Research and Project Topics in IT Governance (2008 Fall)

Center for IT and e-Business Management
Sponsored by Microsoft Trustworthy Computing

     Professor Michael J. Shaw
     Department of Business Administration
     College of Business, University of Illinois at Urbana-Champaign



      This course is partly sponsored by a grant from Microsoft. As Information Technology (IT) has become the foundation supporting the infrastructure, transactions, processes, and customer service of any business, large or small, managing the trustworthiness of enterprise IT has emerged as a high priority for business administration. This focus on trustworthy computing is analogous to the total quality management widely adopted in manufacturing and distribution a decade ago, except that the impact is potentially more pronounced because of the greater reliance on IT not only by businesses but also by the broader society. The course will provide students with a core body of knowledge (for IT applications, management, and research) concerning:

  • The state of research and business practice of trustworthy computing
  • Managerial issues for the prevention of business frauds and threats
  • The multiple perspectives of trustworthy computing and how to integrate them
  • The key technology for trustworthy computing for users and for businesses
  • Issues concerning integrity, privacy, ethics, risk management, and reliability
  • Best practices concerning regulatory compliance requirements
  • Enterprise information management issues, policies and practices
 List of Topics in Trustworthy Computing, Information Trust, and Management


  1. COBIT

  2. IFRS

  3. ISO

  4. Information Systems and Technologies

  5. IT Portfolio Management

  6. Project and Risk Management

  7. Sarbanes-Oxley

  8. SAS70


 Research and Project Description

1.  COBIT
- COBIT, by Ben Taso (report)

With information technology now a driving force in today’s high-tech enterprises, there is a greater need for a more widespread understanding of how IT works. These companies need to practice good IT governance to ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.

2.  IFRS
- IFRS Adoption Compliance Issues, by Elaine Lau (report)

U.S. organizations and businesses use U.S. GAAP (Generally Accepted Accounting Principles) to prepare, present, and report financial statements. Creditors as well as potential and current investors use financial statements to help make investment, credit, and other financial decisions. Other countries either use country-specific GAAP or the International Financial Reporting Standards (IFRS).

3. ISO
- A Survey of IT Governance through COBIT, ITIL, and ISO 17799, by Samantha Schreiner (report)

The use of IT is critical to an enterprise’s success in today’s world. In many organizations it is fundamental to support, sustain and grow the business (“About IT Governance”, 1). IT provides opportunities for competitive advantage and increases in productivity. It is fundamental for managing resources, suppliers, customers, and the transitioning of today’s market value from the tangible to the intangible (“Board Briefing on IT Governance”, 13). An enterprise’s ability to leverage IT has become a universal business competency (“Board Briefing on IT Governance”, 13).

- ISO 27001, by Winnie Chan (report)

All businesses have top secret data that are critical to an organization’s success. Those confidential data need to be properly protected to ensure that they are not leaked to unauthorized parties. Thus, information security management is very important. It attempts to protect a firm’s valuable assets from potential threats or leakage. A firm’s valuable assets range from digital information to its employees’ knowledge regarding its competitive advantage.

4.  Information Systems and Technologies
- Future IT Trends and Their Impact upon the Industry, by Bill Gambardella (report)

The field of information technology (IT) is an ever changing and increasingly dynamic part of corporate enterprises. What was once considered merely overhead has become an integral part of business for all organizations and is even considered a strategic priority for most successful companies.

- Software as a Service, by Jeff Siglin (report)

Software as a Service (SaaS) has been around for several years, helping companies reduce costs while still maintaining expertise within the IT function through outsourcing. SaaS applications allow companies to focus more attention on the processes that create value while still being efficient in every manner. The use of SaaS varies by industry and company, as there are various unique costs and benefits. Recently, SaaS usage has been growing and SaaS vendors are gaining market share.

- Business Intelligence, by Jovany Chaidez (report)

Businesses go through many changes and challenges during their lifetimes, whether those changes threaten the stability of the business, improve its business processes, or even affect its internal structure. The changing market constantly introduces new challenges for businesses every day, whether through a shift in trends or a change in consumer behavior.

- Assessing Key Controls and IT Alignment, by Kim Bigelow (report)

Information Technology is an increasingly important aspect of modern business. The companies that have it and use it efficiently are better able to adapt and grow with today’s changing environment. IT alignment helps an organization take advantage of all the benefits of Information Technology. This ongoing process maximizes the value of a business using IT’s effectiveness and establishes a relationship between the business and IT that allows for innovation and growth.

- IT Governance and Control, by Mark Longo (report)

The ever-increasing competitiveness of modern business creates the need to utilize information technology to create efficiencies within the company. Information systems and related business processes require effective risk management, which can be achieved through appropriate use of control within the organization. COBIT 4.1 is a widely used IT Governance framework that takes a broad-based best practices approach to linking IT to business goals, recognizing key IT process risks, and introducing more accountability into business and IT processes.

