Uncovering the Strategic Value of Information Technology...

Copyright UCT

i

UNCOVERING THE STRATEGIC VALUE

OF INFORMATION TECHNOLOGY

AUDITING

by

UREKA RANGASAMY

in partial fulfillment of the requirements for

Executive MBA

EMBA 11

March 2011

Confidential

UCT GSB

Embargo

Copyright UCT

ii

Plagiarism Declaration

1. I know that plagiarism is wrong. Plagiarism is to use another’s work and pretend that it is

your own.

2. I have used a recognised convention for citation and referencing. Each significant

contribution and quotation from the works of other people has been attributed, cited and

referenced.

3. I certify that this submission is all my own work.

4. I have not allowed and will not allow anyone to copy this essay with the intention of passing

it off as his or her own work.

Signature: Date: 07 March 2011

Copyright UCT

iii

Abstract

“When the White Rabbit asked the King where he should begin, the King, replied: ‘begin at the

beginning and go on till you come to the end: then stop.’ But explanation is not like that. His

advice is a good example of the failure to recognise when one is up against a large, complex

system” (Beer, 1981,p. xi).

As managers today, we are faced with increasing complexity and change. The traditional

management practice of dealing with problems simplistically and mechanistically is no longer

adequate. Two years ago as part of the EMBA programme, I began my journey into the systems

thinking world in an attempt to find new approaches. This dissertation is approached from a

systems thinking perspective and the purpose is to seek an understanding of the underlying

dynamics that impact on the strategic value of Information Technology (IT) Auditing, from an

internal audit department perspective, at the state-owned electricity utility, Eskom.

This research is viewed from my perspective as a student and researcher on the EMBA 11

programme, and as the role of Group Audit Manager at Eskom’s internal audit department. IT

Audit is one of the portfolios that I oversee.

Eskom, as a key player in the electricity industry, is facing enormous challenges with regard to

financial sustainability and continuity of supply which is aggravated by the global recession.

These increased risks and uncertainties call for insight from Internal Audit that goes beyond the

traditional assurance, and focuses IT Audit on providing strategic insight for Eskom.

Furthermore, the pace of technology changes is explosive, and IT Audit is struggling to adapt to

the changing requirements of Eskom.

Given this situation, the concern identified was the ability of IT Audit to deliver strategic value

to Eskom. My context of strategic value is that which is focused on building value for the future.

Copyright UCT

iv

Having identified this concern, a powerful research question was raised in order to understand

‘Why has IT Audit not been able to deliver strategic value to Eskom?’

To guide me to reach an answer to the research question raised, I developed an integrated

research framework using different system approaches in combination. Given the nature of my

problem context, a qualitative research process was undertaken. To mitigate against the risks of

bias in a qualitative study, a triangulation of data and methods was used. Various systems tools

were used to make sense of the situation and sweep in multiple perspectives from various

stakeholders. The data was gathered, interpreted and analysed using the Grounded Theory

methodology.

Through rigorous application of the Grounded Theory process, the level of Mindfulness, the

effectiveness of Shared value proposition and the level of Strategic skills and competencies

emerged as the three variables critical to driving the level of strategic value of IT Auditing. The

theory that developed from the Grounded Theory process was that the distinctive competencies

of Mindfulness, Strategic skills and competencies, and Shared value proposition, in their

mutually reinforcing interaction, drives the strategic value of IT Auditing and creates sustained

competitive advantage for IT Audit.

I refer to this as my ‘ladybird theory’ as it has a head of mindfulness, wings of competency and

adaptability, and supported by a body of shared value proposition.

I performed a literature review to establish my subject matter within the wider body of

knowledge. This literature review revealed current trends and debates on the wider context of

strategic management and generally supported my research results relating to the three core

variables of the level of Mindfulness, the effectiveness of Shared value proposition and the level

of Strategic skills and competencies.

Copyright UCT

v

This research is significant as it makes a contribution to the existing body of knowledge in three

areas. Firstly, it adds to the research of strategic value of IT Auditing, particularly in state owned

enterprises as based on my literature review, it was evident that existing literature in this area is

limited. Secondly, existing literature provide laundry lists of recommendations on improving IT

Auditing, my research is approached from a systems thinking perspective and goes further by

systemically integrating the variables that impact on the strategic value of IT Auditing. Finally,

existing literature indicate that certain models/theories on Strategic Management can

complement each other, my research findings show how three leading perspectives on Strategic

Management (viz. Resource Based View, Dynamic Capability and Strategy-as-Practice) can

systemically integrate with each other to drive the strategic value of IT Auditing.

To demonstrate the validity and trustworthiness of my research, I have critically evaluated my

research in terms of Relevance, Utility and Validity of my research findings. I have also given

due consideration to the ethical implications of my Research Answer through the use of

Velasquez’s (2006) ethical evaluation framework which focuses on Utilitarianism, Rights,

Justice and Caring.

The research was rewarding, not only in terms of the theory that was developed and the insight

gained into how systems thinking can be used to deal with complex and unstructured problems,

but also as a journey of growth as it required patience and tolerance to keep true to Tom Ryan’s

principles of ‘trusting the process’.

I now invite you:

Come, let us journey together, and I, unlike the King, will guide you to uncovering the strategic

value of IT Auditing by seeing with system thinking eyes….

Copyright UCT

Uncovering the Strategic Value of IT Auditing Confidential Page 1

TABLE OF CONTENTS

Chapter 1 - Introduction and Overview ......................................................................... 7

1.1 INTRODUCTION........................................................................................................... 7

1.2 APPROACH AND STRUCTURE OF THE RESEARCH PAPER ..................................................... 8

1.3 SETTING THE MANAGEMENT CONTEXT ........................................................................... 10

1.4 ESTABLISHING THE CONTEXT OF THE RESEARCH SITUATION ........................................... 12

1.4.1 Eskom – Keeping the Lights Burning ........................................................................ 12

1.4.2 Assurance and Forensic – Eskom’s internal audit department .................................. 15

1.4.3 IT Audit ................................................................................................................... 15

1.4.4 Using the Viable Systems Model ............................................................................... 17

1.4.5 Taking a closer look at the Audit function (S3*) ....................................................... 19

1.4.6 The Relevance of Strategic Value of IT Auditing to Eskom ........................................ 20

1.4.7 Understanding the different Stakeholders ................................................................. 21

1.4.8 Let’s take a ‘rich’ picture ......................................................................................... 23

1.5 THE RESEARCH PROBLEM ............................................................................................... 25

1.5.1 Force Field Analysis of factors impacting on Strategic value of IT Auditing ............. 26

1.5.2 Avoiding Errors in My Problem Formulation ........................................................... 27

1.6 RESEARCH QUESTION ...................................................................................................... 27

1.7 RESEARCH FRAMEWORK ................................................................................................. 29

1.8 THE ANSWER: THE THEORY THAT EMERGED THROUGH THE RESEARCH ........................... 29

1.9 THE RATIONALE FOR THE ANSWER ................................................................................. 31

1.10 EVALUATION OF THE ANSWER....................................................................................... 31

1.11 CONCLUSION ................................................................................................................. 31

Chapter 2 - Literature Review ....................................................................................... 33

2.1 LEVEL I LITERATURE REVIEW ......................................................................................... 34

2.1.1 Strategic Management ............................................................................................. 34

2.1.2 Strategic Management in Public Sector/ State-owned enterprises ............................. 35

2.1.3 Current Theories/Models on Strategic Management ................................................. 36

2.2 LEVEL II LITERATURE REVIEW ........................................................................................ 39

2.2.1 Internal Auditing ...................................................................................................... 39

2.2.2 Increasing Importance and Challenges of IT Auditing .............................................. 42

Copyright UCT


2.3 LEVEL III LITERATURE REVIEW....................................................................................... 43

2.3.1 Mindfulness ............................................................................................................. 43

2.3.2 Strategic Skills and Competencies ............................................................................ 46

2.3.3 Shared Value Proposition ........................................................................................ 50

2.4 CONCLUSION ................................................................................................................... 51

Chapter 3 - Research Framework ................................................................................. 53

3.1 INTRODUCTION ............................................................................................................... 53

3.2 THE NATURE AND PURPOSE OF MANAGEMENT RESEARCH .............................................. 53

3.3 ONTOLOGICAL POSITION – THEORY OF REALITY.............................................................. 54

3.3.1 Critical Realism (A model of the world) ................................................................... 55

3.4 EPISTEMOLOGICAL POSITION .......................................................................................... 56

3.4.1 Qualitative and Quantitative Research Methods ....................................................... 56

3.4.2 Choice of Systems methodologies ............................................................................. 58

3.4.3 Jackson’s System of Systems Methodologies (SOSM) ................................................ 59

3.3.4.4 Using the Viable Systems Model (VSM) ................................................................. 60

3.3.4.5 The Rationale for using Grounded Theory ............................................................. 61

3.4.4.6 Integration of Critical Realism with Grounded Theory .......................................... 65

3.3.4.7 Integration of Grounded Theory with Soft Systems Methodology ........................... 66

3.5 DATA COLLECTION ......................................................................................................... 67

3.6 ETHICAL CONSIDERATIONS .............................................................................................. 67

3.7 INTEGRATED RESEARCH FRAMEWORK ............................................................................ 68

3.8 CONCLUSION ................................................................................................................... 69

Chapter 4 - Research Results ......................................................................................... 70

4.1 INTRODUCTION ............................................................................................................... 70

4.2 DEVELOPING AN ANSWER TO MY RESEARCH ................................................................... 70

4.2.1 Stakeholder Identification ........................................................................................ 70

4.2.2 Conversational Interviews ........................................................................................ 71

4.2.3 Data Recording and Transcribing ............................................................................ 71

4.3 CONCEPT FORMATION: CODING AND EMERGENCE OF CATEGORIES ................................. 72

4.3.1 Level 1 coding (Substantive Coding) ........................................................................ 72

4.3.2 Level II Coding ........................................................................................................ 73

4.3.3 Theoretical Saturation ............................................................................................. 74

4.3.4 Concept Modification and Integration (Emergence of Core Variables) ..................... 75

Copyright UCT


4.3.5 Selective Sampling of Literature ............................................................................... 79

4.3.6 Triangulation of Data .............................................................................................. 79

4.4 SUBSTANTIVE THEORY GENERATION (EMERGENCE OF THEORY) ..................................... 80

4.4.1Theoretical coding .................................................................................................... 80

4.4.2 Storylines of the Loops - The Rationale .................................................................... 84

4.4.3 LadyBird Metaphor .................................................................................................. 90

4.5 CONCLUSION ................................................................................................................... 90

Chapter 5 - Conclusion and Evaluation ........................................................................ 92

5.1 SIGNIFICANCE OF THE RESEARCH RESULTS ..................................................................... 92

5.2 IMPLICATIONS AND CONSEQUENCES ................................................................................ 94

5.3 EVALUATION ................................................................................................................... 96

5.3.1 Relevance ................................................................................................................ 96

5.3.2 Validity .................................................................................................................... 97

5.4 ETHICAL CONSIDERATIONS ............................................................................................. 99

5.5 AREAS FOR FUTURE RESEARCH ...................................................................................... 101

5.6 PERSONAL REFLECTION AND LEARNING ........................................................................ 102

5.7 CONCLUSION ................................................................................................................. 102

BIBLIOGRAPHY ......................................................................................................... 103

Appendix A .................................................................................................................... 105

1. RESEARCH DESIGN ..................................................................................................... 105

2. THE CATWOE OF THE AUDIT SYSTEM ....................................................................... 106

3. INTERVIEW LOG ......................................................................................................... 107

4. CATWOES OF STAKEHOLDERS ...................................................................................... 109

5. GROUNDED THEORY RESULTS ........................................................................................ 112

Copyright UCT


List of Figures

Figure 1: Structure of Dissertation .................................................................................................. 9

Figure 2: Overlap between Competencies and Social Need ......................................................... 10

Figure 3: Levels of Management .................................................................................................. 11

Figure 4: Electricity - from power station to customer ................................................................. 13

Figure 5: Eskom recursion levels .................................................................................................. 14

Figure 6: Audit Work System ....................................................................................................... 16

Figure 7: VSM –Systems .............................................................................................................. 17

Figure 8: Eskom as a VSM ........................................................................................................... 18

Figure 9: VSM - Role of S3* ........................................................................................................ 19

Figure 10: Multiple Perspectives .................................................................................................. 22

Figure 11: Stakeholder analysis .................................................................................................... 23

Figure 12: Rich picture ................................................................................................................. 24

Figure 13: Concern behaviour over time ...................................................................................... 25

Figure 14: Force Field Analysis impacting on Strategic value of IT Auditing ............................ 26

Figure 15: Three Level Literature Review.................................................................................... 33

Figure 16: Traditional assurance (Source: ADR, 2010) ............................................................... 41

Figure 17: General Competencies (Source: IIA, 2010) ................................................................ 47

Figure 18: Behavioural Skills (Source:IIA, 2010) ........................................................................ 48

Figure 19: Technical skills (Source: IIA, 2010) ........................................................................... 49

Figure 20: Management Triad ...................................................................................................... 54

Figure 21: Ideal-type Grid ............................................................................................................ 58

Figure 22: Systems approaches related to SOSM ......................................................................... 60

Figure 23: VSM - O, E, M Interaction .......................................................................................... 61

Figure 24: Integration of Critical Realism with Grounded Theory .............................................. 65

Figure 25: Integrated Research Framework .................................................................................. 68

Figure 26: Inter-relationship Diagram .......................................................................................... 76

Figure 27: The Generic Business Idea (Source: v/d Heijden, 1996) ............................................ 82

Figure 28: Causal mechanisms driving the behaviour of strategic value of IT Auditing ............. 83

Figure 29: Comparison to Business Idea ...................................................................................... 83

Copyright UCT


Figure 30: Competency Loop ....................................................................................................... 85

Figure 31: Adaptability Loop........................................................................................................ 86

Figure 32: Mindfulness Loop........................................................................................................ 88

Figure 33: Shared Value Loop ...................................................................................................... 89

List of Tables

Table 1: Contradictions and Conflict in A&F Work System ………………………………….16

Table 2: Avoiding error of the 3rd kind ……………………………………………………….27

Table 3: Differences between Qualitative and Quantitative Research…………………………57

Table 4: SSM and Grounded Theory alignment ………………………………………………67

Table 5: Example of Property and Dimensions of Category…………………………………...72

Table 6: Categories – Data Collection Round 1 ……………………………………………….73

Table 7: Categories – Data Collection Round 2 ……………………………………………….74

Table 8: Saturated Categories ………………………………………………………………….75

Table 9: Results from Participant Observation ………………………………………………..80

Table 10: Business Idea Comparison ………………………………………………………….82

Copyright UCT


Acknowledgements

If the only prayer we ever say is ‘thank you’, it will be enough.

(Unknown)

Like a traveller exploring with fascination the streets of an unknown place – that’s what the

EMBA journey has been for me. It has been immensely rewarding, not just academically, but

also in terms of personal growth and self discovery.

I want to thank all those who made it possible for me to travel on this journey.

I am grateful to my husband, Ergie, whose unwavering support and encouragement, especially

when the going got tough, saw me through. To my four beautiful daughters, Shivana, Mikara,

Dhiya and Kimaya, thank you for your love, patience and understanding, especially during my

regular two week long absences. To my helper, I appreciate you playing the role of ‘second

mum’ during these absences.

To all my family and friends who have supported and encouraged me, I am very grateful.

To my colleagues of EMBA 11, each and every one you have taught me something which I have

added to my basket of lifelong learnings.

To Tom Ryan, who has taught me to deal with greater complexity and to ‘learn to trust the

process’ and the rest of the academic as well as the support staff for an excellent programme.

To my fellow colleagues at Eskom, I am grateful for the support, the insights and perspectives

provided.

Thank you all.

Copyright UCT


CHAPTER 1 - INTRODUCTION AND OVERVIEW

“The more we study the major problems of our time, the more we come to realize that they cannot be

understood in isolation. They are systemic problems, which mean that they are interconnected and

interdependent.”

- Capra (1996), as cited by Jackson (2003)

1.1 Introduction

Managers today are faced with increasing complexities and change. The traditional quick fix

solutions or panaceas are no longer adequate. The standard practice has been to view our

problems as isolated, having no interaction between them and approaching them as laundry lists

of problems to be dealt with. Jackson (2003) argues that managers require holistic approaches

which use systems ideas in a manner that enhances creativity. He defines holism as that which

‘puts the study of the whole before that of the parts’.

Taking this account, this dissertation has been approached from a systems thinking perspective.

The purpose of this dissertation is to seek an understanding of the underlying dynamics that

impact on the strategic value of Information Technology (IT) Auditing, from an internal audit

department perspective, at the state-owned enterprise, Eskom.

Internal Auditing, as a profession, has gained stature and there is increased recognition of its role

in delivering strategic value to an organization. As a result, there are increasing expectations

from Internal Audit to operate as a strategic partner to the organisation. The global PWC 2012

study (2010) indicates that there is growing pressure from Audit committees and executive

management for Internal Audit to provide more clear-cut strategic value. As the environment

changes, our traditional practices of Internal Auditing, including that of IT Auditing, is proving

less adequate to dealing with the complexities and increased risk faced by organisations.

