Office of the City Auditor
Portland, Oregon



September 2005

Audit Services Division

Gary Blackmer, City Auditor
Drummond Kahn, Director of Audit Services

1221 S.W. 4th Avenue, Room 3


Portland, Oregon 9720


(503) 823-4005 FAX (503) 823-445


September 13, 200


TO: Mayor Tom Potter
Commissioner Sam Adams
Commissioner Randy Leonard
Commissioner Dan Saltzman
Commissioner Erik Sten
Matthew Lampe, Chief Technology Officer

SUBJECT: Best Practices for Information Technology Governance, Report #314B

Attached is Audit Report #314B on Best Practices for Information Technology Governance.
The report outlines 20 best practices that contribute to the successful management of
information technology resources and the way they align with and support organizational

Many of the practices discussed are significant initiatives which may be implemented
incrementally. We have not addressed the degree to which BTS and the bureaus have
implemented these practices.

The successful implementation of an Information Technology Governance framework requires
a coordinated effort between BTS and the bureaus. We believe this report will be a useful
guide for all managers who work with information technology within our City.

GARY BLACKMER
City Auditor

Audit Team: Drummond Kahn, Alexandra Fercak, Sharon Meross


Table of Contents

Introduction

Five areas of information technology governance

Strategic IT Alignment

Value Delivery

Risk Management

Resource Management

Performance Measurement

List of 20 Best Practices

The objective of this audit is to identify practices that can guide and support the management of information technology (IT) resources. We learned that many organizations are facing the challenge of effectively delivering IT services and products that support and add value to their varied business processes. We found that implementing a set of sound business practices is the key to delivering IT services that meet customer needs. The framework for implementing many of the practices we identify in this report is often referred to as “Information Technology


Research shows that successful IT organizations possess the following six key characteristics.

• Senior management supports information technol-


• Information technology is an important consideration but does not drive the organization’s operational strategies.

• The information technology department understands the operations of its customers.

• The information technology department and its customers work together as partners.

“Fundamentally, IT governance is concerned about two things: IT’s delivery of value to the business and mitigation of IT risks.”

Board Briefing on IT
IT Governance Institute


• The information technology department has a sound rationale for project priorities.

• The information technology department demonstrates


The practices identified in this report help foster and develop these characteristics.

In order to compile the best practices, we reviewed literature on management, governance, IT service structures, and internal controls. We collected literature from various sources including academic databases and private and public sector technology publications. We also relied on the research and publications of the U.S. Government Accountability Office, Gartner, Inc. and the framework of the IT Governance Institute’s leading research publication Control Objectives for Information and Related Technology (COBIT).

We identified cities whose IT departments are noted as leaders in IT or who implement innovative IT practices and interviewed their staff. We also interviewed IT professionals in local organizations, including Multnomah County, Metro, and the Oregon Health & Sciences University. Studying organizations that function in different businesses and sectors helped us gain insight into how IT departments meet their organization’s technology and organizational requirements.

We developed this guide for organizations with an internal IT service department. We hope that both the IT department and their customers will find this guide beneficial.

We conducted our work in accordance with generally accepted government auditing standards.



Five areas of information technology governance

Information technology governance is a framework for implementing policies, business processes, and internal controls to effectively support all the services that an IT department provides. IT governance seeks to improve the value of bureau business operations, rationally prioritize project requests, and measure the IT department’s performance. IT governance recognizes that for IT to truly add value to the bureaus, both the bureaus and the IT departments must be accountable for IT investments.

The IT Governance Institute, a leading researcher in the development and application of IT governance objectives since 1998, considers the implementation of IT governance an ongoing process. IT governance requires organizational change and new processes: cooperation, collaboration and communication are necessary to achieve results.

The following best practices are divided among five IT Governance “focus” areas. The IT Governance Institute outlined these five IT Governance focus areas after studying market predictions and other analyses produced by leading IT researchers.

“…IT governance is at least as important as any piece of infrastructure or any application – perhaps more so in an environment where the CIO has to do more with less.”

IT Governance: Is it the

Tech Republic


Strategic IT Alignment

Strategic IT alignment ensures that IT services and investments meet business objectives that are outcomes of strategic planning. Information technology is “aligned” when IT management allocates resources and undertakes projects in coordination with the bureaus’ strategic plans and business objectives and the City’s strategic vision. Strategic IT alignment is only possible when bureaus have strategic plans and specific business objectives in place.

