertakingaSuccessfulProjectAudit.htm

REFERENCES 138

Tarantino, A. (2008). Governance, Risk and Compliance Handbook: Technology, Finance,

Environment and International Guidance and Best Practices. New Jersey: John Wiley &

Sons, inc.

Taylor, J. (2004). Managing Information Technology Projects: Applying Project

Management Strategies to Software, Hardware and integration initiatives.

New York:AMACOM.

The Committee of Sponsoring Organisations of the Treadway Commission (COSO). (1994).

Internal Control - Integrated Framework. Two-Volume edition. Jersey City.

The Committee of Sponsoring Organisations of the Treadway Commission (COSO). (2004).

Enterprise Risk Management - Integrated Framework. Executive Summary. Available

from: http://www.coso.org/IC-IntegratedFramework-summary.htm.


The CPA Journal. (2000). The Components of a Comprehensive Framework of Internal

Control. Available from: http://www.nysscpa.org/cpajournal/2000/0300/d64300a.htm


The Institute of Internal Auditors (IIA). (2001). International Standards for the Professional Practice of Internal Auditors. Florida: IIA.

The Standish Group. (2001). Extreme Chaos. Available from:

http://www.smallfootprint.com/Portals/0/StandishGroupExtremeChaos2001.pdf.


The Standish Group. (2009). Chaos Report. Available from:

http://www1.standishgroup.com/newsroom/chaos_2009.php

(Accessed 1February 2010).

The United Nations Development Programme (UNDP). (1997). Governance for

Sustainable Human Development – A UNDP Policy Document. Available from:

http://www.pogar.org/publications/other/undp/governance/undppolicydoc97-e.pdf


The United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP).

(2010). What is good Governance? Available from:

http://www.unescap.org/pdd/prs/ProjectActivities/Ongoing/gg/governance.asp


http://www.coso.org/IC-IntegratedFramework-summary.htm

http://www.nysscpa.org/cpajournal/2000/0300/d64300a.htm

http://www.smallfootprint.com/Portals/0/StandishGroupExtremeChaos2001.pdf

http://www1.standishgroup.com/newsroom/chaos_2009.php

http://www.pogar.org/publications/other/undp/governance/undppolicydoc97-e.pdf

http://www.unescap.org/pdd/prs/ProjectActivities/Ongoing/gg/governance.asp

REFERENCES 139

The World Information Technology and Services Alliance (WITSA). (2010). DIGITAL

PLANET 2010: EXECUTIVE SUMMARY. The Global Information Economy.

Available from:

http://www.witsa.org/v2/media_center/pdf/DP2010_ExecSumm_Final_LoRes.pdf,


Thornton, G. (2009). Internal Audit, Risk Management and Internal Control. Available from:

http://www.gt.co.za/Publications/Effective-directors-guide/int_audit.asp

(Accessed 23 January 2010).

Trochim, W.M.K. (2006). Research Methods: Knowledge Base. Available from:

http://www.socialresearchmethods.net/kb/index.php (Accessed 26 May 2010).

Van Bon, J. & Verheijen, T. (2006). Frameworks for IT Management. Amersfoort: Van

Haren.

Veasey, E.N. (2000). The Role of the Judiciary in Corporate Law, Corporate Governance

and Economic Goals: Company Law Reform in OECD Countries A Comparative Outlook

of Current Trends. Available from: http://www.oecd.org/dataoecd/40/5/1857539.pdf.


Walliman, N. (2005). Your Research Project: A Step-by-step Guide for First-time

Researcher. 2nd edition. London: Sage Publications.

Weaver, P. (2005). Effective Project Governance – The tools for success. Available from:

http://www.mosaicprojects.com.au/resources_papers.html#Governance.


Whittaker, B. (1999). What went wrong? Unsuccessful Information Technology Projects.

Journal: information Management & Computer Security 7(1):23-30. (MCB University

Press).

Wysocki, R. (2011). Executive's Guide to Project Management: Organizational Processes

and Practices for Supporting Complex Projects. New Jersey: John Wiley & Sons.

http://www.witsa.org/v2/media_center/pdf/DP2010_ExecSumm_Final_LoRes.pdf

http://www.gt.co.za/Publications/Effective-directors-guide/int_audit.asp

http://www.socialresearchmethods.net/kb/index.php

http://www.oecd.org/dataoecd/40/5/1857539.pdf

http://www.mosaicprojects.com.au/resources_papers.html#Governance

APPENDIX A 140

APPENDIX A

APPENDIX A 141

APPENDIX B 142

APPENDIX B INTERVIEW GUIDE

A research project towards Masters of Technology (MTech) – for the University of Johannesburg

PROJECT TOPIC

“A HOLISTIC APPROACH TO IT PROJECT MANAGEMENT AUDITING”

OBJECTIVES

The project is concerned with a holistic approach to IT project management auditing that includes over and above the traditional elements for auditing IT projects, corporate governance principles.

The purpose of the interviews is to establish whether:



2 Can the use of corporate governance principles improve the overall IT

project management process?

