Copyright UCT i UNCOVERING THE STRATEGIC VALUE OF INFORMATION TECHNOLOGY AUDITING by UREKA RANGASAMY in partial fulfillment of the requirements for Executive MBA EMBA 11 March 2011 Confidential
Copyright UCT
i
UNCOVERING THE STRATEGIC VALUE
OF INFORMATION TECHNOLOGY
AUDITING
by
UREKA RANGASAMY
in partial fulfillment of the requirements for
Executive MBA
EMBA 11
March 2011
Confidential
Copyright UCT
ii
Plagiarism Declaration
1. I know that plagiarism is wrong. Plagiarism is to use another’s work and pretend that it is
your own.
2. I have used a recognised convention for citation and referencing. Each significant
contribution and quotation from the works of other people has been attributed, cited and
referenced.
3. I certify that this submission is all my own work.
4. I have not allowed and will not allow anyone to copy this essay with the intention of passing
it off as his or her own work.
Signature: Date: 07 March 2011
Copyright UCT
iii
Abstract
“When the White Rabbit asked the King where he should begin, the King, replied: ‘begin at the
beginning and go on till you come to the end: then stop.’ But explanation is not like that. His
advice is a good example of the failure to recognise when one is up against a large, complex
system” (Beer, 1981,p. xi).
As managers today, we are faced with increasing complexity and change. The traditional
management practice of dealing with problems simplistically and mechanistically is no longer
adequate. Two years ago as part of the EMBA programme, I began my journey into the systems
thinking world in an attempt to find new approaches. This dissertation is approached from a
systems thinking perspective and the purpose is to seek an understanding of the underlying
dynamics that impact on the strategic value of Information Technology (IT) Auditing, from an
internal audit department perspective, at the state-owned electricity utility, Eskom.
This research is viewed from my perspective as a student and researcher on the EMBA 11
programme, and as the role of Group Audit Manager at Eskom’s internal audit department. IT
Audit is one of the portfolios that I oversee.
Eskom, as a key player in the electricity industry, is facing enormous challenges with regard to
financial sustainability and continuity of supply which is aggravated by the global recession.
These increased risks and uncertainties call for insight from Internal Audit that goes beyond the
traditional assurance, and focuses IT Audit on providing strategic insight for Eskom.
Furthermore, the pace of technology changes is explosive, and IT Audit is struggling to adapt to
the changing requirements of Eskom.
Given this situation, the concern identified was the ability of IT Audit to deliver strategic value
to Eskom. My context of strategic value is that which is focused on building value for the future.
Copyright UCT
iv
Having identified this concern, a powerful research question was raised in order to understand
‘Why has IT Audit not been able to deliver strategic value to Eskom?’
To guide me to reach an answer to the research question raised, I developed an integrated
research framework using different system approaches in combination. Given the nature of my
problem context, a qualitative research process was undertaken. To mitigate against the risks of
bias in a qualitative study, a triangulation of data and methods was used. Various systems tools
were used to make sense of the situation and sweep in multiple perspectives from various
stakeholders. The data was gathered, interpreted and analysed using the Grounded Theory
methodology.
Through rigorous application of the Grounded Theory process, the level of Mindfulness, the
effectiveness of Shared value proposition and the level of Strategic skills and competencies
emerged as the three variables critical to driving the level of strategic value of IT Auditing. The
theory that developed from the Grounded Theory process was that the distinctive competencies
of Mindfulness, Strategic skills and competencies, and Shared value proposition, in their
mutually reinforcing interaction, drives the strategic value of IT Auditing and creates sustained
competitive advantage for IT Audit.
I refer to this as my ‘ladybird theory’ as it has a head of mindfulness, wings of competency and
adaptability, and supported by a body of shared value proposition.
I performed a literature review to establish my subject matter within the wider body of
knowledge. This literature review revealed current trends and debates on the wider context of
strategic management and generally supported my research results relating to the three core
variables of the level of Mindfulness, the effectiveness of Shared value proposition and the level
of Strategic skills and competencies.
Copyright UCT
v
This research is significant as it makes a contribution to the existing body of knowledge in three
areas. Firstly, it adds to the research of strategic value of IT Auditing, particularly in state owned
enterprises as based on my literature review, it was evident that existing literature in this area is
limited. Secondly, existing literature provide laundry lists of recommendations on improving IT
Auditing, my research is approached from a systems thinking perspective and goes further by
systemically integrating the variables that impact on the strategic value of IT Auditing. Finally,
existing literature indicate that certain models/theories on Strategic Management can
complement each other, my research findings show how three leading perspectives on Strategic
Management (viz. Resource Based View, Dynamic Capability and Strategy-as-Practice) can
systemically integrate with each other to drive the strategic value of IT Auditing.
To demonstrate the validity and trustworthiness of my research, I have critically evaluated my
research in terms of Relevance, Utility and Validity of my research findings. I have also given
due consideration to the ethical implications of my Research Answer through the use of
Velasquez’s (2006) ethical evaluation framework which focuses on Utilitarianism, Rights,
Justice and Caring.
The research was rewarding, not only in terms of the theory that was developed and the insight
gained into how systems thinking can be used to deal with complex and unstructured problems,
but also as a journey of growth as it required patience and tolerance to keep true to Tom Ryan’s
principles of ‘trusting the process’.
I now invite you:
Come, let us journey together, and I, unlike the King, will guide you to uncovering the strategic
value of IT Auditing by seeing with system thinking eyes….
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 1
TABLE OF CONTENTS
Chapter 1 - Introduction and Overview ......................................................................... 7
1.1 INTRODUCTION........................................................................................................... 7
1.2 APPROACH AND STRUCTURE OF THE RESEARCH PAPER ..................................................... 8
1.3 SETTING THE MANAGEMENT CONTEXT ........................................................................... 10
1.4 ESTABLISHING THE CONTEXT OF THE RESEARCH SITUATION ........................................... 12
1.4.1 Eskom – Keeping the Lights Burning ........................................................................ 12
1.4.2 Assurance and Forensic – Eskom’s internal audit department .................................. 15
1.4.3 IT Audit ................................................................................................................... 15
1.4.4 Using the Viable Systems Model ............................................................................... 17
1.4.5 Taking a closer look at the Audit function (S3*) ....................................................... 19
1.4.6 The Relevance of Strategic Value of IT Auditing to Eskom ........................................ 20
1.4.7 Understanding the different Stakeholders ................................................................. 21
1.4.8 Let’s take a ‘rich’ picture ......................................................................................... 23
1.5 THE RESEARCH PROBLEM ............................................................................................... 25
1.5.1 Force Field Analysis of factors impacting on Strategic value of IT Auditing ............. 26
1.5.2 Avoiding Errors in My Problem Formulation ........................................................... 27
1.6 RESEARCH QUESTION ...................................................................................................... 27
1.7 RESEARCH FRAMEWORK ................................................................................................. 29
1.8 THE ANSWER: THE THEORY THAT EMERGED THROUGH THE RESEARCH ........................... 29
1.9 THE RATIONALE FOR THE ANSWER ................................................................................. 31
1.10 EVALUATION OF THE ANSWER....................................................................................... 31
1.11 CONCLUSION ................................................................................................................. 31
Chapter 2 - Literature Review ....................................................................................... 33
2.1 LEVEL I LITERATURE REVIEW ......................................................................................... 34
2.1.1 Strategic Management ............................................................................................. 34
2.1.2 Strategic Management in Public Sector/ State-owned enterprises ............................. 35
2.1.3 Current Theories/Models on Strategic Management ................................................. 36
2.2 LEVEL II LITERATURE REVIEW ........................................................................................ 39
2.2.1 Internal Auditing ...................................................................................................... 39
2.2.2 Increasing Importance and Challenges of IT Auditing .............................................. 42
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 2
2.3 LEVEL III LITERATURE REVIEW....................................................................................... 43
2.3.1 Mindfulness ............................................................................................................. 43
2.3.2 Strategic Skills and Competencies ............................................................................ 46
2.3.3 Shared Value Proposition ........................................................................................ 50
2.4 CONCLUSION ................................................................................................................... 51
Chapter 3 - Research Framework ................................................................................. 53
3.1 INTRODUCTION ............................................................................................................... 53
3.2 THE NATURE AND PURPOSE OF MANAGEMENT RESEARCH .............................................. 53
3.3 ONTOLOGICAL POSITION – THEORY OF REALITY.............................................................. 54
3.3.1 Critical Realism (A model of the world) ................................................................... 55
3.4 EPISTEMOLOGICAL POSITION .......................................................................................... 56
3.4.1 Qualitative and Quantitative Research Methods ....................................................... 56
3.4.2 Choice of Systems methodologies ............................................................................. 58
3.4.3 Jackson’s System of Systems Methodologies (SOSM) ................................................ 59
3.3.4.4 Using the Viable Systems Model (VSM) ................................................................. 60
3.3.4.5 The Rationale for using Grounded Theory ............................................................. 61
3.4.4.6 Integration of Critical Realism with Grounded Theory .......................................... 65
3.3.4.7 Integration of Grounded Theory with Soft Systems Methodology ........................... 66
3.5 DATA COLLECTION ......................................................................................................... 67
3.6 ETHICAL CONSIDERATIONS .............................................................................................. 67
3.7 INTEGRATED RESEARCH FRAMEWORK ............................................................................ 68
3.8 CONCLUSION ................................................................................................................... 69
Chapter 4 - Research Results ......................................................................................... 70
4.1 INTRODUCTION ............................................................................................................... 70
4.2 DEVELOPING AN ANSWER TO MY RESEARCH ................................................................... 70
4.2.1 Stakeholder Identification ........................................................................................ 70
4.2.2 Conversational Interviews ........................................................................................ 71
4.2.3 Data Recording and Transcribing ............................................................................ 71
4.3 CONCEPT FORMATION: CODING AND EMERGENCE OF CATEGORIES ................................. 72
4.3.1 Level 1 coding (Substantive Coding) ........................................................................ 72
4.3.2 Level II Coding ........................................................................................................ 73
4.3.3 Theoretical Saturation ............................................................................................. 74
4.3.4 Concept Modification and Integration (Emergence of Core Variables) ..................... 75
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 3
4.3.5 Selective Sampling of Literature ............................................................................... 79
4.3.6 Triangulation of Data .............................................................................................. 79
4.4 SUBSTANTIVE THEORY GENERATION (EMERGENCE OF THEORY) ..................................... 80
4.4.1Theoretical coding .................................................................................................... 80
4.4.2 Storylines of the Loops - The Rationale .................................................................... 84
4.4.3 LadyBird Metaphor .................................................................................................. 90
4.5 CONCLUSION ................................................................................................................... 90
Chapter 5 - Conclusion and Evaluation ........................................................................ 92
5.1 SIGNIFICANCE OF THE RESEARCH RESULTS ..................................................................... 92
5.2 IMPLICATIONS AND CONSEQUENCES ................................................................................ 94
5.3 EVALUATION ................................................................................................................... 96
5.3.1 Relevance ................................................................................................................ 96
5.3.2 Validity .................................................................................................................... 97
5.4 ETHICAL CONSIDERATIONS ............................................................................................. 99
5.5 AREAS FOR FUTURE RESEARCH ...................................................................................... 101
5.6 PERSONAL REFLECTION AND LEARNING ........................................................................ 102
5.7 CONCLUSION ................................................................................................................. 102
BIBLIOGRAPHY ......................................................................................................... 103
Appendix A .................................................................................................................... 105
1. RESEARCH DESIGN ..................................................................................................... 105
2. THE CATWOE OF THE AUDIT SYSTEM ....................................................................... 106
3. INTERVIEW LOG ......................................................................................................... 107
4. CATWOES OF STAKEHOLDERS ...................................................................................... 109
5. GROUNDED THEORY RESULTS ........................................................................................ 112
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 4
List of Figures
Figure 1: Structure of Dissertation .................................................................................................. 9
Figure 2: Overlap between Competencies and Social Need ......................................................... 10
Figure 3: Levels of Management .................................................................................................. 11
Figure 4: Electricity - from power station to customer ................................................................. 13
Figure 5: Eskom recursion levels .................................................................................................. 14
Figure 6: Audit Work System ....................................................................................................... 16
Figure 7: VSM –Systems .............................................................................................................. 17
Figure 8: Eskom as a VSM ........................................................................................................... 18
Figure 9: VSM - Role of S3* ........................................................................................................ 19
Figure 10: Multiple Perspectives .................................................................................................. 22
Figure 11: Stakeholder analysis .................................................................................................... 23
Figure 12: Rich picture ................................................................................................................. 24
Figure 13: Concern behaviour over time ...................................................................................... 25
Figure 14: Force Field Analysis impacting on Strategic value of IT Auditing ............................ 26
Figure 15: Three Level Literature Review.................................................................................... 33
Figure 16: Traditional assurance (Source: ADR, 2010) ............................................................... 41
Figure 17: General Competencies (Source: IIA, 2010) ................................................................ 47
Figure 18: Behavioural Skills (Source:IIA, 2010) ........................................................................ 48
Figure 19: Technical skills (Source: IIA, 2010) ........................................................................... 49
Figure 20: Management Triad ...................................................................................................... 54
Figure 21: Ideal-type Grid ............................................................................................................ 58
Figure 22: Systems approaches related to SOSM ......................................................................... 60
Figure 23: VSM - O, E, M Interaction .......................................................................................... 61
Figure 24: Integration of Critical Realism with Grounded Theory .............................................. 65
Figure 25: Integrated Research Framework .................................................................................. 68
Figure 26: Inter-relationship Diagram .......................................................................................... 76
Figure 27: The Generic Business Idea (Source: v/d Heijden, 1996) ............................................ 82
Figure 28: Causal mechanisms driving the behaviour of strategic value of IT Auditing ............. 83
Figure 29: Comparison to Business Idea ...................................................................................... 83
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 5
Figure 30: Competency Loop ....................................................................................................... 85
Figure 31: Adaptability Loop........................................................................................................ 86
Figure 32: Mindfulness Loop........................................................................................................ 88
Figure 33: Shared Value Loop ...................................................................................................... 89
List of Tables
Table 1: Contradictions and Conflict in A&F Work System ………………………………….16
Table 2: Avoiding error of the 3rd kind ……………………………………………………….27
Table 3: Differences between Qualitative and Quantitative Research…………………………57
Table 4: SSM and Grounded Theory alignment ………………………………………………67
Table 5: Example of Property and Dimensions of Category…………………………………...72
Table 6: Categories – Data Collection Round 1 ……………………………………………….73
Table 7: Categories – Data Collection Round 2 ……………………………………………….74
Table 8: Saturated Categories ………………………………………………………………….75
Table 9: Results from Participant Observation ………………………………………………..80
Table 10: Business Idea Comparison ………………………………………………………….82
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 6
Acknowledgements
If the only prayer we ever say is ‘thank you’, it will be enough.
(Unknown)
Like a traveller exploring with fascination the streets of an unknown place – that’s what the
EMBA journey has been for me. It has been immensely rewarding, not just academically, but
also in terms of personal growth and self discovery.
I want to thank all those who made it possible for me to travel on this journey.
I am grateful to my husband, Ergie, whose unwavering support and encouragement, especially
when the going got tough, saw me through. To my four beautiful daughters, Shivana, Mikara,
Dhiya and Kimaya, thank you for your love, patience and understanding, especially during my
regular two week long absences. To my helper, I appreciate you playing the role of ‘second
mum’ during these absences.
To all my family and friends who have supported and encouraged me, I am very grateful.
To my colleagues of EMBA 11, each and every one you have taught me something which I have
added to my basket of lifelong learnings.
To Tom Ryan, who has taught me to deal with greater complexity and to ‘learn to trust the
process’ and the rest of the academic as well as the support staff for an excellent programme.
To my fellow colleagues at Eskom, I am grateful for the support, the insights and perspectives
provided.
Thank you all.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 7
CHAPTER 1 - INTRODUCTION AND OVERVIEW
“The more we study the major problems of our time, the more we come to realize that they cannot be
understood in isolation. They are systemic problems, which mean that they are interconnected and
interdependent.”
- Capra (1996), as cited by Jackson (2003)
1.1 Introduction
Managers today are faced with increasing complexities and change. The traditional quick fix
solutions or panaceas are no longer adequate. The standard practice has been to view our
problems as isolated, having no interaction between them and approaching them as laundry lists
of problems to be dealt with. Jackson (2003) argues that managers require holistic approaches
which use systems ideas in a manner that enhances creativity. He defines holism as that which
‘puts the study of the whole before that of the parts’.
Taking this account, this dissertation has been approached from a systems thinking perspective.
The purpose of this dissertation is to seek an understanding of the underlying dynamics that
impact on the strategic value of Information Technology (IT) Auditing, from an internal audit
department perspective, at the state-owned enterprise, Eskom.
Internal Auditing, as a profession, has gained stature and there is increased recognition of its role
in delivering strategic value to an organization. As a result, there are increasing expectations
from Internal Audit to operate as a strategic partner to the organisation. The global PWC 2012
study (2010) indicates that there is growing pressure from Audit committees and executive
management for Internal Audit to provide more clear-cut strategic value. As the environment
changes, our traditional practices of Internal Auditing, including that of IT Auditing, is proving
less adequate to dealing with the complexities and increased risk faced by organisations.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 8
‘The expectations on the tomorrow’s internal auditor are huge. Not only are you expected to
juggle 10 balls at the same time, the balls themselves could actually change in priority of
juggling (meaning you need to switch ball positions in mid air!)…’
(Ivan Lee, Chief Internal Auditor, 2009)
My Interest in this topic
My goal for this dissertation is to improve my understanding of the strategic value of IT Auditing
at Eskom in order to address the current challenges we are facing. In the absence of systems
thinking, our previous management interventions in this area were approached as separate
activities and this has not has equipped us to address our current challenges.