Value Delivery

The IT department demonstrates value to the bureaus when it completes projects as specified, on-time, and within budget. The IT department also delivers value by meeting customer expectations for basic IT services such as e-mail and internet access. To deliver value, IT expenditures and the return on IT investments need to be managed and evaluated.

Risk Management

Internal controls and policies enable the IT department to assess and control the many risks related to IT projects.

Resource Management

The IT department needs to manage its resources to optimize resource value. Staff, customers, vendors, hardware, software and relationships are resources that need to be managed.

Performance Measurement

Performance measurement demonstrates how well the IT department accomplishes its objectives and identifies under-performing areas. Performance measurement allows for continual organizational improvement.

“IT governance is also a continuous life cycle, which can be entered at any point.”

Board Briefing on IT Governance
IT Governance Institute



Within each area of IT Governance, key activities and processes contribute to the successful management of resources, including the way they support and match organizational goals. The following sections describe twenty common best practices. They are presented within the five governance areas.

Professional literature suggests “best practices” have evolved from experience and lessons learned. A list of the best practices can be found in Appendix A.


Strategic IT Alignment

Strategic IT alignment ensures that IT services and investments meet business objectives that are outcomes of strategic planning. Information technology is “aligned” when IT management allocates resources and undertakes projects in coordination with the bureaus’ strategic plans and business objectives and the City’s strategic vision. Strategic IT alignment is only possible when bureaus have strategic plans and specific business objectives in place.

BEST PRACTICES

1 Use an IT advisory board to oversee IT strategy and policy decisions.

2 Base IT decisions on bureau and City-wide strategic plans.

3 Position the IT director as a strategist who resolves business issues with information technology.

4 Ensure that IT customer service managers possess excellent communication and interpersonal skills.

5 Inform bureau managers on the rationale behind IT policies and of emerging technologies.

6 Monitor and report on the progress of the IT strategic plan.


1. Use an IT advisory board to oversee IT strategy and policy decisions.

An IT advisory board should be in place and responsible for City-wide strategic IT planning and IT policy. To make effective decisions with the IT director, the board must understand the City’s vision and the bureaus’ business objectives, and possess an adequate understanding of the current technological environment in which the bureaus operate. The board should include bureau management staff and external community partners.

2. Base IT decisions on bureau and City-wide strategic plans.

IT should exist to support bureau and City-wide goals. A decision to use specific technologies should arise from well identified strategy and operational needs—including the identification of users and customers—and a thoughtful risk analysis. Changes in a bureau’s strategy or a change in Council’s priorities may require updates to the IT department and/or bureau strategic plan.

“Although IT can operate without consulting other people in the organization, it should not operate in this fashion. An authoritarian approach could be a contributing factor leading to another round of decentralization, because IT will reinforce the belief that it is not responsive to the needs of the organization.”

Centralizing Information Technology in a Distributed System (Again?),
Wayne Brown, Heald College

“ ‘This is not just an IT

. . . you should assemble some sort of council or IT strategy committee when coming up with a governance model. . . Typically it should be senior-level management from business groups that represent IT’s user base.”

Models of IT Governance,


3. Position the IT director as a strategist who resolves business issues with information technology.

The IT director is a communicator, educator and relationship builder with strong IT experience. The IT director acts as a bridge between the IT department and the bureaus. The IT director should be embraced as a member and full participant of the executive management team.

4. Ensure that IT customer service managers possess excellent communication and interpersonal skills.

IT customer service managers must understand and communicate the strategic objectives of both the IT department and the bureaus. They need the skills to articulate and balance the wants, needs, capabilities and limitations of both the bureaus and the IT department. The customer service managers are the key players for managing expectations and resources between the bureaus and IT. Knowledge of bureau business processes, and customer service and project management skills are crucial for IT customer service managers.

“To be truly customer driven, the IT product developer must understand customers’ business needs, as well as the functionalities and capabilities required to meet these needs.”