Copyright UCT


‘The expectations on the tomorrow’s internal auditor are huge. Not only are you expected to

juggle 10 balls at the same time, the balls themselves could actually change in priority of

juggling (meaning you need to switch ball positions in mid air!)…’

(Ivan Lee, Chief Internal Auditor, 2009)

My Interest in this topic

My goal for this dissertation is to improve my understanding of the strategic value of IT Auditing

at Eskom in order to address the current challenges we are facing. In the absence of systems

thinking, our previous management interventions in this area were approached as separate

activities and this has not has equipped us to address our current challenges.

This research is viewed from my perspective as a student on the EMBA 11 programme, and as a

practitioner for many years both in the IT as well as the internal auditing professions. I currently

fulfill the role of Group Audit Manager at Eskom’s internal audit department, known as

Assurance and Forensic (A&F). IT Auditing is one of the functions that I manage.

1.2 Approach and Structure of the Research Paper

This paper has further been approached using the SCQARE framework. As Ryan (2009)

indicates the SCQARE framework allows us to systematically construct and communicate our

mental maps which help us to make better sense of our world. This framework systematically

outlines the Situation or the Context, addresses the Concern relevant to the Situation, raises a

Question and Answer to deal with the Concern, provides a sound Rationale for the Answer, and

considers the Ethical implications of the Answer.

In addition, this dissertation has been further structured into five chapters as recommended by

Perry (2002) and shown in the diagram below.

Copyright UCT


Figure 1: Structure of Dissertation

The purpose of chapter 1 is to introduce the core research problem and the context, which sets

the foundation for the research. I specifically consider in detail the Research Situation, and the

practical Concern, to establish the relevance of the research. I set out the formulation of the

Research question in order to meet the research goal. A brief overview of the research

framework and Answer to the Research question, as well as an evaluation of the Answer

considering ethical implications, is provided.

Chapter 2 presents the Literature Review. This chapter aims to build a theoretical foundation

upon which the research is based by reviewing the relevant literature relating to strategic

management with particular emphasis on electricity utilities and IT Auditing, as well locating my

research results within this body of knowledge.

Chapter 3 discusses the Research Framework developed to answer the research question. This

chapter sets out the motivation for my research philosophy, paradigms, methods and major

methodology used to collect data.

Chapter 4 discusses my Answer to the Research question as a result of the application of the

research framework presented in Chapter 3.

Copyright UCT


In Chapter 5, I explore the significance and implications of my research results and make a

critical evaluation of the relevance, utility, validity and ethical implications of my research work.

I also discuss future areas of development and reflect on my personal learnings.

1.3 Setting the Management Context

Organisations today are facing increased change and to ensure sustainable wealth, organisations

have to adapt. As the broad social need of the customer changes, the distinctive competencies of

the seller’s value systems erode over time (Ryan, 2009). The intersection between the

customer’s needs and the seller’s offering is the value that is created as shown below.

Figure 2: Overlap between Competencies and Social Need

The value is diminishing as IT Audit is not adapting adequately to meet Eskom’s changing

needs.

Schwaninger (1989) states that organisations need to be managed at essentially three logical

levels of management, namely, Operational (concerned with creating value), Strategic

(concerned with building value for the future) and Normative (concerned with the question of

value itself). This is diagrammatically represented below.

Copyright UCT


Figure 3: Levels of Management

My research was located in the Strategic Management Domain, referred to by Hoebeke (2000) as

the Innovative Domain and within that focuses on the issue of strategic value of IT Auditing

within Eskom. My context of strategic value is that which is focused on building value for the

future in line with Hoebeke’s (2000) definition of the Innovative Domain.

Hoebeke (2000) defines the Innovative Domain as “Changes in values in the environment in

which the work system in the innovation domain is embedded are sensed and transformed into

new products, services and processes. The work system is involved in the discovery and the

creation of the added value of the future. “

Hoebeke (2000) further indicates that the output of the Strategic Management Domain creates

conditions for the Operation Management Domain.

Copyright UCT


1.4 Establishing the Context of the Research Situation

Ackoff as cited by Ryan (2009) refers to a mess as that which consists of complex systems of

strongly interacting problems. The problem of the strategic value of IT Auditing is quite messy

and I have used a combination of systems methods and tools to assist me in ‘making sense of the

situation’ and to develop a systemic understanding of the situation from multiple perspectives.

These are as follows:

• Activity Theory – to describe the activities and tensions within the IT Audit system

• Viable Systems Model - to understand the relevance of the concern of strategic value of

IT Auditing to Eskom

• Stakeholder Analysis – to understand the different stakeholders

• CATWOE (Customers, Actor, Transformation, Owner, Environment) – to frame the

perspectives of different stakeholders

• Rich picture – to creatively capture the mess

In this section, I first discuss the challenges facing Eskom, then focus on IT Audit within Eskom,

discuss the stakeholder analyses and finally present my Rich picture.

1.4.1 Eskom – Keeping the Lights Burning

Eskom is a state-owned enterprise and its primary purpose is to generate, transmit and distribute

electricity. Eskom generates approximately 95% of the electricity used in South Africa and

approximately 45% of the electricity used in Africa. Eskom business is undergoing major

change. Additional power stations and major power lines are being built to meet rising electricity

demand in South Africa. In an effort to meet the rising demand for electricity, Eskom has

embarked on a massive build programme of around R385 billion (in nominal terms) over the few

years to 2013, making it the largest infrastructure project in South Africa.

Copyright UCT


The electricity structure from the power station to the customer is illustrated below.

Figure 4: Electricity - from power station to customer

Source: Adapted from Eskom Annual Report (2010)

Eskom is regulated under subject licences granted by the National Energy Regulator of South

Africa (NERSA). Eskom, as a state-owned enterprise, has a greater role to play in

addition to the supply of electricity. It also supports South Africa’s growth and development

aspirations.

Over the past two years, Eskom had to manage in a turbulent environment, with key issues being

financial sustainability and “keeping the lights burning”. Eskom reported R 9.7 billion loss for

the year ending March 2009, the first financial loss in the history of Eskom. The images of load

shedding still remain etched in people’s minds. Being a state-owned enterprise, it has the

additional challenges of balancing its ‘public’ and ‘profit’ interests.

Eskom is on the ‘path to recovery’, but there are still huge challenges ahead. The recent budget

review (February 2011) has indicated that more than R1 trillion would be spent on public sector

Copyright UCT


infrastructure as a whole over the next four years from 2010/11 to 2013/14 to grow the economy

more rapidly. But as National Treasury Director-General, Lesetja Kganyago, reported in the

budget review ‘to meet present and future demand, South Africa needs sufficient power to run

factories, mines, schools and households, well-maintained road and rail networks to transport

people and goods and ports and pipelines to facilitate trade’.

Based on the increased complexities and risks in the environment, a Strategic Review Project has

been initiated in Eskom to address the key strategic priorities including:

• Becoming a high performance organisation

• Leading and partnering to keep the lights on

• Reducing Eskom’s carbon footprint and pursuing low carbon growth opportunities

• Securing future resource requirements, mandate, and the required enabling environment

• Ensuring financial sustainability

• Setting up for success

Using the concept of recursion levels, where every system is made up of subsystems and is part

of a larger system, the following diagram depicts Eskom on three levels of recursion.

Figure 5: Eskom recursion levels

Copyright UCT


1.4.2 Assurance and Forensic – Eskom’s internal audit department

Assurance and Forensic (A&F) is the internal audit department of Eskom. The purpose of the

Assurance and Forensic department is to provide independent and objective assurance and

consulting services in order to evaluate and improve the effectiveness and efficiency of Eskom’s

operations in the areas of internal control, risk management and governance.

The internal auditing profession is regulated by the international body, the Institute of Internal

Auditors (IIA), which sets out the standards and practices for internal auditing.

The IIA has recognised the evolving role of internal auditors and revised the internal auditing

definition to include consulting, which goes beyond assurance work, so as to allow auditors not

to just ‘sit on the fence’ but to make meaningful change in an organisation.

1.4.3 IT Audit

IT Audit is a function within A&F which focuses on the evaluation and improvement of IT

controls, risk management and governance within the IT environment. In addition, it subscribes

to the practices of ISACA, the international body for IT assurance professionals.

A work system as defined by Hoebeke (2000) is a set of meaningful activities designed to pursue

a particular purpose. I have made use of Activity Theory to depict the Audit work system and to

identify tensions and contradictions within this work system. The components of the Audit work

system is captured in the diagram below.

Copyright UCT


Figure 6: Audit Work System

The contradictions and conflicts that arise in this work system between the different components

are summarized in the table below.

Contradictions and conflicts

Conflicts with Rules, Community

and Object Objective of providing independent assurance could conflict with

the client especially when negative audit findings are identified as

client believes a negative perception of him. He may view the work of

Audit as being punitive and not necessarily adding to improvements or

strategic value.

Contradictions also arise as A&F reports administratively to divisional

executive, but reports functionally to the Eskom Audit Committee

(question of two bosses and perception of independence often arises). Conflicts with Subject, Tools and

Object Conflict with the Tools results as challenges with having the Audit

working paper and business monitoring tools to fully support its audit

methodology. Sufficient knowledge of tools also impacts

objective being reached. Conflicts with Subject, Rules and

Object

The IIA standards are sometimes misunderstood by auditors and

perceived as preventing flexibility. Also, auditors have not fully

embraced the consulting avenue.

The changing rules and legislation poses challenges in terms of auditors

constantly keeping abreast with changes in the environment. Table 1: Contradictions and Conflict in A&F Work System

Copyright UCT


1.4.4 Using the Viable Systems Model

I used Stafford Beer’s Viable Systems Model (VSM) to describe my current situation,

contextualize the concern of strategic value of IT Auditing and understand its relevance to the

situation of a state-owned enterprise having to survive and adapt in a changing environment. I

also made use of the Viable Systems Diagnosis (VSD) to X-ray the situation and ‘judge what is

going on the basis of what a healthy situation should look like’ (Jackson, 2003) in order to

diagnose my problem and concern.

The VSM essentially looks at an organisation interacting with its environment. The organisation

is seen as two parts: the Operation which does all the basic work (production, distribution,

earning the money) and the Metasystem which provide a service to the Operation by ensuring the

whole organisation works together in an integrated way.

The emphasis of the VSM is on the relations of the system as a whole, and not on the separate,

individual parts. A viable system has to ensure effective adaption, co-ordination and

implementation functions. It is also critical that information channels and control loops are

properly designed in the system. The Operation and Metasystem further sub-divide into five

interacting systems. The purpose of each of the system is captured below:

Figure 7: VSM –Systems

Copyright UCT


Beer (1992) essentially argues that for an organisation to be healthy and viable the five

subsystems have to be present and healthy.

The representation of Eskom as a VSM aids in understanding the mechanisms and functional

allocations. The following diagram depicts Eskom as a VSM.

Figure 8: Eskom as a VSM

Note that at the time of writing this dissertation, Eskom is undergoing a major strategic review.

The purpose of which is examine and redefine Eskom’s strategic objectives, which includes

revised functions and structuring of Eskom from its current form. The VSM above was based on

its current functions and role.

I performed a Viable System Diagnosis (VSD) to determine the high levels threats to the

viability of the organization, but to particularly focus on the concerns relating to the Auditing

System 3*.

Copyright UCT


Some of the possible threats at Eskom level which have been brought into sharp focus over the

past two years aim to be addressed through the current Strategic review implementation which is

focused on:

• Increasing the current level of autonomy of the operating units (Generation, Transmission

and Distribution)

• Strengthening the current weak and fragmented Intelligence function (which had resulted in

the collapse of the policy function onto the Control function)

• Strengthening the policy function through establishment of dedicated strategic management

function and focus on clear direction setting for the organisation

• Refocusing the Coordination functions to ensure that they are more aligned to service

delivery to the operating units

1.4.5 Taking a closer look at the Audit function (S3*)

I now focus more closely on the Auditing S3* function. System 3* interacts closely with

Systems 1, 2 and 3 as shown more clearly in the diagram below.

Figure 9: VSM - Role of S3*

Copyright UCT


A&F fulfills the role of the audit group System 3*, which is a crucial element of System 3

activities. System 3* is seen as a servant of System 3. Taking into account the work system

described above, the purpose of System 3* is to do audits and surveys in order to provide an

information service to System 3. This is to enable System 3 to have a thorough model of all that

it needs to know about the goings-on within the entire complex of interacting Operational units.

System 3* is often referred to as looking for signs of stress. In the original physiological model

by Beer (1981) System 3* was based upon a nerve called the vagus which reports back to the

base brain on signs of stress in the muscles and organs.

The role of S3* is to empower System 3 in performing its Control function. System 3 requires

feedback from S3* to change its input and strengthen control and cohesion to have the desired

output. Without Feedback, the organisation cannot adapt.

1.4.6 The Relevance of Strategic Value of IT Auditing to Eskom

The IT environment itself, by its very nature of rapid changes in technology, is dynamic. Stafford

Beer (1981) argues that it is to the rate, rather than the changes themselves, that we have to

adapt. The rate of change of technology has been exponential. Beer points out that computer

system today are more than a hundred million times faster than they were in the 1940s.

In addition, the King Report (2009) also highlights that information systems were used as an

enabler to business, but now ‘IT has become pervasive because it is an integral part of the

business and is fundamental to support, sustain and grow the business’. IT has become more

pervasive in Eskom. With the convergence of IT and Operational Technology (OT), the real-time

engineering systems, which Eskom is heavily dependent on for its 24*7, 365 days a year service,

are no longer ring-fenced systems. They are running on similar architecture as the more

traditional IT systems and are now susceptible to the same IT risks. As one of my interviewees

aptly remarked, “IT is like electricity, it cuts across all spheres of life’’.

Copyright UCT


Furthermore, looking at the current complexities in the Eskom environment and in particular

with relation to the IT environment, IT Audit can be criticized for providing fragmented or

‘scattered’ assurance that is unable to fulfill the information gaps required by System 3.

The complexity (or variety) that IT Audit has to deal with has increased. IT Audit is not

fulfilling the functions of a vagus. Questions were raised as to ‘where were the auditors?’ when

Eskom experienced load shedding countrywide. Furthermore, the perception exists that Audit

has become autonomous and dictates the audit plan which does not necessarily focus on fulfilling

the information gaps.

As a result of weak Control function (S3), there are increasing requests to A&F from

management relating to information that will enable/support strategic decision making. The weak

Intelligence function has also left a vacuum in terms of the trends internally as well as globally.

Management is looking to A&F to fill in some of these gaps. Furthermore, there is growing

expectation that Audit should signal signs of stress, referred to as emerging risks both from Audit

committee and Eskom.

By not providing the ‘right’ quality feedback in terms of strategic value to S3, the Auditing

System 3* impacts on the threats to viability of Eskom as S3 will be making decisions in

ignorance. Furthermore, the sustainability of A&F is threatened as there is a heightened risk of

being outsourced as external audit firms have strengthened their role of providing internal audit

services. In particular, an external audit firm is currently serving as an internal assurance

function at one of Eskom’s sister state-owned enterprises.

Having looked at the role of IT Audit within Eskom, I now will focus on understanding the

stakeholders in this situation.

1.4.7 Understanding the different Stakeholders

West Churchman as cited by Ryan (2009) captures that the systems approach begins when you

‘first see the world through the eyes of another stakeholder’. A perspective reflects a worldview

which is much broader than a theory. Any particular view is generally bound by a background

Copyright UCT


philosophy derived from the interaction of life experiences, value systems and worldviews

(Ryan, 2009). There are always several worldviews (or ‘weltanschauung’) as individuals

interpret the world differently. Based on our worldview, where we select only certain data and

ignore the rest, we are limited in our perspectives. In order to have a full appreciation of my

problem and improve my understanding of the situation, it was important for me to take into

consideration multiple perspectives from different stakeholders. In the figure below, it is only by

pulling the different perspectives together, are the blind men able to ‘see the whole elephant’.

Figure 10: Multiple Perspectives

Picking the Right Stakeholders

A number of stakeholders were identified and analysed and detailed in the Appendix. The

characteristics of the stakeholders were mapped onto Savage’s Topology as shown below.

Copyright UCT


Figure 11: Stakeholder analysis

CATWOEs (Customers, Actor, Transformation, Owner, Environment) are used to frame a

perspective which express how various stakeholders perceive the imperative for strategic value

of IT Auditing. The Appendix provides CATWOEs and root definitions for the key stakeholders

and illustrates the different perspectives that exist.

1.4.8 Let’s take a ‘rich’ picture

I have used a rich picture to creatively capture the mess. A rich picture is an artifact that

represents the real world problem situation which assists in providing a way of arriving at an

understanding of the situation. Durant-Law (2005) points out that the main benefit is derived

from its generation rather than the end result diagram.

Copyright UCT


Figure 12: Rich picture

Within the picture, there are multiple perspectives. This situation is viewed from an

organisational, technical and personal perspective.

From rich picture, several failures/issues were identified as summarised below:

• Institute of Internal Auditors (IIA) recognizing the evolving role of auditors

• Audit clients frustrated with the lack of business understanding of the auditor

• The IT auditor overwhelmed with the changes and complexities in the environment

• Concerns from Audit Committee regarding Audit’s ability to evolve to a strategic partner

• Growing competition from External Audit

• Audit management concerns around how to strengthen the long term position of IT Audit in

the wake of increasing threats around possible outsourcing of IT Audit

Copyright UCT


I am part of the senior management grappling with how to add strategic value to address

increased expectations of audit committee and audit clients.

1.5 The Research Problem

Strategy has as its main aim the continuation and growth of the organization. Based on the

current challenges and issues in Eskom and IT Audit as discussed above, my concern is the level

of strategic value of IT Auditing at Eskom.