3 Can corporate governance principles be used to measure project success?

ETHICAL CONSIDERATIONS

All interviews are confidential and no one is mentioned separately in the final

results.

All answers are typed out and rechecked with individual interviewees for

completeness.

Data analysis is considered as a whole to extract trends, views etc.

Any extra ideas are welcomed.

APPENDIX B 143

INTERVIEW QUESTIONS The interview questions cover topics in the following areas, namely corporate governance, project management and project audit. There is no right or wrong answers to these questions. I am more interested in your honest views and understanding as well as the processes, guidelines and documents you use in auditing your projects. 1 What is your understanding of the concept of “corporate governance”? 2 What is your understanding of the concept of “IT governance”? 3 What is your understanding of the concept of “project governance”? 4 What are the IT project critical success factors? 5 At which level in the portfolio, programme and project offices would corporate

governance principles be best applied? 6 Would the application of corporate governance principles have any impact on the

project management process? 7 Would the application of corporate governance principles have any impact on the

project success? 8 What monitoring mechanisms are currently in place to ensure the attainment of the

project’s objectives? 9 What is your understanding of the concept of “project audit”? 10 What is the process followed during a project audits? 11 What events trigger a project audit? 12 What elements are used in a project audit? 13 What corporate governance principles can be included in a project audit? 14 Can corporate governance principles be used to measure project success? 15 What approach the project audits should use to bring about a positive impact on project

success?

APPENDIX B 144

Summary of the main corporate governance principles as per the below organisations

PRINCIPLE OECD CACG CLSA King III Report

Combined Code

1 Accountability X X X X X

2 Transparency X X X X X

3 Responsibility X X X X X

4 Fairness X X X X X

5 Independence X X X X X

6 Leadership X X X X X

7 Corporate discipline X X X X X 8 Communication X X X X

Definitions of the above-mentioned corporate governance principles:

1 Accountability refers to a mechanism by which those who make decisions and those

who take actions on specific issues must be accountable for their decisions and actions.

2 Transparency refers to the ease with which an organisation is able to conduct its

activities and provide information in an open, candid and accurate way.

3 Responsibility refers to the state of having control or authority and being accountable

for one’s actions and decisions.

4 Fairness refers to the condition of being free from any discrimination or dishonesty

and in conformity with rules and standards.

5 Independence refers to the absence of undue influence and bias, which can be affected

by the intensity of the relationship between the director and the company.

6 Leadership refers to the ability to successfully integrate and maximise available

resources for the attainment of organisational goals.

7 Corporate discipline refers to the commitment – mainly by the organisation’s senior

management to adhere to behaviour that is universally recognised and accepted as

correct.

8 Communication refers to a timely, accurate and honest sharing of relevant

information – whether in writing or orally with all concerned stakeholders.

APPENDIX C 145

APPENDIX C

INTERVIEW TRANSCRIPT Following are quotations or views of all 15 participants on each of the 15 questions asked

during the interviews:

Question 01

What is your understanding of the concept of “corporate governance”?

1 Corporate governance is a set of measures and guiding principles that protect an

organisation by looking at how policies and procedures are executed.

2 Corporate governance is about the protection of stakeholders investments in a

company. It deals with rules, procedures, policies and fundamental principles that

guide all stakeholders on how the company must be run. It is about how the company

is managed and directed.

3 Corporate governance is a framework or a set of rules, regulations, policies, guidelines

and procedures that govern an organisation as to how things should and should not be

done.

4 Corporate governance is a set of rules, measurements, processes and procedures set up

by the company, and have to be followed and adhered to.

5 Corporate governance is about setting rules, regulations and procedures for governing

the corporation. It covers things like ethics and integrity.

6 Corporate governance is the requirements laid down by the organisation to compare,

judge and measure adherence to corporate standards.

7 Corporate governance is the end-to-end governing of defined processes, laws and

procedures to ensure that what people say and portray is what they do, and are aligned

to.

8 Corporate governance is a set of processes, measurements and procedures put into

place by the organisation in order to enable and ensure governance in terms of

compliance and ethics.

9 Corporate governance is a set of rules, regulations, guidelines and practices we adopt

for running our business. In other words, it is a framework that governs how we should

run our business.

APPENDIX C 146

10 Corporate governance is a set of rules, processes and laws, implemented to ensure that

the organisation runs properly and achieves its strategic goals.

11 Corporate governance is concerned with rules and regulations, ethical behaviours and

the protection of the integrity of business operations.

12 Corporate governance is a set of rules, guidelines and procedures established to

monitor and control how, what and when to do things.

13 Corporate governance is about setting the rules of the organisation and how we run our

business. It is to do with ethics and how people from outside the organisation see us.

14 Corporate governance is the way an organisation operates or conducts its business at

all levels and how it comes to the decisions they make.

15 Corporate governance is a set of rules, principles, guidelines and boundaries put into

place within which people in the organisation have to function or operate. It is also the

measurements used against compliance to those established rules, principles and

guidelines.