This research is viewed from my perspective as a student on the EMBA 11 programme, and as a
practitioner for many years both in the IT as well as the internal auditing professions. I currently
fulfill the role of Group Audit Manager at Eskom’s internal audit department, known as
Assurance and Forensic (A&F). IT Auditing is one of the functions that I manage.
1.2 Approach and Structure of the Research Paper
This paper has further been approached using the SCQARE framework. As Ryan (2009)
indicates the SCQARE framework allows us to systematically construct and communicate our
mental maps which help us to make better sense of our world. This framework systematically
outlines the Situation or the Context, addresses the Concern relevant to the Situation, raises a
Question and Answer to deal with the Concern, provides a sound Rationale for the Answer, and
considers the Ethical implications of the Answer.
In addition, this dissertation has been further structured into five chapters as recommended by
Perry (2002) and shown in the diagram below.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 9
Figure 1: Structure of Dissertation
The purpose of chapter 1 is to introduce the core research problem and the context, which sets
the foundation for the research. I specifically consider in detail the Research Situation, and the
practical Concern, to establish the relevance of the research. I set out the formulation of the
Research question in order to meet the research goal. A brief overview of the research
framework and Answer to the Research question, as well as an evaluation of the Answer
considering ethical implications, is provided.
Chapter 2 presents the Literature Review. This chapter aims to build a theoretical foundation
upon which the research is based by reviewing the relevant literature relating to strategic
management with particular emphasis on electricity utilities and IT Auditing, as well locating my
research results within this body of knowledge.
Chapter 3 discusses the Research Framework developed to answer the research question. This
chapter sets out the motivation for my research philosophy, paradigms, methods and major
methodology used to collect data.
Chapter 4 discusses my Answer to the Research question as a result of the application of the
research framework presented in Chapter 3.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 10
In Chapter 5, I explore the significance and implications of my research results and make a
critical evaluation of the relevance, utility, validity and ethical implications of my research work.
I also discuss future areas of development and reflect on my personal learnings.
1.3 Setting the Management Context
Organisations today are facing increased change and to ensure sustainable wealth, organisations
have to adapt. As the broad social need of the customer changes, the distinctive competencies of
the seller’s value systems erode over time (Ryan, 2009). The intersection between the
customer’s needs and the seller’s offering is the value that is created as shown below.
Figure 2: Overlap between Competencies and Social Need
The value is diminishing as IT Audit is not adapting adequately to meet Eskom’s changing
needs.
Schwaninger (1989) states that organisations need to be managed at essentially three logical
levels of management, namely, Operational (concerned with creating value), Strategic
(concerned with building value for the future) and Normative (concerned with the question of
value itself). This is diagrammatically represented below.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 11
Figure 3: Levels of Management
My research was located in the Strategic Management Domain, referred to by Hoebeke (2000) as
the Innovative Domain and within that focuses on the issue of strategic value of IT Auditing
within Eskom. My context of strategic value is that which is focused on building value for the
future in line with Hoebeke’s (2000) definition of the Innovative Domain.
Hoebeke (2000) defines the Innovative Domain as “Changes in values in the environment in
which the work system in the innovation domain is embedded are sensed and transformed into
new products, services and processes. The work system is involved in the discovery and the
creation of the added value of the future. “
Hoebeke (2000) further indicates that the output of the Strategic Management Domain creates
conditions for the Operation Management Domain.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 12
1.4 Establishing the Context of the Research Situation
Ackoff as cited by Ryan (2009) refers to a mess as that which consists of complex systems of
strongly interacting problems. The problem of the strategic value of IT Auditing is quite messy
and I have used a combination of systems methods and tools to assist me in ‘making sense of the
situation’ and to develop a systemic understanding of the situation from multiple perspectives.
These are as follows:
• Activity Theory – to describe the activities and tensions within the IT Audit system
• Viable Systems Model - to understand the relevance of the concern of strategic value of
IT Auditing to Eskom
• Stakeholder Analysis – to understand the different stakeholders
• CATWOE (Customers, Actor, Transformation, Owner, Environment) – to frame the
perspectives of different stakeholders
• Rich picture – to creatively capture the mess
In this section, I first discuss the challenges facing Eskom, then focus on IT Audit within Eskom,
discuss the stakeholder analyses and finally present my Rich picture.
1.4.1 Eskom – Keeping the Lights Burning
Eskom is a state-owned enterprise and its primary purpose is to generate, transmit and distribute
electricity. Eskom generates approximately 95% of the electricity used in South Africa and
approximately 45% of the electricity used in Africa. Eskom business is undergoing major
change. Additional power stations and major power lines are being built to meet rising electricity
demand in South Africa. In an effort to meet the rising demand for electricity, Eskom has
embarked on a massive build programme of around R385 billion (in nominal terms) over the few
years to 2013, making it the largest infrastructure project in South Africa.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 13
The electricity structure from the power station to the customer is illustrated below.
Figure 4: Electricity - from power station to customer
Source: Adapted from Eskom Annual Report (2010)
Eskom is regulated under subject licences granted by the National Energy Regulator of South
Africa (NERSA). Eskom, as a state-owned enterprise, has a greater role to play in
addition to the supply of electricity. It also supports South Africa’s growth and development
aspirations.
Over the past two years, Eskom had to manage in a turbulent environment, with key issues being
financial sustainability and “keeping the lights burning”. Eskom reported R 9.7 billion loss for
the year ending March 2009, the first financial loss in the history of Eskom. The images of load
shedding still remain etched in people’s minds. Being a state-owned enterprise, it has the
additional challenges of balancing its ‘public’ and ‘profit’ interests.
Eskom is on the ‘path to recovery’, but there are still huge challenges ahead. The recent budget
review (February 2011) has indicated that more than R1 trillion would be spent on public sector
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 14
infrastructure as a whole over the next four years from 2010/11 to 2013/14 to grow the economy
more rapidly. But as National Treasury Director-General, Lesetja Kganyago, reported in the
budget review ‘to meet present and future demand, South Africa needs sufficient power to run
factories, mines, schools and households, well-maintained road and rail networks to transport
people and goods and ports and pipelines to facilitate trade’.
Based on the increased complexities and risks in the environment, a Strategic Review Project has
been initiated in Eskom to address the key strategic priorities including:
• Becoming a high performance organisation
• Leading and partnering to keep the lights on
• Reducing Eskom’s carbon footprint and pursuing low carbon growth opportunities
• Securing future resource requirements, mandate, and the required enabling environment
• Ensuring financial sustainability
• Setting up for success
Using the concept of recursion levels, where every system is made up of subsystems and is part
of a larger system, the following diagram depicts Eskom on three levels of recursion.
Figure 5: Eskom recursion levels
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 15
1.4.2 Assurance and Forensic – Eskom’s internal audit department
Assurance and Forensic (A&F) is the internal audit department of Eskom. The purpose of the
Assurance and Forensic department is to provide independent and objective assurance and
consulting services in order to evaluate and improve the effectiveness and efficiency of Eskom’s
operations in the areas of internal control, risk management and governance.
The internal auditing profession is regulated by the international body, the Institute of Internal
Auditors (IIA), which sets out the standards and practices for internal auditing.
The IIA has recognised the evolving role of internal auditors and revised the internal auditing
definition to include consulting, which goes beyond assurance work, so as to allow auditors not
to just ‘sit on the fence’ but to make meaningful change in an organisation.
1.4.3 IT Audit
IT Audit is a function within A&F which focuses on the evaluation and improvement of IT
controls, risk management and governance within the IT environment. In addition, it subscribes
to the practices of ISACA, the international body for IT assurance professionals.
A work system as defined by Hoebeke (2000) is a set of meaningful activities designed to pursue
a particular purpose. I have made use of Activity Theory to depict the Audit work system and to
identify tensions and contradictions within this work system. The components of the Audit work
system is captured in the diagram below.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 16
Figure 6: Audit Work System
The contradictions and conflicts that arise in this work system between the different components
are summarized in the table below.
Contradictions and conflicts
Conflicts with Rules, Community
and Object Objective of providing independent assurance could conflict with
the client especially when negative audit findings are identified as
client believes a negative perception of him. He may view the work of
Audit as being punitive and not necessarily adding to improvements or
strategic value.
Contradictions also arise as A&F reports administratively to divisional
executive, but reports functionally to the Eskom Audit Committee
(question of two bosses and perception of independence often arises). Conflicts with Subject, Tools and
Object Conflict with the Tools results as challenges with having the Audit
working paper and business monitoring tools to fully support its audit
methodology. Sufficient knowledge of tools also impacts
objective being reached. Conflicts with Subject, Rules and
Object
The IIA standards are sometimes misunderstood by auditors and
perceived as preventing flexibility. Also, auditors have not fully
embraced the consulting avenue.
The changing rules and legislation poses challenges in terms of auditors
constantly keeping abreast with changes in the environment. Table 1: Contradictions and Conflict in A&F Work System
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 17
1.4.4 Using the Viable Systems Model
I used Stafford Beer’s Viable Systems Model (VSM) to describe my current situation,
contextualize the concern of strategic value of IT Auditing and understand its relevance to the
situation of a state-owned enterprise having to survive and adapt in a changing environment. I
also made use of the Viable Systems Diagnosis (VSD) to X-ray the situation and ‘judge what is
going on the basis of what a healthy situation should look like’ (Jackson, 2003) in order to
diagnose my problem and concern.
The VSM essentially looks at an organisation interacting with its environment. The organisation
is seen as two parts: the Operation which does all the basic work (production, distribution,
earning the money) and the Metasystem which provide a service to the Operation by ensuring the
whole organisation works together in an integrated way.
The emphasis of the VSM is on the relations of the system as a whole, and not on the separate,
individual parts. A viable system has to ensure effective adaption, co-ordination and
implementation functions. It is also critical that information channels and control loops are
properly designed in the system. The Operation and Metasystem further sub-divide into five
interacting systems. The purpose of each of the system is captured below:
Figure 7: VSM –Systems
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 18
Beer (1992) essentially argues that for an organisation to be healthy and viable the five
subsystems have to be present and healthy.
The representation of Eskom as a VSM aids in understanding the mechanisms and functional
allocations. The following diagram depicts Eskom as a VSM.
Figure 8: Eskom as a VSM
Note that at the time of writing this dissertation, Eskom is undergoing a major strategic review.
The purpose of which is examine and redefine Eskom’s strategic objectives, which includes
revised functions and structuring of Eskom from its current form. The VSM above was based on
its current functions and role.
I performed a Viable System Diagnosis (VSD) to determine the high levels threats to the
viability of the organization, but to particularly focus on the concerns relating to the Auditing
System 3*.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 19
Some of the possible threats at Eskom level which have been brought into sharp focus over the
past two years aim to be addressed through the current Strategic review implementation which is
focused on:
• Increasing the current level of autonomy of the operating units (Generation, Transmission
and Distribution)
• Strengthening the current weak and fragmented Intelligence function (which had resulted in
the collapse of the policy function onto the Control function)
• Strengthening the policy function through establishment of dedicated strategic management
function and focus on clear direction setting for the organisation
• Refocusing the Coordination functions to ensure that they are more aligned to service
delivery to the operating units
1.4.5 Taking a closer look at the Audit function (S3*)
I now focus more closely on the Auditing S3* function. System 3* interacts closely with
Systems 1, 2 and 3 as shown more clearly in the diagram below.
Figure 9: VSM - Role of S3*
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 20
A&F fulfills the role of the audit group System 3*, which is a crucial element of System 3
activities. System 3* is seen as a servant of System 3. Taking into account the work system
described above, the purpose of System 3* is to do audits and surveys in order to provide an
information service to System 3. This is to enable System 3 to have a thorough model of all that
it needs to know about the goings-on within the entire complex of interacting Operational units.
System 3* is often referred to as looking for signs of stress. In the original physiological model
by Beer (1981) System 3* was based upon a nerve called the vagus which reports back to the
base brain on signs of stress in the muscles and organs.
The role of S3* is to empower System 3 in performing its Control function. System 3 requires
feedback from S3* to change its input and strengthen control and cohesion to have the desired
output. Without Feedback, the organisation cannot adapt.
1.4.6 The Relevance of Strategic Value of IT Auditing to Eskom
The IT environment itself, by its very nature of rapid changes in technology, is dynamic. Stafford
Beer (1981) argues that it is to the rate, rather than the changes themselves, that we have to
adapt. The rate of change of technology has been exponential. Beer points out that computer
system today are more than a hundred million times faster than they were in the 1940s.
In addition, the King Report (2009) also highlights that information systems were used as an
enabler to business, but now ‘IT has become pervasive because it is an integral part of the
business and is fundamental to support, sustain and grow the business’. IT has become more
pervasive in Eskom. With the convergence of IT and Operational Technology (OT), the real-time
engineering systems, which Eskom is heavily dependent on for its 24*7, 365 days a year service,
are no longer ring-fenced systems. They are running on similar architecture as the more
traditional IT systems and are now susceptible to the same IT risks. As one of my interviewees
aptly remarked, “IT is like electricity, it cuts across all spheres of life’’.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 21
Furthermore, looking at the current complexities in the Eskom environment and in particular
with relation to the IT environment, IT Audit can be criticized for providing fragmented or
‘scattered’ assurance that is unable to fulfill the information gaps required by System 3.
The complexity (or variety) that IT Audit has to deal with has increased. IT Audit is not
fulfilling the functions of a vagus. Questions were raised as to ‘where were the auditors?’ when
Eskom experienced load shedding countrywide. Furthermore, the perception exists that Audit
has become autonomous and dictates the audit plan which does not necessarily focus on fulfilling
the information gaps.
As a result of weak Control function (S3), there are increasing requests to A&F from
management relating to information that will enable/support strategic decision making. The weak
Intelligence function has also left a vacuum in terms of the trends internally as well as globally.
Management is looking to A&F to fill in some of these gaps. Furthermore, there is growing
expectation that Audit should signal signs of stress, referred to as emerging risks both from Audit
committee and Eskom.
By not providing the ‘right’ quality feedback in terms of strategic value to S3, the Auditing
System 3* impacts on the threats to viability of Eskom as S3 will be making decisions in
ignorance. Furthermore, the sustainability of A&F is threatened as there is a heightened risk of
being outsourced as external audit firms have strengthened their role of providing internal audit
services. In particular, an external audit firm is currently serving as an internal assurance
function at one of Eskom’s sister state-owned enterprises.
Having looked at the role of IT Audit within Eskom, I now will focus on understanding the
stakeholders in this situation.
1.4.7 Understanding the different Stakeholders
West Churchman as cited by Ryan (2009) captures that the systems approach begins when you
‘first see the world through the eyes of another stakeholder’. A perspective reflects a worldview
which is much broader than a theory. Any particular view is generally bound by a background
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 22
philosophy derived from the interaction of life experiences, value systems and worldviews
(Ryan, 2009). There are always several worldviews (or ‘weltanschauung’) as individuals
interpret the world differently. Based on our worldview, where we select only certain data and
ignore the rest, we are limited in our perspectives. In order to have a full appreciation of my
problem and improve my understanding of the situation, it was important for me to take into
consideration multiple perspectives from different stakeholders. In the figure below, it is only by
pulling the different perspectives together, are the blind men able to ‘see the whole elephant’.
Figure 10: Multiple Perspectives
Picking the Right Stakeholders
A number of stakeholders were identified and analysed and detailed in the Appendix. The
characteristics of the stakeholders were mapped onto Savage’s Topology as shown below.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 23
Figure 11: Stakeholder analysis
CATWOEs (Customers, Actor, Transformation, Owner, Environment) are used to frame a
perspective which express how various stakeholders perceive the imperative for strategic value
of IT Auditing. The Appendix provides CATWOEs and root definitions for the key stakeholders
and illustrates the different perspectives that exist.
1.4.8 Let’s take a ‘rich’ picture
I have used a rich picture to creatively capture the mess. A rich picture is an artifact that
represents the real world problem situation which assists in providing a way of arriving at an
understanding of the situation. Durant-Law (2005) points out that the main benefit is derived
from its generation rather than the end result diagram.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 24
Figure 12: Rich picture
Within the picture, there are multiple perspectives. This situation is viewed from an
organisational, technical and personal perspective.
From rich picture, several failures/issues were identified as summarised below:
• Institute of Internal Auditors (IIA) recognizing the evolving role of auditors
• Audit clients frustrated with the lack of business understanding of the auditor
• The IT auditor overwhelmed with the changes and complexities in the environment
• Concerns from Audit Committee regarding Audit’s ability to evolve to a strategic partner
• Growing competition from External Audit
• Audit management concerns around how to strengthen the long term position of IT Audit in
the wake of increasing threats around possible outsourcing of IT Audit
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 25
I am part of the senior management grappling with how to add strategic value to address
increased expectations of audit committee and audit clients.
