In our increasingly digitised economy, IT has
become fundamental to support, sustain and grow
organisations. Successful organisations leverage the
potential of digital innovation and understand and
manage the risk and constraints of technology.
Previously, the governing board could delegate,
ignore or avoid IT-related decisions, but the
disruptions from new technologies (e.g., cloud,
Internet of Things, big data) are increasingly
being felt at the board level. Emerging research
calls for more board-level engagement in
enterprise governance of IT and identifies serious
consequences for digitised organisations if the
board is not involved.
Yet, it appears that enterprise-technology governance competence remains
the ‘elephant in the boardroom’ for more than 80
percent of boards of directors (BoDs).
In this context, a co-created research project was
established by the Antwerp Management School,
Cegeka, KPMG and Samsung, to focus on the
role of the BoD in governance of enterprise IT
(GEIT). The 2015–2018 research project explores
contemporary best practices and competencies
for BoD involvement in IT to realise technological
innovation potential and ensure control over the
associated risk. By offering BoDs a clearer path to
reach their IT governance objectives, the project
aims to strengthen their involvement and obtain a
true end-to-end GEIT.
This article reports on one of the investigations
being done, specifically, how nonexecutive boards
are reporting on their accountability for IT in their
yearly reports. As such, it immediately relates to
the COBIT® 5 Evaluate, Direct and Monitor (EDM)
process EDM05 Ensure stakeholder transparency,
which expects the board to ‘make sure that the
communication (on IT governance) to stakeholders is
effective and timely and that the basis for reporting
is established to increase performance’.
From this research, it appears that, notwithstanding
the pervasive role of IT, the disclosure on IT
governance is still limited and rather focused on
reactive elements—for example, in response to
IT-related risk events happening. More reporting
was observed in high IT-intense sectors, as well as
in publicly listed companies. The latter is probably a
result of investors being more willing to invest
in organisations that have their digitised assets
Steven De Haes, Ph.D.
Is a full professor of information systems
management at the University of Antwerp—
Faculty of Applied Economics and at the Antwerp
Management School (Belgium). He acts as
the academic director of the IT Alignment and
Governance (ITAG) Research Institute.
Is a Ph.D. post-doctoral researcher at the University
of Antwerp and Antwerp Management School
(Belgium), and a lecturer at Maastricht University
Is a Ph.D. candidate in IT governance at the
department of Management Information Systems of
the Faculty of Applied Economics at the University
of Antwerp (Belgium).
Is a business engineer in management information
systems and a consultant at KPMG Advisory in
How Boards Realise IT Governance Transparency
A Study Into Current Practice of the COBIT EDM05 Process