APPENDIX C 147

Question 02

What is your understanding of the concept of “IT governance”?

1 IT governance is a set of measures, procedures and guiding principles applicable at an

IT level.

2 IT governance is about how to manage the IT investments for the benefit of all

stakeholders. It is governance principles, rules and policies applicable to the IT

environment.

3 IT governance is a set of rules, regulations, policies, guidelines and procedures that

govern the IT cluster in an organisation. Can include things such as software

development, testing, deployment, system support, procurements etc.

4 IT governance is a breakdown of high-level corporate governance rules,

measurements, processes and procedures at an IT department level.

5 IT governance is a set of rules and guidelines for the governance of IT.

6 IT governance is the governance requirements that are applicable to the IT

environment.

7 IT governance is a set of rules, disciplines, policies, and governance processes and

procedures put into place from an IT perspective.

8 IT governance is a set of processes, procedures and measurements put into place so

that IT can operate within a framework.

9 IT governance is a framework or a set of rules that govern how we run our IT business

- it deals with things such as access security and control of systems, change in

management, deployment, compliance, etc.

10 IT governance is the ability to measure and track the organisation’s objectives for the

purpose of reducing costs or minimising risks within the IT space. It also ensures that

the organisation follows the right path from an IT perspective.

11 IT governance is concerned with setting up standards and benchmarks for IT

operations in order to ensure system security, scalability and stability.

12 IT governance is a set of rules, guidelines and methodologies we use for software

development life cycle, testing and implementation.

13 IT governance is about setting up guidelines and standards for governing IT processes.

14 IT governance defines how decisions are made at an IT level. It is a sub-set of

corporate governance.

APPENDIX C 148

15 IT governance relates to the ground rules, principles, guidelines and boundaries to

which technology is applied to make the organisation attain its strategic goals.

APPENDIX C 149

Question 03

What is your understanding of the concept of “project governance”?

1 Project governance is a set of governing principles, processes and procedures to be

complied with when running projects.

2 Project governance is about rules, policies and guidelines on how projects must be run

to produce expected returns on investment.

3 Project governance is a set of rules, regulations, policies, guidelines and procedures

that specifically govern how a project is run and implemented.

4 Project governance is a breakdown of high-level corporate governance rules,

measurements, processes and procedures applicable to a project.

At the project level your project methodology becomes your project governance

The methodology dictates your policies, guidelines, measurements, processes and

procedures.

5 Project governance is a set of rules, principles and standards that need to be adhered to

when managing projects. For example PMBOK principles.

6 Project governance is the governance requirements that are applicable to the project

environment.

7 Project governance is a set of processes and procedures for defining and delivering

project requirements.

8 Project governance is a set of rules, processes and procedures - a framework or a

model that governs the management of projects.

It is not a sub-set of IT governance because projects span beyond IT.

9 Project governance is a framework or set of rules that governs how we must run

projects.

10 Project governance is a management framework that tells how decisions are made on

projects and if they are made in the correct way. It talks about responsibility and

accountability of resources from all project stakeholders.

11 Project governance is a set of rules and principles for managing projects. However, by

their nature projects are different and how they are governed depends on the field

within which they are managed - for example Construction, IT, etc.

12 Project governance is concerned with rules, guidelines and methodologies used for

delivering projects.

APPENDIX C 150

13 Project governance is concerned with the guidelines and standards set for running

projects.

14 Project governance defines how projects must be managed and how decisions around

projects must be made. It is also a sub-set of IT governance and corporate governance.

15 Project governance is a set of rules, guidelines and boundaries that governs the

delivery of projects to attain the organisation’s strategic goals or objectives.

APPENDIX C 151

Question 04

What are the IT project critical success factors?

1 Projects’ critical success factors should be determined and defined right at the

beginning or start of the project.

2 Methodology - guidelines, procedures, templates, processes to assist the project

manager.

Right human resources - people, sponsors, stakeholders and tools for measuring

project output

Proper structure for running a project - roles and responsibilities definition,

sponsors.

3 Time, cost and quality.

Project success factors and criteria must be defined up-front before the project

starts.

4 Project critical success factors must be determined from the business case

requirements.

5 Right resources working on the project.

Adherence to project management standards and guidelines

Understanding of stakeholders’ mandate - their responsibility and accountability in

the project

Clearly defined and agreed upon scope of work.

6 Proper quality project planning - all decisions and assumptions for project success are

made at the planning level.

7 Critical success factors for a project are defined by business requirements and

expectations.

Sponsors meetings and user acceptance testing

Delivery of artifacts defined as critical to the project - scope of work, project plan,

etc.

8 It can be defined for some projects within budget or on time or of a good quality.

The project team - how well do they work together? Very important for the project

manager

The project’s critical success factors must be defined up-front by project sponsors,

customers and senior stakeholders.

APPENDIX C 152

9 Meeting customer requirements - quality of what was delivered.

Did we deliver on time?

Did we deliver according to the budget?

Constant communication.