1.5 The Research Problem
Strategy has as its main aim the continuation and growth of the organization. Based on the
current challenges and issues in Eskom and IT Audit as discussed above, my concern is the level
of strategic value of IT Auditing at Eskom.
I have illustrated the past, current and potential behaviour of this concern over time as in the
graph below.
Figure 13: Concern behaviour over time
Overall, the strategic value of IT Auditing at Eskom is declining. The evidence for this behaviour
is based on Customer satisfaction surveys received from audit clients and executive
management. Analysis of these surveys indicate concerns around IT Audit not being able to
adequately meet clients changing expectations. There has been ‘pockets’ of value that has been
added that could be seen as strategic value, especially when the IT Auditors evaluated certain
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 26
engineering systems, but this has been fragmented and has not been sustainable. Furthermore, the
recent consideration of outsourcing as one of the options for assurance services for Eskom,
although not exercised, raises serious concerns.
The graph also predicts the future reference scenario if nothing is done to address the concern
raised. If nothing is done, the strategic value of IT Auditing will continue to decline, given the
rapid rate of change of technology and the increased complexities, change and diversity in the
Eskom environment. This will impact directly on the viability of Eskom as IT has become
pervasive in the organization. Eskom, in its fragile state of recovery cannot afford further threats
to its viability. In terms of a departmental impact, it could result in IT Auditing and A&F being
outsourced. The implications of this on a personal level is that staff (including myself) become
demotivated and leave the organisation. If there is outsourcing, it generally results in
retrenchments. Hence, action needs to be taken to address this concern.
1.5.1 Force Field Analysis of factors impacting on Strategic value of IT Auditing
Force Field analysis considers what the drivers and restrainers are to the level of strategic value
of IT Auditing as shown below.
Figure 14: Force Field Analysis impacting on Strategic value of IT Auditing
This highlights the complex nature of the problem.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 27
1.5.2 Avoiding Errors in My Problem Formulation
Mitroff (1998) guards against making of an error of the 3rd
kind, an error of defining the
incorrect problem precisely. He warns against trying to make complex problems appear
simplistic in suggesting that there are simple or singular solutions. To avoid such errors, I have
paid attention to boundary judgments to analyse the boundaries that I have drawn around the
system of interest as shown in the table below.
Nature of error Application to this research
1. Picking the right
stakeholders
Stakeholder analysis was performed to
consider this.
2. Expanding options The concern is phrased to consider the
underlying dynamics of strategic value of IT
Auditing.
3. Phrasing the problem
correctly
The concern is phrased broadly to consider
human, technical and organizational variables.
4. Expand the problem
boundaries
Boundaries are expanded to focus around IT
Audit in Eskom.
5. Being prepared to
manage paradox
The relevance to Eskom, the broader system
in which the concern is situated, has been
considered.
Table 2: Avoiding error of the 3rd
kind
Raising the concern about the strategic value of IT Auditing poses a number of questions and in
the following section I focus on how to develop a powerful question to address this concern.
1.6 Research Question
‘Judge others by their questions rather than by their answers’. - Voltaire
The purpose of this section is to formulate a single clear Research Question whose answer will
address the concern raised within IT Auditing at Eskom.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 28
I followed the brainstorming process recommended by Booth et al (2005) in order to general
several potential questions so as to cover a high degree of comprehensiveness. The results are
listed below:
• What are the drivers of strategic value of IT Auditing in Eskom?
• How can IT Audit move away from compliance to value add auditing?
• Why has IT Audit not been able to deliver strategic value to Eskom?
• Why is IT Audit not serving as a strategic function in Eskom?
• How can IT Audit be improved to deliver strategic value?
• What are the factors that impact on strategic value of IT Auditing?
Considering the questions above, and attempting to arrive at a powerful question, the question
chosen to be most appropriate was:
Why has IT Audit not been able to deliver strategic value to Eskom?
In evaluating the powerfulness of the question, to ensure that the research question adequately
addresses the concern of strategic value of IT Auditing arising from my situation, I made use of
the framework by Vogt, Brown and Isaacs (2003) which addresses the three dimensions of
Construction, Scope and Assumptions of the question.
In terms of construction, the use of Why makes it a searching question that is more powerful than
a question with a Yes/No answer. Asking Why has the potential to create useful insights (Vogt et
al, 2003) and one that provokes thoughtful exploration and evokes creative thinking.
I have used boundary management in keeping my question within “realistic boundaries
and needs of the situation” (Vogt et al, 2003). Hence, I am focusing on IT Audit within Eskom, a
more manageable scope than say IT Auditing in South African internal auditing functions.
Finally, the question assumes that there is more than one potential solution and that IT Audit has
not been able to provide strategic value to Eskom.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 29
1.7 Research Framework
I have developed an integrated research framework using different system approaches in
combination to guide my research process to reach an answer to the research question raised.
This research was approached from a critical realist perspective. In order to identify the system
approaches and methodologies appropriate to my problem context, I made use of Jackson’s
(2003) framework for classifying systems methodologies, referred to as the System of Systems
Methodologies (SOSM). I therefore used the VSM, Activity Theory, Stakeholder analysis and
rich picture to understand the mess. In order to gather, interpret and analyse data to develop a
theory explaining the causal mechanisms impacting on the strategic value of IT Auditing at
Eskom, I have integrated the methodologies of Grounded Theory and Soft Systems Methodology
(SSM). The integrated research framework is discussed in Chapter 3.
1.8 The Answer: The Theory that emerged through the research
I applied the research framework to obtain my research results. In essence, having made sense of
the situation and understanding the relevance of the concern, and raising a powerful question, I
then made use of Grounded Theory to collect and interpret data to build a theory to explain the
casual mechanism driving the behaviour of strategic value of IT Auditing in Eskom.
Through rigorous application of the Grounded Theory process, the level of Mindfulness, the
effectiveness of Shared value proposition and the level of Strategic skills and competencies
emerged as the three core variables critical to driving the level of strategic value of IT Auditing
in Eskom. The findings relating to these variables are summarised below.
• Mindfulness
It emerged through the interviews that there is a need for auditors to move away from the
compliance mindset (“tick and bash” auditing) and instead to bringing in new fresh insight and
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 30
being able to rely on their sense of intuition more. It also surfaced that auditors need to be more
reflective and question assumptions as they audit.
• Shared Value Proposition
Many interviewees expressed the concern around the lack of a shared meaning and direction for
Audit. They felt that strategic planning is part of management’s tasks and do not feel a sense of
involvement in the process.
• Strategic skills and competencies
The majority of the interviews highlighted the concern around skills and competencies of IT
auditors that need to evolve beyond technical skills, and focus on the increasing importance of
behavioural competencies as well as the understanding of the business.
The main outcomes of my research process were found to be Effectiveness of
consulting/advisory, Level of Systems Auditing, and the Level of continuous learning and
adaptability.
Through the Grounded Theory process and comparison to the Business Idea archetype, I was
able to use these variables to develop a theory that explained the causal mechanisms driving the
behaviour of strategic value of IT Auditing.
My theory explains that the distinctive competencies of Mindfulness, Strategic skills and
competencies, and Shared value proposition, in their mutually reinforcing interaction, drives the
strategic value of IT Auditing and creates sustained competitive advantage for IT Audit. This
will enable it to adapt to the evolving needs of Eskom. The theory that emerged shows the causal
relationships between the variables in a causal loop diagram and resembles a ladybird. I have
used this as a metaphor to describe my ‘ladybird theory’, which has a head of mindfulness, wings
of competency and adaptability, and supported by a body of shared value proposition, all
interacting to drive the level of strategic value of IT Auditing in Eskom .
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 31
The results of my research are discussed further in Chapter 4.
1.9 The Rationale for the Answer
The theory that emerged as the answer to my research question is ‘grounded’ in the data gathered
and analysed. I build arguments, loop by loop to explain the causal relationships in the theory
that emerged to explain how the distinctive competencies of Mindfulness, Strategic skills and
competencies, and Shared value proposition, in their mutually reinforcing interaction, will drive
strategic value of IT Auditing and create sustained competitive advantage for IT Audit in Eskom.
This is discussed in Chapter 4.
1.10 Evaluation of the Answer
In Chapter 5, I reflect critically and evaluate my research in terms of Relevance, Utility, and
Validity of my research answer. Based on my arguments presented for the evaluation, I claim
that my research is relevant, has utility, is dependable, credible, confirmable and to a certain
extent transferrable. I also give due consideration to the ethical implications of my Research
Answer through the use of Velasquez’s (2006) ethical evaluation framework which focuses on
Utilitarianism, Rights, Justice and Caring. Furthermore, I reflect on the significance and
implications of this research, my learning, as well as provide insight as to how this research can
be developed further.
1.11 Conclusion
This chapter established relevance by demonstrating that the Concern of Strategic Value of IT
Auditing is relevant to Eskom. The increased challenges and complexity facing Eskom relating
to keeping the lights burning has resulted in increased risk for the organization. Hence, greater
assurance and consulting is required from IT Audit to mitigate against these risks. Therefore, by
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 32
IT Audit not providing strategic value to Eskom, it impacts on the threats to viability of Eskom if
strategic decisions are made in ignorance of IT governance, risk management and controls.
Furthermore, the sustainability of A&F is threatened due to the heightened risk of being
outsourced as external audit firms strengthen their role of providing internal audit services.
In Section 1, various system tools were used to capture the situation by understanding the mess
and bringing in multiple perspectives from different stakeholders relating to my concern, which
led to raising a powerful question to address the concern.
Thereafter, I provided an overview of the research framework and the theory that was developed
as an answer to the question of ‘Why has IT Audit not been able to deliver strategic value to
Eskom?’
Having provided an introduction and overview of my dissertation in Chapter 1, the next chapter
builds a body of knowledge based on relevant literature and locates my research results within
this body of knowledge.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 33
CHAPTER 2 - LITERATURE REVIEW
This chapter establishes a body of knowledge based on existing literature related to my research
topic. I focus on building a body of knowledge relevant to Strategic Management and IT
Auditing from an internal auditing perspective as well as locating the research results in this
body of knowledge.
In order to achieve this, I performed the Literature Review on three conceptual levels as follows:
• The parent theory – Strategic Management (as my research is located within the strategic
domain of management, with a particular focus of this within state-owned enterprises)
• The immediate area of concern – Strategic Value of IT Auditing
• The core categories from my research findings –Mindfulness, Strategic skills and
competencies, and Shared Value Proposition
This is indicated in the diagram below.
Figure 15: Three Level Literature Review
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 34
To conduct the literature review, I have tried to use a wide sample of existing literature and
mainly made use of electronic sources, predominantly on academic and business databases. I
have also consulted books and EMBA class notes and handouts. I was able to locate a wide
source of literature relating to Strategic Management and Internal Auditing, but particularly how
this relates to Strategic Value of IT Auditing was more limited.
2.1 Level I Literature Review
This section reviews relevant literature on strategic management as part of the parent theory.
This is explored to gain an understanding of the key models, theories, debates and trends relating
to strategic management.
2.1.1 Strategic Management
Numerous authors concur that the fundamental question in the strategy field remains: ‘How do
organisations achieve sustainable competitive advantage?’ The literature points out that the
environment has changed and traditional approaches to strategic management are not adequate.
The reliance on the traditional application of rational, analytical strategy tools and techniques has
demonstrated to be inadequate when organisations are confronted by an uncertain business
environment (O’Shannassy, 2007). This view is shared by Bitar (2004) who highlights that early
strategy theories, which assumed that value existed somewhere outside the firm and that
strategy’s role was to design a fit between the organization and the environment, are limited in
turbulent environments.
Lamberg and Parvinen (2003) share similar views and have introduced a new metaphor for
strategic management, namely, that of the strategy river. This metaphor aims to emphasize the
evolutionary, dynamic and systemic nature of strategic management. They highlight that
strategic decisions, like rivers, are constrained not only by the historical decisions made but also
by issues related to timing and co-evolutionary interplay with the environment. Furthermore,
they see that strategic decision-making takes place in systemic, network-like settings, which
resemble the molecular structure and behaviour of water. Similar to water, they perceive the
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 35
future strategic direction of a company to be determined by its current velocity, mass and
direction. The river metaphor highlights the complexities associated with strategic management.
Price (2009) echoes similar sentiments that traditional strategic planning fails when this is
confused with operational planning. He indicates that strategic planning needs to be done in
phases and “treated as an ongoing process rather than an event, you weave your strategy into the
organisation’s culture”.
As part of my research findings, I have found that we are as management within A&F are
grappling with strategic management and currently treating strategic planning as events,
traditionally done bi-annually in order to submit strategic plans. We talk about having to improve
our strategy management to become an embedded process, but we not sure how to do this.
2.1.2 Strategic Management in Public Sector/ State-owned enterprises
Literature reviewed clearly indicates that there are challenges of strategic management in the
public sector. The challenges are heightened as this sector needs to balance their public interest
and their money interest. Davis (2007) emphasizes that a strong public sector is fundamental to
the strength of any society and points out further that globalization and demography are two
primary threats facing governments. Moore (1997) warns that most government organisations
see themselves as monopolies and treat competition as being out of place. Hence, they place little
emphasis on corporate strategy as in private sector. Overall, the writers generally agree that a lot
more emphasis needs to be placed on strategic management in the public sector.
As Eskom is the only major electricity player in South African, I have reviewed literature on
strategic management/challenges in other electricity utilities globally. The existing literature
highlights that the Electricity industry globally is experiencing severe challenges. Fatih Birol
(2007) highlights that the growing risk of disruptions to energy supply, the threat of
environmental damage caused by energy production and use, and persistent energy poverty are
the three strategic challenges facing the global energy system in the coming decades. Eskom,
currently, is plagued by these challenges which pose a threat to its viability. The issue of energy
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 36
poverty is particularly relevant in South Africa as it prevents merely raising tariffs to reduce
resource constraints, as Eskom also needs to take into account socio-economic factors.
2.1.3 Current Theories/Models on Strategic Management
Some of the current leading perspectives on Strategic Management that were reviewed are
discussed below:
2.1.3.1 Resource Based View
Resource Based View (RBV) takes an internal focus and assumes that organisations are unique
bundles of resources; that resources are relatively immobile, and that resources need capability,
capacity, durability and specificity. In terms of RBV, individual firms may exhibit sustained
performance advantages due to their superiority of their resources. Only value-adding resources
can lead to competitive advantage. Resources are defined as tangible and intangible assets that
include assets, capabilities, processes, attributes, knowledge and know-how that is possessed by
the firm, and that can be used to formulate and implement competitive strategies (Rivard, 2006).
Resource-based view (RBV) differs from the Industrial Organization (I/O) Model which largely
focuses on industry structure or attractiveness of the external environment rather than internal
characteristics of the firm.
Sustained competitive advantage requires that resources must be difficult to imitate or substitute.
From the resource based view perspective, resources and capabilities that are valuable (V),
relatively rare (R), and difficult to successfully imitate/substitute (IN) are at the core of
sustained, excellent firm performance. However, the writers contend that VRIN resources are
tough to find.
The resource based view had been criticised for presenting a very static view of what is
essentially a dynamic process. Furthermore, the lack of empirical validation as one of its core
propositions is a critical issue facing the development of the RBV view. Many of the
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 37
contributions have been theoretical to date and empirical measures are essential in order to
measure the value of the RBV approach.
One of the assumptions of RBV is that resources are relatively immobile. I argue that this is a
challenge in the IT Auditing industry. IT Auditing skills are transportable across internal and
external auditing sectors, both locally and globally and hence IT audit resources are generally
highly mobile. Jeurgens (2006) also points out that IT Auditors tend to be more mobile than
traditional auditors as there is a lack of skilled IT auditors in the marketplace and that the
challenge for Chief Audit Executives today is to hire and retain competent IT audit professionals.
Furthermore, in terms of my research results, the emphasis on having staff with superior
knowledge was highlighted during the interviews as being critical to deliver auditing that adds
value. But I would argue that having an internal focus on the superiority of resources alone does
not lead to a sustained competitive advantage as IT by its very nature is dynamic. As IT auditors,
we need to be in a position to respond to an ever-changing environment, which requires more
than just an internal focus.
2.1.3.2 Dynamic capability theory
More recently, the dynamic capability perspective has extended the Resource Based View to the
realm of evolving capabilities. Teece (2007) defines Dynamic Capability as organisation’s ability
to “integrate, build, and reconfigure internal and external competencies to address rapidly
changing environments.” The dynamic capability theory seeks to explain how firm achieve and
sustain competitive advantage despite an ever-changing environment (Ryan, 2009). Dynamic
Capabilities are those competencies that allow the firm to respond to and exploit changing
market environment.
Teece (2007) mentions that a firm must “sense” and “shape” an organisations success by
constantly scanning, searching and exploring across technologies and markets. The processes
above if coordinated and managed optimally will result in competitive advantage as long as a
unique approach is used. A number of writers have highlighted the need to match the internal
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 38
organisations capabilities to meet and master the requirements of managing the continuously
adapting variables within the external world. However, the writers all recommend that it is
crucial to bear in mind the history within the firm and decision made to take the organisation to
its current position. This has also been highlighted through the strategy as a river metaphor
discussed above.
The literature review pointed out that learning and uniqueness are the basis for developing
dynamic capabilities. Bitar (2004) takes this further and argues that dynamic capabilities as
organisational social learning processes are a result of the firm’s unique history, and that the
uniqueness of Dynamic Capability emerges through a concept known as ‘causal ambiguity’. This
means that the links between specific resources and skills and the results attained are hard to
identify and are not understood.