Use the Gartner Internal Service Company Model to
Maximize IT Shared Service Performance,


“IT management must be knowledgeable about senior management’s strategic and tactical thinking . . . IT people must be present when business strategies are

Eight Imperatives for the
New IT Organization,
Sloan Management



5. Bureau managers understand the rationale behind IT policies and are periodically informed of emerging technologies.

The IT director is responsible to see that bureau managers understand the IT department’s strategic plan and the rationale behind citywide IT standards, rules and policies. Periodic updates on current and emerging technologies allow bureau managers to consider emerging technologies when developing bureau-specific IT plans.

6. Monitor and report on the progress of the IT strategic plan.

The strategic plan should be evaluated every twelve to eighteen months. Top management should act on the results of the evaluation and update the strategic plan as goals are achieved or strategies change.

“…CEOs in both the public and private sectors are demanding to see some Return on Investment (ROI) from IT investments. That can only happen when technology delivers what business units need across the enterprise.”

Establishing Frameworks,
public CIO

“It is important to remember that the formal strategic plan is a moving target. We concentrate on the plan’s implementation and making sure that the departments are driving the IT


Christine O’Connor,

Deputy Director of IT,
City of Tucson, Arizona


Value Delivery

The IT department demonstrates value to the bureaus when it completes projects as specified, on-time, and within budget. The IT department also delivers value by meeting customer expectations for basic IT services such as e-mail and internet access. To deliver value, IT expenditures and the return on IT investments need to be managed and evaluated.

BEST PRACTICES

7 Focus on optimizing bureau business strategies and IT investments.

8 Wherever possible, standardize common applications across bureaus and use off-the-shelf software.

9 Use consistent and methodical processes when consolidating or re-engineering systems or services.

10 Make the Help Desk’s effectiveness a priority.

11 Ensure that IT costs and cost recovery methods are transparent and clearly communicated.

12 Use project management, change management and project review processes.

13 Consider service level agreements (SLAs) a formal contract between the IT department and the bureaus, and report on performance metrics specified in the SLA.



“IT governance is the organizational capacity exercised by the Board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT.”

IT Governance and Its Mechanisms,

Information Systems Control Journal

7. Focus on optimizing bureau business strategies and IT investments.

To maximize the value that IT can add to a bureau, the IT department needs to shift from its fundamental role of supporting basic IT functions to assisting its customers in the evaluation and uptake of new technologies. Improving its competencies in financial management, product development and customer relationship management will facilitate this shift. Figure 1 shows the stages and accompanying characteristics of IT organizations as they shift from a basic competency focus to a strategic focus. A strategic focus requires a shift from viewing IT as an expenditure to be minimized to viewing IT as a valuable resource and service center.

8. Wherever possible, standardize common applications across bureaus and use off-the-shelf software.

Standardized applications create economies of scale because the costs for maintenance, software updates, training and custom programming requests are shared among bureaus and knowledge bases are broadened. Off-the-shelf software requires minimal programming and maintenance, which frees technical staff to support and develop the necessary customized applications.



Figure 1. Evolutionary Stages in the Development of Value Driven IT

IT expenditures are externally budgeted, often as share of
Service level agreements and charge back systems are employed.
Unit costs and demand are quantified and
investment decisions are informed by business strategy.

Quality focus is exclusively on system availability.
Quality focus is on systems availability and response time.
Quality is managed to negotiated service level agreements.
Availability and reliability are no longer an issue.

Delivery schedules are constrained by resources and internal
Resource allocation is driven by politics.
Methods are applied to reduce development cycle time.
Broad focus is on time to market and competitive advantage for the business.

Creative budgeting and accounting are used to defend against
Technologies are used in innovative ways to reduce IT costs.
Role of technology in business strategy is
Technology is embedded in the firm’s value proposition.

Source: Adapted from “Enabling the Strategy-focused IT Organization,” R.S. Gold. Volume 4, 2002, Information Systems Control Journal.



9. Use consistent and methodical processes when consolidating or re-engineering systems or services.

Understanding business processes, both within the IT department and among the bureaus, is the first step in consolidating systems and services. One model suggests the following steps for re-engineering or improving service delivery:

• Identify the similar and dissimilar services among all the business operations.

• Define the services that the IT department will deliver. Some processes may not be suitable for consolidation or re-engineering, or incremental redesign may be

• Map each of the major processes required to deliver each service.