- IT Governance, by Minghai Geng (report)

Information Technology (IT) Governance is a broad and emerging topic that currently encompasses many factors. Simply, IT governance is the process of making decisions about IT investments. The emergence of IT governance came about from concern over the performance and management of risk for IT systems. Demand for IT governance increased due to increases in required regulations and degrees of compliance. Specifically, companies in the United States dealt with increased regulations from the introduction of the Sarbanes-Oxley Act. European companies meanwhile dealt with similar circumstances to their IT governance from the Basel II Accord. Additionally, IT governance emerged when companies realized IT projects could easily get out of control and significantly affect the performance and finances of their organization.

- Building an Effective Paperless Records Management Governance Structure, by Moh’d A. Obeidat (report)

The entire world is rapidly shifting its orientation into an Information Technology (IT) based environment, which emphasizes the use of technology for assembling, transferring, and analyzing information. This information era is made possible by the advent of affordable information technology and evolving computer, network, and software capabilities. In the midst of this technological shift, “Paperless Records” becomes a reality.

- Enterprise Architecture, by Sunil Rajan (report)

Enterprise Architecture is a holistic view of an enterprise’s processes, information and information technology assets as a vehicle for aligning business and IT in a structured, more efficient and sustainable way. This practice has attracted significant attention over the past 2 or 3 years with a number of organizations implementing this practice to align their IT and business goals. The methodology encompasses all of the various IT aspects and processes into a single practice. However, realizing the full potential of Enterprise Architecture (EA) can be challenging. There are many aspects to EA, including architecture planning, governance, taxonomies and ontologies, all of which impact its success. Without the right guidance, tools, frameworks and methodologies EA can quickly become unwieldy.

5.  IT Portfolio Management
- IT Portfolio Management, by Edward Prusiecki (report)

Information technology (IT) has become a required core competency for almost all businesses to be successful. Businesses that successfully implement IT systems create value, drive growth, and strengthen competitive advantages. With many businesses investing anywhere from 1.5%-7% of revenue into IT systems, it is imperative that a clear IT Portfolio Management approach is followed to ensure their IT investments succeed. In today’s ultra-competitive environment, an effective IT system might be the key factor that makes or breaks a company’s performance against their competition.

- IT Portfolio Management, by Erik Selman (report)

IT Portfolio Management is an approach created to obtain the most value out of investments in information technology. IT investments are measured using both financial and non-financial measures that take into account the value, risks, useful life and interrelationships of the IT investment portfolio. This method is similar to what a financial investment professional would use to make investments in financial markets. In order to improve operations, managers must decide whether to start projects, cancel existing projects, or continue searching for a project that has the right payoffs for the company.

6.  Project and Risk Management
- Enterprise Risk Management, by Bahman Sheikholeslami (report)

Enterprise risk management is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the impacts of risk on an organization’s capital and earnings. Among the most important areas of risk covered in risk management are finance, operations, and strategy.

- ERM and the Pharmaceutical Industry, by Britton Stotler (report)

Risks are an innate part of every aspect of life, and the business environment is no exception. Nearly every industry and every individual organization, especially in today’s increasingly global environment, faces a myriad of risk factors that threaten their ability to operate effectively. Some of these risks may be common and systematic across all industries, such as those resulting from competitive pressures, general economic conditions, government regulation, or social concerns, while others may be industry specific, such as the political tensions that influence the oil industry, or the environmental forces that severely influence the various agriculture industries. However, in looking at the sheer impact of risk across various industries, the pharmaceutical industry in particular stands out as one of the most risk-heavy industries.

- Top-Down, Risk-Based Approach for Assessing Control, by Carolyn Tsai (report)

Currently all companies are paying more attention to risk management, especially since the emergence of the Sarbanes-Oxley Act of 2002 (SOX). SOX requires companies to implement and assess internal controls. Risk management is a collaboration between different elements in business, such as business operations, finance, accounting and information technology (IT). The top-down, risk-based approach is a control framework that addresses the financial risks involved in a business. Ernst & Young (E&Y) developed its interpretation of the top-down, risk-based approach, which follows the general layout described in the PCAOB’s guidance with additional components that it believes are critical for risk and control assessment.

- Creating Sustainable Advantage Through IT Risk Management, by Greg Mitchell (report)

One of the most important things for a business is to create a sustainable advantage in their operations. Sustainable advantage means that a business is able to form a competitive advantage that they can use for a long period of time. It is an advantage that sets the business apart from its competitors and is the reason why it is able to attract consumers. An example of sustainable advantage for Coca-Cola is that they have a secret recipe that other cola manufacturers cannot duplicate. The unique Coca-Cola taste is what attracts consumers and they have been able to sustain this advantage over a long period of time. Another example of a sustainable advantage is the unique supply chain system employed by Walgreens.