2.1.3.3 Complementary Approaches
Bitar (2004) embraces previous research by Chandler and Porter (1992) whose theories focus on
internal capabilities and Andres (1971) whose SWOT model identified a focus on opportunities
and threats which gives an external view. By combining these approaches or frameworks,
Dynamic Capabilities leads to a tighter integration between these essential components of
strategy. The literature indicates that certain theories can be integrated and should not be
approached in isolation.
2.1.3.4 Strategy as practice
Strategy- as- practice is concerned with the doing of strategy; sees strategy as something that
people do. It brings in the human actors and their interactions to strategy research.
Strategy- as- practice has been proposed as furthering Resource Based View and Dynamic
Capability. Jarzabkowski and Spee (2009) suggest that ‘Strategy- as- practice furthers the study
of social complexity and casual ambiguity in Resource-based view, unpacks the dynamism in
dynamic capabilities theory and explains the theory that constitutes strategy process’.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 39
Chia and Holt (year unknown) state that no strategy ever follows as planned because of the
necessarily live and reactive nature of strategic engagements. They argue that strategy-making
should not be viewed as a detached transcendent activity that relies predominantly on maps and
strategic models to guide the process.
My research findings support the literature that traditional approaches to strategic management
are not adequate and further that complementary approaches to strategic management are
required. My ladybird metaphor (discussed in Chapter 4) that I propose as a symbolic
representation of the underlying dynamics that impact on strategic value of IT Auditing
illustrates how Resource Based View, Dynamic Capability and Strategy-as-Practice can
systemically integrate with each other.
2.2 Level II Literature Review
This section discusses literature review on Internal Auditing with a specific focus on IT Auditing
and the strategic value thereof. The purpose is to review literature relating more closely to the
research question: Why has IT Audit not been able to deliver strategic value of IT Auditing to
Eskom?
2.2.1 Internal Auditing
“The internal auditors also need to establish themselves as vital cogs in their organizations,
rather than as observers who watch from the periphery and wait for events to impact them”
(Sawyer and Vinten, 1996).
Various sources of literature reviewed indicate that the Internal auditing profession has
undergone dramatic changes that have expanded its scope in a way that position it to make
greater contributions to the organisation it serves. As a result, there are increasing expectations
from Internal Audit to operate as a strategic partner to the organisation. From the literature
reviewed, auditing of risk management and strategic planning is emphasised. The KPMG paper
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 40
(2000) that focuses on new strategies and best practices in Internal Audit recommends that
Internal Audit not just focus on compliance testing, but incorporate integrity testing that evaluate
decision making in terms of the long term interests of the organisation.
There is consensus between the KPMG paper (2000) and the PWC 2012 survey (2007) that
although there is compelling evidences that “traditional” assurance is no longer adequate, many
Internal Audit functions have not adjusted to reflect this change. It was found that despite the
threat of strategy risks, the typical audit department continues to spend the majority of its time on
traditional assurance activities covering financial and compliance risks.
Strategic risk has become an increasingly important consideration. Over the past 10 years,
strategic risk failures accounted for 68% of the root causes responsible for significant market
capitalisation declines, but in many cases Audit assurance has not adjusted to reflect this change.
The following graph from the ADR paper (2010) that focuses on next generation Auditing
reflects this.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 41
Figure 16: Traditional assurance (Source: ADR, 2010)
The PWC 2012 study (2007) concurs with this view that “Internal Audit is uniquely placed to
offer a wide and deep perspective from the organisation’s strategic view of risk and risk appetite
through to the way in which risk is being managed within the business. However, frequently
Internal Audit’s focus is on individual audits, rather than on the tremendous value it can bring by
looking across the organisation.”
The articles indicate that overall there is an opportunity for Internal Audit to take a whole
organisational view. Moreover, there is growing pressure from Audit committees and senior
management for internal audit to provide more clear-cut strategic value (PWC 2012 survey).
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 42
2.2.2 Increasing Importance and Challenges of IT Auditing
The literature reviewed indicate that IT Auditing is increasing in importance as organisations
become increasingly dependent on IT and that IT is changing the nature of the internal audit
function. Jeurgens (2006) points out that as organisations increase their reliance on IT: two key
issues emerge:
• Large % of key controls on which the organization relies, is likely to be technology driven
• Systems that have control deficiencies will have a larger impact on organisation’s operations
and competitive readiness, thereby increasing need for effective IT controls
Jeurgens (2006) puts forward that the Snowflake theory illustrates that each environment is
unique, and accordingly presents a unique set of risks. The difference in IT environments makes
it difficult to take a generic or checklist approach to IT Auditing. Furthermore, technology is
increasing rapidly; consequently IT risks are not static. These contribute to a more dynamic
environment.
As pointed out by a Chief Audit Executive in the PWC 2012 survey (2007) “ the lines separating
IT and non-IT audits will continue to blur over the next five years, given the need to leverage the
power of technology to enhance audit efficiency”.
The literature reviewed indicates strongly that IT Audit needs to move to beyond a technical
focus to add value to the organisation.
Views expressed in the literature review are congruent to my research findings in that the rate of
change of technology and the environment has added to our complexities, and although we know
that we have to change from our traditional audit focus and focus on strategic audits, we have
not. This is evident where in the past two years Eskom’s strategic risks relating to load shedding
and financial sustainability materialised, yet the IT Audit plan today is still predominantly
focused on traditional rather than strategic focus audits.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 43
I claim that A&F, like other internal audit functions indicated in the literature review, has not
reflected the change required mainly due to not having a systemic understanding of how to add
strategic value. Thus far, we have been provided with various recommendations to strategically
position internal auditing for the long term, but without an understanding how the underlying
mechanisms interact to provide strategic value, we have been unable to implement meaningful
change. My research findings build on the body of knowledge by illustrating the causal
relationships between the categories that impact on strategic value of IT Auditing.
2.3 Level III Literature Review
In this section, I review literature related to the core categories that emerged through the research
as critical to driving strategic value of IT Auditing. The relevance is to discuss key arguments
from previous research on how Mindfulness, Strategic Skills and Competencies and Shared
Value Proposition impact on strategic value of IT Auditing. In order to reduce bias and
prejudgments, the literature review on these categories was only done after they emerged as core
categories through the grounded theory process.
2.3.1 Mindfulness
As Langer (2000) points out, mindfulness is not an easy concept to define, but can be understood
as “the process of drawing novel distinctions, which keeps us situated in the present”.
Mindfulness can be seen as containing components of (a) openness to novelty, (b) alertness to
distinction, (c) sensitivity to different contexts, (d) implicit, if not explicit, awareness of multiple
perspectives and (e) orientation in the present. Mindlessness is the lack of these attributes.
Studies by Langer (2000) and others have shown that mindfulness results in increase in
competence, creativity, decreased burnout and stress, and increased productivity. Mindlessness
can show up as the direct cause of human error in complex situations.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 44
Langer (2000) further points out that through the simple process of ‘mindful learning - of seeing
the familiar in the novel and the novel in the familiar, we will be able to avert danger not yet
arisen and take advantage of new opportunities that may present themselves.”
Weick and Sutcliffe (2001) concur with this kind of self conscious auditing and have developed
a mindfulness audit that makes one more attentive to the moments when one or the organisation
is working on automatic pilot. They argue that mindful people are alert to unanticipated
possibilities, and view failures as symptoms that give clues about the health of the system as a
whole.
Perkins and Ritchhart (2000) take Langer’s ideas further and consider three high-leverage
practices of nurturing disposition of mindfulness that of “Looking closely, exploring possibilities
and perspectives, and introducing ambiguity”.
2.3.1.1 Mindfulness for Auditors
Dittenhofer et al (2010) concede that the behavioural dimensionals of internal auditing has
received little systemic exploration in the professional and academic literature for the past few
decades. This has been my experience when trying to search for similar literature. I have had to
rely mostly on Dittenhofer’s research.
Although the literature consulted, does not specifically refer to term mindfulness when
describing competences required in auditors, references are made to auditors having to develop a
“sixth sense” and becoming more alert and aware (Dittenhofer et al, 2010). The literature
reviewed recognises the need for auditors to possess high degrees of emotional and social
intelligence.
Furthermore, Dittenhofer et al (2000) argue that professional skepticism of internal auditors must
be continually developed and “listened to”. This relates to auditor’s sixth sense or gut instinct,
sometimes called the “smell test”. What happens at a subconscious level is the auditor’s
evaluation as to the credibility of what he or she is observing. He argues that the mental process
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 45
is not only cognitive but also an affective activity, a sensitivity or feeling that something is
amiss. He suggests that some would call it “intuitive process”. This can be linked to one of
Langer’s (2000) components of Mindfulness related to not taking things for granted and going
beyond assumptions.
The compliance mindset leads auditors to operate in auto-pilot mode. As Dittenhofer points out,
many auditors are exposed to the ‘strict inflexible dogma of existing auditing mantra’.
Karl Albrecht, as cited by Dittenhofer et al (2010), refers to a role as consisting of five categories
of competence, using the mnemonic S.P.A.C.E:
• Situational Awareness: “the ability to read situations and interpret the behaviour of people in
those situations”
• Presence: “a range of verbal and non-verbal patterns, one’s appearance, posture, subtle
movements”
• Authenticity: “various signals from our behavior that lead others to judge us as honest, open,
ethical , trustworthy, and well-intentioned – or inauthentic”
• Clarity: “ “our ability to explain ourselves, illuminate ideas, pass data clearly and accurately
• Empathy: “having a feeling for someone else….a shared feeling between two people
Dittenhofer et al contends that the above five dimension are directly applicable to the role that
internal auditors play.
Waddock (2005), as cited by Dittenhofer, takes a strong position that “if we want accountants
(auditors) who are capable of acting with integrity and understanding the broader system in
which they work, we must teach them to be mindful – aware of their belief systems, conscious of
consequences, and capable of thinking broadly about the impact of their actions and decisions”.
Considering the above in terms of what is expected of auditors behaviourally, I can see distinct
similarities between these and Langer’s meaning of Mindfulness. Components of Langer’s
mindfulness, although not explicitly referred to as Mindfulness, are embedded in the above
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 46
expectations of auditors. Therefore, the literature reviewed supports that auditors are required to
have a sense of Mindfulness to improve their value add.
2.3.2 Strategic Skills and Competencies
The literature reviewed emphasise that traditional auditing skills are not sufficient to keep up
with the changes in the environment and global economy. Even as an IT auditor, technical skills
alone would not suffice.
Dittenhofer et al (2010) states that Internal Auditing is very much a relationship and
communications business. They elaborate that there is a greater need for auditors to have soft
skills which include the ability to share information, make persuasive arguments, negotiate
agreements, while simultaneously understanding different roles and responsibilities, empathising
with others, acting with integrity, and relating well with others from all levels of the
organization.
The recent IIA Global Internal Audit Survey (2010) concurs with this. It indicates that
globalisation and the rapid pace of change have in many ways altered the critical skill framework
necessary for success of the internal audit function.
The survey results show that in the wake of the turbulent global economy, the following skills
emerged as the three top competencies:
• Communication skills (including oral, written, report writing, presentation)
• Problem identification and solution skills (including core, conceptual and analytical skills)
• Keeping up to date with industry and regulatory changes and professional standards.
Understanding the business ranked overall as the important technical skill. These results are
applicable for all auditors, including IT auditors.
The survey results ranked the importance of competencies in three categories: general
competencies, behavioural competencies and technical skills.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 47
The results for general competencies (skills that are essential to perform certain tasks) are shown
below: Communication skills ranked as the most important competency for audit staff.
Figure 17: General Competencies (Source: IIA, 2010)
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 48
The results for behavioural skills are shown below: Confidentiality ranked as top behavioural
skill for audit staff.
Figure 18: Behavioural Skills (Source:IIA, 2010)
The results for technical skills are shown below: Understanding the business ranked as top
behavioural skill for audit staff. Other literature also emphasise that internal auditors must
understand the business well enough to be able to look beyond ‘surface facts’ and identify
problems' root causes.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 49
Figure 19: Technical skills (Source: IIA, 2010)
These results are also echoed by Dittenhofer et al (2010) who highlight that while internal
auditors need to rely on their knowledge of audit technology, it is their behavioural competencies
that often determine the extent of successful outcomes of assurance and consulting activities.
The PWC 2012 survey (2007) also highlights similar findings. The survey participants recognize
that to operate effectively going forward, audit leaders must develop a mix of capabilities,
competencies, and experience levels. The Chief Audit Executives interviewed for this survey
also talked about a broader set of non-technical yet highly desirable characteristics for the
internal auditors of tomorrow. They cited the need for personable, well-rounded professionals
who could “think beyond the project” and who had the business knowledge and confidence to
engage in substantive conversations with senior and executive management and audit committee.
Baker (2010) agrees that auditors need to understand the business in order to be able to challenge
it. He raises that the difficult part is getting people to accept that they don’t know enough. He
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 50
suggests increasing business knowledge by bringing in specialists from the business, use of
“guest” auditors and rotating auditors into the business to build up experience.
In general, this concurs with my research findings that IT Auditors need to move beyond
technical skills and the heightened importance of behavioural skills. Moreover, additional insight
was provided from the literature into recent developments around established programmes for
rotational resourcing including guest auditors, as well as training of internal auditors in systems
thinking in an Internal Audit function in Colombia.
2.3.3 Shared Value Proposition
(Walz, 1997) emphasises that although Auditing has become a matter of survival especially in
these recessionary times, some internal auditors have little idea of how they add value. He argues
that without understandable constructs for explaining and demonstrating their value creation,
internal auditors risk being labeled by management as resource consumers, not value-adders.
Their survival depends on being value adders.
This view is shared by several writers who argue that if internal audit is to be a strategic
contributor to the organisation, its fundamental value proposition must shift. This involves
moving beyond the fundamentals of risk and controls to create a new internal audit value
proposition.
It is recognised that the creation of value propositions needs to involve employees. O’ Malley
(year unknown) states that “having a clearly articulated purpose that is understood and embraced
by all employees is the essential foundation upon which practical strategies, tactics, and action
steps can be built.”
He elaborates that the purpose of any business is to create value for customers, employees, and
investors, and that sustainable value cannot be created for one group unless it is created for all of
them.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 51
In addition, Thakor and Bass (2000) highlight that strategy cannot be executed unless it is
understood. They further highlight that value creation is a journey, therefore a process of
constant evolution.
This confirms my research findings on value proposition, as it is typical of the experience in
A&F, where interviewees expressed that they do not feel a sense of buy-in and involvement in
A&F strategic processes, and that it is perceived as being done in isolation by the managers. As a
result, it impacts on the extent to which strategy is embedded in the department.
2.4 Conclusion
In summary, the literature review highlighted the inadequacies of traditional strategic planning to
deal with the complexities and changes in today’s environment. Taking into account the
evolving role of Internal Auditing, Internal Audit will be measured by its ability to drive positive
change and improvement. The literature review bears testimony that given the changing nature of
the environment, IT Audit would need to act quickly to improve its strategic value if it is to be
relevant.
Further, the literature review broadly supports my emergent theory in that Mindfulness, Strategic
Skills and Competencies, and Shared Value proposition impact on strategic value. However, in
understanding the gaps in my existing theory, I do not suggest that these are the only three
factors that affect strategic value, but given the scope of the paper, my intention was to locate my
findings within the existing body of knowledge.
I am concerned that the existing literature focuses mainly on strategic value of internal auditing
and that there is limited literature directly focusing on the strategic value of IT auditing. The
dynamics of IT Auditing, as discussed above, introduces further complexities into internal
auditing. Moreover, various recommendations are provided to increase the value of internal
auditing and strategically position itself for the long term. However, it does not address how the
underlying dynamics of strategic value interact together to drive strategic improvement.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 52
Therefore, decisions and actions based on existing literature may not provide a holistic basis for
understanding and improving the strategic value of IT Auditing. But, I concede that the existing
literature provided further insight into actionable knowledge relating to the use of
multidisciplinary teams and training of auditors in systems thinking which can be used for action
taking on the emergent theory.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 53
CHAPTER 3 - RESEARCH FRAMEWORK
3.1 Introduction
The purpose of this chapter is to discuss the research framework that I used to guide my research
in order to reach an Answer to the Research Question: Why has IT Audit not able to deliver
strategic value to Eskom? Crabtree and Miller (1992) capture that doing research is in many
ways like taking a descriptive and explanatory snapshot of reality. They draw the analogy that
‘for each particular photograph, the investigator must decide what kind of camera, what scene on
which to focus, through which filter, and with what intent’. I have used this analogy to guide me
in developing my research framework. This chapter therefore discusses the nature and purpose of
management research, the philosophical foundations that I have adopted, and justifications for
the research methods and system methodologies that I have used to develop my integrated
research framework.
3.2 The Nature and Purpose of Management Research
Management practice is an interactive process of Sense making (what can I know), Decision
taking (what might I do), and Action taking (what may I hope) in order to drive critical reflection
and improvement. This is illustrated below as the Management Triad (Ryan, 2009).
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 54
Figure 20: Management Triad
Sense-making entails understanding of the problem context. Having this understanding, one can
then make an informed decision. Thereafter, action can then be taken, taking effect within the
context of the problem.