10 Customer satisfaction on the end product

Clear understanding by the project team of what needs to be delivered and how

Having a clearly defined project scope.

11 Right human resources working on the project - people who understand what needs to

be done.

Access to the right tools - required software for project development

Leadership and support from top management - management focus on the project

Project sponsors - who understand and can adapt to the changing dynamics of IT

project processes.

12 Time, cost, and quality.

Depending on the project requirements, any of these three factors can be

considered more important than the others.

13 I often manage release projects which are different from standard projects.

Managing deliverables dependencies from other teams in the project

Time constraints

Meeting business requirements expectations

Testing and training.

14 User involvement

Executive involvement

Methodology used

Good project manager.

15 Executive sponsorship - executive support and buy-in

Right human resources that know and understand what needs to be done

Customer expectation - aligned to the project scope

The Budget - realistic finances

Fit for the purpose

Project size - must be manageable and measurable.

APPENDIX C 153

Question 05

At which level in the portfolio, programme and project offices would corporate

governance principles be best applied?

1 They can be applied differently to all three levels.

2 All these corporate governance principles should be applied at the highest level first

and then filtered down to lower levels. The degree of importance will be different

depending on the level.

3 These corporate governance principles should be applied at all three levels starting

from the top level filtering down to the lower levels. If not applied at the top, at some

point the company’s objectives will not be attained.

4 These corporate principles should be applied at all three levels starting from the top

level filtering to lower levels.

5 They apply at all three levels. Accountability and responsibility are very important.

However, independence can be applied to a lesser extent.

6 At all three levels, the application of these principles is very important.

7 All of these corporate governance principles should be applied at all levels.

8 All of these corporate governance principles should be applied at the highest level first

and then filtered down to lower levels.

9 All of these corporate governance principles should be applied at all the three levels.

10 All of these corporate governance principles should be applied at the highest level first

and then filtered down to lower levels. If not well-defined and applied at the top level

first, then the organisation’s strategic goals cannot be attained.

11 Some of these principles will apply to all levels and others to one or the other level.

Accountability and responsibility will apply at a programme level

Fairness will apply at a portfolio level

Leadership, corporate discipline and communication will apply at all three levels

Transparency is not relevant

Independence is also not relevant. However, it can apply within agreed time

and cost constraints.

12 These principles can be applied at all three levels.

13 They can be applied at all three levels, starting from the top at portfolio level and

allowed to filter down the other levels.

APPENDIX C 154

14 All of these corporate governance principles are applicable to all levels at different

degree of roles and responsibilities.

15 All these corporate governance principles can be applied at all three levels.

APPENDIX C 155

Question 06

Would the application of corporate governance principles have any impact on

the project management process?

1 Yes, they would have an impact on the overall project management process depending

on the variables used to measure their application.

2 Yes, if correctly applied, these principles will ensure that the project is run within and

in accordance with the project management principles.

3 Yes. All these principles are about defining roles and people being accountable and

responsible, ensuring fairness within the project. A project is as successful as the

people working on it and corporate governance principles apply to people.

4 No. If the project manager follows the methodology, processes and procedures he/she

will be able to manage successfully the project. It is all about the application of the

methodology, processes and policies.

5 Yes, they will improve the project management process.

6 Yes, they will improve the project management process.

7 Yes, they would have an impact on how the project is managed.

8 Yes, if used in project execution, these principles will make a huge impact on the

running of the project. However, a common understanding of the definition of each of

the principles is important. For example fairness and transparency can mean different

things to different people.

9 Communication is the most important for me.

Independence could be a problem. If not understood well, it can affect the project

negatively but, if used in a context of empowerment backed by accountability and

responsibility, then it will have a positive impact

Yes, they will have a positive impact on the overall running of the project if

applied in the day to day running of the project.

10 Yes, if applied from the top level down, everyone will be aware of what they need to

do and follow.

11 Yes. The application of corporate governance principles would give the project

credibility.

12 Yes, especially leadership and communication.

13 Yes, we do use these principles in our day-to-day running of projects. They will add

value to how the project is run. At the bottom of this list I will put fairness.

APPENDIX C 156

14 Yes, it will have a positive impact on how the project is managed. However, this will

be dependent on everyone having a common understanding and interpretation of what

these principles mean.

15 Yes. They will improve the project management process. If, for example, everyone in a

project applies accountability and responsibility, this will have a huge positive impact

on the project.

APPENDIX C 157

Question 07 Would the application of corporate governance principles have any impact on

the project’s success?

1 Yes, they would, if appropriate measurements are used.

2 No, I don’t believe their application can guarantee and determine the success of the

project. However, they are all important and add value to running the project.

3 Yes, if properly applied. If there is a framework for governing projects and everyone

knows what their responsibility is and what they are accountable for, then there is a

chance of successfully delivering a project on time, within the budget and to the

required quality.

4 Yes, it would increase the chances of delivering the project successfully.

5 Yes, it would increase the chances of delivering the project successfully, if used

properly.