I have illustrated the past, current and potential behaviour of this concern over time as in the

graph below.

Figure 13: Concern behaviour over time

Overall, the strategic value of IT Auditing at Eskom is declining. The evidence for this behaviour

is based on Customer satisfaction surveys received from audit clients and executive

management. Analysis of these surveys indicate concerns around IT Audit not being able to

adequately meet clients changing expectations. There has been ‘pockets’ of value that has been

added that could be seen as strategic value, especially when the IT Auditors evaluated certain

Copyright UCT


engineering systems, but this has been fragmented and has not been sustainable. Furthermore, the

recent consideration of outsourcing as one of the options for assurance services for Eskom,

although not exercised, raises serious concerns.

The graph also predicts the future reference scenario if nothing is done to address the concern

raised. If nothing is done, the strategic value of IT Auditing will continue to decline, given the

rapid rate of change of technology and the increased complexities, change and diversity in the

Eskom environment. This will impact directly on the viability of Eskom as IT has become

pervasive in the organization. Eskom, in its fragile state of recovery cannot afford further threats

to its viability. In terms of a departmental impact, it could result in IT Auditing and A&F being

outsourced. The implications of this on a personal level is that staff (including myself) become

demotivated and leave the organisation. If there is outsourcing, it generally results in

retrenchments. Hence, action needs to be taken to address this concern.

1.5.1 Force Field Analysis of factors impacting on Strategic value of IT Auditing

Force Field analysis considers what the drivers and restrainers are to the level of strategic value

of IT Auditing as shown below.

Figure 14: Force Field Analysis impacting on Strategic value of IT Auditing

This highlights the complex nature of the problem.

Copyright UCT


1.5.2 Avoiding Errors in My Problem Formulation

Mitroff (1998) guards against making of an error of the 3rd

kind, an error of defining the

incorrect problem precisely. He warns against trying to make complex problems appear

simplistic in suggesting that there are simple or singular solutions. To avoid such errors, I have

paid attention to boundary judgments to analyse the boundaries that I have drawn around the

system of interest as shown in the table below.

Nature of error Application to this research

1. Picking the right

stakeholders

Stakeholder analysis was performed to

consider this.

2. Expanding options The concern is phrased to consider the

underlying dynamics of strategic value of IT

Auditing.

3. Phrasing the problem

correctly

The concern is phrased broadly to consider

human, technical and organizational variables.

4. Expand the problem

boundaries

Boundaries are expanded to focus around IT

Audit in Eskom.

5. Being prepared to

manage paradox

The relevance to Eskom, the broader system

in which the concern is situated, has been

considered.

Table 2: Avoiding error of the 3rd

kind

Raising the concern about the strategic value of IT Auditing poses a number of questions and in

the following section I focus on how to develop a powerful question to address this concern.

1.6 Research Question

‘Judge others by their questions rather than by their answers’. - Voltaire

The purpose of this section is to formulate a single clear Research Question whose answer will

address the concern raised within IT Auditing at Eskom.

Copyright UCT


I followed the brainstorming process recommended by Booth et al (2005) in order to general

several potential questions so as to cover a high degree of comprehensiveness. The results are

listed below:

• What are the drivers of strategic value of IT Auditing in Eskom?

• How can IT Audit move away from compliance to value add auditing?

• Why has IT Audit not been able to deliver strategic value to Eskom?

• Why is IT Audit not serving as a strategic function in Eskom?

• How can IT Audit be improved to deliver strategic value?

• What are the factors that impact on strategic value of IT Auditing?

Considering the questions above, and attempting to arrive at a powerful question, the question

chosen to be most appropriate was:

Why has IT Audit not been able to deliver strategic value to Eskom?

In evaluating the powerfulness of the question, to ensure that the research question adequately

addresses the concern of strategic value of IT Auditing arising from my situation, I made use of

the framework by Vogt, Brown and Isaacs (2003) which addresses the three dimensions of

Construction, Scope and Assumptions of the question.

In terms of construction, the use of Why makes it a searching question that is more powerful than

a question with a Yes/No answer. Asking Why has the potential to create useful insights (Vogt et

al, 2003) and one that provokes thoughtful exploration and evokes creative thinking.

I have used boundary management in keeping my question within “realistic boundaries

and needs of the situation” (Vogt et al, 2003). Hence, I am focusing on IT Audit within Eskom, a

more manageable scope than say IT Auditing in South African internal auditing functions.

Finally, the question assumes that there is more than one potential solution and that IT Audit has

not been able to provide strategic value to Eskom.

Copyright UCT


1.7 Research Framework

I have developed an integrated research framework using different system approaches in

combination to guide my research process to reach an answer to the research question raised.

This research was approached from a critical realist perspective. In order to identify the system

approaches and methodologies appropriate to my problem context, I made use of Jackson’s

(2003) framework for classifying systems methodologies, referred to as the System of Systems

Methodologies (SOSM). I therefore used the VSM, Activity Theory, Stakeholder analysis and

rich picture to understand the mess. In order to gather, interpret and analyse data to develop a

theory explaining the causal mechanisms impacting on the strategic value of IT Auditing at

Eskom, I have integrated the methodologies of Grounded Theory and Soft Systems Methodology

(SSM). The integrated research framework is discussed in Chapter 3.

1.8 The Answer: The Theory that emerged through the research

I applied the research framework to obtain my research results. In essence, having made sense of

the situation and understanding the relevance of the concern, and raising a powerful question, I

then made use of Grounded Theory to collect and interpret data to build a theory to explain the

casual mechanism driving the behaviour of strategic value of IT Auditing in Eskom.

Through rigorous application of the Grounded Theory process, the level of Mindfulness, the

effectiveness of Shared value proposition and the level of Strategic skills and competencies

emerged as the three core variables critical to driving the level of strategic value of IT Auditing

in Eskom. The findings relating to these variables are summarised below.

• Mindfulness

It emerged through the interviews that there is a need for auditors to move away from the

compliance mindset (“tick and bash” auditing) and instead to bringing in new fresh insight and

Copyright UCT


being able to rely on their sense of intuition more. It also surfaced that auditors need to be more

reflective and question assumptions as they audit.

• Shared Value Proposition

Many interviewees expressed the concern around the lack of a shared meaning and direction for

Audit. They felt that strategic planning is part of management’s tasks and do not feel a sense of

involvement in the process.

• Strategic skills and competencies

The majority of the interviews highlighted the concern around skills and competencies of IT

auditors that need to evolve beyond technical skills, and focus on the increasing importance of

behavioural competencies as well as the understanding of the business.

The main outcomes of my research process were found to be Effectiveness of

consulting/advisory, Level of Systems Auditing, and the Level of continuous learning and

adaptability.

Through the Grounded Theory process and comparison to the Business Idea archetype, I was

able to use these variables to develop a theory that explained the causal mechanisms driving the

behaviour of strategic value of IT Auditing.

My theory explains that the distinctive competencies of Mindfulness, Strategic skills and

competencies, and Shared value proposition, in their mutually reinforcing interaction, drives the

strategic value of IT Auditing and creates sustained competitive advantage for IT Audit. This

will enable it to adapt to the evolving needs of Eskom. The theory that emerged shows the causal

relationships between the variables in a causal loop diagram and resembles a ladybird. I have

used this as a metaphor to describe my ‘ladybird theory’, which has a head of mindfulness, wings

of competency and adaptability, and supported by a body of shared value proposition, all

interacting to drive the level of strategic value of IT Auditing in Eskom .

Copyright UCT


The results of my research are discussed further in Chapter 4.

1.9 The Rationale for the Answer

The theory that emerged as the answer to my research question is ‘grounded’ in the data gathered

and analysed. I build arguments, loop by loop to explain the causal relationships in the theory

that emerged to explain how the distinctive competencies of Mindfulness, Strategic skills and

competencies, and Shared value proposition, in their mutually reinforcing interaction, will drive

strategic value of IT Auditing and create sustained competitive advantage for IT Audit in Eskom.

This is discussed in Chapter 4.

1.10 Evaluation of the Answer

In Chapter 5, I reflect critically and evaluate my research in terms of Relevance, Utility, and

Validity of my research answer. Based on my arguments presented for the evaluation, I claim

that my research is relevant, has utility, is dependable, credible, confirmable and to a certain

extent transferrable. I also give due consideration to the ethical implications of my Research

Answer through the use of Velasquez’s (2006) ethical evaluation framework which focuses on

Utilitarianism, Rights, Justice and Caring. Furthermore, I reflect on the significance and

implications of this research, my learning, as well as provide insight as to how this research can

be developed further.

1.11 Conclusion

This chapter established relevance by demonstrating that the Concern of Strategic Value of IT

Auditing is relevant to Eskom. The increased challenges and complexity facing Eskom relating

to keeping the lights burning has resulted in increased risk for the organization. Hence, greater

assurance and consulting is required from IT Audit to mitigate against these risks. Therefore, by

Copyright UCT


IT Audit not providing strategic value to Eskom, it impacts on the threats to viability of Eskom if

strategic decisions are made in ignorance of IT governance, risk management and controls.

Furthermore, the sustainability of A&F is threatened due to the heightened risk of being

outsourced as external audit firms strengthen their role of providing internal audit services.

In Section 1, various system tools were used to capture the situation by understanding the mess

and bringing in multiple perspectives from different stakeholders relating to my concern, which

led to raising a powerful question to address the concern.

Thereafter, I provided an overview of the research framework and the theory that was developed

as an answer to the question of ‘Why has IT Audit not been able to deliver strategic value to

Eskom?’

Having provided an introduction and overview of my dissertation in Chapter 1, the next chapter

builds a body of knowledge based on relevant literature and locates my research results within

this body of knowledge.

Copyright UCT


CHAPTER 2 - LITERATURE REVIEW

This chapter establishes a body of knowledge based on existing literature related to my research

topic. I focus on building a body of knowledge relevant to Strategic Management and IT

Auditing from an internal auditing perspective as well as locating the research results in this

body of knowledge.

In order to achieve this, I performed the Literature Review on three conceptual levels as follows:

• The parent theory – Strategic Management (as my research is located within the strategic

domain of management, with a particular focus of this within state-owned enterprises)

• The immediate area of concern – Strategic Value of IT Auditing

• The core categories from my research findings –Mindfulness, Strategic skills and

competencies, and Shared Value Proposition

This is indicated in the diagram below.

Figure 15: Three Level Literature Review

Copyright UCT


To conduct the literature review, I have tried to use a wide sample of existing literature and

mainly made use of electronic sources, predominantly on academic and business databases. I

have also consulted books and EMBA class notes and handouts. I was able to locate a wide

source of literature relating to Strategic Management and Internal Auditing, but particularly how

this relates to Strategic Value of IT Auditing was more limited.

2.1 Level I Literature Review

This section reviews relevant literature on strategic management as part of the parent theory.

This is explored to gain an understanding of the key models, theories, debates and trends relating

to strategic management.

2.1.1 Strategic Management

Numerous authors concur that the fundamental question in the strategy field remains: ‘How do

organisations achieve sustainable competitive advantage?’ The literature points out that the

environment has changed and traditional approaches to strategic management are not adequate.

The reliance on the traditional application of rational, analytical strategy tools and techniques has

demonstrated to be inadequate when organisations are confronted by an uncertain business

environment (O’Shannassy, 2007). This view is shared by Bitar (2004) who highlights that early

strategy theories, which assumed that value existed somewhere outside the firm and that

strategy’s role was to design a fit between the organization and the environment, are limited in

turbulent environments.

Lamberg and Parvinen (2003) share similar views and have introduced a new metaphor for

strategic management, namely, that of the strategy river. This metaphor aims to emphasize the

evolutionary, dynamic and systemic nature of strategic management. They highlight that

strategic decisions, like rivers, are constrained not only by the historical decisions made but also

by issues related to timing and co-evolutionary interplay with the environment. Furthermore,

they see that strategic decision-making takes place in systemic, network-like settings, which

resemble the molecular structure and behaviour of water. Similar to water, they perceive the

Copyright UCT


future strategic direction of a company to be determined by its current velocity, mass and

direction. The river metaphor highlights the complexities associated with strategic management.

Price (2009) echoes similar sentiments that traditional strategic planning fails when this is

confused with operational planning. He indicates that strategic planning needs to be done in

phases and “treated as an ongoing process rather than an event, you weave your strategy into the

organisation’s culture”.

As part of my research findings, I have found that we are as management within A&F are

grappling with strategic management and currently treating strategic planning as events,

traditionally done bi-annually in order to submit strategic plans. We talk about having to improve

our strategy management to become an embedded process, but we not sure how to do this.

2.1.2 Strategic Management in Public Sector/ State-owned enterprises

Literature reviewed clearly indicates that there are challenges of strategic management in the

public sector. The challenges are heightened as this sector needs to balance their public interest

and their money interest. Davis (2007) emphasizes that a strong public sector is fundamental to

the strength of any society and points out further that globalization and demography are two

primary threats facing governments. Moore (1997) warns that most government organisations

see themselves as monopolies and treat competition as being out of place. Hence, they place little

emphasis on corporate strategy as in private sector. Overall, the writers generally agree that a lot

more emphasis needs to be placed on strategic management in the public sector.

As Eskom is the only major electricity player in South African, I have reviewed literature on

strategic management/challenges in other electricity utilities globally. The existing literature

highlights that the Electricity industry globally is experiencing severe challenges. Fatih Birol

(2007) highlights that the growing risk of disruptions to energy supply, the threat of

environmental damage caused by energy production and use, and persistent energy poverty are

the three strategic challenges facing the global energy system in the coming decades. Eskom,

currently, is plagued by these challenges which pose a threat to its viability. The issue of energy

Copyright UCT


poverty is particularly relevant in South Africa as it prevents merely raising tariffs to reduce

resource constraints, as Eskom also needs to take into account socio-economic factors.

2.1.3 Current Theories/Models on Strategic Management

Some of the current leading perspectives on Strategic Management that were reviewed are

discussed below:

2.1.3.1 Resource Based View

Resource Based View (RBV) takes an internal focus and assumes that organisations are unique

bundles of resources; that resources are relatively immobile, and that resources need capability,

capacity, durability and specificity. In terms of RBV, individual firms may exhibit sustained

performance advantages due to their superiority of their resources. Only value-adding resources

can lead to competitive advantage. Resources are defined as tangible and intangible assets that

include assets, capabilities, processes, attributes, knowledge and know-how that is possessed by

the firm, and that can be used to formulate and implement competitive strategies (Rivard, 2006).

Resource-based view (RBV) differs from the Industrial Organization (I/O) Model which largely

focuses on industry structure or attractiveness of the external environment rather than internal

characteristics of the firm.

Sustained competitive advantage requires that resources must be difficult to imitate or substitute.

From the resource based view perspective, resources and capabilities that are valuable (V),

relatively rare (R), and difficult to successfully imitate/substitute (IN) are at the core of

sustained, excellent firm performance. However, the writers contend that VRIN resources are

tough to find.

The resource based view had been criticised for presenting a very static view of what is

essentially a dynamic process. Furthermore, the lack of empirical validation as one of its core

propositions is a critical issue facing the development of the RBV view. Many of the

Copyright UCT


contributions have been theoretical to date and empirical measures are essential in order to

measure the value of the RBV approach.

One of the assumptions of RBV is that resources are relatively immobile. I argue that this is a

challenge in the IT Auditing industry. IT Auditing skills are transportable across internal and

external auditing sectors, both locally and globally and hence IT audit resources are generally

highly mobile. Jeurgens (2006) also points out that IT Auditors tend to be more mobile than

traditional auditors as there is a lack of skilled IT auditors in the marketplace and that the

challenge for Chief Audit Executives today is to hire and retain competent IT audit professionals.

Furthermore, in terms of my research results, the emphasis on having staff with superior

knowledge was highlighted during the interviews as being critical to deliver auditing that adds

value. But I would argue that having an internal focus on the superiority of resources alone does

not lead to a sustained competitive advantage as IT by its very nature is dynamic. As IT auditors,

we need to be in a position to respond to an ever-changing environment, which requires more

than just an internal focus.

2.1.3.2 Dynamic capability theory

More recently, the dynamic capability perspective has extended the Resource Based View to the

realm of evolving capabilities. Teece (2007) defines Dynamic Capability as organisation’s ability

to “integrate, build, and reconfigure internal and external competencies to address rapidly

changing environments.” The dynamic capability theory seeks to explain how firm achieve and

sustain competitive advantage despite an ever-changing environment (Ryan, 2009). Dynamic

Capabilities are those competencies that allow the firm to respond to and exploit changing

market environment.

Teece (2007) mentions that a firm must “sense” and “shape” an organisations success by

constantly scanning, searching and exploring across technologies and markets. The processes

above if coordinated and managed optimally will result in competitive advantage as long as a

unique approach is used. A number of writers have highlighted the need to match the internal

Copyright UCT


organisations capabilities to meet and master the requirements of managing the continuously

adapting variables within the external world. However, the writers all recommend that it is

crucial to bear in mind the history within the firm and decision made to take the organisation to

its current position. This has also been highlighted through the strategy as a river metaphor

discussed above.

The literature review pointed out that learning and uniqueness are the basis for developing

dynamic capabilities. Bitar (2004) takes this further and argues that dynamic capabilities as

organisational social learning processes are a result of the firm’s unique history, and that the

uniqueness of Dynamic Capability emerges through a concept known as ‘causal ambiguity’. This

means that the links between specific resources and skills and the results attained are hard to

identify and are not understood.