- Enterprise Risk Management & IT Implications, by Megan Kasbohm (report)

All companies in all industries face risks to successfully running a business. A risk is any factor that can hinder the ability for a company to be successful. Companies have to be aware of both internal and external risks to effectively manage them. Enterprise risk management is an ongoing process that deals with handling the risks a particular company faces. It uses a combination of business processes and methods to better minimize risks and maximize potential opportunities. ERM provides a framework that companies can use within their own business internal control system and model to fit their individual needs. When a company is more aware of the risks it faces, potential losses can be prevented.

7.  Sarbanes-Oxley
- SOX, by Chang-Tao Wu (report)

The Sarbanes-Oxley Act was named after Senator Paul Sarbanes and Representative Michael Oxley and was signed into law on July 30, 2002 by President Bush. Besides a series of corporate frauds, Sarbanes and Oxley found that there were still many reasons this country urgently needed an effective law to regulate companies, including auditor conflicts of interest: although before SOX there were many auditing firms that supervised companies’ performance for investors, those auditing firms usually performed consulting or non-audit work for the companies they audited. To those auditing firms, the consulting work was more profitable than their auditing engagement. Therefore, the auditing firms could not function well before SOX.

- Sarbanes-Oxley, by Mark Nelson (report)

In general, many people may not know what the name Sarbanes-Oxley, or SOX, means, but most people are able to recognize the names WorldCom or Enron. These famous debacles in business are what initiated the development of SOX. SOX is a U.S. federal act that was passed in 2002. Its name is derived from two of the men who helped in its creation, Senator Paul Sarbanes and Representative Michael G. Oxley. The act was approved with a vast majority vote in the House of 334-90 and in the Senate of 99-0. The main goal of SOX is to minimize any events similar to Enron or WorldCom from ever happening again. It “…fundamentally stipulated that the information being reported on corporate performance within publicly traded companies must be an accurate depiction of corporate performance” (Maizlish 74). After its enactment, President Bush was quoted as saying: “It included the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt.”

8.  SAS70
- SAS 70, by Christa Unangst (report)

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is gradually becoming a more significant standard for companies. The increasing trend towards the outsourcing of business processes, coupled with greater demands from stakeholders for transparency and the importance of managing and reducing risks, has made SAS 70 examinations a strategic priority for service-oriented organizations. In this paper, I intend to investigate what SAS 70 is, what is disclosed in a typical SAS 70 audit, the objectives of the standard, and companies’ approaches and/or views on the standard. In addition, I will address the impact of SAS 70 – what its criticisms and benefits are, and what its future outlook is.

- Sarbanes-Oxley Act (SOX), by Hiroshi Tachibana (report)

The Sarbanes-Oxley Act (SOX) was established in 2002 in order not to repeat the company and accounting scandals which occurred from the late 1990s to the early 2000s, such as those of Enron and WorldCom. To avoid such scandals, the purpose of SOX is to increase the transparency and accuracy of financial reporting and business accounting. Additionally, SOX requires companies to reform corporate governance and audit systems and defines the duties and responsibilities of business executives. It is composed of 11 titles and 69 sections and includes the establishment of the Public Company Accounting Oversight Board (PCAOB), the independence of the auditing firm, the expansion of financial disclosure, mandatory internal control, stricter penalties for business executives who commit fraud, the regulation of investment analysts, protection for whistle-blowers, and so on. We should take particular note of SOX section 404, which concerns the assessment of internal control. Internal control is one of the biggest parts, and companies spend much time on it.

- SAS 70, by Jong Choi (report)

Service users are constantly looking for more assurance in order to make better, more informed decisions in this ever-changing business environment. As a consequence, the reliability of a company’s service and its internal controls has been a critical source of service users’ confidence. In 1992, the American Institute of Certified Public Accountants (AICPA) developed Statement on Auditing Standards No. 70 (SAS 70) to provide more assurance on a service organization’s controls to these service users, also called user organizations.

  Guest Lecturers

Name | Institution | Topic
Jason Weile | Manager, Systems and Process Assurance, PWC | Risk Management
Andrew Petrum | Protiviti | IT Governance and Control
Nick Kula | Protiviti | IT Governance and Control
Jon Herzburg | Principal, Grant Thornton | IT Management and Control
Ronald Markham | | IT Management and Control
Dean Haacker | Motorola | Security and Privacy
Mark Showers | CIO, Monsanto | IT Governance: CIO Perspective
Sam Howard | State Farm | IT Governance at State Farm
Carol Waldron | State Farm | IT Portfolio Leadership at State Farm
Deron Grzetich | IT Security Manager, Sidley Austin Law Firm | Vulnerability Management
Richard Jaehne | Director, the Illinois Fire Service Institute | Emergency Response and Unified Command Systems
Dan Swartwood | Motorola | Privacy Issues and Regulation
Grant Hellwarth | Partner, PWC | The Enterprise and Auditor Perspectives
John Heller | CIO, Caterpillar | The Enterprise and Auditor Perspectives
Andrew Smith | Managing Partner, Protiviti | IT Service and Governance
John Bingham | Protiviti | IT Service and Governance