7 Yes, these principles will have an influence on the success of the project.

8 Communication is a key factor. Accountability and responsibility are also very

important.

Yes, these principles will have a big impact on the success of the project.


10 Yes, these principles will have a big impact on the success of the project. If they can

ensure within a project, accountability, responsibility.

11 Yes. It would increase the chances of delivering the project successfully.

12 Yes, it would increase the chances of delivering successfully the project if properly

used - especially accountability and responsibility.

13 Yes, most of these principles will lead to a successful delivery of a project.

Communication, accountability, leadership and fairness to a lesser extent.

14 Yes, everyone needs to have a common understanding of the definition of each of

these principles in their application. Then it will contribute to the success of the

project. For example accountability and responsibility can mean different things to

different people.

15 Yes. They will definitely have an impact on the successful delivery of projects.

APPENDIX C 158

Question 08

What monitoring mechanisms are currently in place to ensure the project

objectives are attained?

1 The project scope of work is also an essential element.

The project schedule is the main physical measurement tool for control.

2 The project office tool kit is used to measure the day-to-day project performance by

extracting data from various sources and independently evaluating things like cost,

time, risk management and the quality of the solution being implemented.

Project progress meetings are also used to track project deviations

Weekly reports.

3 Check and track the project progress at different project milestones against original

business case and requirements.

4 The project plan should be used to monitor and track the project deviations, if any.

5 The project plan should be monitored and checked constantly to ensure that the project

is delivering what it is expected to. If not, mitigate the risks and implement corrective

measures to address the issues.

6 The project plan should be constantly used to check and monitor the project

performance - what should be delivered by whom and when.

7 The Project Office Tool Kit (POT) is used to track the project’s progress on a phased

basis.

Many other processes are being used for project monitoring - weekly risk reports,

budget, change requests, monthly senior management review sessions etc.

8 There are different forums to approve the project movement from one phase to the

other.

Project charter and project execution plan are also documents used to track the

project artifacts and progress

Project schedule and different tools are used to track the project’s time, budget,

progress and deviations in a life cycle.

9 Microsoft Project is used to trace the project’s progress on every milestone or phase

deliverables.

Weekly meetings are also held with the project team to monitor the project’s

progress.

APPENDIX C 159

10 Weekly project meetings and dashboard help track the project’s progress.

Project schedule

11 Project schedule is used to control and track agreed project deliverables.

12 The Project Office Tool Kit (POT) is used to trace key project deliverables on each

project phase movement as well as the project audit governance check-list.

13 The Project Office Tool Kit (POT) is used to trace key project deliverables and

documentation on each project phase movement. Weekly project progress reports are

extracted and generated.

14 The Project Product Quality Assurance (PPQA) audit team does the project audit.

The Project Execution Plan (PEP) document defines roles and responsibilities, and

agree on who should do what, by when and get a sign-off from all concerned

stakeholders

The PEP is used to track and monitor the project’s execution and progress.

15 Balanced scorecard - project time and budget.

Minimum critical deliverables - defined deliverables per project phase

Monthly senior management project review

Post-implementation review

Troubled projects analysis - what projects are in trouble and why.

APPENDIX C 160

Question 09

What is your understanding of the concept of “project audit”?

1 Audit is a tool for instilling corporate disciple. That is, instilling the governance

structures to which one is committed.

2 Project audit is an independent evaluation of a project to ensure that corporate

governance principles are followed and applied.

3 Project audit is a process for reviewing the project against the original business and

project objectives, to ascertain whether the project meets the required deliverables and

to report on deviations.

4 It is a process for reviewing project deliverables and reporting on deviations. It should

be centred around the actions, responsibility and accountability.

5 Project audit is a review process for ensuring that the rules, principles, guidelines and

standards set for managing a project are being followed or applied.

6 It is a review process for ensuring that the project manager has followed or applied the

rules, principles, guidelines and standards set for managing a project.

7 There are two types of project audits:

Project and Product Quality Assurance (PPQA) audits which check on artifacts

and how the project is being delivered

Group risk audit, which takes the big picture of risk to the organisation as a whole.

It involves things that have an impact on the organisation’s reputation, clients, etc.

8 Project audit is an independent audit of a project to ensure that corporate governance

principles are followed and applied.

There are two types of audits.

Checks for evidence of compliance to project management processes and project

execution plan. Also checks on the existence of artifacts and approvals

Investigative audit checks for reasons of project deviations. For example, cost

escalation or time overrun.

9 There are two types of project audit:

From the project office level, an audit is used to check compliance with the

methodology, rules, guidelines and procedures for managing projects

From an internal audit level, an audit is used to check the content and quality of

the artifacts as well as how the budget is managed.

APPENDIX C 161

10 Project audit is a process that provides an opportunity to uncover issues, concerns and

challenges encountered in the project. It reports on what has gone wrong and needs to

be rectified. It is a tool that ensures that projects are run correctly.

11 Project audit is an end-to-end review of agreed commitments on deliverables with

regard to time, cost and quality - planned versus delivered.