2.1.3.3 Complementary Approaches

Bitar (2004) embraces previous research by Chandler and Porter (1992) whose theories focus on

internal capabilities and Andres (1971) whose SWOT model identified a focus on opportunities

and threats which gives an external view. By combining these approaches or frameworks,

Dynamic Capabilities leads to a tighter integration between these essential components of

strategy. The literature indicates that certain theories can be integrated and should not be

approached in isolation.

2.1.3.4 Strategy as practice

Strategy- as- practice is concerned with the doing of strategy; sees strategy as something that

people do. It brings in the human actors and their interactions to strategy research.

Strategy- as- practice has been proposed as furthering Resource Based View and Dynamic

Capability. Jarzabkowski and Spee (2009) suggest that ‘Strategy- as- practice furthers the study

of social complexity and casual ambiguity in Resource-based view, unpacks the dynamism in

dynamic capabilities theory and explains the theory that constitutes strategy process’.

Copyright UCT


Chia and Holt (year unknown) state that no strategy ever follows as planned because of the

necessarily live and reactive nature of strategic engagements. They argue that strategy-making

should not be viewed as a detached transcendent activity that relies predominantly on maps and

strategic models to guide the process.

My research findings support the literature that traditional approaches to strategic management

are not adequate and further that complementary approaches to strategic management are

required. My ladybird metaphor (discussed in Chapter 4) that I propose as a symbolic

representation of the underlying dynamics that impact on strategic value of IT Auditing

illustrates how Resource Based View, Dynamic Capability and Strategy-as-Practice can

systemically integrate with each other.

2.2 Level II Literature Review

This section discusses literature review on Internal Auditing with a specific focus on IT Auditing

and the strategic value thereof. The purpose is to review literature relating more closely to the

research question: Why has IT Audit not been able to deliver strategic value of IT Auditing to

Eskom?

2.2.1 Internal Auditing

“The internal auditors also need to establish themselves as vital cogs in their organizations,

rather than as observers who watch from the periphery and wait for events to impact them”

(Sawyer and Vinten, 1996).

Various sources of literature reviewed indicate that the Internal auditing profession has

undergone dramatic changes that have expanded its scope in a way that position it to make

greater contributions to the organisation it serves. As a result, there are increasing expectations

from Internal Audit to operate as a strategic partner to the organisation. From the literature

reviewed, auditing of risk management and strategic planning is emphasised. The KPMG paper

Copyright UCT


(2000) that focuses on new strategies and best practices in Internal Audit recommends that

Internal Audit not just focus on compliance testing, but incorporate integrity testing that evaluate

decision making in terms of the long term interests of the organisation.

There is consensus between the KPMG paper (2000) and the PWC 2012 survey (2007) that

although there is compelling evidences that “traditional” assurance is no longer adequate, many

Internal Audit functions have not adjusted to reflect this change. It was found that despite the

threat of strategy risks, the typical audit department continues to spend the majority of its time on

traditional assurance activities covering financial and compliance risks.

Strategic risk has become an increasingly important consideration. Over the past 10 years,

strategic risk failures accounted for 68% of the root causes responsible for significant market

capitalisation declines, but in many cases Audit assurance has not adjusted to reflect this change.

The following graph from the ADR paper (2010) that focuses on next generation Auditing

reflects this.

Copyright UCT


Figure 16: Traditional assurance (Source: ADR, 2010)

The PWC 2012 study (2007) concurs with this view that “Internal Audit is uniquely placed to

offer a wide and deep perspective from the organisation’s strategic view of risk and risk appetite

through to the way in which risk is being managed within the business. However, frequently

Internal Audit’s focus is on individual audits, rather than on the tremendous value it can bring by

looking across the organisation.”

The articles indicate that overall there is an opportunity for Internal Audit to take a whole

organisational view. Moreover, there is growing pressure from Audit committees and senior

management for internal audit to provide more clear-cut strategic value (PWC 2012 survey).

Copyright UCT


2.2.2 Increasing Importance and Challenges of IT Auditing

The literature reviewed indicate that IT Auditing is increasing in importance as organisations

become increasingly dependent on IT and that IT is changing the nature of the internal audit

function. Jeurgens (2006) points out that as organisations increase their reliance on IT: two key

issues emerge:

• Large % of key controls on which the organization relies, is likely to be technology driven

• Systems that have control deficiencies will have a larger impact on organisation’s operations

and competitive readiness, thereby increasing need for effective IT controls

Jeurgens (2006) puts forward that the Snowflake theory illustrates that each environment is

unique, and accordingly presents a unique set of risks. The difference in IT environments makes

it difficult to take a generic or checklist approach to IT Auditing. Furthermore, technology is

increasing rapidly; consequently IT risks are not static. These contribute to a more dynamic

environment.

As pointed out by a Chief Audit Executive in the PWC 2012 survey (2007) “ the lines separating

IT and non-IT audits will continue to blur over the next five years, given the need to leverage the

power of technology to enhance audit efficiency”.

The literature reviewed indicates strongly that IT Audit needs to move to beyond a technical

focus to add value to the organisation.

Views expressed in the literature review are congruent to my research findings in that the rate of

change of technology and the environment has added to our complexities, and although we know

that we have to change from our traditional audit focus and focus on strategic audits, we have

not. This is evident where in the past two years Eskom’s strategic risks relating to load shedding

and financial sustainability materialised, yet the IT Audit plan today is still predominantly

focused on traditional rather than strategic focus audits.

Copyright UCT


I claim that A&F, like other internal audit functions indicated in the literature review, has not

reflected the change required mainly due to not having a systemic understanding of how to add

strategic value. Thus far, we have been provided with various recommendations to strategically

position internal auditing for the long term, but without an understanding how the underlying

mechanisms interact to provide strategic value, we have been unable to implement meaningful

change. My research findings build on the body of knowledge by illustrating the causal

relationships between the categories that impact on strategic value of IT Auditing.

2.3 Level III Literature Review

In this section, I review literature related to the core categories that emerged through the research

as critical to driving strategic value of IT Auditing. The relevance is to discuss key arguments

from previous research on how Mindfulness, Strategic Skills and Competencies and Shared

Value Proposition impact on strategic value of IT Auditing. In order to reduce bias and

prejudgments, the literature review on these categories was only done after they emerged as core

categories through the grounded theory process.

2.3.1 Mindfulness

As Langer (2000) points out, mindfulness is not an easy concept to define, but can be understood

as “the process of drawing novel distinctions, which keeps us situated in the present”.

Mindfulness can be seen as containing components of (a) openness to novelty, (b) alertness to

distinction, (c) sensitivity to different contexts, (d) implicit, if not explicit, awareness of multiple

perspectives and (e) orientation in the present. Mindlessness is the lack of these attributes.

Studies by Langer (2000) and others have shown that mindfulness results in increase in

competence, creativity, decreased burnout and stress, and increased productivity. Mindlessness

can show up as the direct cause of human error in complex situations.

Copyright UCT


Langer (2000) further points out that through the simple process of ‘mindful learning - of seeing

the familiar in the novel and the novel in the familiar, we will be able to avert danger not yet

arisen and take advantage of new opportunities that may present themselves.”

Weick and Sutcliffe (2001) concur with this kind of self conscious auditing and have developed

a mindfulness audit that makes one more attentive to the moments when one or the organisation

is working on automatic pilot. They argue that mindful people are alert to unanticipated

possibilities, and view failures as symptoms that give clues about the health of the system as a

whole.

Perkins and Ritchhart (2000) take Langer’s ideas further and consider three high-leverage

practices of nurturing disposition of mindfulness that of “Looking closely, exploring possibilities

and perspectives, and introducing ambiguity”.

2.3.1.1 Mindfulness for Auditors

Dittenhofer et al (2010) concede that the behavioural dimensionals of internal auditing has

received little systemic exploration in the professional and academic literature for the past few

decades. This has been my experience when trying to search for similar literature. I have had to

rely mostly on Dittenhofer’s research.

Although the literature consulted, does not specifically refer to term mindfulness when

describing competences required in auditors, references are made to auditors having to develop a

“sixth sense” and becoming more alert and aware (Dittenhofer et al, 2010). The literature

reviewed recognises the need for auditors to possess high degrees of emotional and social

intelligence.

Furthermore, Dittenhofer et al (2000) argue that professional skepticism of internal auditors must

be continually developed and “listened to”. This relates to auditor’s sixth sense or gut instinct,

sometimes called the “smell test”. What happens at a subconscious level is the auditor’s

evaluation as to the credibility of what he or she is observing. He argues that the mental process

Copyright UCT


is not only cognitive but also an affective activity, a sensitivity or feeling that something is

amiss. He suggests that some would call it “intuitive process”. This can be linked to one of

Langer’s (2000) components of Mindfulness related to not taking things for granted and going

beyond assumptions.

The compliance mindset leads auditors to operate in auto-pilot mode. As Dittenhofer points out,

many auditors are exposed to the ‘strict inflexible dogma of existing auditing mantra’.

Karl Albrecht, as cited by Dittenhofer et al (2010), refers to a role as consisting of five categories

of competence, using the mnemonic S.P.A.C.E:

• Situational Awareness: “the ability to read situations and interpret the behaviour of people in

those situations”

• Presence: “a range of verbal and non-verbal patterns, one’s appearance, posture, subtle

movements”

• Authenticity: “various signals from our behavior that lead others to judge us as honest, open,

ethical , trustworthy, and well-intentioned – or inauthentic”

• Clarity: “ “our ability to explain ourselves, illuminate ideas, pass data clearly and accurately

• Empathy: “having a feeling for someone else….a shared feeling between two people

Dittenhofer et al contends that the above five dimension are directly applicable to the role that

internal auditors play.

Waddock (2005), as cited by Dittenhofer, takes a strong position that “if we want accountants

(auditors) who are capable of acting with integrity and understanding the broader system in

which they work, we must teach them to be mindful – aware of their belief systems, conscious of

consequences, and capable of thinking broadly about the impact of their actions and decisions”.

Considering the above in terms of what is expected of auditors behaviourally, I can see distinct

similarities between these and Langer’s meaning of Mindfulness. Components of Langer’s

mindfulness, although not explicitly referred to as Mindfulness, are embedded in the above

Copyright UCT


expectations of auditors. Therefore, the literature reviewed supports that auditors are required to

have a sense of Mindfulness to improve their value add.

2.3.2 Strategic Skills and Competencies

The literature reviewed emphasise that traditional auditing skills are not sufficient to keep up

with the changes in the environment and global economy. Even as an IT auditor, technical skills

alone would not suffice.

Dittenhofer et al (2010) states that Internal Auditing is very much a relationship and

communications business. They elaborate that there is a greater need for auditors to have soft

skills which include the ability to share information, make persuasive arguments, negotiate

agreements, while simultaneously understanding different roles and responsibilities, empathising

with others, acting with integrity, and relating well with others from all levels of the

organization.

The recent IIA Global Internal Audit Survey (2010) concurs with this. It indicates that

globalisation and the rapid pace of change have in many ways altered the critical skill framework

necessary for success of the internal audit function.

The survey results show that in the wake of the turbulent global economy, the following skills

emerged as the three top competencies:

• Communication skills (including oral, written, report writing, presentation)

• Problem identification and solution skills (including core, conceptual and analytical skills)

• Keeping up to date with industry and regulatory changes and professional standards.

Understanding the business ranked overall as the important technical skill. These results are

applicable for all auditors, including IT auditors.

The survey results ranked the importance of competencies in three categories: general

competencies, behavioural competencies and technical skills.

Copyright UCT


The results for general competencies (skills that are essential to perform certain tasks) are shown

below: Communication skills ranked as the most important competency for audit staff.

Figure 17: General Competencies (Source: IIA, 2010)

Copyright UCT


The results for behavioural skills are shown below: Confidentiality ranked as top behavioural

skill for audit staff.

Figure 18: Behavioural Skills (Source:IIA, 2010)

The results for technical skills are shown below: Understanding the business ranked as top

behavioural skill for audit staff. Other literature also emphasise that internal auditors must

understand the business well enough to be able to look beyond ‘surface facts’ and identify

problems' root causes.

Copyright UCT


Figure 19: Technical skills (Source: IIA, 2010)

These results are also echoed by Dittenhofer et al (2010) who highlight that while internal

auditors need to rely on their knowledge of audit technology, it is their behavioural competencies

that often determine the extent of successful outcomes of assurance and consulting activities.

The PWC 2012 survey (2007) also highlights similar findings. The survey participants recognize

that to operate effectively going forward, audit leaders must develop a mix of capabilities,

competencies, and experience levels. The Chief Audit Executives interviewed for this survey

also talked about a broader set of non-technical yet highly desirable characteristics for the

internal auditors of tomorrow. They cited the need for personable, well-rounded professionals

who could “think beyond the project” and who had the business knowledge and confidence to

engage in substantive conversations with senior and executive management and audit committee.

Baker (2010) agrees that auditors need to understand the business in order to be able to challenge

it. He raises that the difficult part is getting people to accept that they don’t know enough. He

Copyright UCT


suggests increasing business knowledge by bringing in specialists from the business, use of

“guest” auditors and rotating auditors into the business to build up experience.

In general, this concurs with my research findings that IT Auditors need to move beyond

technical skills and the heightened importance of behavioural skills. Moreover, additional insight

was provided from the literature into recent developments around established programmes for

rotational resourcing including guest auditors, as well as training of internal auditors in systems

thinking in an Internal Audit function in Colombia.

2.3.3 Shared Value Proposition

(Walz, 1997) emphasises that although Auditing has become a matter of survival especially in

these recessionary times, some internal auditors have little idea of how they add value. He argues

that without understandable constructs for explaining and demonstrating their value creation,

internal auditors risk being labeled by management as resource consumers, not value-adders.

Their survival depends on being value adders.

This view is shared by several writers who argue that if internal audit is to be a strategic

contributor to the organisation, its fundamental value proposition must shift. This involves

moving beyond the fundamentals of risk and controls to create a new internal audit value

proposition.

It is recognised that the creation of value propositions needs to involve employees. O’ Malley

(year unknown) states that “having a clearly articulated purpose that is understood and embraced

by all employees is the essential foundation upon which practical strategies, tactics, and action

steps can be built.”

He elaborates that the purpose of any business is to create value for customers, employees, and

investors, and that sustainable value cannot be created for one group unless it is created for all of

them.

Copyright UCT


In addition, Thakor and Bass (2000) highlight that strategy cannot be executed unless it is

understood. They further highlight that value creation is a journey, therefore a process of

constant evolution.

This confirms my research findings on value proposition, as it is typical of the experience in

A&F, where interviewees expressed that they do not feel a sense of buy-in and involvement in

A&F strategic processes, and that it is perceived as being done in isolation by the managers. As a

result, it impacts on the extent to which strategy is embedded in the department.

2.4 Conclusion

In summary, the literature review highlighted the inadequacies of traditional strategic planning to

deal with the complexities and changes in today’s environment. Taking into account the

evolving role of Internal Auditing, Internal Audit will be measured by its ability to drive positive

change and improvement. The literature review bears testimony that given the changing nature of

the environment, IT Audit would need to act quickly to improve its strategic value if it is to be

relevant.

Further, the literature review broadly supports my emergent theory in that Mindfulness, Strategic

Skills and Competencies, and Shared Value proposition impact on strategic value. However, in

understanding the gaps in my existing theory, I do not suggest that these are the only three

factors that affect strategic value, but given the scope of the paper, my intention was to locate my

findings within the existing body of knowledge.

I am concerned that the existing literature focuses mainly on strategic value of internal auditing

and that there is limited literature directly focusing on the strategic value of IT auditing. The

dynamics of IT Auditing, as discussed above, introduces further complexities into internal

auditing. Moreover, various recommendations are provided to increase the value of internal

auditing and strategically position itself for the long term. However, it does not address how the

underlying dynamics of strategic value interact together to drive strategic improvement.

Copyright UCT


Therefore, decisions and actions based on existing literature may not provide a holistic basis for

understanding and improving the strategic value of IT Auditing. But, I concede that the existing

literature provided further insight into actionable knowledge relating to the use of

multidisciplinary teams and training of auditors in systems thinking which can be used for action

taking on the emergent theory.

Copyright UCT


CHAPTER 3 - RESEARCH FRAMEWORK

3.1 Introduction

The purpose of this chapter is to discuss the research framework that I used to guide my research

in order to reach an Answer to the Research Question: Why has IT Audit not able to deliver

strategic value to Eskom? Crabtree and Miller (1992) capture that doing research is in many

ways like taking a descriptive and explanatory snapshot of reality. They draw the analogy that

‘for each particular photograph, the investigator must decide what kind of camera, what scene on

which to focus, through which filter, and with what intent’. I have used this analogy to guide me

in developing my research framework. This chapter therefore discusses the nature and purpose of

management research, the philosophical foundations that I have adopted, and justifications for

the research methods and system methodologies that I have used to develop my integrated

research framework.

3.2 The Nature and Purpose of Management Research

Management practice is an interactive process of Sense making (what can I know), Decision

taking (what might I do), and Action taking (what may I hope) in order to drive critical reflection

and improvement. This is illustrated below as the Management Triad (Ryan, 2009).

Copyright UCT


Figure 20: Management Triad

Sense-making entails understanding of the problem context. Having this understanding, one can

then make an informed decision. Thereafter, action can then be taken, taking effect within the

context of the problem.