In the context of this dissertation, this involves making sense of the IT Auditing in Eskom, which
contributes to the development of a theory, which in turn provides the input for making decisions
to address the strategic value of IT Auditing and to take the relevant actions. Given the scope of
this dissertation, I have only focused on Sense-making and development of the theory which can
be used to guide decision making, and have also not incorporated Action Taking into this
dissertation.
3.3 Ontological Position – Theory of reality
Ontology is the philosophy of the worldview of reality (Durant-Law, 2005). For social sciences
and management research, in particular, there is a diversity of philosophical approaches or
ontological perspectives including that of positivism, hermeneutics, phenomenology and realism
(Chia, 2002). For the purposes of this study, I have adopted Critical Realism, which is part of the
Realism category, as my ontological perspective for the reasons discussed below.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 55
3.3.1 Critical Realism (A model of the world)
Empiricism broadly refers to philosophies that see science as explaining events that can be
empirically observed. It holds the view that which cannot be observed, directly or indirectly,
cannot exist. Critical Realism was introduced as a critique to this philosophy.
The main feature of a critical realist approach to science is a ‘fundamental concern for
explanation in terms of independent underlying causal or generative mechanism which in
principle may be unobservable’ (Mingers, year unknown).
According to the philosophy of Critical Realism, reality exists independently of us or of our
knowledge and our perceptions. Bhaskar (1989) explains social reality as stratified into three
domains. These are the empirical, the actual and the real domain:
• the empirical is made up of experiences and events through observations
• the actual includes events whether observed or not
• the real consists of the processes, structures, powers and causal mechanisms that generate
events.
This multi-layered ontological representation helps in representing the complexity of the real
world phenomena. I therefore adopted a critical realist perspective with the aim to build a theory
to explain observable phenomena in IT Auditing with reference to underlying structures and
mechanisms. Bhaskar (1989) acknowledges that “we will only be able to understand, and also
change, the social world if we identify the structures at work that generate those events and
discourses”.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 56
3.4 Epistemological Position
Epistemology refers to the theory of knowledge. In order to perform my research, I needed a
theory of knowledge in order to gather, and interpret data that would assist in developing an
answer to my research question. I first needed to establish whether the research method should
be qualitative or quantitative. I have then used Jacksons’ SOSM to guide in determining the
appropriate system methodologies and tools to gather knowledge on my situation and concern. I
have used Grounded Theory to gather data, interpret the data and build a ‘grounded’ theory of
what is driving the level of strategic value of IT Auditing in Eskom.
3.4.1 Qualitative and Quantitative Research Methods
Qualitative research is associated with research questions and phenomena of interest that require
exploration of detailed in depth data, aimed at description, comparison, or prescription
(Partington, 2002). Its focus is more theory oriented as compared to quantitative research which
focuses on surveys and questionnaires.
Easterby-Smith et al. (1991) as cited by Perry (2003) explains that exploratory research is
qualitative and asks `what are the variables involved?’; in contrast, explanatory research is
quantitative and asks ` what are the precise relationships between variables?'
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 57
The differences between qualitative and quantitative research as outlined by Mays & Pope
(1995) are shown in the table below.
Qualitative Quantiative
Social Theory: Action Structure
Methods: Observation, interview Experiment, survey
Question: What is X? (classification) How many Xs? (enumeration)
Reasoning: Inductive Deductive
Sampling Method: Theoretical Statistical
Strength: Validity Reliability
Table 3: Differences between Qualiative and Quantiative Research
They further point out that quantitative and qualitative research method can complement each
other and can be viewed as labels that describe two ends of a continuum.
However, considering the purpose of my research which was to explore why IT Audit is not able
to deliver strategic value by discovering relationships and causal mechanisms, qualitative
research was therefore deemed more suitable for my study than quantitative research.
Qualitative research is evaluated in terms of its validity. However, the problem inherent in
qualitative research is observer bias as the researcher is both the data collector and analyst. I
acknowledge my bias in this situation. I was cognisant of this and tried to reduce my bias
through:
• Searching for disconfirming evidence which involved both theoretical sampling and
prolonged engagement. This is explained further under Grounded Theory below.
• Triangulation – I have made use of a combination of different data sources and methods
during the research process.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 58
I further made use of Maxwell’s model for qualitative research design. It is an iterative model
based on ‘interconnection and interaction among the different design components’ (Maxwell
2005). It allows for flexibility and I found myself going back and forth between the components
and having to refine my question through the research process. My research design is shown in
the Appendix A.
3.4.2 Choice of Systems methodologies
Jackson (2003) proposes that to deal with the complexity, diversity and change today, managers
require Creative Holism. He argues that using different systems approaches in combination
ensures for managers the benefits of both creativity and holism.
In order to identify the system approaches and methodologies appropriate to my problem
context, I made use of Jackson’s framework for classifying systems methodologies, referred to as
the System of Systems Methodologies (SOSM). I first located my problem context within
Jackson’s ‘ideal-type’ grid by taking into account the systems I have to deal with and the
participants involved.
This is shown in the table below.
Figure 21: Ideal-type Grid
Source: Adapted from Jackson (2003)
In terms of systems, my research problem lies more in the complex side of the continuum as it
has many subsystems which evolve and adapt over time as they are affected by their own
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 59
purposeful parts, and turbulent environment in which they exist. This is in contrast to simple
systems which tend not to change over time.
Regarding my participants in my research, they have both elements of unitary and pluralist
relationships. Some groups of participants have similar values, beliefs and interests (unitary), and
others, although their basic interests are compatible, they do not share the same values and
beliefs (pluralist).
My problem context therefore straddles the Complex-unitary and Complex-pluralist domains, as
Jackson indicates that the grid does not suggest that real world problems can be defined as fitting
exactly into any of these boxes.
3.4.3 Jackson’s System of Systems Methodologies (SOSM)
In order to choose methodologies appropriate to my problem context, I used Jackson’s SOSM,
but first taking into consideration the different paradigms. Jackson defines a paradigm as a world
view or way of seeing things and he indicates that four common paradigms in use in social
theory are as follows:
• the functionalist paradigm – wants to ensure that everything in the system is functioning well
so as to promote efficiency, adaptation and survival
• the interpretative paradigm – believes that social systems result from the purposes people
have which stem from interpretations they make of the situations they find themselves in
• the emancipatory paradigm – is concerned to emancipate oppressed individuals and groups in
organisations and society
• the postmodern paradigm – opposes modernist rationality that it sees present in all other three
paradigms (focuses on diversity)
My problem context has elements of both functionalist and interpretative paradigms. It is focused
on improving adaptation and survival of IT Auditing, but through taking into account the people
and their different interpretations of the situation.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 60
Combining this into the ‘ideal type grid’ to take account of my problem context, I have selected
relevant system methodologies from those suggested by Jackson (2003) for the different
paradigms as shown below.
Figure 22: Systems approaches related to SOSM
Adapted from Jackson (2003)
I have used the Viable Systems Model (VSM) as part of organizational cybernetics in order to
gain an understanding of the relevance of my concern in the situation in order to improve
adaptability of IT Audit.
Checkland’s Soft System Methodology (SSM) is part of Soft Systems Thinking which takes into
the account the pluralist relationships among different participants. I have used SSM to gain a
richer understanding of the different viewpoints and interpretations of my participants. I provide
insight into the VSM next and discuss SSM further in this chapter.
3.3.4.4 Using the Viable Systems Model (VSM)
I have used the Stafford Beer’s Viable Systems Model (VSM) as part of understanding the mess.
In particular, I used the VSM to understand the role of IT Audit within a complex organisation
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 61
like Eskom as well to get an understanding of the threats impacting on the organisation’s
viability.
The three basic elements are the Operation, the Metasystem and the Environment. All three are
in continuous interaction as shown below:
Figure 23: VSM - O, E, M Interaction
Beer essentially argues that for an organization to be healthy and viable the five subsystems of
Operations, Coordination, Control, Intelligence and Policy activities have to be present and
healthy.
3.3.4.5 The Rationale for using Grounded Theory
Grounded Theory does not test a predefined hypothesis. Instead, it aims to understand the
research situation and to discover the theory implicit in the data (Locke, 2001). The researcher
starts with an area of concern or interest and allows the theory to emerge from the data. Given
this and that the purpose of my research was to explore the underlying dynamics impacting on
the strategic value of IT Auditing, I integrated Grounded Theory into my research framework.
I have made use of the Grounded Theory to collect my data, interpret the data and build a
‘grounded theory’ to explain the causal mechanisms impacting on strategic value of IT Audit at
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 62
Eskom. As Partington (2002) explains Grounded Theory is fundamentally about being
systematic with qualitative data.
Grounded theory is an inductive, theory discovery methodology that ‘allows the researcher to
develop a theoretical account of the general features of a topic while simultaneously grounding
the account in the empirical observations or evidence’ (Glaser and Strauss, 1967).
Grounded Theory was used to surface the key variables that drive the strategic value of IT
Auditing. To gain this understanding, it was necessary to obtain the various perspectives of all
the stakeholders. I used Grounded Theory to understand how the stakeholders interpret their
reality as Grounded Theory is effective in understanding how the stakeholders construct meaning
in their real experiences.
Partington (2002) describes the twin pillars of Grounded Theory as follows:
Constant Comparison
Each time a new instance of an existing category is found in the data, it is compared with
previous instances of the same category. If the new instance does not fit the definition, then
definition must be changed or a new category must be created.
Theoretical Sampling
Data collection process is not defined up front but is allowed to be driven by emerging ideas.
Theoretical sampling is different from statistical random sampling which is guided by rules of
statistical inference. Grounded Theorists are unrestricted by such rules. With theoretical
sampling, the data collection strategy is driven by emerging theoretical ideas. The role of
theoretical sampling is to enable the researcher to maintain control over the theory development
process by seeking to maximise or minimise selected differences and similarities between
instances of data. This increases the likelihood that new and unexpected data will be found
relating to a category.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 63
Grounded Theory makes use of the following five different rigorous methods for data analysis:
• Open coding for conceptual understanding
• Constant comparison of codes, concepts and categories as they emerge from the data
• Memos for clarity of thought
• Discovery of the Core Category which becomes the focus for selective coding
• Theoretical coding that investigates the links between categories.
Conducting open-ended interviews early in the research process allowed me to get ‘sensitised’ to
what was important to my interviewees. In Grounded Theory, it is not about what is important to
me, but to understand the situation from the interviewee’s point of view.
The treads I discovered in earlier interviews determined how I conducted later ones. Data
collection, analysis, coding were done simultaneously. In addition, memos were used to keep a
record of my thoughts and ideas as they occurred and maintain my ideas pertinent to the
emerging theory.
Theoretical Saturation
Theoretical saturation is achieved when no new categories or properties are found, and all further
instances of data merely add to the bulk of specific instances of already discovered categories
and properties. The time has come to allow the emerging theory to solidify.
Partington (2002) points out that there can be temptation to close the analysis too soon, before
the full theoretical richness of the data has been allowed to inform the theory. Grounded Theory
aims to relentlessly search for instances which do not fit emerging categories. Therefore I was
careful about saturation, and concluded my interviews once fully convinced that the data was
saturated.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 64
Selective Sampling of Literature
Stern (1980) as cited by Strubert et al (1999) suggests that reviewing literature before the
research study may lead to prejudgments. He suggests selective sampling of literature should
occur simultaneously with data analysis. I therefore performed selective sampling of literature
after my three core variables emerged in order to become familiar with existing literature on
these categories and identify gaps in my emerging theory.
Critique of Grounded Theory
‘There is an irony—perhaps a paradox—here: that a methodology that is based on
‘‘interpretation’’ should itself prove so hard to interpret’.
- Dey (1999) as cited by Larossa (2005)
As Suddaby (2006) points out Grounded Theory is neither perfect nor is it easy. It is inherently
messy and not an excuse not to follow any methodology and must be done with understanding of
an ontological position. I have therefore integrated Grounded Theory with Critical Realism and
other system methodologies to strengthen my research. I have also managed my bias through
careful consideration to theoretical sampling, constant comparison and the use of memos to
develop the emerging theory.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 65
3.4.4.6 Integration of Critical Realism with Grounded Theory
By integrating Critical Realism with the Grounded Theory, I was able to collect data that was
grounded in the Empirical and Actual world. Through rigorous analysis of this data, I developed
a theory that attempts to explain the causal mechanisms in the Real world. This process is shown
further in the diagram below.
Figure 24: Integration of Critical Realism with Grounded Theory
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 66
3.3.4.7 Integration of Grounded Theory with Soft Systems Methodology
Soft Systems Methodology (SSM) was developed by Checkland (1996) for use in ill-structured
or messy problems where there is no clear view on what constitutes a problem or what action
should be taken to overcome the difficulties experienced. SSM believes that problem situations
arise when people have contrasting views on the same situation. SSM attempts to draw in and
explore a diversity of viewpoints as part of the decision making and intervention process. The
social theory implicit in SSM is interpretive rather than functionalist. Given that the nature of my
problem context also encompasses an interpretative paradigm, I have integrated SSM to take into
account the different worldviews of my key stakeholders. This was done by taking into account
human activity systems.
Jackson( 2003) defines a human activity system as a ‘model of notational systems containing
activities people need to undertake for a particular purpose’. Human Activity systems by their
very nature are complex as they act based on the different interpretations of the world. Root
definitions were created for relevant human activity systems to capture the essence of the human
activity system. I have made use of CATWOE (Customers, Actors, Transformation process,
World view, Owners and Environmental constraints) to ensure well formulated root definitions.
These are detailed in Appendix A.
As part of SSM, I also made use of the rich picture to express the problem situation. The rich
picture provides a creative understanding of the problem situation and highlights significant and
contentious issues.
To provide richer insight into my problem and to develop a sound theory grounded in the data, I
have decided to integrate Grounded Theory and SSM. Durant-Law (2005) recommends
integrating these methodologies as SSM draws data from the perspective of participants, while
Grounded Theory develops theory from the researcher. He shows how these two methodologies
are aligned as captured in the table below.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 67
Steps Soft Systems Methodology Grounded Theory
1 The problem situation unstructured An unexplained phenomena or process
2 The problem situation expressed The phenomena or process identified
for study
3 Root definitions of relevant systems Data collection and coding
4 Conceptual model construction Theme extraction
5 Model and problem situation
comparison
Postulate generalisations
6 Feasible and desirable change
construction
Develop taxonomies
7 Actions to improve the situation Theory development
Table 4: SSM and Grounded Theory alignment
Source: Durant-Law (2005)
Therefore, by integrating these methodologies, I sought a more holistic answer to my research
question.
3.5 Data Collection
To ensure triangulation of data, I made use of a number and variety of participants. My main
source of data collection was through conversational interviews (which were recorded), but I also
used participant observations, document analysis and selective research of existing literature as
my part of my data collection.
3.6 Ethical considerations
Throughout the research process, I gave consideration to the ethical implications of my research.
I ensured that I had informed consent from my participants and handled any confidential data
sensitively.
In addition, I considered the ethical implications of my Research Answer using Velasquez’
model which deals with the following four questions:
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 68
1. Does the action, as far as possible, maximize social benefits and minimize social injuries?
2. Is the action consistent with the moral rights of those whom it will affect?
3. Will the action lead to a just distribution of benefits and burdens?
4. Does the action exhibit appropriate care for the well-being of those who are closely
related or dependent on oneself?
This is discussed in detail in Chapter 5.
3.7 Integrated Research Framework
Based on my ontological and epistemological positions justified above, my integrated research
framework developed to reach an answer to Why has IT Audit not been able to deliver strategic
value to Eskom is illustrated diagrammatically as shown below. This framework integrates
Critical Realism, Grounded Theory and Soft Systems Methodology in an attempt to provide a
more holistic explanation to answer my research question.
Figure 25: Integrated Research Framework
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 69
3.8 Conclusion
This chapter explored the research framework that I have develop in order to develop an answer
to my research question. The framework has incorporated a Critical Realism ontology and I used
an integration of system methodologies as part of my epistemology. This chapter provided a
justification for my research paradigms and my choice of system methodologies. The various
systems methods used to make sense of my situation were discussed. Furthermore, Critical
Realism was integrated with Grounded Theory and the integrated research framework was
presented. The next chapter, Chapter 4, discusses the research results and the theory that
emerged from the data, by application of this integrated research framework.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 70
CHAPTER 4 - RESEARCH RESULTS
4.1 Introduction
The purpose of this chapter is to present and discuss the research results emanating from the
application of the integrated research framework described in Chapter 3.
As discussed in Chapter 1, my Concern relates to the “level of strategic value that is provided by
IT Auditing” and my research question is “Why has IT Audit not been able to deliver strategic
value to Eskom? “
This chapter discusses the data gathering, analysis and interpretation of the data. It integrates
Critical Realism with Grounded Theory and Soft Systems Methodology to produce an Answer to
my research question.