12 Project audit is a process for reviewing if the project manager is following the

standards set for managing a project. It is a review of deliverables planned vs.

delivered, taking into account time, cost and quality.

13 Project audit is a process for checking whether the rules and procedures set in place for

running a project are being followed.

14 Project audit is a process for highlighting issues and challenges encountered or being

experienced in the running of the project.

15 Project audit should be a pro-active mechanism or process to help or enable project

success. Shouldn’t be a re-active mechanism waiting for the project to fail in order to

blame the project manager.

APPENDIX C 162

Question 10

What is the process followed during a project audits?

1 The Project and Product Quality Assurance (PPQA) audit team checks for evidence of

documents and artifacts – high-level design, business requirements specs, scope of

work, project budget etc. Their objective is to ensure that the project governing

principles are being applied.

2 The PPQA process uses a check list for documents and artifacts - it is a kind of a tick-

in- the-box exercise.

The internal audit process uses interviews with project stakeholders involved in the

project. They follow the project through different iterations and provide feedback

and recommendations

It is done per project phase.

3 Each project has a project plan with agreed deliverables and milestones. These have to

be audited.

4 Agreed deliverables and milestones will be audited.

5 Project audit is a process used by auditors to check for specific project deliverables and

artifacts by using a check-list.

6 At different phases of the project, auditors check for specific deliverables by using a

check-list.

7 The PPQA team uses details highlighted in the Project Office Tool Kit (POT) and audit

against those elements.

8 The Project and Product Quality Assurance (PPQA) process checks for evidence of

documents and artifacts, as defined in the Project Execution Plan (PEP) at the current

project phase.

9 The project office audit team uses a check list with standard questions, looking for the

evidence of artifacts or documents.

They are not interested in the content of the documents

The internal audit team will request the required documents and schedule the

meeting to discuss the content. However, this is not done often.

10 The Project and Product Quality Assurance (PPQA) process checks for evidence of

documents and artifacts, as defined in the Project Execution Plan (PEP) at the current

project phase.

APPENDIX C 163

11 Not performed in my environment.

What was planned against what was delivered - what went wrong, why and how to

fix it

12 The project audit process checks the project execution plan, scope, necessary approvals

and documentation required before the project moves from one phase to another.

13 The project audit team checks for evidence of artifacts the project must produce at the

current project phase.

Extracts data and documents from different tracking tools and schedules, and uses

them as supporting documents for the audit.

14 The PPQA auditors use the PEP document to ascertain compliance with the project

plan. They also use processes highlighted in the PMBOK for running projects, and

strive to identify areas of compliance and deviations towards the methodology.

15 Project audit team identifies projects to be audited in a cycle and informs project

managers.

The objective process checks for documentation, approvals, and artifacts

The subjective process involves interviews with project managers

Release audit findings and follow-up.

APPENDIX C 164

Question 11 What events trigger a project audit?

1 Project audit can be done before, during or after completion of the project, depending

on pre-defined criteria. For example, projects that fall in the categories below must be

audited:

Highest spending projects

Biggest impact projects

High priority projects.

2 Project audit governance must define criteria that trigger a project audit.

Not all of my projects have been audited.

3 Project governance or methodology should have guidelines on when to do audit.

Audits should be done at the end of each project phase

Audits should also be done at the end of the project

Audits are also required at any time if the project has deviated from its objectives -

time, cost and quality, and to investigate why.

4 Project milestones

Report on project deliverables deviations - time and cost.

5 End of each project phase - pro-active audit. To check for agreed artifacts in the phase.

If something has gone wrong in the project and needs to be investigated - re-active

audit.

6 Project governance determines the criteria that trigger the project audit.

7 At some point in time every project will be audited. However, the audit is often based

on:

The size of the project

Project life cycle

Project duration/schedule

Audit on request

Project’s deviations can initiate an audit.

8 Project manager can request an audit to ensure the project is still on track.

Close-of-project phase audit

End-of-project audit.

APPENDIX C 165

9 There is a phased audit - done at the end of each project phase.

There is a three month audit cycle for every project to be audited.

10 Project close-out phase. At the end of the project implementation.

11 In my environment it is performed as a quality process at the time of system hand-over

and testing.

12 Project governance guidelines, rules and policies determine the criteria that trigger the

project audit.

Projects are randomly selected for audit.

13 Projects to be audited are randomly selected and checks applied to identify compliance

and non-compliance to project processes - scope, budget.

14 At the end of each project phase, before moving to the next phase.

End of project audit.

15 Project life cycle should trigger audit.

When project is not delivering on requirements

There are guidelines criteria that triggers an audit.

APPENDIX C 166

Question 12

What elements are used in a project audit?

1 Audit elements will be different depending on the scope of the audit and whether it is

done by internal or external auditors.

Project audit can involve anything related to the project. However, depending on

the project size, all or only some of the project’s elements can be audited. This can

include documentation, testing, stakeholders’ involvement, training plan, technical

code audit etc.