In the context of this dissertation, this involves making sense of the IT Auditing in Eskom, which

contributes to the development of a theory, which in turn provides the input for making decisions

to address the strategic value of IT Auditing and to take the relevant actions. Given the scope of

this dissertation, I have only focused on Sense-making and development of the theory which can

be used to guide decision making, and have also not incorporated Action Taking into this

dissertation.

3.3 Ontological Position – Theory of reality

Ontology is the philosophy of the worldview of reality (Durant-Law, 2005). For social sciences

and management research, in particular, there is a diversity of philosophical approaches or

ontological perspectives including that of positivism, hermeneutics, phenomenology and realism

(Chia, 2002). For the purposes of this study, I have adopted Critical Realism, which is part of the

Realism category, as my ontological perspective for the reasons discussed below.

Copyright UCT


3.3.1 Critical Realism (A model of the world)

Empiricism broadly refers to philosophies that see science as explaining events that can be

empirically observed. It holds the view that which cannot be observed, directly or indirectly,

cannot exist. Critical Realism was introduced as a critique to this philosophy.

The main feature of a critical realist approach to science is a ‘fundamental concern for

explanation in terms of independent underlying causal or generative mechanism which in

principle may be unobservable’ (Mingers, year unknown).

According to the philosophy of Critical Realism, reality exists independently of us or of our

knowledge and our perceptions. Bhaskar (1989) explains social reality as stratified into three

domains. These are the empirical, the actual and the real domain:

• the empirical is made up of experiences and events through observations

• the actual includes events whether observed or not

• the real consists of the processes, structures, powers and causal mechanisms that generate

events.

This multi-layered ontological representation helps in representing the complexity of the real

world phenomena. I therefore adopted a critical realist perspective with the aim to build a theory

to explain observable phenomena in IT Auditing with reference to underlying structures and

mechanisms. Bhaskar (1989) acknowledges that “we will only be able to understand, and also

change, the social world if we identify the structures at work that generate those events and

discourses”.

Copyright UCT


3.4 Epistemological Position

Epistemology refers to the theory of knowledge. In order to perform my research, I needed a

theory of knowledge in order to gather, and interpret data that would assist in developing an

answer to my research question. I first needed to establish whether the research method should

be qualitative or quantitative. I have then used Jacksons’ SOSM to guide in determining the

appropriate system methodologies and tools to gather knowledge on my situation and concern. I

have used Grounded Theory to gather data, interpret the data and build a ‘grounded’ theory of

what is driving the level of strategic value of IT Auditing in Eskom.

3.4.1 Qualitative and Quantitative Research Methods

Qualitative research is associated with research questions and phenomena of interest that require

exploration of detailed in depth data, aimed at description, comparison, or prescription

(Partington, 2002). Its focus is more theory oriented as compared to quantitative research which

focuses on surveys and questionnaires.

Easterby-Smith et al. (1991) as cited by Perry (2003) explains that exploratory research is

qualitative and asks `what are the variables involved?’; in contrast, explanatory research is

quantitative and asks ` what are the precise relationships between variables?'

Copyright UCT


The differences between qualitative and quantitative research as outlined by Mays & Pope

(1995) are shown in the table below.

Qualitative Quantiative

Social Theory: Action Structure

Methods: Observation, interview Experiment, survey

Question: What is X? (classification) How many Xs? (enumeration)

Reasoning: Inductive Deductive

Sampling Method: Theoretical Statistical

Strength: Validity Reliability

Table 3: Differences between Qualiative and Quantiative Research

They further point out that quantitative and qualitative research method can complement each

other and can be viewed as labels that describe two ends of a continuum.

However, considering the purpose of my research which was to explore why IT Audit is not able

to deliver strategic value by discovering relationships and causal mechanisms, qualitative

research was therefore deemed more suitable for my study than quantitative research.

Qualitative research is evaluated in terms of its validity. However, the problem inherent in

qualitative research is observer bias as the researcher is both the data collector and analyst. I

acknowledge my bias in this situation. I was cognisant of this and tried to reduce my bias

through:

• Searching for disconfirming evidence which involved both theoretical sampling and

prolonged engagement. This is explained further under Grounded Theory below.

• Triangulation – I have made use of a combination of different data sources and methods

during the research process.

Copyright UCT


I further made use of Maxwell’s model for qualitative research design. It is an iterative model

based on ‘interconnection and interaction among the different design components’ (Maxwell

2005). It allows for flexibility and I found myself going back and forth between the components

and having to refine my question through the research process. My research design is shown in

the Appendix A.

3.4.2 Choice of Systems methodologies

Jackson (2003) proposes that to deal with the complexity, diversity and change today, managers

require Creative Holism. He argues that using different systems approaches in combination

ensures for managers the benefits of both creativity and holism.

In order to identify the system approaches and methodologies appropriate to my problem

context, I made use of Jackson’s framework for classifying systems methodologies, referred to as

the System of Systems Methodologies (SOSM). I first located my problem context within

Jackson’s ‘ideal-type’ grid by taking into account the systems I have to deal with and the

participants involved.

This is shown in the table below.

Figure 21: Ideal-type Grid

Source: Adapted from Jackson (2003)

In terms of systems, my research problem lies more in the complex side of the continuum as it

has many subsystems which evolve and adapt over time as they are affected by their own

Copyright UCT


purposeful parts, and turbulent environment in which they exist. This is in contrast to simple

systems which tend not to change over time.

Regarding my participants in my research, they have both elements of unitary and pluralist

relationships. Some groups of participants have similar values, beliefs and interests (unitary), and

others, although their basic interests are compatible, they do not share the same values and

beliefs (pluralist).

My problem context therefore straddles the Complex-unitary and Complex-pluralist domains, as

Jackson indicates that the grid does not suggest that real world problems can be defined as fitting

exactly into any of these boxes.

3.4.3 Jackson’s System of Systems Methodologies (SOSM)

In order to choose methodologies appropriate to my problem context, I used Jackson’s SOSM,

but first taking into consideration the different paradigms. Jackson defines a paradigm as a world

view or way of seeing things and he indicates that four common paradigms in use in social

theory are as follows:

• the functionalist paradigm – wants to ensure that everything in the system is functioning well

so as to promote efficiency, adaptation and survival

• the interpretative paradigm – believes that social systems result from the purposes people

have which stem from interpretations they make of the situations they find themselves in

• the emancipatory paradigm – is concerned to emancipate oppressed individuals and groups in

organisations and society

• the postmodern paradigm – opposes modernist rationality that it sees present in all other three

paradigms (focuses on diversity)

My problem context has elements of both functionalist and interpretative paradigms. It is focused

on improving adaptation and survival of IT Auditing, but through taking into account the people

and their different interpretations of the situation.

Copyright UCT


Combining this into the ‘ideal type grid’ to take account of my problem context, I have selected

relevant system methodologies from those suggested by Jackson (2003) for the different

paradigms as shown below.

Figure 22: Systems approaches related to SOSM

Adapted from Jackson (2003)

I have used the Viable Systems Model (VSM) as part of organizational cybernetics in order to

gain an understanding of the relevance of my concern in the situation in order to improve

adaptability of IT Audit.

Checkland’s Soft System Methodology (SSM) is part of Soft Systems Thinking which takes into

the account the pluralist relationships among different participants. I have used SSM to gain a

richer understanding of the different viewpoints and interpretations of my participants. I provide

insight into the VSM next and discuss SSM further in this chapter.

3.3.4.4 Using the Viable Systems Model (VSM)

I have used the Stafford Beer’s Viable Systems Model (VSM) as part of understanding the mess.

In particular, I used the VSM to understand the role of IT Audit within a complex organisation

Copyright UCT


like Eskom as well to get an understanding of the threats impacting on the organisation’s

viability.

The three basic elements are the Operation, the Metasystem and the Environment. All three are

in continuous interaction as shown below:

Figure 23: VSM - O, E, M Interaction

Beer essentially argues that for an organization to be healthy and viable the five subsystems of

Operations, Coordination, Control, Intelligence and Policy activities have to be present and

healthy.

3.3.4.5 The Rationale for using Grounded Theory

Grounded Theory does not test a predefined hypothesis. Instead, it aims to understand the

research situation and to discover the theory implicit in the data (Locke, 2001). The researcher

starts with an area of concern or interest and allows the theory to emerge from the data. Given

this and that the purpose of my research was to explore the underlying dynamics impacting on

the strategic value of IT Auditing, I integrated Grounded Theory into my research framework.

I have made use of the Grounded Theory to collect my data, interpret the data and build a

‘grounded theory’ to explain the causal mechanisms impacting on strategic value of IT Audit at

Copyright UCT


Eskom. As Partington (2002) explains Grounded Theory is fundamentally about being

systematic with qualitative data.

Grounded theory is an inductive, theory discovery methodology that ‘allows the researcher to

develop a theoretical account of the general features of a topic while simultaneously grounding

the account in the empirical observations or evidence’ (Glaser and Strauss, 1967).

Grounded Theory was used to surface the key variables that drive the strategic value of IT

Auditing. To gain this understanding, it was necessary to obtain the various perspectives of all

the stakeholders. I used Grounded Theory to understand how the stakeholders interpret their

reality as Grounded Theory is effective in understanding how the stakeholders construct meaning

in their real experiences.

Partington (2002) describes the twin pillars of Grounded Theory as follows:

Constant Comparison

Each time a new instance of an existing category is found in the data, it is compared with

previous instances of the same category. If the new instance does not fit the definition, then

definition must be changed or a new category must be created.

Theoretical Sampling

Data collection process is not defined up front but is allowed to be driven by emerging ideas.

Theoretical sampling is different from statistical random sampling which is guided by rules of

statistical inference. Grounded Theorists are unrestricted by such rules. With theoretical

sampling, the data collection strategy is driven by emerging theoretical ideas. The role of

theoretical sampling is to enable the researcher to maintain control over the theory development

process by seeking to maximise or minimise selected differences and similarities between

instances of data. This increases the likelihood that new and unexpected data will be found

relating to a category.

Copyright UCT


Grounded Theory makes use of the following five different rigorous methods for data analysis:

• Open coding for conceptual understanding

• Constant comparison of codes, concepts and categories as they emerge from the data

• Memos for clarity of thought

• Discovery of the Core Category which becomes the focus for selective coding

• Theoretical coding that investigates the links between categories.

Conducting open-ended interviews early in the research process allowed me to get ‘sensitised’ to

what was important to my interviewees. In Grounded Theory, it is not about what is important to

me, but to understand the situation from the interviewee’s point of view.

The treads I discovered in earlier interviews determined how I conducted later ones. Data

collection, analysis, coding were done simultaneously. In addition, memos were used to keep a

record of my thoughts and ideas as they occurred and maintain my ideas pertinent to the

emerging theory.

Theoretical Saturation

Theoretical saturation is achieved when no new categories or properties are found, and all further

instances of data merely add to the bulk of specific instances of already discovered categories

and properties. The time has come to allow the emerging theory to solidify.

Partington (2002) points out that there can be temptation to close the analysis too soon, before

the full theoretical richness of the data has been allowed to inform the theory. Grounded Theory

aims to relentlessly search for instances which do not fit emerging categories. Therefore I was

careful about saturation, and concluded my interviews once fully convinced that the data was

saturated.

Copyright UCT


Selective Sampling of Literature

Stern (1980) as cited by Strubert et al (1999) suggests that reviewing literature before the

research study may lead to prejudgments. He suggests selective sampling of literature should

occur simultaneously with data analysis. I therefore performed selective sampling of literature

after my three core variables emerged in order to become familiar with existing literature on

these categories and identify gaps in my emerging theory.

Critique of Grounded Theory

‘There is an irony—perhaps a paradox—here: that a methodology that is based on

‘‘interpretation’’ should itself prove so hard to interpret’.

- Dey (1999) as cited by Larossa (2005)

As Suddaby (2006) points out Grounded Theory is neither perfect nor is it easy. It is inherently

messy and not an excuse not to follow any methodology and must be done with understanding of

an ontological position. I have therefore integrated Grounded Theory with Critical Realism and

other system methodologies to strengthen my research. I have also managed my bias through

careful consideration to theoretical sampling, constant comparison and the use of memos to

develop the emerging theory.

Copyright UCT


3.4.4.6 Integration of Critical Realism with Grounded Theory

By integrating Critical Realism with the Grounded Theory, I was able to collect data that was

grounded in the Empirical and Actual world. Through rigorous analysis of this data, I developed

a theory that attempts to explain the causal mechanisms in the Real world. This process is shown

further in the diagram below.

Figure 24: Integration of Critical Realism with Grounded Theory

Copyright UCT


3.3.4.7 Integration of Grounded Theory with Soft Systems Methodology

Soft Systems Methodology (SSM) was developed by Checkland (1996) for use in ill-structured

or messy problems where there is no clear view on what constitutes a problem or what action

should be taken to overcome the difficulties experienced. SSM believes that problem situations

arise when people have contrasting views on the same situation. SSM attempts to draw in and

explore a diversity of viewpoints as part of the decision making and intervention process. The

social theory implicit in SSM is interpretive rather than functionalist. Given that the nature of my

problem context also encompasses an interpretative paradigm, I have integrated SSM to take into

account the different worldviews of my key stakeholders. This was done by taking into account

human activity systems.

Jackson( 2003) defines a human activity system as a ‘model of notational systems containing

activities people need to undertake for a particular purpose’. Human Activity systems by their

very nature are complex as they act based on the different interpretations of the world. Root

definitions were created for relevant human activity systems to capture the essence of the human

activity system. I have made use of CATWOE (Customers, Actors, Transformation process,

World view, Owners and Environmental constraints) to ensure well formulated root definitions.

These are detailed in Appendix A.

As part of SSM, I also made use of the rich picture to express the problem situation. The rich

picture provides a creative understanding of the problem situation and highlights significant and

contentious issues.

To provide richer insight into my problem and to develop a sound theory grounded in the data, I

have decided to integrate Grounded Theory and SSM. Durant-Law (2005) recommends

integrating these methodologies as SSM draws data from the perspective of participants, while

Grounded Theory develops theory from the researcher. He shows how these two methodologies

are aligned as captured in the table below.

Copyright UCT


Steps Soft Systems Methodology Grounded Theory

1 The problem situation unstructured An unexplained phenomena or process

2 The problem situation expressed The phenomena or process identified

for study

3 Root definitions of relevant systems Data collection and coding

4 Conceptual model construction Theme extraction

5 Model and problem situation

comparison

Postulate generalisations

6 Feasible and desirable change

construction

Develop taxonomies

7 Actions to improve the situation Theory development

Table 4: SSM and Grounded Theory alignment

Source: Durant-Law (2005)

Therefore, by integrating these methodologies, I sought a more holistic answer to my research

question.

3.5 Data Collection

To ensure triangulation of data, I made use of a number and variety of participants. My main

source of data collection was through conversational interviews (which were recorded), but I also

used participant observations, document analysis and selective research of existing literature as

my part of my data collection.

3.6 Ethical considerations

Throughout the research process, I gave consideration to the ethical implications of my research.

I ensured that I had informed consent from my participants and handled any confidential data

sensitively.

In addition, I considered the ethical implications of my Research Answer using Velasquez’

model which deals with the following four questions:

Copyright UCT


1. Does the action, as far as possible, maximize social benefits and minimize social injuries?

2. Is the action consistent with the moral rights of those whom it will affect?

3. Will the action lead to a just distribution of benefits and burdens?

4. Does the action exhibit appropriate care for the well-being of those who are closely

related or dependent on oneself?

This is discussed in detail in Chapter 5.

3.7 Integrated Research Framework

Based on my ontological and epistemological positions justified above, my integrated research

framework developed to reach an answer to Why has IT Audit not been able to deliver strategic

value to Eskom is illustrated diagrammatically as shown below. This framework integrates

Critical Realism, Grounded Theory and Soft Systems Methodology in an attempt to provide a

more holistic explanation to answer my research question.

Figure 25: Integrated Research Framework

Copyright UCT


3.8 Conclusion

This chapter explored the research framework that I have develop in order to develop an answer

to my research question. The framework has incorporated a Critical Realism ontology and I used

an integration of system methodologies as part of my epistemology. This chapter provided a

justification for my research paradigms and my choice of system methodologies. The various

systems methods used to make sense of my situation were discussed. Furthermore, Critical

Realism was integrated with Grounded Theory and the integrated research framework was

presented. The next chapter, Chapter 4, discusses the research results and the theory that

emerged from the data, by application of this integrated research framework.

Copyright UCT


CHAPTER 4 - RESEARCH RESULTS

4.1 Introduction

The purpose of this chapter is to present and discuss the research results emanating from the

application of the integrated research framework described in Chapter 3.

As discussed in Chapter 1, my Concern relates to the “level of strategic value that is provided by

IT Auditing” and my research question is “Why has IT Audit not been able to deliver strategic

value to Eskom? “

This chapter discusses the data gathering, analysis and interpretation of the data. It integrates

Critical Realism with Grounded Theory and Soft Systems Methodology to produce an Answer to

my research question.

4.2 Developing an Answer to my Research

4.2.1 Stakeholder Identification

I first identified the relevant stakeholder that impact on the level of strategic value of IT Auditing

in A&F. In order to sweep in multiple perspectives to get a better understanding of my “messy”

problem, I considered multiple stakeholders as there may be very different views from the

stakeholders regarding what is impacting on the strategic value of IT auditing. Stakeholder

analysis was done as discussed in Chapter 1. The list of interviewee participants is provided in

Appendix A.