4.2 Developing an Answer to my Research
4.2.1 Stakeholder Identification
I first identified the relevant stakeholder that impact on the level of strategic value of IT Auditing
in A&F. In order to sweep in multiple perspectives to get a better understanding of my “messy”
problem, I considered multiple stakeholders as there may be very different views from the
stakeholders regarding what is impacting on the strategic value of IT auditing. Stakeholder
analysis was done as discussed in Chapter 1. The list of interviewee participants is provided in
Appendix A.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 71
4.2.2 Conversational Interviews
My primary data collection was through conversational interviews. I conducted 19 interviews, of
which 15 were face-to face and 4 were conducted telephonically. Each interview lasted between
45 to 60 minutes. Grounded Theory methodology recommends the use of unstructured
interviews in order not to influence interviewees’ thought process to a specific direction and
introduce bias in their responses. The interviews that I held were generally unstructured, but
explored key themes. In line with Grounded Theory, I followed up with some interviewees again
for further clarification after analysis of the interview data. To encourage interviewees to discuss
issues openly and frankly, I assured them of confidentiality and anonymity.
Conducting open-ended interviews early in the research process allowed me to get ‘sensitised’ to
what was important to my interviewees. I was cognisant that in Grounded Theory, it was not
about what is important to me, but to understand the problem from the different stakeholder’s
points of view.
Taking into account, Critical Realism, the aim of each interview was to get the interviewees to
surface what is happening in the empirical and actual world, that is, to give an account of what
they saw and heard and not their subjective interpretation of what it may have meant.
4.2.3 Data Recording and Transcribing
Interviews were audio-taped. Recording the interviews allowed me to focus on listening and
understanding the views of the participants.
I did the transcription process myself. Although, I found this to be extremely tedious and time
consuming, I realised that this joint process of transcription, coding and analysis, afforded me the
opportunity to become sensitised to the full richness of the data. The slowness of the process
helped to contribute to theoretical depth. Initially, I started off transcribing almost every word.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 72
As I became more sensitised to the data and emerging theories, I was more selective as to what I
transcribed in full and what I paraphrased.
In addition to the voice recording, I took my own notes which guided me as memos as well. I
used these memos to freely record my thoughts and ideas as they occurred. I noted down my
ideas and reflections throughout the coding process in the memos as well.
4.3 Concept formation: Coding and Emergence of Categories
4.3.1 Level 1 coding (Substantive Coding)
As part of this process, I made some use of ‘invivo’ codes – where words of participants were
used to ‘stay close to the data’, which is an essential feature of grounded theory. I did the data
collection, coding and analysis jointly from the beginning.
I allocated properties and dimensions to categories to allow me to becoming sensitised to the
extreme characteristics in the data and to drive theoretical sampling. An example is shown
below.
Category Property Dimension
Systems Auditing Understanding of the
business
Limited Extensive
Table 5: Example of Property and Dimensions of category
4.3.1.1Theoretical Sampling
Theoretical sampling is different from statistical random sampling which is guided by rules of
statistical inference. With theoretical sampling, the data collection strategy is driven by emerging
theoretical ideas. It increases the likelihood that new and unexpected data will be found relating
to a category. In addition, early interviews led to identification of additional interviewees who I
had not initially considered.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 73
4.3.1.2 Emergence of Categories
The following categories emerged from my first round of Interviews:
Ref. Categories
1 Focus of IT Audit on Advisory/Consulting
2 Intelligence (Internal & External)
3 Quality of Skills
4 Organisational Structure and design
5 Understanding the business as a whole
6 Shared value proposition
Table 6: Categories – Data Collection Round 1
The emergent codes, categories and concepts from this round of interviews were used as a basis
for coding the next round of interviews.
4.3.2 Level II Coding
Level II coding makes use of the constant comparative method. As I coded the data, each time a
new instance of an existing category was found, I compared this with previous instances of the
same category. If the new instance did not fit the existing category, I either changed the category
to fit the new instance and all previous instances, or created a new category. Through the second
round of interviews, in some instances, the data revealed new codes that required to be assigned
to a different category.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 74
From the analysis of the data from the second round, there was a sense that new categories were
emerging. I therefore created additional categories as shown below:
Ref. Categories
7 Understanding of strategic value
8 Mindfulness
Table 7: Categories – Data Collection Round 2
Furthermore, the existing category Understanding of the business as a whole was broadened to
be that of Systems Auditing to be more inclusive of the additional codes that emerged during this
round of interviews. In addition, the category Quality of skills was modified to Strategic skills
and Competencies as this round of data emphasised the importance of behavioural competencies
as well. The other codes emerged to strengthen the existing categories. As the concepts were
still emerging from my interviews, I had not yet reached saturation. Hence, I scheduled further
interviews.
Elliot and Lazenbatt (2004) highlight that an important feature of grounded theory is that it does
not require that the researcher return to the original participants to check if participants agree
with the researcher’s interpretation of data. Instead, I made use of theoretical sampling and
constant comparison to move on to involve other people who have different experiences to see if
the findings hold if new data is collected.
4.3.3 Theoretical Saturation
Theoretical saturation is achieved when no new categories or properties are found, and all further
instances of data merely add to the bulk of specific instances of already discovered categories
and properties. There can be temptation to close the analysis too soon. Therefore I was careful
about saturation, and performed an additional three interviews to be fully convinced that the data
was saturated. This round of interviews did not lead to any new categories, although concepts
emerged to strengthen the existing categories.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 75
4.3.4 Concept Modification and Integration (Emergence of Core Variables)
After my final round of interviews, the following emerged as the saturated categories (detailed
concepts provided in the Appendix):
Ref. Categories
1 Level of Involvement in consulting/advisory
2 Level of Strategic skills and competencies
3 Level of Mindfulness
4 Level of Systems Auditing
5 Effectiveness of Shared Value Proposition
6 Level of internal and external Intelligence
7 Level of Continuous learning and adaptability
8 Effectiveness of Organisational structure and design
Table 8: Saturated Categories
Once I obtained the final saturated categories, it became necessary to reduce the number of
categories in order to determine the core categories or variables. In order to reduce to three
variables or key drivers, I made use of Inter-relationship diagraph (ID) for this. The key variables
that resulted through this process were the level of Mindfulness, level of Strategic Skills and
Competencies, effectiveness of Shared value proposition. The variables that emerged as the main
outcomes were found to be effectiveness of consulting/advisory, level of Systems Auditing and
level of continuous learning and adaptability.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 76
The ID is shown below.
Figure 26: Inter-relationship Diagram
The following data expands on my research findings relating to the above concepts/variables.
Strategic skills and competencies
The majority of the interviews highlighted the concern around skills and competencies of IT
auditors that need to evolve beyond technical skills, and focus on the increasing importance of
behavioural competencies as well as understanding of the business. The following extract of
quotes illustrates this sentiment:
“IT Auditors can’t get by anymore with having just technical expertise, we need a package of
skills”
“Specialist knowledge in IT is not enough, we need to be able to think and converse
strategically”
“We have to get away from IT jargon and speak the business language”
“We have to understand how the IT systems impact on the business objectives”
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 77
“We don’t have the mindset of how IT systems impact at the strategic level”
“Auditors need to be able to ask insightful questions”
Mindfulness
It emerged through the interviews that there is a need for auditors to move away from the
compliance mindset (“tick and bash” auditing) and instead to bringing in new fresh insight and
being able to rely on their sense of intuition more. It also surfaced that auditors need to be more
reflective and question assumptions as they audit. This is evident in the quotes below:
“It’s like we have blinkers on, rigidly following the audit programme”
“We are taught to look for evidence, therefore we hardly rely on our instinct”
“Auditors need to develop greater awareness in scanning the internal and external
environment”
“We have to be able to think out of the box”
“We don’t have time to sit back and diagnose. We chase one audit after the other”
Shared Value Proposition
Many interviewees expressed the concern around the lack of a shared meaning and direction for
Audit. They feel that strategic planning is part of management’s tasks and do not feel a sense of
involvement in the process, all shown below.
“There must visible and felt leadership in driving strategy”
“We don’t have a shared meaning of what adding value is”
“Strategy planning is done by the managers in isolation”
“We need to create awareness so that auditors understand what it means to give strategic value”
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 78
Systems Auditing
Systems auditing involves having a systemic view of an organisation. It was evident from the
interviews that there is a lack of understanding of the organisation as a whole. As a result
auditors are auditing the organisation in functional silos, without understanding the systemic
nature of the organisation. They are particularly not focused on the interdependencies and
implications of IT systems across the whole organisation as illustrated below.
“IT auditors need to understand the bigger picture”
“It’s like we are playing ping-pong, we audit one IT system here and another there”
“We don’t have an understanding of the value chains across Eskom”
“IT Auditors are digging in the trenches, but we need a helicopter view from them”
“IT is like electricity – cuts across all spheres of life”.
Continuous learning and Adaptability
Another key concept that emerged was the perception of a lack of a continuous learning culture
and Audit not easily adapting to change. This perception seems to be driven by there being so
much of change in Eskom and the environment, but Internal Audit has not changed much in
responding to these changes.
“There is no robust market intelligence that Audit provides”
“I pay for ADR (Audit Director Roundtable) and other subscriptions, but auditors are not
continuously updating themselves”
“We are reactive and not forward looking”
“We do not have a culture of continuously updating ourselves”
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 79
4.3.5 Selective Sampling of Literature
Stern (1980) as cited by Strubert et. al (1999) suggests that reviewing literature before the
research study may lead to prejudgments. He suggests selective sampling of literature should
occur simultaneously with data analysis. I performed selective sampling of literature around my
three core variables that emerged, that is, Degree of mindfulness, Effectiveness of Shared Value
Proposition, and Level of strategic skills & competencies. The purpose of this was to become
familiar with existing literature on these categories and to fill in the missing pieces in my
emerging theory. The results thereof have been captured in Chapter 2.
4.3.6 Triangulation of Data
To add more rigour to my data and test the validity of what has surfaced, I considered other
sources to ensure that I had a triangulated body of data.
I also made use of participant observation by attending the Strategic Risk Assessment workshop.
The top risks for A&F identified at the workshop were:
• Lack of strategic direction – There is no strategic roadmap. Strategic management is not
embedded in daily activities and treated as separate exercise.
• Skills and competencies – Recognition that a different skills set (beyond technical skills)
is required to meet the current challenges.
These two relate risks relate directly to my two core variables of Shared value proposition and
strategic skills and competencies. Mindfulness did not explicitly emerge as a key risk. However
references to mindfulness were made in terms of resilience and adaptability of the department.
Discussions focused around having to move away from a compliance mindset and evolving to
become a trusted advisor. This focused on how to make Internal Audit more proactive to be able
to adequately highlight emerging risks.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 80
I performed another participant observation by attending a Team Quality Circle meeting. The
findings were as shown below.
Core variable Finding
Mindfulness Auto-pilot mode – Compliance mindset when
performing the audit. Very little attention was paid
to seeing the audit from a different angle.
Shared Value Proposition Risk regarding lack of “compelling sense of the
future”. Auditors’ level of understanding of how to
add value to client is questionable.
Strategic skills and competences Problem with scoping and not understanding the
bigger picture of Eskom.
Conflict with client – having strategic foresight to
minimize these conflicts and the importance of
communication as a skill
Table 9: Results from Participant Observation
Further, to strengthen triangulation around Mindfulness, I surveyed a few auditors and managers
using the Mindfulness Audit developed by Weick and Sutcliffe’s (2001). The results showed that
Mindfulness needs to be improved at both a personal and organizational level in A&F. This
supported my findings related to Mindfulness.
4.4 Substantive Theory Generation (Emergence of Theory)
4.4.1Theoretical coding
Having established the saturated categories, I now focus on theoretical coding. Glaser (1978,
1992) advocates that theoretical coding examines the saturated categories and provides the
researcher with analytic criteria, which assists in the development of conceptual relationships
between categories and relevant literature.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 81
For the purposes of this research, I have found it more suitable to use an already established
archetype as my theoretical code, instead of the coding families. As I am focusing on strategic
management and specifically on creating a sustained competitive advantage for IT Auditing, I
researched relevant archetypes and models in this field. After considering numerous models, I
found that the Business Idea model was most suitable to my situation.
The Business Idea Archetype
The Business Idea model provides a method to consider the “future viability of a business
proposition in all basic aspects that together make for longer-term success'' (Van der
Heijden,1996). He describes the Business Idea as the organisation's mental model of the forces
behind its current and future success.
The Business Idea comprises the following four elements:
1. The societal/customer value created.
2. The nature of the Competitive Advantage exploited.
3. The Distinctive Competencies which, in their mutually reinforcing interaction, create
Competitive Advantage.
The three elements must be configured into the fourth element:
4. A positive feedback loop, in which resources generated drive growth.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 82
The Generic Business Idea is represented systemically as follows:
The Business Idea (BI – v/d Heijden)
Figure 27: The Generic Business Idea (Source: v/d Heijden, 1996)
By analysing my variables, I have made the following comparisons to the elements of the
Business Idea.
Elements of Business Idea Comparison to my Categories/variables
Customer Value Created Strategic Value of IT Auditing
Distinctive Competencies Level of Strategic Skills, level of mindfulness,
effectiveness of Shared Value Proposition
Nature of Competitive Advantage exploited Differentiation, through level of Adaptability and
level of Systems auditing
Dominant loop (that creates barrier to entry) Mindfulness � Shared Value proposition �
Adaptability � Systems auditing �
Mindfulness
Table 10: Business Idea Comparison
Using this archetype to inform the relationship between my variables, a Concern Causal loop
diagram was created to link the variables from my Grounded Theory. Jackson (2003) states that
Causal Loop Diagrams (CLDs) are system tools which can provide a holistic system description
of “what is going on” within a system of interest. The Concern Causal loop diagram shows the
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 83
casual mechanism driving the behaviour of strategic value of IT Auditing. The rationale is
explained loop by loop further in this chapter.
Level of strategic value
of IT Auditing
Level of strategic skills
and competencies
Effectiveness of Shared
value proposition
Level of Systems
Auditing
Level of adaptability
and continous learning
Level of
Mindfulness
SS
S
S
S
SS
R2
R1
SR3
S
R4
Figure 28: Causal mechanisms driving the behaviour of strategic value of IT Auditing
The following is a representation of how it aligns to the Business Idea archetype.
Figure 29: Comparison to Business Idea
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 84
The Competitive advantage exploited :
Mindfulness –> Leadership Value proposition –> Adaptability –> systems auditing – >
Mindfulness (Dominant loop)
This creates a differentiator and the relationships are explained below to show how this creates a
barrier to entry for newcomers. This loop is strengthened by the Distinctive Competencies.
My Concern Causal loop diagram has the following loops:
The mindfulness loop focuses on creating a more mindful culture in IT Auditing that allows
auditors to become more alert and develop a heightened sense of awareness when auditing.
The competence loop is concerned with developing the right mix of skills and competencies that
are required to take auditing to the next level (allows auditors to consistently deliver value add to
the client, enable decision making).
The Adaptability loop deals with creating an organization that is adaptable to change.
The Shared value loop focuses on leadership working collectively with employees to define and
understand the value proposition of IT Auditing.
4.4.2 Storylines of the Loops - The Rationale
To demonstrate the rationale, I discuss the Concern Causal loop diagram, loop by loop below.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 85
Reinforcing loop R1 – Competency loop
Level of strategic value
of IT Auditing
Level of strategic skills
and competencies
Level of Systems
Auditing
SS
S
R1
Figure 30: Competency Loop
The level of strategic skills and competencies impact on the level of systems auditing that is
done. The reason for this is that auditors possessing mainly IT technical skills may produce good
technical audits which are however not contextualized in terms of Eskom’s business. The
interviews revealed that the right mix of skills, which encompass behavioural competencies such
as the ability to ask insightful questions, will allow the IT auditor to surface real root causes of
problems and improves his ability to understand the business organisation as a whole. The
increase in the competence allows for a better understanding of the organisation and the
complexities in the environment. This understanding of the organisation as a system, with key
links and interdependencies therefore reinforces systems auditing, and moves away from
auditing in functional silos.
I further claim that the increase in the level of systems auditing increases the level of strategic
value of IT Auditing. My memos show that auditing Eskom at a systemic level will provide
auditing that is more aligned with Eskom’s strategic objectives and will also surface gaps in
information flows across the functional areas. Hence the strategic value of the IT audit is
increased as it now focuses on understanding how the IT processes and systems support the
strategic objectives.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 86
The level of strategic value in turn leads to the increase in strategic skills and competencies.
Based on our experience, as Eskom executive management recognises the value of IT Auditing
and its role in enabling sound decision making, it is more open to Audit’s resourcing needs. This
allows for greater investment in skills development, increasing the skills and competencies.
Furthermore, as the strategic value improves, there will greater support from business
management to second people to Audit to provide specialist expertise. In addition, as IT Audit
strategic value increases, it becomes easier to retain talent and recruit new talent. Auditors have
indicated in the interviews that they are more motivated to work for an organization that is seen
to add value.
Reinforcing loop R2 – Adaptability loop
Level of strategic value
of IT Auditing
Level of strategic skills
and competencies
Effectiveness of Shared
value proposition
Level of Systems
Auditing
Level of adaptability
and continous learning
Level of
Mindfulness
SS
S
S
S
SS
R2
R1
Figure 31: Adaptability Loop
The level of mindfulness impacts on the effectiveness of shared value proposition. A high degree
of mindfulness leads to an effective shared value proposition that is collectively created and
understood by leadership, audit clients and audit staff.