2 Time, budget, business requirements, artifacts and risk management.

3 The audit is conducted against the elements in the project plan.

Planned budget versus actual budget used. Under or over budget and why?

Necessary documentation deliverable at different milestones or project phases

Sign-offs.

4 Project plan and business requirements.

Necessary documentation deliverable at different milestones or project phases.

5 Auditors check for evidence of items in the project plan:

Project plan

Project scope

Business case

Documentation to be delivered at different phases.

6 All elements within the POT system are checked in the audit process:

Project weekly and monthly status

Impact and dependencies on other projects

Budget and project plan deviations

Different approvals

Risk management.

7 Evidence of what was planned versus what has been delivered as per the project

execution plan.

Evidence of different approvals.

Evidence of compliance to change control processes.

Risk management.

APPENDIX C 167

8 The project plan highlights all the necessary documents and the reason for any weaver.

Time, quality and cost

Checks for micro meetings minutes

Communication with all stakeholders - the steering committee.

9 The project audit looks at all aspects of the project from beginning to the end - from

the concept evaluation through the implementation and close-out phase.

Evidence of what was planned versus what has been delivered as per the project

plan

Evidence of documentation - scope of work, business case, project schedule

Budget utilisation - is the project over or under budget?

Resource management - communication, reports, dashboards

Compliance with change control processes.

Risk management - were project risks identified, mitigated and addressed?

10 No project audit performed. The user tests the system on agreed project deliverables.

11 Auditors use the project check list to check some of the following:

Proper project execution plan for moving from one project phase to another is

present

Necessary documentation for each project phase

Scope, budget and deliverables.

12 Auditors use the project check-list to check evidence of the following:

Project execution plan for moving from one project phase to another

Necessary documentation and artifacts for each project phase

Is the project still running within the scope, budget and deliverables?

13 Evidence of what was planned against what has been delivered as per the Project

Execution Plan.

14 Compliance to processes and artifacts.

15 Project plan.

Project schedule

Documentation.

APPENDIX C 168

Question 13

What corporate governance principles can be included in a project audit?

1 Corporate discipline is a strong audit criterion. For example, the use of PMBOK as the

philosophy for project management.

Compliance with the PMBOK’s nine knowledge areas can be measured tangibly

Fairness and independence are intangible, and cannot be measured

Accountability, responsibility, transparency, leadership and communication can be

measured. However, they are not tangible audit criteria.

2 All of these corporate governance principles are important to the project. However,

they cannot all be measured.

Accountability, responsibility, transparency and leadership can be used in some

way. They are open to people’s perceptions.

3 Accountability and responsibility. From an audit point of view, you always look at

what happened and who was responsible for it.

Communication should be looked at, at the level of reporting.

Independence and fairness can be considered only with regard to auditors.

Audit should be done by an independent department, not from a business or project

office view-point.

4 Even though these principles are all very important in a project, they are difficult to

measure. Some of them can be measured to some extent.

Responsibility - did the project manager take responsibility in producing a project

plan?

Corporate discipline - if too rigid, it can have a negative impact.

5 Although all these corporate governance principles are important for the project,

concretely measuring them in an audit process will be difficult.

Accountability and responsibility can be measured to some extent. They can

address things like who is responsible and accountable to deliver what and by

when in the project.

6 Although all these corporate governance principles are important to the project,

concretely measuring them in an audit process will be difficult.

APPENDIX C 169

7 All these corporate governance principles are related to one another and are important

to the project. Projects drive the company’s strategies.

They can be used in an audit if they can be measured. Measurements can be

defined. Who is accountable and responsible to do what is defined in the project

scope. If there is a problem, then, accountability and responsibility can be

measured.

8 Most of these corporate governance principles are important to the project. However,

they are vague and difficult to measure.

How do you measure accountability, independence or fairness?

Transparency is relative because there are situations where you just cannot afford

to be transparent and communicate your strategic information to everyone.

9 Yes - accountability, responsibility, transparency, fairness and communication.

Corporate discipline is already part of the project governance.

No - Leadership and independence.

10 Most of these corporate governance principles are important to the project and can be

used for a project audit.

Accountability and responsibility can be used.

Communication - how was it done at all levels with the team and all stakeholders?

Corporate discipline - was the organisation’s project discipline adopted? If there

was red tapes, involved, then this principle can slow down the project delivery.

Leadership - is he/she a good example for the project team?

Transparency - was the person transparent in running the project?

Independence is a bit difficult to measure.

11 Accountability, responsibility, corporate discipline and communication can be used.

Independence, fairness, transparency is mainly required on the side of those

auditing.

Leadership cannot be audited.

12 Corporate discipline is the most important as it determines what needs to be done.

Accountability and communication can also be added.

13 Accountability and responsibility.

14 Most of these corporate governance principles are important to the project.

However, they are subjective factors and cannot be measured easily

How do you measure leadership, independence, etc. objectively?

APPENDIX C 170

15 All these principles are good to have; however, they are difficult to measure

objectively:

Communication, leadership, accountability, responsibility, transparency

Leadership - a survey can be used

Fairness is intangible and cannot be measured.