Copyright UCT


4.2.2 Conversational Interviews

My primary data collection was through conversational interviews. I conducted 19 interviews, of

which 15 were face-to face and 4 were conducted telephonically. Each interview lasted between

45 to 60 minutes. Grounded Theory methodology recommends the use of unstructured

interviews in order not to influence interviewees’ thought process to a specific direction and

introduce bias in their responses. The interviews that I held were generally unstructured, but

explored key themes. In line with Grounded Theory, I followed up with some interviewees again

for further clarification after analysis of the interview data. To encourage interviewees to discuss

issues openly and frankly, I assured them of confidentiality and anonymity.

Conducting open-ended interviews early in the research process allowed me to get ‘sensitised’ to

what was important to my interviewees. I was cognisant that in Grounded Theory, it was not

about what is important to me, but to understand the problem from the different stakeholder’s

points of view.

Taking into account, Critical Realism, the aim of each interview was to get the interviewees to

surface what is happening in the empirical and actual world, that is, to give an account of what

they saw and heard and not their subjective interpretation of what it may have meant.

4.2.3 Data Recording and Transcribing

Interviews were audio-taped. Recording the interviews allowed me to focus on listening and

understanding the views of the participants.

I did the transcription process myself. Although, I found this to be extremely tedious and time

consuming, I realised that this joint process of transcription, coding and analysis, afforded me the

opportunity to become sensitised to the full richness of the data. The slowness of the process

helped to contribute to theoretical depth. Initially, I started off transcribing almost every word.

Copyright UCT


As I became more sensitised to the data and emerging theories, I was more selective as to what I

transcribed in full and what I paraphrased.

In addition to the voice recording, I took my own notes which guided me as memos as well. I

used these memos to freely record my thoughts and ideas as they occurred. I noted down my

ideas and reflections throughout the coding process in the memos as well.

4.3 Concept formation: Coding and Emergence of Categories

4.3.1 Level 1 coding (Substantive Coding)

As part of this process, I made some use of ‘invivo’ codes – where words of participants were

used to ‘stay close to the data’, which is an essential feature of grounded theory. I did the data

collection, coding and analysis jointly from the beginning.

I allocated properties and dimensions to categories to allow me to becoming sensitised to the

extreme characteristics in the data and to drive theoretical sampling. An example is shown

below.

Category Property Dimension

Systems Auditing Understanding of the

business

Limited Extensive

Table 5: Example of Property and Dimensions of category

4.3.1.1Theoretical Sampling

Theoretical sampling is different from statistical random sampling which is guided by rules of

statistical inference. With theoretical sampling, the data collection strategy is driven by emerging

theoretical ideas. It increases the likelihood that new and unexpected data will be found relating

to a category. In addition, early interviews led to identification of additional interviewees who I

had not initially considered.

Copyright UCT


4.3.1.2 Emergence of Categories

The following categories emerged from my first round of Interviews:

Ref. Categories

1 Focus of IT Audit on Advisory/Consulting

2 Intelligence (Internal & External)

3 Quality of Skills

4 Organisational Structure and design

5 Understanding the business as a whole

6 Shared value proposition

Table 6: Categories – Data Collection Round 1

The emergent codes, categories and concepts from this round of interviews were used as a basis

for coding the next round of interviews.

4.3.2 Level II Coding

Level II coding makes use of the constant comparative method. As I coded the data, each time a

new instance of an existing category was found, I compared this with previous instances of the

same category. If the new instance did not fit the existing category, I either changed the category

to fit the new instance and all previous instances, or created a new category. Through the second

round of interviews, in some instances, the data revealed new codes that required to be assigned

to a different category.

Copyright UCT


From the analysis of the data from the second round, there was a sense that new categories were

emerging. I therefore created additional categories as shown below:

Ref. Categories

7 Understanding of strategic value

8 Mindfulness

Table 7: Categories – Data Collection Round 2

Furthermore, the existing category Understanding of the business as a whole was broadened to

be that of Systems Auditing to be more inclusive of the additional codes that emerged during this

round of interviews. In addition, the category Quality of skills was modified to Strategic skills

and Competencies as this round of data emphasised the importance of behavioural competencies

as well. The other codes emerged to strengthen the existing categories. As the concepts were

still emerging from my interviews, I had not yet reached saturation. Hence, I scheduled further

interviews.

Elliot and Lazenbatt (2004) highlight that an important feature of grounded theory is that it does

not require that the researcher return to the original participants to check if participants agree

with the researcher’s interpretation of data. Instead, I made use of theoretical sampling and

constant comparison to move on to involve other people who have different experiences to see if

the findings hold if new data is collected.

4.3.3 Theoretical Saturation

Theoretical saturation is achieved when no new categories or properties are found, and all further

instances of data merely add to the bulk of specific instances of already discovered categories

and properties. There can be temptation to close the analysis too soon. Therefore I was careful

about saturation, and performed an additional three interviews to be fully convinced that the data

was saturated. This round of interviews did not lead to any new categories, although concepts

emerged to strengthen the existing categories.

Copyright UCT


4.3.4 Concept Modification and Integration (Emergence of Core Variables)

After my final round of interviews, the following emerged as the saturated categories (detailed

concepts provided in the Appendix):

Ref. Categories

1 Level of Involvement in consulting/advisory

2 Level of Strategic skills and competencies

3 Level of Mindfulness

4 Level of Systems Auditing

5 Effectiveness of Shared Value Proposition

6 Level of internal and external Intelligence

7 Level of Continuous learning and adaptability

8 Effectiveness of Organisational structure and design

Table 8: Saturated Categories

Once I obtained the final saturated categories, it became necessary to reduce the number of

categories in order to determine the core categories or variables. In order to reduce to three

variables or key drivers, I made use of Inter-relationship diagraph (ID) for this. The key variables

that resulted through this process were the level of Mindfulness, level of Strategic Skills and

Competencies, effectiveness of Shared value proposition. The variables that emerged as the main

outcomes were found to be effectiveness of consulting/advisory, level of Systems Auditing and

level of continuous learning and adaptability.

Copyright UCT


The ID is shown below.

Figure 26: Inter-relationship Diagram

The following data expands on my research findings relating to the above concepts/variables.

Strategic skills and competencies

The majority of the interviews highlighted the concern around skills and competencies of IT

auditors that need to evolve beyond technical skills, and focus on the increasing importance of

behavioural competencies as well as understanding of the business. The following extract of

quotes illustrates this sentiment:

“IT Auditors can’t get by anymore with having just technical expertise, we need a package of

skills”

“Specialist knowledge in IT is not enough, we need to be able to think and converse

strategically”

“We have to get away from IT jargon and speak the business language”

“We have to understand how the IT systems impact on the business objectives”

Copyright UCT


“We don’t have the mindset of how IT systems impact at the strategic level”

“Auditors need to be able to ask insightful questions”

Mindfulness

It emerged through the interviews that there is a need for auditors to move away from the

compliance mindset (“tick and bash” auditing) and instead to bringing in new fresh insight and

being able to rely on their sense of intuition more. It also surfaced that auditors need to be more

reflective and question assumptions as they audit. This is evident in the quotes below:

“It’s like we have blinkers on, rigidly following the audit programme”

“We are taught to look for evidence, therefore we hardly rely on our instinct”

“Auditors need to develop greater awareness in scanning the internal and external

environment”

“We have to be able to think out of the box”

“We don’t have time to sit back and diagnose. We chase one audit after the other”

Shared Value Proposition

Many interviewees expressed the concern around the lack of a shared meaning and direction for

Audit. They feel that strategic planning is part of management’s tasks and do not feel a sense of

involvement in the process, all shown below.

“There must visible and felt leadership in driving strategy”

“We don’t have a shared meaning of what adding value is”

“Strategy planning is done by the managers in isolation”

“We need to create awareness so that auditors understand what it means to give strategic value”

Copyright UCT


Systems Auditing

Systems auditing involves having a systemic view of an organisation. It was evident from the

interviews that there is a lack of understanding of the organisation as a whole. As a result

auditors are auditing the organisation in functional silos, without understanding the systemic

nature of the organisation. They are particularly not focused on the interdependencies and

implications of IT systems across the whole organisation as illustrated below.

“IT auditors need to understand the bigger picture”

“It’s like we are playing ping-pong, we audit one IT system here and another there”

“We don’t have an understanding of the value chains across Eskom”

“IT Auditors are digging in the trenches, but we need a helicopter view from them”

“IT is like electricity – cuts across all spheres of life”.

Continuous learning and Adaptability

Another key concept that emerged was the perception of a lack of a continuous learning culture

and Audit not easily adapting to change. This perception seems to be driven by there being so

much of change in Eskom and the environment, but Internal Audit has not changed much in

responding to these changes.

“There is no robust market intelligence that Audit provides”

“I pay for ADR (Audit Director Roundtable) and other subscriptions, but auditors are not

continuously updating themselves”

“We are reactive and not forward looking”

“We do not have a culture of continuously updating ourselves”

Copyright UCT


4.3.5 Selective Sampling of Literature

Stern (1980) as cited by Strubert et. al (1999) suggests that reviewing literature before the

research study may lead to prejudgments. He suggests selective sampling of literature should

occur simultaneously with data analysis. I performed selective sampling of literature around my

three core variables that emerged, that is, Degree of mindfulness, Effectiveness of Shared Value

Proposition, and Level of strategic skills & competencies. The purpose of this was to become

familiar with existing literature on these categories and to fill in the missing pieces in my

emerging theory. The results thereof have been captured in Chapter 2.

4.3.6 Triangulation of Data

To add more rigour to my data and test the validity of what has surfaced, I considered other

sources to ensure that I had a triangulated body of data.

I also made use of participant observation by attending the Strategic Risk Assessment workshop.

The top risks for A&F identified at the workshop were:

• Lack of strategic direction – There is no strategic roadmap. Strategic management is not

embedded in daily activities and treated as separate exercise.

• Skills and competencies – Recognition that a different skills set (beyond technical skills)

is required to meet the current challenges.

These two relate risks relate directly to my two core variables of Shared value proposition and

strategic skills and competencies. Mindfulness did not explicitly emerge as a key risk. However

references to mindfulness were made in terms of resilience and adaptability of the department.

Discussions focused around having to move away from a compliance mindset and evolving to

become a trusted advisor. This focused on how to make Internal Audit more proactive to be able

to adequately highlight emerging risks.

Copyright UCT


I performed another participant observation by attending a Team Quality Circle meeting. The

findings were as shown below.

Core variable Finding

Mindfulness Auto-pilot mode – Compliance mindset when

performing the audit. Very little attention was paid

to seeing the audit from a different angle.

Shared Value Proposition Risk regarding lack of “compelling sense of the

future”. Auditors’ level of understanding of how to

add value to client is questionable.

Strategic skills and competences Problem with scoping and not understanding the

bigger picture of Eskom.

Conflict with client – having strategic foresight to

minimize these conflicts and the importance of

communication as a skill

Table 9: Results from Participant Observation

Further, to strengthen triangulation around Mindfulness, I surveyed a few auditors and managers

using the Mindfulness Audit developed by Weick and Sutcliffe’s (2001). The results showed that

Mindfulness needs to be improved at both a personal and organizational level in A&F. This

supported my findings related to Mindfulness.

4.4 Substantive Theory Generation (Emergence of Theory)

4.4.1Theoretical coding

Having established the saturated categories, I now focus on theoretical coding. Glaser (1978,

1992) advocates that theoretical coding examines the saturated categories and provides the

researcher with analytic criteria, which assists in the development of conceptual relationships

between categories and relevant literature.

Copyright UCT


For the purposes of this research, I have found it more suitable to use an already established

archetype as my theoretical code, instead of the coding families. As I am focusing on strategic

management and specifically on creating a sustained competitive advantage for IT Auditing, I

researched relevant archetypes and models in this field. After considering numerous models, I

found that the Business Idea model was most suitable to my situation.

The Business Idea Archetype

The Business Idea model provides a method to consider the “future viability of a business

proposition in all basic aspects that together make for longer-term success'' (Van der

Heijden,1996). He describes the Business Idea as the organisation's mental model of the forces

behind its current and future success.

The Business Idea comprises the following four elements:

1. The societal/customer value created.

2. The nature of the Competitive Advantage exploited.

3. The Distinctive Competencies which, in their mutually reinforcing interaction, create

Competitive Advantage.

The three elements must be configured into the fourth element:

4. A positive feedback loop, in which resources generated drive growth.

Copyright UCT


The Generic Business Idea is represented systemically as follows:

The Business Idea (BI – v/d Heijden)

Figure 27: The Generic Business Idea (Source: v/d Heijden, 1996)

By analysing my variables, I have made the following comparisons to the elements of the

Business Idea.

Elements of Business Idea Comparison to my Categories/variables

Customer Value Created Strategic Value of IT Auditing

Distinctive Competencies Level of Strategic Skills, level of mindfulness,

effectiveness of Shared Value Proposition

Nature of Competitive Advantage exploited Differentiation, through level of Adaptability and

level of Systems auditing

Dominant loop (that creates barrier to entry) Mindfulness � Shared Value proposition �

Adaptability � Systems auditing �

Mindfulness

Table 10: Business Idea Comparison

Using this archetype to inform the relationship between my variables, a Concern Causal loop

diagram was created to link the variables from my Grounded Theory. Jackson (2003) states that

Causal Loop Diagrams (CLDs) are system tools which can provide a holistic system description

of “what is going on” within a system of interest. The Concern Causal loop diagram shows the

Copyright UCT


casual mechanism driving the behaviour of strategic value of IT Auditing. The rationale is

explained loop by loop further in this chapter.

Level of strategic value

of IT Auditing

Level of strategic skills

and competencies

Effectiveness of Shared

value proposition

Level of Systems

Auditing

Level of adaptability

and continous learning

Level of

Mindfulness

SS

S

S

S

SS

R2

R1

SR3

S

R4

Figure 28: Causal mechanisms driving the behaviour of strategic value of IT Auditing

The following is a representation of how it aligns to the Business Idea archetype.

Figure 29: Comparison to Business Idea

Copyright UCT


The Competitive advantage exploited :

Mindfulness –> Leadership Value proposition –> Adaptability –> systems auditing – >

Mindfulness (Dominant loop)

This creates a differentiator and the relationships are explained below to show how this creates a

barrier to entry for newcomers. This loop is strengthened by the Distinctive Competencies.

My Concern Causal loop diagram has the following loops:

The mindfulness loop focuses on creating a more mindful culture in IT Auditing that allows

auditors to become more alert and develop a heightened sense of awareness when auditing.

The competence loop is concerned with developing the right mix of skills and competencies that

are required to take auditing to the next level (allows auditors to consistently deliver value add to

the client, enable decision making).

The Adaptability loop deals with creating an organization that is adaptable to change.

The Shared value loop focuses on leadership working collectively with employees to define and

understand the value proposition of IT Auditing.

4.4.2 Storylines of the Loops - The Rationale

To demonstrate the rationale, I discuss the Concern Causal loop diagram, loop by loop below.

Copyright UCT


Reinforcing loop R1 – Competency loop


of IT Auditing


and competencies

Level of Systems

Auditing

SS

S

R1

Figure 30: Competency Loop

The level of strategic skills and competencies impact on the level of systems auditing that is

done. The reason for this is that auditors possessing mainly IT technical skills may produce good

technical audits which are however not contextualized in terms of Eskom’s business. The

interviews revealed that the right mix of skills, which encompass behavioural competencies such

as the ability to ask insightful questions, will allow the IT auditor to surface real root causes of

problems and improves his ability to understand the business organisation as a whole. The

increase in the competence allows for a better understanding of the organisation and the

complexities in the environment. This understanding of the organisation as a system, with key

links and interdependencies therefore reinforces systems auditing, and moves away from

auditing in functional silos.

I further claim that the increase in the level of systems auditing increases the level of strategic

value of IT Auditing. My memos show that auditing Eskom at a systemic level will provide

auditing that is more aligned with Eskom’s strategic objectives and will also surface gaps in

information flows across the functional areas. Hence the strategic value of the IT audit is

increased as it now focuses on understanding how the IT processes and systems support the

strategic objectives.

Copyright UCT


The level of strategic value in turn leads to the increase in strategic skills and competencies.

Based on our experience, as Eskom executive management recognises the value of IT Auditing

and its role in enabling sound decision making, it is more open to Audit’s resourcing needs. This

allows for greater investment in skills development, increasing the skills and competencies.

Furthermore, as the strategic value improves, there will greater support from business

management to second people to Audit to provide specialist expertise. In addition, as IT Audit

strategic value increases, it becomes easier to retain talent and recruit new talent. Auditors have

indicated in the interviews that they are more motivated to work for an organization that is seen

to add value.

Reinforcing loop R2 – Adaptability loop


of IT Auditing


and competencies


value proposition

Level of Systems

Auditing



Level of

Mindfulness

SS

S

S

S

SS

R2

R1

Figure 31: Adaptability Loop

The level of mindfulness impacts on the effectiveness of shared value proposition. A high degree

of mindfulness leads to an effective shared value proposition that is collectively created and

understood by leadership, audit clients and audit staff.