The reason for this claim is that an increase in the level of mindfulness creates a greater
awareness of the external environment and the need to add value and be sustainable as an
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 87
organisation. This will drive the development of a shared value proposition, ensuring common
understanding with customers, audit management, and all audit staff. As an interviewee pointed
out “a compelling sense of the future is created”. Furthermore, as revealed in my memos, if
auditors are more aware and alert, they become more adaptable and realise that strategic
management is dynamic and that value proposition is not a once-off event, but requires constant
monitoring and adapting thereof.
I further claim that effective shared value proposition leads to an increase in adaptability in the
organisation. From my memos, there was a sense that auditors resisted change to a degree as
they didn’t have a single clear view of what A&F’s intent is for the future. When there is a
shared assumption and understanding of value creation, employees have a greater sense of
purpose and are more open to change and adaptable.
An increase in continuous learning and adaptability leads to an increase in the extent of systems
auditing. The reason for this is as employees become more adaptable, they are more flexible in
their thinking and better able to understand the complexities in the organisation. Hence, they are
more open to holistic systems auditing as compared to traditional compliance auditing.
I finally claim that Systems auditing reinforces the degree of mindfulness. As auditors start to
understand the organization as a whole, they become insightful and look beyond the surface
problems. This leads to them being more aware of and open to potential “failures of the system”,
a key characteristic of mindfulness as indicated in the literature review.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 88
Reinforcing loop R3 – Mindfulness loop
Level of strategic value
of IT Auditing
Level of strategic skills
and competencies
Effectiveness of Shared
value proposition
Level of Systems
Auditing
Level of adaptability
and continous learning
Level of
Mindfulness
SS
S
S
S
SS
R2
R1
SR3
Figure 32: Mindfulness Loop
I claim that an increase in the level mindfulness results in an increase in strategic skills and
competencies. As an auditor remarked “if we are more aware of our environment, we will be
able to provide more value to the business by uncovering real root causes”. As auditors become
more mindful and sensing auditors, they develop a heightened awareness and understanding of
the complexities in the environment. This increases strategic skills and competencies, not only at
individual level but also at organizational level.
The relationship between the three variables Strategic skills and competencies, Systems auditing
and Mindfulness have already been discussed above as part of the Competency and Adaptability
loops.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 89
Reinforcing loop R4 - Shared Value loop
Level of strategic value
of IT Auditing
Level of strategic skills
and competencies
Effectiveness of Shared
value proposition
Level of Systems
Auditing
Level of adaptability
and continous learning
Level of
Mindfulness
SS
S
S
S
SS
R2
R1
SR3
S
R4
Figure 33: Shared Value Loop
My final claim is that an increase in the effectiveness of Shared Value Proposition leads to an
increase in the strategic value of IT Auditing. There was consensus amongst most of the
interviewees that the effectiveness of strategic outcomes is largely dependent on buy-in to the
compelling vision of the future created. This was supported by the literature review as well. The
shared understanding of value creation will focus IT Auditing on the role of IT in enabling
strategic objectives of Eskom, therefore increase strategic value.
By combining the above variables and the relationships between them, I am able to access the
Actual World and combine it with the Empirical World to develop a more trustworthy theory
that accounts for what is happening in the Real World and in turn driving the behaviour of the
low levels of strategic value.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 90
4.4.3 LadyBird Metaphor
Jackson (2003) highlights the importance of metaphors in enabling us to be more creative.
I have created my own metaphor for the Concern CLD above. It resembles that of a ladybird. My
ladybird has wings of competency and adaptability, built on a foundation on value proposition
which is spearheaded by mindfulness. Coincidentally, research has shown that ladybirds are used
as pest control insects as they highly adaptable and able to sustain themselves even though the
environment changes. Linking back to the business idea archetype, ensuring adaptability is
essential to survival. Therefore, IT Audit, similar to the ladybird, by having a head of
mindfulness and wings of competency and adaptability, and supported by a body of shared value
proposition, and having positive feedback (or reinforcing loops) will be able to survive and adapt
in a changing environment.
4.5 Conclusion
In this chapter, data was presented and analysed as per application of the research framework
developed in Chapter 3. The core categories or variables that emerged from the Grounded
Theory process were the level of Mindfulness, the effectiveness of Shared Value Proposition,
and the level of Strategic skills and competencies. The Grounded Theory process resulted in an
emergent theory which is context specific and grounded in the data. The rationale for the Answer
was discussed loop by loop.
One of the reasons that the legacy of Glaser and Strauss has become dimmed and diluted is that
their approach is difficult to grasp, particularly for novice qualitative researchers. (Partington)
I found that my experience with grounded theory was not an easy one. I have had to ‘wrestle’
with the data (Ryan, 2009). At the beginning of the process, I experienced feelings of lack of
control and required patience. But the process was rewarding at the end as the theory solidified.
My theory seemed powerful and realistic as it was grounded in the data.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 91
Chapter 5 will now provide a critical evaluation of the research results. The significance and
implications of this research, together with ethical considerations and future areas for
development will also be explored.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 92
CHAPTER 5 - CONCLUSION AND EVALUATION
Having analysed the data and developed a theory that explains the causal mechanisms driving the
behaviour of the strategic value of IT Auditing, this chapter now discusses the Significance and
Implications of my Research and critically evaluates the research in terms of Relevance, Utility,
Validity and Ethical considerations. It concludes with a discussion of my personal learnings and
areas for future research.
5.1 Significance of the Research Results
This research has significance and makes a contribution to the broader research context and the
parent discipline covered in Chapter 2 in three areas as discussed below.
• Adding results derived from system thinking to the existing literature
The literature review indicated that although internal audit functions are aware that they need to
change to meet the evolving role of internal auditors, they have not reflected this change. The
literature has shown that over sixty percent of internal audit work is still focused on traditional
assurance. Based on my experience, I claim that A&F, like other internal audit functions
indicated in the literature review, has not reflected the change required mainly due to not having
a systemic understanding of how to add strategic value. Thus far, as the literature review has
shown, we have been provided with various recommendations to strategically position internal
auditing for the long term, but without understanding causal mechanisms driving the behaviour
of strategic value of IT Auditing. My research builds on the body of knowledge by using a
systems thinking perspective that results in understanding these causal mechanisms. By now
having this insight, it can lead to more effective decisions and actions taken to improve the
strategic value of IT Auditing. To re-iterate the words of Bhaskar ”we will only be able to
understand, and also change, the social world if we identify the structures at work that generate
those events and discourses”.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 93
• Adds to literature on Strategic Management in State-owned Electricity Utilities
I was unable to find literature relating to Strategic value of IT Auditing in an electricity utility,
let alone that of a state-owned electricity utility. This research is therefore significant for
electricity utilities that are facing global strategic challenges and rely on technology to meet their
strategic objectives. This is even more significant for state-owned electricity utilities that have
the additional challenge of balancing the public interest with the ‘money’ interest. State-owned
electricity utilities operating in developing countries, similar to South Africa, have to ensure that
socio-economic objectives are taken into consideration rather than just plain pursuit of profits.
• Integrates Strategic Management Theories
Existing literature indicate that the traditional approaches to strategic management are not
adequate. In addition, it highlights that some of the leading perspectives and models of strategic
management should not be treated in isolation as they can actually complement each other. My
research findings adds insight into this by not only showing how three leading perspectives on
Strategic Management (viz. Resource Based View, Dynamic Capability and Strategy-as-
Practice) complement each, but also how they can systemically integrate with each other to drive
strategic value of IT Auditing. As discussed in Chapter 4, as part of my ladybird metaphor, the
competency wing supports the theory of Resource Based View, while the Adaptability wing is
linked to dynamic Capabilities. This is integrated with the Shared Value loop which can be
likened to Strategy-as-practice as it focuses on embedding strategy in the organization.
I see this as an example of Jackson’s Creative Holism in action that using methods in isolation is
not sufficient to deal with complex problems, but a combination of methods or system
approaches is required.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 94
5.2 Implications and consequences
Having looked at the significance of the results to the broader research context, I now consider
the implications and consequences of the research results for IT Audit (and A&F) in Eskom.
This considers the Utility to establish how adequately the research Answer answers the question
raised and addresses the concern of strategic value of IT Auditing.
Establishing Utility
The first step in establishing Utility deals with the Question that is to be asked. In framing my
research, as demonstrated in Chapter 1, I ensured that I ask a powerful question so that it deals
with my Concern.
I have discussed in Chapter 4, the rationale loop by loop of how the research findings will
address the Concern regarding the level of strategic value of IT Auditing. To summarise, my
theory developed explains that the distinctive competencies of Mindfulness, Strategic skills and
competencies, and Shared value proposition, in their mutually reinforcing interaction, drives the
strategic value of IT Auditing.
The mutually reinforcing interaction enhances competencies, creates adaptability and creates
focus on the people aspects of strategy and the embedding thereof. It therefore increases IT
Audit’s ability to sense changes in the environment and transform these into new products,
services and processes to build added value for the future. This will lead to understanding the
trends in external environment will provide insight into emerging risks and indicate where the
organization is likely to experience stress. This positions IT Audit to fulfill the role of a true
System 3* function. This improves its strategic value and places it in a position to advise Eskom
on its strategic objectives by feeding the Control function with the required information it needs
to improve Control and Cohesion.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 95
In considering the Business Idea, the key question is “What is unique about this formula, and
why are others unable to emulate it?” (van der Heijden, 1996). The answer shows how the
distinctive competencies of Mindfulness, Strategic skills and competencies, and Shared value
proposition, in their mutually reinforcing interaction, drives the strategic value of IT Auditing. It
is through the mutually reinforcing interaction that creates the uniqueness and creates sustained
competitive advantage for IT Audit.
I therefore conclude that in ensuring I asked a powerful question to deal with my concern, and
developing my Answer as the theory that emerged through rigorous application of the Grounded
Theory methodology, it is plausible that the Answer addresses the Question to deal with the
Concern. Furthermore, research findings on my core variables were supported by the literature
review.
I must clarify that my intent is not to present the Answer as a panacea, but taking into
consideration the above, I provide sufficient evidence that the Answer is plausible. However, the
Answer requires a mindset change. Firstly, mindfulness in auditing is a new concept.
Traditionally auditors have been schooled in a compliance mindset, and were not encouraged to
think out of the box, but to rigidly follow established audit programmes. There is also the risk
that mindfulness could be confused with some sort of meditation and religious connotation
which could increase resistance to embracing mindfulness.
Furthermore, my theory shows that developing strategic value is not a quick fix, and requires
constantly working at it and embedding it into day to day activities. Those managers in audit
looking for quick fixes will be discouraged with this Answer.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 96
5.3 Evaluation
In the following section, I evaluate my research in terms of Relevance and Validity of my
research findings. The Utility has been discussed under Implications above.
5.3.1 Relevance
The purpose of Relevance is to establish if the concern of strategic value of IT Auditing is
relevant to the research context, that of Eskom.
With respect to the evolving role of Internal Auditing, including that of IT Auditing, my research
has relevance as auditing functions are pressurised to deliver strategic value amidst increase
change and complexities facing their organisations. The changes in technology and the demand
for assurance in specific areas, like IT governance, add to complexities and uncertainties that an
IT auditor has to deal with.
This is especially true in the case of IT Audit at Eskom. IT Audit’s future viability is dependent
on the strategic value that it offers. Eskom is dependent on Information technology to run its
business. Eskom has a huge responsibility towards providing electricity for the country. With the
numerous challenges being experienced in Eskom, it requires IT assurance and consulting that
offers strategic value, signal signs of stress for the organisation and provide information that is
lacking. If IT Audit is unable to fulfill its role, it poses threats to the viability of Eskom as a
whole.
Furthermore, with Eskom streamlining its processes and focusing on effectiveness and efficiency
thereof on its path to regaining its image to that of a reputable global company, the pressure for
IT Auditing to demonstrate its value add, is heightened. This also increases the threat of IT
Auditing being outsourced if is not be able to improve its strategic value.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 97
In Chapter 1, I have made use of system tools which collectively highlight the relevance of the
Concern to the Situation. The application of Beer’s VSM revealed weaknesses in IT Audit in its
role as S3* in serving Eskom. The stakeholder analyses and root definitions highlighted the
different perspectives on the situation. The rich picture enhanced my understanding of the
concern within the situation.
I therefore conclude that relevance of the concern of strategic value of IT Auditing to Eskom has
been established.
5.3.2 Validity
To ensure Validity and provide a rationale for my research findings, I paid particular attention to
the Dependability and Credibility of the answer, as well as its Confirmability and Transferability.
5.3.2.1 Dependability and Credibility
I have followed a rigorous process for this research study. In Chapter 3, I have provided
motivation for the approaches, tools and methods that I had selected to use. The evidence of the
application thereof are detailed in the others chapters as well as the Appendix.
In ensuring that my research findings are valid, I focused on the following:
• Use of unstructured conversational interviews with key stakeholders
• Interviewing different stakeholders to sweep in multiple perspectives
• Consideration to boundary judgements
• Use of theoretical sampling to guide solidifying of theory
• Saturation process to strengthen validity
• Triangulation of interviews with participant observation, document review and mindfulness
survey
• Sourcing of literature from credible and reputable sources
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 98
Furthermore, I made a careful selection of system methodologies based on Critical Holism
(Jackson, 2003). I have made use of system tools appropriate for the functional and interpretative
paradigms relevant to my problem context. The justifications for these paradigms and selection
of system methodologies have been provided in Chapter 3.
In addition, my 16 years of experience spanning both IT and Auditing professions lends
credibility to the research. The past two years on the EMBA programme has enhanced my
understanding of and application of systems thinking.
5.3.2.2 Confirmability
I claim that my research has confirmability as I have reasonably provided sufficient information
for a third party to follow and confirm the process that I have followed. Evidence and audit trails
of work done are contained in the Appendices. The rationale for the findings is discussed loop by
loop in Chapter 4. Finally, memos and transcriptions of the interviews conducted are available on
request.
5.3.2.3 Transferrability
The learning from this research is transferrable to other aspects of my management practice. The
use of the SCQARE framework and the Management Practice Triad has provided me with
insight into using systems thinking to tackle other messy and ill constructed problems.
However, I cannot claim with certainty that the researching findings are transferrable to other
internal auditing functions as this was a qualitative research and was limited to the internal IT
audit function in Eskom. Although it is evident in the literature review that the Internal Auditing
profession as a whole, shares similar concerns, the research findings cannot be just generalized
to internal auditing functions in other organisations.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 99
5.4 Ethical Considerations
In formulating my Answer CLD strategy, I took into account the ethical implications of my
answer. Using the Velasquez (2006) approach, I considered the following questions:
• Does the action, as far as possible, maximize social benefits and minimize social
injuries?
In terms of utilitarian theory, this means that we need to consider all the costs and benefits that
will follow from an action and weigh these up against one another. With regard to implementing
my answer to improve the level of strategic value of IT Auditing, I believe that the action would
“generate the greatest good for the greatest number” (Velasquez,2006).
Exploiting distinctive competencies of mindfulness, strategic skills and competencies, and shared
value proposition will increase the extent of systems auditing as auditors will now have a holistic
understanding of the business. This will lead to understanding of the complexities in the business
and external environment and will positively impact on the strategic value of IT Auditing.
Hence, having the key information required to enable strategic decision making will direct
improve the viability of Eskom.
In addition, this will help to restore the credibility of A&F and prevent outsourcing and avoid
possible retrenchments. This impacts directly on employees and their families. In addition,
enhanced competencies lead to more confident and motivated employees, possibly having a
positive influence on their remuneration.
Furthermore, taking into account Eskom as a key stakeholder, the greater good that will result to
Eskom, will be improving its viability. This will enhance effectiveness and efficiency of
operations, ultimately benefiting the community and the country as a whole. The larger society
benefits from Eskom’s risks being well mitigated.
Based on the above, I believe that overall implementation of the answer would maximize social
benefits while minimizing social injuries. In fact by not doing anything to improve the level of
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 100
strategic value of IT auditing, greater social injuries would result to employees, customers, and
ultimately the community at large.
• Is the action consistent with the moral rights of those whom it will affect?
In terms of the argument of John Locke (1632-1704) as cited by Velasquez (2006), individuals
have moral rights irrespective of the needs of society as whole. In considering my Answer, I took
into account whether any of the decisions went against employees’ moral rights. None of my
actions violate employees’ moral rights. In fact, it helps to protect their right to employment as
their mindfulness and their skills and competencies increase, making them more valued
employees.
In terms of the rights of the consumers, one can argue whether consumers have a right to
electricity as a “societal need” in terms of the government’s development targets or should it be
provided to only those privileged enough to afford electricity. Eskom is facing challenges with
keeping the lights burning. Implementation of the Answer improves the strategic value of IT
Auditing which will assist in increasing the viability of Eskom as threats and risks will be
identified earlier, thereby helping to protect the right to electricity.
However, if the concept of mindfulness is perceived to be that of meditation and having religious
connotations, it could be seen as infringing on people’s right to freedom of religion. This needs
to be carefully managed as this not the intent behind encouraging mindfulness in auditing.
• Will the action lead to a just distribution of benefits and burdens?
The distribution of benefits would be just as all stakeholders will benefit from improved strategic
value of IT auditing. There is no intention of placing burdens on any stakeholder. However,
management could be seen as being more burdened in implementation of the Answer as the
Answer provided does not propose a quick fix solution and will initially require effort and
mindset change. But, this is compensated for in the long run as implementation of the Answer
improves sustainability of IT Audit.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 101
• Does the action exhibit appropriate care for the well-being of those who are closely
related to or dependent on oneself?