APPENDIX C 171

Question 14

Can corporate governance principles be used to measure project success?

1 No. These principles cannot be measured tangibly.

2 No. The project success is dependent on and determined by how these principles

are implemented and measured.

All these corporate governance principles are already part of the project.

Every project manager should be applying them. But, if properly used, they will

increase the chances of the project’s success.

3 Corporate governance principles should dictate what should be audited and when.

4 No. They need to be able to be measured. You have to be able to measure things that

impact your business case requirements.

5 No. Governance principles and guidelines are important to a project, and their

compliance has to be audited. However, if too rigid and not dynamically applied to

projects, they can slow the project’s delivery and have a negative impact on the project

success.

6 Governance principles need to be defined right at the project start. Then they can be

used to measure compliance. A relationship should be established from the beginning

between audit and project in order to have an impact on the successful delivery of the

project.

7 No. All of these principles are wonderful to have and need to be used in the project

execution. But they are difficult to use in an audit process because they cannot be

measured accurately.

8 No. All these corporate governance principles are already part of the project process.

Every project manager should apply these principles but, if properly used, they will

increase the chances of the project’s success.

9 If correctly supervised and monitored, all these corporate governance principles can

increase the chances of the project’s success. Corporate disciple can have a positive or

negative impact if used with much red tapes.

10 If they can be measured and are applied, accountability, responsibility and

communication can increase the chances of the project’s success.

11 Leadership commitment and transparency in the audit process.

12 If properly used, they can lead to project success.

APPENDIX C 172

13 No. All of these principles are wonderful to have and need to be used in the project.

However, they are soft issues and cannot be measured objectively.

14 It is important for audit to create a template for evaluating and measuring these soft

issues, and apply them throughout the project life cycle.

15 If these principles can be measured practically, they will definitely increase the

chances of project success.

APPENDIX C 173

Question 15

What approach the project audit should use to bring about a positive impact on

project success?

1 Audit will add no value to the current project if done at the end of the project. The

damage would have been done.

Audit must be done at different project stages, before the production migration

Auditors must be impartial and remain independent

Auditors must ask questions that are relevant to the project

Audit must be done upon a set of agreed on standards and principles.

2 Understand the project objectives and align them with the overall objectives of the

company.

Get involved early in the project

Have phased approach audits with follow-ups to ensure findings have been applied

Audit can be used to pick up trends

Not a tick-in-the-box exercise.

3 Documentation - was everything documented and governance followed?

Have end of project review session to evaluate on requirements vs. deliverables,

budget and time frame

Look at important project phase close-up reports for problems in project phases

Have sign-off documents for business and project sponsors’ approval

Conduct interviews with key project stakeholders.

4 Project audit must be able to measure the content of the different project deliverables

and not only be a tick-in-the-box exercise.

5 Audit should be used as a tool for project risk management - If critical phase

deliverables have not been produced, audit should highlight the risks to the project

success.

6 Will have no added value to the current project if only done at the end of the project.

Be used as a tool for project risk management

Done at the end of each project phase

By asking relevant questions related to the project - not tick-in-the-box process.

7 If audit is only done at the end of the project and just before the project

implementation, this will have no impact on the project success.

APPENDIX C 174

Must be able to check and validate artifacts or document contents

Auditors must have detailed project knowledge to be able to make an impact on

the projects

A need for an understanding of the project deliverables from start to end of project

Audit must be part of and become involved early in the project life cycle to assist.

All governance requirements should be agreed upon from the start to facilitate the

audit process through the project cycle.

8 Audit cannot add any value to the project if done after the project’s completion.

Audit should not be used as a shame and blame tool - communicate the purpose of

the audit before it is done.

Auditors must be experts and mentors giving guidance and direction to the project.

Auditors must have a good understanding of the project’s objectives.

9 Project audit should play a directional or guiding role.

Audit must adopt a partnership approach to the project.

Audit must measure projects based on a defined set of criteria.

10 If project audit is done at the end of the project, it will not add much value to the

current project.

A phased approach to project audit will add value to the current project.

Get key project team resources to be part of the audit feedback process as well.

11 End-of-project review meeting to ascertain tasks planned against those delivered.

Lessons learned to help future projects.

12 Better understanding of how the project audit process fits into project management and

implement stricter mechanisms for auditing projects.

The tick-in-the-box process does not add much value to the project success.

13 Audit should be viewed as something positive, even though most people don’t like

criticism.

Audit is needed to keep project managers focused on their responsibilities.

14 Audit shouldn’t be just about checking compliance with processes.

Audit must find a way to address soft governance issues throughout the project life

cycle.

Auditors must be able to check the content of the documents if done in accordance

with standards.

APPENDIX C 175

Audit has no way of addressing difficulties encountered because of a lack of


Phased approach to project auditing can add more value than if only done at the

end of the project.

15 Become involved early in the project - build a relationship with the project.

Communication is key.

Audit with feedback and suggestions for correction.

Date post:	23-Dec-2021
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times