The reason for this claim is that an increase in the level of mindfulness creates a greater

awareness of the external environment and the need to add value and be sustainable as an

Copyright UCT


organisation. This will drive the development of a shared value proposition, ensuring common

understanding with customers, audit management, and all audit staff. As an interviewee pointed

out “a compelling sense of the future is created”. Furthermore, as revealed in my memos, if

auditors are more aware and alert, they become more adaptable and realise that strategic

management is dynamic and that value proposition is not a once-off event, but requires constant

monitoring and adapting thereof.

I further claim that effective shared value proposition leads to an increase in adaptability in the

organisation. From my memos, there was a sense that auditors resisted change to a degree as

they didn’t have a single clear view of what A&F’s intent is for the future. When there is a

shared assumption and understanding of value creation, employees have a greater sense of

purpose and are more open to change and adaptable.

An increase in continuous learning and adaptability leads to an increase in the extent of systems

auditing. The reason for this is as employees become more adaptable, they are more flexible in

their thinking and better able to understand the complexities in the organisation. Hence, they are

more open to holistic systems auditing as compared to traditional compliance auditing.

I finally claim that Systems auditing reinforces the degree of mindfulness. As auditors start to

understand the organization as a whole, they become insightful and look beyond the surface

problems. This leads to them being more aware of and open to potential “failures of the system”,

a key characteristic of mindfulness as indicated in the literature review.

Copyright UCT


Reinforcing loop R3 – Mindfulness loop


of IT Auditing


and competencies


value proposition

Level of Systems

Auditing



Level of

Mindfulness

SS

S

S

S

SS

R2

R1

SR3

Figure 32: Mindfulness Loop

I claim that an increase in the level mindfulness results in an increase in strategic skills and

competencies. As an auditor remarked “if we are more aware of our environment, we will be

able to provide more value to the business by uncovering real root causes”. As auditors become

more mindful and sensing auditors, they develop a heightened awareness and understanding of

the complexities in the environment. This increases strategic skills and competencies, not only at

individual level but also at organizational level.

The relationship between the three variables Strategic skills and competencies, Systems auditing

and Mindfulness have already been discussed above as part of the Competency and Adaptability

loops.

Copyright UCT


Reinforcing loop R4 - Shared Value loop


of IT Auditing


and competencies


value proposition

Level of Systems

Auditing



Level of

Mindfulness

SS

S

S

S

SS

R2

R1

SR3

S

R4

Figure 33: Shared Value Loop

My final claim is that an increase in the effectiveness of Shared Value Proposition leads to an

increase in the strategic value of IT Auditing. There was consensus amongst most of the

interviewees that the effectiveness of strategic outcomes is largely dependent on buy-in to the

compelling vision of the future created. This was supported by the literature review as well. The

shared understanding of value creation will focus IT Auditing on the role of IT in enabling

strategic objectives of Eskom, therefore increase strategic value.

By combining the above variables and the relationships between them, I am able to access the

Actual World and combine it with the Empirical World to develop a more trustworthy theory

that accounts for what is happening in the Real World and in turn driving the behaviour of the

low levels of strategic value.

Copyright UCT


4.4.3 LadyBird Metaphor

Jackson (2003) highlights the importance of metaphors in enabling us to be more creative.

I have created my own metaphor for the Concern CLD above. It resembles that of a ladybird. My

ladybird has wings of competency and adaptability, built on a foundation on value proposition

which is spearheaded by mindfulness. Coincidentally, research has shown that ladybirds are used

as pest control insects as they highly adaptable and able to sustain themselves even though the

environment changes. Linking back to the business idea archetype, ensuring adaptability is

essential to survival. Therefore, IT Audit, similar to the ladybird, by having a head of

mindfulness and wings of competency and adaptability, and supported by a body of shared value

proposition, and having positive feedback (or reinforcing loops) will be able to survive and adapt

in a changing environment.

4.5 Conclusion

In this chapter, data was presented and analysed as per application of the research framework

developed in Chapter 3. The core categories or variables that emerged from the Grounded

Theory process were the level of Mindfulness, the effectiveness of Shared Value Proposition,

and the level of Strategic skills and competencies. The Grounded Theory process resulted in an

emergent theory which is context specific and grounded in the data. The rationale for the Answer

was discussed loop by loop.

One of the reasons that the legacy of Glaser and Strauss has become dimmed and diluted is that

their approach is difficult to grasp, particularly for novice qualitative researchers. (Partington)

I found that my experience with grounded theory was not an easy one. I have had to ‘wrestle’

with the data (Ryan, 2009). At the beginning of the process, I experienced feelings of lack of

control and required patience. But the process was rewarding at the end as the theory solidified.

My theory seemed powerful and realistic as it was grounded in the data.

Copyright UCT


Chapter 5 will now provide a critical evaluation of the research results. The significance and

implications of this research, together with ethical considerations and future areas for

development will also be explored.

Copyright UCT


CHAPTER 5 - CONCLUSION AND EVALUATION

Having analysed the data and developed a theory that explains the causal mechanisms driving the

behaviour of the strategic value of IT Auditing, this chapter now discusses the Significance and

Implications of my Research and critically evaluates the research in terms of Relevance, Utility,

Validity and Ethical considerations. It concludes with a discussion of my personal learnings and

areas for future research.

5.1 Significance of the Research Results

This research has significance and makes a contribution to the broader research context and the

parent discipline covered in Chapter 2 in three areas as discussed below.

• Adding results derived from system thinking to the existing literature

The literature review indicated that although internal audit functions are aware that they need to

change to meet the evolving role of internal auditors, they have not reflected this change. The

literature has shown that over sixty percent of internal audit work is still focused on traditional

assurance. Based on my experience, I claim that A&F, like other internal audit functions

indicated in the literature review, has not reflected the change required mainly due to not having

a systemic understanding of how to add strategic value. Thus far, as the literature review has

shown, we have been provided with various recommendations to strategically position internal

auditing for the long term, but without understanding causal mechanisms driving the behaviour

of strategic value of IT Auditing. My research builds on the body of knowledge by using a

systems thinking perspective that results in understanding these causal mechanisms. By now

having this insight, it can lead to more effective decisions and actions taken to improve the

strategic value of IT Auditing. To re-iterate the words of Bhaskar ”we will only be able to

understand, and also change, the social world if we identify the structures at work that generate

those events and discourses”.

Copyright UCT


• Adds to literature on Strategic Management in State-owned Electricity Utilities

I was unable to find literature relating to Strategic value of IT Auditing in an electricity utility,

let alone that of a state-owned electricity utility. This research is therefore significant for

electricity utilities that are facing global strategic challenges and rely on technology to meet their

strategic objectives. This is even more significant for state-owned electricity utilities that have

the additional challenge of balancing the public interest with the ‘money’ interest. State-owned

electricity utilities operating in developing countries, similar to South Africa, have to ensure that

socio-economic objectives are taken into consideration rather than just plain pursuit of profits.

• Integrates Strategic Management Theories

Existing literature indicate that the traditional approaches to strategic management are not

adequate. In addition, it highlights that some of the leading perspectives and models of strategic

management should not be treated in isolation as they can actually complement each other. My

research findings adds insight into this by not only showing how three leading perspectives on

Strategic Management (viz. Resource Based View, Dynamic Capability and Strategy-as-

Practice) complement each, but also how they can systemically integrate with each other to drive

strategic value of IT Auditing. As discussed in Chapter 4, as part of my ladybird metaphor, the

competency wing supports the theory of Resource Based View, while the Adaptability wing is

linked to dynamic Capabilities. This is integrated with the Shared Value loop which can be

likened to Strategy-as-practice as it focuses on embedding strategy in the organization.

I see this as an example of Jackson’s Creative Holism in action that using methods in isolation is

not sufficient to deal with complex problems, but a combination of methods or system

approaches is required.

Copyright UCT


5.2 Implications and consequences

Having looked at the significance of the results to the broader research context, I now consider

the implications and consequences of the research results for IT Audit (and A&F) in Eskom.

This considers the Utility to establish how adequately the research Answer answers the question

raised and addresses the concern of strategic value of IT Auditing.

Establishing Utility

The first step in establishing Utility deals with the Question that is to be asked. In framing my

research, as demonstrated in Chapter 1, I ensured that I ask a powerful question so that it deals

with my Concern.

I have discussed in Chapter 4, the rationale loop by loop of how the research findings will

address the Concern regarding the level of strategic value of IT Auditing. To summarise, my

theory developed explains that the distinctive competencies of Mindfulness, Strategic skills and

competencies, and Shared value proposition, in their mutually reinforcing interaction, drives the

strategic value of IT Auditing.

The mutually reinforcing interaction enhances competencies, creates adaptability and creates

focus on the people aspects of strategy and the embedding thereof. It therefore increases IT

Audit’s ability to sense changes in the environment and transform these into new products,

services and processes to build added value for the future. This will lead to understanding the

trends in external environment will provide insight into emerging risks and indicate where the

organization is likely to experience stress. This positions IT Audit to fulfill the role of a true

System 3* function. This improves its strategic value and places it in a position to advise Eskom

on its strategic objectives by feeding the Control function with the required information it needs

to improve Control and Cohesion.

Copyright UCT


In considering the Business Idea, the key question is “What is unique about this formula, and

why are others unable to emulate it?” (van der Heijden, 1996). The answer shows how the

distinctive competencies of Mindfulness, Strategic skills and competencies, and Shared value

proposition, in their mutually reinforcing interaction, drives the strategic value of IT Auditing. It

is through the mutually reinforcing interaction that creates the uniqueness and creates sustained

competitive advantage for IT Audit.

I therefore conclude that in ensuring I asked a powerful question to deal with my concern, and

developing my Answer as the theory that emerged through rigorous application of the Grounded

Theory methodology, it is plausible that the Answer addresses the Question to deal with the

Concern. Furthermore, research findings on my core variables were supported by the literature

review.

I must clarify that my intent is not to present the Answer as a panacea, but taking into

consideration the above, I provide sufficient evidence that the Answer is plausible. However, the

Answer requires a mindset change. Firstly, mindfulness in auditing is a new concept.

Traditionally auditors have been schooled in a compliance mindset, and were not encouraged to

think out of the box, but to rigidly follow established audit programmes. There is also the risk

that mindfulness could be confused with some sort of meditation and religious connotation

which could increase resistance to embracing mindfulness.

Furthermore, my theory shows that developing strategic value is not a quick fix, and requires

constantly working at it and embedding it into day to day activities. Those managers in audit

looking for quick fixes will be discouraged with this Answer.

Copyright UCT


5.3 Evaluation

In the following section, I evaluate my research in terms of Relevance and Validity of my

research findings. The Utility has been discussed under Implications above.

5.3.1 Relevance

The purpose of Relevance is to establish if the concern of strategic value of IT Auditing is

relevant to the research context, that of Eskom.

With respect to the evolving role of Internal Auditing, including that of IT Auditing, my research

has relevance as auditing functions are pressurised to deliver strategic value amidst increase

change and complexities facing their organisations. The changes in technology and the demand

for assurance in specific areas, like IT governance, add to complexities and uncertainties that an

IT auditor has to deal with.

This is especially true in the case of IT Audit at Eskom. IT Audit’s future viability is dependent

on the strategic value that it offers. Eskom is dependent on Information technology to run its

business. Eskom has a huge responsibility towards providing electricity for the country. With the

numerous challenges being experienced in Eskom, it requires IT assurance and consulting that

offers strategic value, signal signs of stress for the organisation and provide information that is

lacking. If IT Audit is unable to fulfill its role, it poses threats to the viability of Eskom as a

whole.

Furthermore, with Eskom streamlining its processes and focusing on effectiveness and efficiency

thereof on its path to regaining its image to that of a reputable global company, the pressure for

IT Auditing to demonstrate its value add, is heightened. This also increases the threat of IT

Auditing being outsourced if is not be able to improve its strategic value.

Copyright UCT


In Chapter 1, I have made use of system tools which collectively highlight the relevance of the

Concern to the Situation. The application of Beer’s VSM revealed weaknesses in IT Audit in its

role as S3* in serving Eskom. The stakeholder analyses and root definitions highlighted the

different perspectives on the situation. The rich picture enhanced my understanding of the

concern within the situation.

I therefore conclude that relevance of the concern of strategic value of IT Auditing to Eskom has

been established.

5.3.2 Validity

To ensure Validity and provide a rationale for my research findings, I paid particular attention to

the Dependability and Credibility of the answer, as well as its Confirmability and Transferability.

5.3.2.1 Dependability and Credibility

I have followed a rigorous process for this research study. In Chapter 3, I have provided

motivation for the approaches, tools and methods that I had selected to use. The evidence of the

application thereof are detailed in the others chapters as well as the Appendix.

In ensuring that my research findings are valid, I focused on the following:

• Use of unstructured conversational interviews with key stakeholders

• Interviewing different stakeholders to sweep in multiple perspectives

• Consideration to boundary judgements

• Use of theoretical sampling to guide solidifying of theory

• Saturation process to strengthen validity

• Triangulation of interviews with participant observation, document review and mindfulness

survey

• Sourcing of literature from credible and reputable sources

Copyright UCT


Furthermore, I made a careful selection of system methodologies based on Critical Holism

(Jackson, 2003). I have made use of system tools appropriate for the functional and interpretative

paradigms relevant to my problem context. The justifications for these paradigms and selection

of system methodologies have been provided in Chapter 3.

In addition, my 16 years of experience spanning both IT and Auditing professions lends

credibility to the research. The past two years on the EMBA programme has enhanced my

understanding of and application of systems thinking.

5.3.2.2 Confirmability

I claim that my research has confirmability as I have reasonably provided sufficient information

for a third party to follow and confirm the process that I have followed. Evidence and audit trails

of work done are contained in the Appendices. The rationale for the findings is discussed loop by

loop in Chapter 4. Finally, memos and transcriptions of the interviews conducted are available on

request.

5.3.2.3 Transferrability

The learning from this research is transferrable to other aspects of my management practice. The

use of the SCQARE framework and the Management Practice Triad has provided me with

insight into using systems thinking to tackle other messy and ill constructed problems.

However, I cannot claim with certainty that the researching findings are transferrable to other

internal auditing functions as this was a qualitative research and was limited to the internal IT

audit function in Eskom. Although it is evident in the literature review that the Internal Auditing

profession as a whole, shares similar concerns, the research findings cannot be just generalized

to internal auditing functions in other organisations.

Copyright UCT


5.4 Ethical Considerations

In formulating my Answer CLD strategy, I took into account the ethical implications of my

answer. Using the Velasquez (2006) approach, I considered the following questions:

• Does the action, as far as possible, maximize social benefits and minimize social

injuries?

In terms of utilitarian theory, this means that we need to consider all the costs and benefits that

will follow from an action and weigh these up against one another. With regard to implementing

my answer to improve the level of strategic value of IT Auditing, I believe that the action would

“generate the greatest good for the greatest number” (Velasquez,2006).

Exploiting distinctive competencies of mindfulness, strategic skills and competencies, and shared

value proposition will increase the extent of systems auditing as auditors will now have a holistic

understanding of the business. This will lead to understanding of the complexities in the business

and external environment and will positively impact on the strategic value of IT Auditing.

Hence, having the key information required to enable strategic decision making will direct

improve the viability of Eskom.

In addition, this will help to restore the credibility of A&F and prevent outsourcing and avoid

possible retrenchments. This impacts directly on employees and their families. In addition,

enhanced competencies lead to more confident and motivated employees, possibly having a

positive influence on their remuneration.

Furthermore, taking into account Eskom as a key stakeholder, the greater good that will result to

Eskom, will be improving its viability. This will enhance effectiveness and efficiency of

operations, ultimately benefiting the community and the country as a whole. The larger society

benefits from Eskom’s risks being well mitigated.

Based on the above, I believe that overall implementation of the answer would maximize social

benefits while minimizing social injuries. In fact by not doing anything to improve the level of

Copyright UCT


strategic value of IT auditing, greater social injuries would result to employees, customers, and

ultimately the community at large.

• Is the action consistent with the moral rights of those whom it will affect?

In terms of the argument of John Locke (1632-1704) as cited by Velasquez (2006), individuals

have moral rights irrespective of the needs of society as whole. In considering my Answer, I took

into account whether any of the decisions went against employees’ moral rights. None of my

actions violate employees’ moral rights. In fact, it helps to protect their right to employment as

their mindfulness and their skills and competencies increase, making them more valued

employees.

In terms of the rights of the consumers, one can argue whether consumers have a right to

electricity as a “societal need” in terms of the government’s development targets or should it be

provided to only those privileged enough to afford electricity. Eskom is facing challenges with

keeping the lights burning. Implementation of the Answer improves the strategic value of IT

Auditing which will assist in increasing the viability of Eskom as threats and risks will be

identified earlier, thereby helping to protect the right to electricity.

However, if the concept of mindfulness is perceived to be that of meditation and having religious

connotations, it could be seen as infringing on people’s right to freedom of religion. This needs

to be carefully managed as this not the intent behind encouraging mindfulness in auditing.

• Will the action lead to a just distribution of benefits and burdens?

The distribution of benefits would be just as all stakeholders will benefit from improved strategic

value of IT auditing. There is no intention of placing burdens on any stakeholder. However,

management could be seen as being more burdened in implementation of the Answer as the

Answer provided does not propose a quick fix solution and will initially require effort and

mindset change. But, this is compensated for in the long run as implementation of the Answer

improves sustainability of IT Audit.

Copyright UCT


• Does the action exhibit appropriate care for the well-being of those who are closely

related to or dependent on oneself?