My Answer takes into account the well-being of all key stakeholders. The shared value
proposition promotes greater care by encouraging closer engagement with staff who are currently
left out of the strategic management process. The Answer also promotes greater care towards
audit clients as mindfulness, in particular, will encourage auditing in a cordial environment,
away from that of a ‘policeman’ mentality.
5.5 Areas for future research
Based on the evolving role of internal auditing, it would also be useful to extend the research
wider to IT Audit functions in other organisations, and perhaps to even research IT Audit
functions in external audit assurance providers to test how generalizable these research findings
are to other organisations.
In addition, further research could be done on developing actionable interventions to improve the
strategic value of IT auditing. Furthermore, this research was approached from a qualitative
perspective and certain aspects of the research could be extended by performing a quantitative
research to validate the research findings.
‘I like to think of the end result of a qualitative study not as an end but as a beginning. I
anticipate quantiative follow-up for many of the discoveries of qualitative research.’ (Zyanski as
cited by Crabtree & Miller, 1992)
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 102
5.6 Personal Reflection and Learning
I found that I have derived immense value from this research, and gained new insight into
theories and practices. I have been able to make better sense of my Auditing world and learnt to
see this world through the eyes of others. The ladybird theory that emerged enriches my
understanding of how to improve the strategic value of IT Auditing in Eskom. In general, the
system thinking perspective has provided me with a more holistic approach to tacking similar ill-
structured problems in future.
5.7 Conclusion
This chapter discussed the significance of this research to the broader research context.
Furthermore, based on the arguments presented, I demonstrated that my research has more than a
reasonable level of relevance, utility and validity. The careful consideration of ethics also shows
that the Answer does not violate any ethical principles. In addition, this research has provided a
basis for future research.
Finally, I too like to think of the end of the EMBA journey not as an end, but as a beginning; a
beginning of endless possibilities when seeing through systems thinking eyes…
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 103
BIBLIOGRAPHY
ADR. (2010). Next Generation Auditing: Building the Audit plan from Strategic Objectives from
Audit Director Roundtable. Retrieved December 2010, from Audit Director Roundtable:
www.adr.executiveboard.com
Bailey, J. A. (2010). Global Internal Audit Survey: Core Competences for Today’s Internal
Auditor – Report II. Florida: IIA.
Beer, S. (1981). Brain of the Firm. Chichester: John Wiley & Sons.
Birol, F. (2007). Energy Economics: A place for energy poverty in the agenda? The Energy
Journal, 1-6.
Bitar, J. (2004). A contingency View of Dynamic Capabilities. HEC Montreal.
Crabtree, L., & Miller, W. (1992). Doing Qualitative Research - Research Methods for Primary
Care. London: Sage Publications.
Davis, I. (2007). Government as a business. McKinsey Quarterly.
Dittenhofer, M. A., Evans, R. L., Ramamoorti, S., & Ziegenfuss, D. E. (2010). Behavioral
Dimesions of Internal Auditing: A practical guide to professional relationships in
internal auditing. IIA.
Durant-Law, G. (2005). The Philosophical Trinity: Soft Systems Methodology & Grounded
Theory. University of Canberra, 2-30.
Heijden, K. v. (1996). Scenarios - The Art of strategic Conversation. Wiley.
Hoebeke, L. (2000). Making Work Systems Better - Internet Edition.
Jackson, M. C. (2003). Systems Thinking - Creative Holism for Managers. Chichester: John
Wiley & Sons.
Jarzabhowski, P. (2002). Centralised or decentralised? Strategic Implications of resource
Allocation Models. Higher Education Quarterly, 5-32.
Jeurgens, M. (2006). Global Technology Audit Guide: Management of IT Auditing. Florida: The
Institute of Internal Auditors.
K Weick, K. S. (2001). Managing the Unexpected.
King Report on Governance for South Africa. (2009). Institute of Directors (Southern Africa).
KPMG. (2000). New Strategies and best practices in Internal audit: An emerging model for
building organizational value focusing on risk. KPMG Assurance and Advisory Services
Center.
Lamberg, J., & Parvinen, P. (2003). The River Metaphor for Strategic Management. Eurpoen
Managent Journal, 549-557.
Langer, E. J. (2000a). Mindful Learning. Current Dimensions in Psychology, 220-223.
Langer, E. J. (2000b). The Construct of Mindfulness. Journal of Social Isssues.
Lee, I. (2009, July 29). Internal Audit - increasing its value in recessionary times., (p. 8).
Wellington New Zealand.
Mays, N., & Pope, C. (1995). Reaching the parts other methods cannot reach: an introduction to
qualiatative methods in health and health services research. BMJ, 311(1), 42-45.
Moore, M. H. (1997). Creating Publc Value - Strategic Management in Government.
Cambridge: Harvard University Press.
P Jarzabkowski, A. P. (2009). Strategy-as-practice: A review and future directions for the field.
International Journal of Management Reviews, 11(1), 69-95.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 104
Partington, D. (2002). Essential Skills for Management Research. London: Sage Publications.
Perkin, D. N., & Ritchhart, R. (2000). Life in the Mindful Classroom: Nurturing the Disposition
of Mindfulnes. Journal of Social Issues, 56(1), 27-47.
Perry, C. (2002). A Structured approach to presenting theses: Notes for students and their
supervisors. Australian Marketing Journal, 6(1), 63-86.
PWC. (2007). Internal Audit 2012: A study examining the future of internal auditing and the
potential decline of controlc centric approach.
R Chia, R. H. (n.d.). Strategy as Wayfinding. Scotland: University of Aberdeen Business School
and University of Liverpool Management School.
Rivard, S., Raymond, L., & Verreault, D. (2006). Resource-based view and competitive strategy:
An integrated model of the contribution of It to firm performance. Journal of Strategic
Information Systems, 29-50.
Ryan, T. (2009). Multiple Perspectives - EMBA Class Slides.
Ryan, T. (2009). SCQARE: A Framework for Systemic Sense Making - EMBA Class Notes.
University of Cape Town.
Ryan, T. (2009a). EMBA Module 1 Course Readings. University of Cape Town: SYSTAL.
Ryan, T. (2009b). EMBA Module 2 Course Readings. university of Cape Town: SYSTAL.
Ryan, T. (2009c). EMBA Module 3 Course Readings. University of Cape Town: SYSTAL.
Ryan, T. (2010a). EMBA Module 4 Course Readings. University of Cape Town: SYSTAL.
Ryan, T. (2010b). EMBA Module 5 Course Readings. University of Cape Town: SYSTAL.
Ryan, T. (2010c). EMBA Module 6 Course Readings. University of Cape Town: SYSTAL.
Schwanginger, M. (1998). A Concept of Organisational Fitness. Switzerland: University of St
Gallen.
Strauss, A. C. (1967). Basics of Qualiatative Research: Grounded Theory procedures and
techniques. Newbury Park: Sage .
Struebert, H. J., & Carpenter D, R. (1999). Qualiative research in nursing. Lippincott.
Suddaby, R. (2006). From the Editors: What Grounded Theory is Not. Academy of Management
Journal, 633-642.
T Bogdan, S. T. (1984). Introduction to Qualitative Research Methods - The Search for
Meanings. Chichester: John Wiley & Sons.
Teece, D. J., Pisano, G., & Shuen, A. (1997). Dynamic Capabilities and Strategic Management.
Strategic Management Journal, 509-533.
V Thakor, J. B. (2000). Becoming a Better value creator.
Velasquez, M. G. (2006). Business Ethics (Concepts and Cases). New York: Pearson Prentice
Hall.
Walz, A. (1997). Adding value: creating value has become a matter of survival. Internal Auditor.
Whittington, R., Johnson, G., & Meilen, L. (2004). The Emerging Fields of Strategy Practice:
Some links, a trap, a choice and a confusion. Slovenia: EGOS Colloquiuim.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 105
APPENDIX A
1. Research Design
I made use of Maxwell’s model for qualitative research design. It is an iterative model based
on ‘interconnection and interaction among the different design components’ (Maxwell 2005).
It allows for flexibility and I found myself going back and forth between the components and
having to refine my question through the research process.
My initial Research Design, using Maxwell’s Framework is shown below.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 106
2. The CATWOE of the Audit System
The CATWOE of the Audit system is shown below.
C A T W O E of Audit System
CUSTOMER
Eskom business units and Audit Committee
ACTOR Auditors (Assurance and Forensic Department)
TRANSFORMATION Inputs: IIA Standards that govern the audit process, including methods of work and professional practices guidelines by IIA and the department’s audit manual. Business knowledge and processes required to gain understanding of business area. Outputs: Assurance, Forensic Services and Technical Investigations Process: Audit planning, execution, reporting and monitoring
WORLDVIEW A system to provide independent assurance, consulting and forensic services to improve Eskom’s operations in the areas of risk management, control and governance as directed by professional auditors who uphold ethical standards
OWNER Head of Internal Audit and audit senior managers
ENVIRONMENT Institute of Internal Auditors (IIA), IIA Standards and Practice Advisories, ISO standards, Association of Certified Fraud Examiners (ACFE)
ROOT DEFINITION: This is a system run by professional auditors, and owned by management to provide independent assurance, consulting and forensic services to Eskom business groups, within the constraints of the IIA, ACFE and ISO.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 107
3. Interview Log
The following stakeholders were interviewed:
No. Stakeholder
Category
Role Date Informed
Consent
1 Audit Staff
Snr Audit
Advisor
20/10/2010 Y
2 IT Audit
Management
Snr Audit
Manager
22/10/2010 Y
3 Customer
IM Manager 21/10/2010 Y
4 Audit Staff
Snr Audit
Advisor
25/10/2010 Y
5 Customer
IM Manager 25/10/2010 Y
6 Senior
Management -
A&F
Group Audit
Manager
31/10/2010 Y
7 Executive
Management –
Eskom
Divisional
Executive –
Corporate
09/11/2010 Y
8 External Audit
Partner 12/11/2010 Y
9 Customer IM Manager 14/11/2010 Y
10 Senior
Management
Chief Audit
Executive
12/11/2010 Y
11 Executive
Management –
Eskom
Divisional
Executive
16/11/2010 Y
12 Audit Committee
Member of
Audit
19/11/2010 Y
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 108
Committee
13 Audit
Management
Snr Audit
Manager
26/11/2010 Y
14 Customer
Risk Manager 20/10/2010 Y
15 Customer Information
Security
22/11/2010 Y
16 Audit Staff
Snr Audit
Advisor
22/11/2010 Y
17 Customer
Acting Chief
Information
Officer
02/12/2010 Y
18 Audit
Management
Snr Audit
Manager
07/12/2010 Y
19 Quality
Assurance
QAR Manager 25/10/10 Y
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 109
4. CATWOES of Stakeholders
CATWOEs (Customers, Actor, Transformation, Owner, Environment) are used to frame a perspective which express how various
stakeholders perceive the imperative for strategic value of IT Auditing. The following table provides CATWOEs and root definitions
for the key stakeholders and illustrates the different perspectives that exist.
Stakeholder Group
Customers Actors Transformation Worldview Owner Environment
Auditors Audit supervisors, Business units
Auditors, Audit supervisors
I = Knowledge, skills, tools/techniques, T = auditing process, O = Correct/incorrect Audit opinion
Audit projects need to be completed within time, budget constraints and Audit projects need to executed in line with IIA, ISACA standards. Management has to worry about strategic management.
Supervisory and executive management
Inherent complexities in performing audits
Root definition An Executive Audit Management owned system, operated by audit supervisors and auditors to perform audit projects in order to provide assurance and consulting services to the organisation, amidst growing complexities and technological changes and time budget constraints whilst complying to IIA standards.
Supervisory management/ Audit supervisors
Executive management, Business units
Auditors, Audit supervisors
I = Knowledge, skills, tools/techniques, T = auditing process, O = Correct/incorrect Audit opinion
Audit projects need to be completed within time, budget constraints and meet quality requirements
Executive audit management
Inherent complexities in performing audits
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 110
Root definition An Executive Audit Management owned system, operated by audit supervisors and auditors to review and manage audit projects in order to provide assurance and consulting services to the organisation, amidst growing complexities and time budget constraints whilst meeting quality requirements.
Senior audit management
Executive management, Audit Committee
Chief Audit Exec (CAE) and E Band managers
I = Strategies, resources, T = general management process, O = implemented strategies
Auditors/staff will perform well if they follow the manager’s leadership Strategic Management is complex in ever changing environment
Executive Management, Audit committee
Increased complexities and expectations creates uncertainty for A&F
Root definition An executive management owned system, operated by CAE and E Band Managers, through a general management process to ensure that staff perform audits well, amidst challenges and complexities in the environment, and consistently deliver value add and to ensure viability of Audit for the future.
Customers/ Clients
Business unit and executive management of Eskom
Business unit managers
I = Request, Audit plan, T = auditing process, O = correct/incorrect audit opinion
Auditors will provide a fair assessment and unbiased opinion to assist in improving controls and warning of stress in the system. Auditors are looking at the past.
Executive management
With increased risk and governance requirements, greater assurance is required as well as emerging risks.
Root definition An executive management owned system, operated by business unit managers, through an audit engagement process to obtain assurance on controls, in the midst of increased risks and complexities in the business.
Audit Committee Eskom executive management
Independent executives
I = experience and knowledge in good governance, T = advisory process on governance and risk management, O = independent oversight
Audit is our “eyes” and “ears” of the state of the organisation’s controls , governance and risk management.
Executive management
With recent corporate scandals and failures, focus on risks, controls and governance is even more critical.
Root definition An independent executive owned system, operated by Board, through an advisory process to provide oversight and guidance on controls, risk management and governance in the midst of increased risks and investments in the business.
Institute of Internal Auditors
Internal Auditing departments
IIA I = Knowledge and experience, T =
Internal auditors require guidance
Institute of Internal Auditors
Evolving role of internal audits
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 111
(IIA) advisory process strategic value, O = IIA Standards and advisories
when facing how to deliver value add.
creates increased challenges and opportunities for auditors.
Root definition A professional association owned system, operated by the IIA, through an advisory process to provide direction on professional standards, amidst changing role expected of internal auditors.
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 112
5. Grounded Theory Results
The following table shows the Affinity Diagram for the Saturated Categories that emerged
through the data collection process. The concepts that made up the categories are as follows:
Involvement in Consulting/Advisory Role
Intelligence (Internal & External)
Systems Auditing
Focus on IT on engineering environment
Access to market intelligence Understanding the organisation as a whole
Focus of IT Auditing Continuous learning "culture" is lacking Ability to see systemic patterns in organisation.
Involvement in IT Strategy Benchmarking should be provided Need for a helicopter view of the business
Involvement in risk management Need for Intelligence - internal & external
Looking at Eskom as a whole organisation
Involvement in IT Governance
Need industry specialisation Seeing beyond silos
Focus on advisory role
IT Audit needs something like a knowledge centre
Integrated audits
Move away from compliance mindset auditing
We are engineering company. We need industry base first, then IT.
Value chain auditing
Greater focus on the engineering environment and systems
Auditors need to get more business knowledge.
Systems monitoring.
Auditing of Project management processes
Auditors need knowledge so can apply and give advice.
Adequacy type of audits
Monitoring of environment is lacking.
Shared value proposition
Link to organisation’s strategic purpose
to advise on what’s going on globally to advise CIO.
Common shared vision and change management as well
Move away from compliance mindset auditing
Need experience around business issues.
Involvement of staff in strategy
Involvement in IT strategy – advisory services
Uunderstanding the value of your work
Auditors are the eyes and ears of organisation.
Strategic Skills and Competencies Visible and felt leadership
IT Audit to be a conduit to communicate info to CIO.
Ability to think strategically
Embedding of strategy
IT Audit to provide improvements
Ability to converse strategically
Beyond mission and vision
No shared assumptions/ purpose
Mindset of strategic value
Ability to ask key questions.
Mindfulness
Copyright UCT
Uncovering the Strategic Value of IT Auditing Confidential Page 113
Move away from reactionary approach
Basic skills for auditors (communication, conflict management
Sense of awareness
Proactive services Fresh, naïve approach, but with deep insight & understanding of business.
Building up resilience
Sensing signs of stress
Technical skills/knowledge combined with a large arsenal of soft skills.
Sixth sense auditing
Move away from execution focus to strategic focus
Continous learning/adaptability Compliance focussed Sensing auditors
Link to organisation’s strategic objectives
Courage to try new things
Rigid audit programmes
Trusted advisor role Better ways of doing things.
Smelling a rat
Move away from audit as “police” mentality
Innovation Thinking space
Consulting must be linked to reach these strategic goals.
Need to know what’s the latest trends Ability to reflect
Adapt to change Having a constantly enquiring mind
Continuous learning "culture" is lacking Alertness as an auditor
Organisational factors Intelligence (Internal & External)
Forums for auditors to disseminate information.
Access to market intelligence
Not competing for services in Eskom.
Benchmarking should be provided
Board & Exco not that well informed about IT
Need for Intelligence - internal & external
Limited control awareness in the business
Industry specialisation
Need everyone to be IT savy.
Knowledge centre
Mindset that IT is too complex. Business audit does not want to know about IT.
Engineering company industry base first, then IT.
In depth knowledge of the business Auditors need knowledge so can apply
and give advice. Cannot consult if don’t know the business.
Monitoring of environment