Organizations face the challenge of meeting multiple control regulations and reporting on their compliance with these. Information Systems for Governance, Risk Management, and Compliance (GRC IS) support organizations by integrating information throughout the organization with control mechanisms to ensure behavior that complies with organizational goals and external regulations. We argue that the current understanding of GRC IS is incomplete because of five challenges that have not been addressed in existing research: (1) conflicting findings on the impact of IT-enabled management control systems such as GRC IS, (2) unclear value drivers of IT-enabled management control systems, (3) new technical developments in data analysis that allow new forms of control, (4) the missing understanding of the role of IT in balancing exploitative and exploratory management control systems, and (5) organizational struggles in implementing IT-enabled management control systems. We address these challenges by examining how organizations adopt and use GRC IS.
This thesis followed an inductive and qualitative research approach to address the challenges mentioned above. We reviewed control regulations, guidelines, standards, and frameworks and conducted a review of the relevant literature in order to identify useful concepts for our analysis. The identified concepts were used within the following exploratory study to stimulate category development. The empirically grounded conceptual ideas were revised and extended in case studies. Throughout these studies, the primary data source was semi-structured interviews. Secondary data sources were archival data such as process and control descriptions, as well as project documentation.
The thesis provides several empirical findings. We review existing literature on IT-enabled management control systems and suggest a pattern catalogue for the evaluation of such systems. We identify four value drivers of GRC IS and develop a model that structures these value drivers. The model highlights the importance of a coherent design of control mechanisms. We extend a prominent taxonomy for designing management control systems and suggest ‘synchronicity’ and ‘certainty of actions’ as new antecedents for control mechanism design. We provide a description of the GRC IS implementation process that focuses on first improving existing control practices and then developing new controls to cope with uncertainty.
This thesis provides several contributions to theory and practice. We enhance management control research by suggesting how IT-enabled management control systems improve existing and enable new control mechanisms. We provide empirical evidence for exploratory control mechanisms and explain how IT supports these. We extend control theory by suggesting new antecedents that are based on timeliness of control information and certainty of derived activities. For practice, the developed pattern catalogue provides structure for analyzing and evaluating GRC IS. Vendors may use the developed value drivers to identify and develop new functionalities of their solutions. Organizations implementing GRC IS gain additional understanding of the technological capabilities of GRC IS and may use the value drivers for structuring the business value of such systems.
There are several limitations that have to be taken into account. The papers included in this thesis have been written over a period of four years, and the concepts and thinking have developed considerably over that time. We focused on a particular class of IT-enabled management control systems, examined the balance of exploitation and exploration as a specific trade-off in management control systems, and selected control mechanisms as the level of granularity. The data stems from a limited number of organizations in a small number of industries, and thus our conceptual developments need further testing to ensure generalizability.
This thesis suggests several fruitful avenues for future research. Complementing the current concepts with additional data and with quantitative research methods could address the existing threats to validity. A deeper understanding of the dynamics of the technology behind IT-enabled management control systems would enhance the knowledge on this topic. It would be interesting to further examine information-intensive controls such as risk management and to focus on external information provided for management control activities. Future research could provide further understanding of balancing management control activities by examining the concept of control coherence in more detail, using existing theoretical work on ambidexterity and balance. It would be fruitful to examine human perspectives on IT-enabled management control systems on different levels, including management and employees. The perception of exploratory control mechanisms that are supported by IT and the development of workarounds could also be investigated further.