My Answer takes into account the well-being of all key stakeholders. The shared value

proposition promotes greater care by encouraging closer engagement with staff who are currently

left out of the strategic management process. The Answer also promotes greater care towards

audit clients as mindfulness, in particular, will encourage auditing in a cordial environment,

away from that of a ‘policeman’ mentality.

5.5 Areas for future research

Based on the evolving role of internal auditing, it would also be useful to extend the research

wider to IT Audit functions in other organisations, and perhaps to even research IT Audit

functions in external audit assurance providers to test how generalizable these research findings

are to other organisations.

In addition, further research could be done on developing actionable interventions to improve the

strategic value of IT auditing. Furthermore, this research was approached from a qualitative

perspective and certain aspects of the research could be extended by performing a quantitative

research to validate the research findings.

‘I like to think of the end result of a qualitative study not as an end but as a beginning. I

anticipate quantiative follow-up for many of the discoveries of qualitative research.’ (Zyanski as

cited by Crabtree & Miller, 1992)

Copyright UCT


5.6 Personal Reflection and Learning

I found that I have derived immense value from this research, and gained new insight into

theories and practices. I have been able to make better sense of my Auditing world and learnt to

see this world through the eyes of others. The ladybird theory that emerged enriches my

understanding of how to improve the strategic value of IT Auditing in Eskom. In general, the

system thinking perspective has provided me with a more holistic approach to tacking similar ill-

structured problems in future.

5.7 Conclusion

This chapter discussed the significance of this research to the broader research context.

Furthermore, based on the arguments presented, I demonstrated that my research has more than a

reasonable level of relevance, utility and validity. The careful consideration of ethics also shows

that the Answer does not violate any ethical principles. In addition, this research has provided a

basis for future research.

Finally, I too like to think of the end of the EMBA journey not as an end, but as a beginning; a

beginning of endless possibilities when seeing through systems thinking eyes…

Copyright UCT


BIBLIOGRAPHY

ADR. (2010). Next Generation Auditing: Building the Audit plan from Strategic Objectives from

Audit Director Roundtable. Retrieved December 2010, from Audit Director Roundtable:

www.adr.executiveboard.com

Bailey, J. A. (2010). Global Internal Audit Survey: Core Competences for Today’s Internal

Auditor – Report II. Florida: IIA.

Beer, S. (1981). Brain of the Firm. Chichester: John Wiley & Sons.

Birol, F. (2007). Energy Economics: A place for energy poverty in the agenda? The Energy

Journal, 1-6.

Bitar, J. (2004). A contingency View of Dynamic Capabilities. HEC Montreal.

Crabtree, L., & Miller, W. (1992). Doing Qualitative Research - Research Methods for Primary

Care. London: Sage Publications.

Davis, I. (2007). Government as a business. McKinsey Quarterly.

Dittenhofer, M. A., Evans, R. L., Ramamoorti, S., & Ziegenfuss, D. E. (2010). Behavioral

Dimesions of Internal Auditing: A practical guide to professional relationships in

internal auditing. IIA.

Durant-Law, G. (2005). The Philosophical Trinity: Soft Systems Methodology & Grounded

Theory. University of Canberra, 2-30.

Heijden, K. v. (1996). Scenarios - The Art of strategic Conversation. Wiley.

Hoebeke, L. (2000). Making Work Systems Better - Internet Edition.

Jackson, M. C. (2003). Systems Thinking - Creative Holism for Managers. Chichester: John

Wiley & Sons.

Jarzabhowski, P. (2002). Centralised or decentralised? Strategic Implications of resource

Allocation Models. Higher Education Quarterly, 5-32.

Jeurgens, M. (2006). Global Technology Audit Guide: Management of IT Auditing. Florida: The

Institute of Internal Auditors.

K Weick, K. S. (2001). Managing the Unexpected.

King Report on Governance for South Africa. (2009). Institute of Directors (Southern Africa).

KPMG. (2000). New Strategies and best practices in Internal audit: An emerging model for

building organizational value focusing on risk. KPMG Assurance and Advisory Services

Center.

Lamberg, J., & Parvinen, P. (2003). The River Metaphor for Strategic Management. Eurpoen

Managent Journal, 549-557.

Langer, E. J. (2000a). Mindful Learning. Current Dimensions in Psychology, 220-223.

Langer, E. J. (2000b). The Construct of Mindfulness. Journal of Social Isssues.

Lee, I. (2009, July 29). Internal Audit - increasing its value in recessionary times., (p. 8).

Wellington New Zealand.

Mays, N., & Pope, C. (1995). Reaching the parts other methods cannot reach: an introduction to

qualiatative methods in health and health services research. BMJ, 311(1), 42-45.

Moore, M. H. (1997). Creating Publc Value - Strategic Management in Government.

Cambridge: Harvard University Press.

P Jarzabkowski, A. P. (2009). Strategy-as-practice: A review and future directions for the field.

International Journal of Management Reviews, 11(1), 69-95.

Copyright UCT


Partington, D. (2002). Essential Skills for Management Research. London: Sage Publications.

Perkin, D. N., & Ritchhart, R. (2000). Life in the Mindful Classroom: Nurturing the Disposition

of Mindfulnes. Journal of Social Issues, 56(1), 27-47.

Perry, C. (2002). A Structured approach to presenting theses: Notes for students and their

supervisors. Australian Marketing Journal, 6(1), 63-86.

PWC. (2007). Internal Audit 2012: A study examining the future of internal auditing and the

potential decline of controlc centric approach.

R Chia, R. H. (n.d.). Strategy as Wayfinding. Scotland: University of Aberdeen Business School

and University of Liverpool Management School.

Rivard, S., Raymond, L., & Verreault, D. (2006). Resource-based view and competitive strategy:

An integrated model of the contribution of It to firm performance. Journal of Strategic

Information Systems, 29-50.

Ryan, T. (2009). Multiple Perspectives - EMBA Class Slides.

Ryan, T. (2009). SCQARE: A Framework for Systemic Sense Making - EMBA Class Notes.

University of Cape Town.

Ryan, T. (2009a). EMBA Module 1 Course Readings. University of Cape Town: SYSTAL.

Ryan, T. (2009b). EMBA Module 2 Course Readings. university of Cape Town: SYSTAL.

Ryan, T. (2009c). EMBA Module 3 Course Readings. University of Cape Town: SYSTAL.

Ryan, T. (2010a). EMBA Module 4 Course Readings. University of Cape Town: SYSTAL.

Ryan, T. (2010b). EMBA Module 5 Course Readings. University of Cape Town: SYSTAL.

Ryan, T. (2010c). EMBA Module 6 Course Readings. University of Cape Town: SYSTAL.

Schwanginger, M. (1998). A Concept of Organisational Fitness. Switzerland: University of St

Gallen.

Strauss, A. C. (1967). Basics of Qualiatative Research: Grounded Theory procedures and

techniques. Newbury Park: Sage .

Struebert, H. J., & Carpenter D, R. (1999). Qualiative research in nursing. Lippincott.

Suddaby, R. (2006). From the Editors: What Grounded Theory is Not. Academy of Management

Journal, 633-642.

T Bogdan, S. T. (1984). Introduction to Qualitative Research Methods - The Search for

Meanings. Chichester: John Wiley & Sons.

Teece, D. J., Pisano, G., & Shuen, A. (1997). Dynamic Capabilities and Strategic Management.

Strategic Management Journal, 509-533.

V Thakor, J. B. (2000). Becoming a Better value creator.

Velasquez, M. G. (2006). Business Ethics (Concepts and Cases). New York: Pearson Prentice

Hall.

Walz, A. (1997). Adding value: creating value has become a matter of survival. Internal Auditor.

Whittington, R., Johnson, G., & Meilen, L. (2004). The Emerging Fields of Strategy Practice:

Some links, a trap, a choice and a confusion. Slovenia: EGOS Colloquiuim.

Copyright UCT


APPENDIX A

1. Research Design

I made use of Maxwell’s model for qualitative research design. It is an iterative model based

on ‘interconnection and interaction among the different design components’ (Maxwell 2005).

It allows for flexibility and I found myself going back and forth between the components and

having to refine my question through the research process.

My initial Research Design, using Maxwell’s Framework is shown below.

Copyright UCT


2. The CATWOE of the Audit System

The CATWOE of the Audit system is shown below.

C A T W O E of Audit System

CUSTOMER

Eskom business units and Audit Committee

ACTOR Auditors (Assurance and Forensic Department)

TRANSFORMATION Inputs: IIA Standards that govern the audit process, including methods of work and professional practices guidelines by IIA and the department’s audit manual. Business knowledge and processes required to gain understanding of business area. Outputs: Assurance, Forensic Services and Technical Investigations Process: Audit planning, execution, reporting and monitoring

WORLDVIEW A system to provide independent assurance, consulting and forensic services to improve Eskom’s operations in the areas of risk management, control and governance as directed by professional auditors who uphold ethical standards

OWNER Head of Internal Audit and audit senior managers

ENVIRONMENT Institute of Internal Auditors (IIA), IIA Standards and Practice Advisories, ISO standards, Association of Certified Fraud Examiners (ACFE)

ROOT DEFINITION: This is a system run by professional auditors, and owned by management to provide independent assurance, consulting and forensic services to Eskom business groups, within the constraints of the IIA, ACFE and ISO.

Copyright UCT


3. Interview Log

The following stakeholders were interviewed:

No. Stakeholder

Category

Role Date Informed

Consent

1 Audit Staff

Snr Audit

Advisor

20/10/2010 Y

2 IT Audit

Management

Snr Audit

Manager

22/10/2010 Y

3 Customer

IM Manager 21/10/2010 Y

4 Audit Staff

Snr Audit

Advisor

25/10/2010 Y

5 Customer

IM Manager 25/10/2010 Y

6 Senior

Management -

A&F

Group Audit

Manager

31/10/2010 Y

7 Executive

Management –

Eskom

Divisional

Executive –

Corporate

09/11/2010 Y

8 External Audit

Partner 12/11/2010 Y

9 Customer IM Manager 14/11/2010 Y

10 Senior

Management

Chief Audit

Executive

12/11/2010 Y

11 Executive

Management –

Eskom

Divisional

Executive

16/11/2010 Y

12 Audit Committee

Member of

Audit

19/11/2010 Y

Copyright UCT


Committee

13 Audit

Management

Snr Audit

Manager

26/11/2010 Y

14 Customer

Risk Manager 20/10/2010 Y

15 Customer Information

Security

22/11/2010 Y

16 Audit Staff

Snr Audit

Advisor

22/11/2010 Y

17 Customer

Acting Chief

Information

Officer

02/12/2010 Y

18 Audit

Management

Snr Audit

Manager

07/12/2010 Y

19 Quality

Assurance

QAR Manager 25/10/10 Y

Copyright UCT


4. CATWOES of Stakeholders

CATWOEs (Customers, Actor, Transformation, Owner, Environment) are used to frame a perspective which express how various

stakeholders perceive the imperative for strategic value of IT Auditing. The following table provides CATWOEs and root definitions

for the key stakeholders and illustrates the different perspectives that exist.

Stakeholder Group

Customers Actors Transformation Worldview Owner Environment

Auditors Audit supervisors, Business units

Auditors, Audit supervisors

I = Knowledge, skills, tools/techniques, T = auditing process, O = Correct/incorrect Audit opinion

Audit projects need to be completed within time, budget constraints and Audit projects need to executed in line with IIA, ISACA standards. Management has to worry about strategic management.

Supervisory and executive management

Inherent complexities in performing audits

Root definition An Executive Audit Management owned system, operated by audit supervisors and auditors to perform audit projects in order to provide assurance and consulting services to the organisation, amidst growing complexities and technological changes and time budget constraints whilst complying to IIA standards.

Supervisory management/ Audit supervisors

Executive management, Business units

Auditors, Audit supervisors

I = Knowledge, skills, tools/techniques, T = auditing process, O = Correct/incorrect Audit opinion

Audit projects need to be completed within time, budget constraints and meet quality requirements

Executive audit management

Inherent complexities in performing audits

Copyright UCT


Root definition An Executive Audit Management owned system, operated by audit supervisors and auditors to review and manage audit projects in order to provide assurance and consulting services to the organisation, amidst growing complexities and time budget constraints whilst meeting quality requirements.

Senior audit management

Executive management, Audit Committee

Chief Audit Exec (CAE) and E Band managers

I = Strategies, resources, T = general management process, O = implemented strategies

Auditors/staff will perform well if they follow the manager’s leadership Strategic Management is complex in ever changing environment

Executive Management, Audit committee

Increased complexities and expectations creates uncertainty for A&F

Root definition An executive management owned system, operated by CAE and E Band Managers, through a general management process to ensure that staff perform audits well, amidst challenges and complexities in the environment, and consistently deliver value add and to ensure viability of Audit for the future.

Customers/ Clients

Business unit and executive management of Eskom

Business unit managers

I = Request, Audit plan, T = auditing process, O = correct/incorrect audit opinion

Auditors will provide a fair assessment and unbiased opinion to assist in improving controls and warning of stress in the system. Auditors are looking at the past.

Executive management

With increased risk and governance requirements, greater assurance is required as well as emerging risks.

Root definition An executive management owned system, operated by business unit managers, through an audit engagement process to obtain assurance on controls, in the midst of increased risks and complexities in the business.

Audit Committee Eskom executive management

Independent executives

I = experience and knowledge in good governance, T = advisory process on governance and risk management, O = independent oversight

Audit is our “eyes” and “ears” of the state of the organisation’s controls , governance and risk management.

Executive management

With recent corporate scandals and failures, focus on risks, controls and governance is even more critical.

Root definition An independent executive owned system, operated by Board, through an advisory process to provide oversight and guidance on controls, risk management and governance in the midst of increased risks and investments in the business.

Institute of Internal Auditors

Internal Auditing departments

IIA I = Knowledge and experience, T =

Internal auditors require guidance

Institute of Internal Auditors

Evolving role of internal audits

Copyright UCT


(IIA) advisory process strategic value, O = IIA Standards and advisories

when facing how to deliver value add.

creates increased challenges and opportunities for auditors.

Root definition A professional association owned system, operated by the IIA, through an advisory process to provide direction on professional standards, amidst changing role expected of internal auditors.

Copyright UCT


5. Grounded Theory Results

The following table shows the Affinity Diagram for the Saturated Categories that emerged

through the data collection process. The concepts that made up the categories are as follows:

Involvement in Consulting/Advisory Role

Intelligence (Internal & External)

Systems Auditing

Focus on IT on engineering environment

Access to market intelligence Understanding the organisation as a whole

Focus of IT Auditing Continuous learning "culture" is lacking Ability to see systemic patterns in organisation.

Involvement in IT Strategy Benchmarking should be provided Need for a helicopter view of the business

Involvement in risk management Need for Intelligence - internal & external

Looking at Eskom as a whole organisation

Involvement in IT Governance

Need industry specialisation Seeing beyond silos

Focus on advisory role

IT Audit needs something like a knowledge centre

Integrated audits

Move away from compliance mindset auditing

We are engineering company. We need industry base first, then IT.

Value chain auditing

Greater focus on the engineering environment and systems

Auditors need to get more business knowledge.

Systems monitoring.

Auditing of Project management processes

Auditors need knowledge so can apply and give advice.

Adequacy type of audits

Monitoring of environment is lacking.

Shared value proposition

Link to organisation’s strategic purpose

to advise on what’s going on globally to advise CIO.

Common shared vision and change management as well

Move away from compliance mindset auditing

Need experience around business issues.

Involvement of staff in strategy

Involvement in IT strategy – advisory services

Uunderstanding the value of your work

Auditors are the eyes and ears of organisation.

Strategic Skills and Competencies Visible and felt leadership

IT Audit to be a conduit to communicate info to CIO.

Ability to think strategically

Embedding of strategy

IT Audit to provide improvements

Ability to converse strategically

Beyond mission and vision

No shared assumptions/ purpose

Mindset of strategic value

Ability to ask key questions.

Mindfulness

Copyright UCT


Move away from reactionary approach

Basic skills for auditors (communication, conflict management

Sense of awareness

Proactive services Fresh, naïve approach, but with deep insight & understanding of business.

Building up resilience

Sensing signs of stress

Technical skills/knowledge combined with a large arsenal of soft skills.

Sixth sense auditing

Move away from execution focus to strategic focus

Continous learning/adaptability Compliance focussed Sensing auditors

Link to organisation’s strategic objectives

Courage to try new things

Rigid audit programmes

Trusted advisor role Better ways of doing things.

Smelling a rat

Move away from audit as “police” mentality

Innovation Thinking space

Consulting must be linked to reach these strategic goals.

Need to know what’s the latest trends Ability to reflect

Adapt to change Having a constantly enquiring mind

Continuous learning "culture" is lacking Alertness as an auditor

Organisational factors Intelligence (Internal & External)

Forums for auditors to disseminate information.

Access to market intelligence

Not competing for services in Eskom.

Benchmarking should be provided

Board & Exco not that well informed about IT

Need for Intelligence - internal & external

Limited control awareness in the business

Industry specialisation

Need everyone to be IT savy.

Knowledge centre

Mindset that IT is too complex. Business audit does not want to know about IT.

Engineering company industry base first, then IT.

In depth knowledge of the business Auditors need knowledge so can apply

and give advice. Cannot consult if don’t know the business.

Monitoring of environment

Date post:	27-Apr-2018
Category:	Documents
Upload:	lamcong
View:	220 times
Download:	1 times

Uncovering the Strategic Value of Information Technology...

Documents