• Assign service delivery responsibilities to individuals or teams for each defined area to be consolidated or

• Operate under clear structures that include policies, reporting relationships, clear roles and authorities, goals and performance measures for each defined

“The agency must understand each process: who owns it, who uses it, what system(s) support it, what the integrated systems are and how frequently the process changes.”

Maximizing the Return from Asset and Service Management Systems,
MRO Software, Inc.



10. Make the Help Desk’s effectiveness a priority.

Since the Help Desk is often the first contact point between IT and the customer, it is important that the Help Desk is responsive to customers’ needs. The Help Desk’s effectiveness and responsiveness builds trust between IT and the customer. Referral of Help Desk calls to analysts for additional help should be minimized, which means that the Help Desk staff needs to have high level skills in all systems within the organization.

11. Ensure that IT costs and cost recovery methods are transparent and clearly communicated.

The City’s executive management should determine cost recovery policy in collaboration with the IT department and IT advisory council. The IT department should be able to explain how charges are determined, and report regularly on revenues, costs and variances.

12. Use project management, change management and project review processes.

Many control techniques exist to keep projects on time, on budget, and as specified. These techniques include project charters, business case requirements, Gantt charts, and scope change requests. Change and patch management controls make the process for planned changes rigorous and visible and reduce the risk that unplanned or untested changes will be made to live systems. Quality assurance provides independent verification that IT staff follows its own procedures and that top management is informed of project progress. Post-implementation reviews enable the IT department and the bureaus to improve their processes. All of these processes should be clearly supported and communicated by top management and understood and used by the IT staff and the bureaus (see also Best Practice #15).

“Cost recovery should be used with great care and is part of the chargeback [rate model] policy decision. Cost recovery too can be very contentious, so there needs to be a fair and transparent approach to

Chargeback – How far should you go?



13. Consider service level agreements (SLAs) a formal contract between the IT department and the bureaus, and report on performance metrics specified in the SLA.

Service level agreements and performance agreements are key to effective management of IT resources and good customer relationships. Good SLAs balance customer needs with the IT department’s capabilities, and customer expectations with the IT department’s commitments. A service level management (SLM) process should monitor customer satisfaction with services, and monitor IT performance in the service level categories. Best practices for SLAs include:

• Limited technical jargon and services expressed in business terms,

• Definitions of terminology,

• Formal approvals from all parties,

• Clear service level objectives (e.g. availability, reliability, performance) and corresponding measures,

• Nonperformance clauses defining consequences of unfulfilled commitments (i.e. warnings, escalation procedures, financial penalties),

• Limitations and customer responsibilities.



Best practices for service management include:

• Designating a service level manager who is responsible for monitoring and reporting on the status and achievement of the SLA’s performance criteria,

• Conducting service level satisfaction surveys to expose customer perceptions of performance,

• Continuously evaluating SLAs to ensure the alignment of IT and bureau objectives.

“A balanced SLA is a compromise between the needs, expectations and requirements of the organization (user group) and the service provision capabilities and promises of the service provider. At the same time, it must protect the service provider by limiting liability, identifying responsibilities and rationally managing user expectations.”

Using CobiT and the Balanced Scorecard as
Instruments for Service Level Management,

Information Systems Control Journal



Risk Management

“The early identification of project risks and the timely taking of project control measures leads to a reduction of overall project costs.”

Risk Management in IT Projects,
Information Systems Control Journal

Internal controls and policies enable the IT department to assess and control many risks related to IT projects.

BEST PRACTICES

14 Apply principles found in IT best practices guides.

15 Use policies, procedures and clear authorities to manage change.

16 Clearly define the scope of an Enterprise Resource Planning (ERP) system.



14. Apply principles found in IT best practices guides.

Governance best practices and operation controls help align IT and bureau strategies, and allow the IT department and bureaus to measure process and to control risks. Control Objectives for Information Technology (CobiT) is directed at senior management and focuses on IT organizational processes and controls that support effective service. The Information Technology Infrastructure Library (ITIL) focuses on methods that IT management can employ to achieve many of the goals outlined in CobiT. The Global Technology Audit Guide (GTAG) is directed at Boards of Directors, Audit Directors and advisory committees and provides an overview of selected information technology topics. The CobiT and ITIL frameworks are very comprehensive and may take years to incorporate into an organization. Experts recommend an incremental approach to implementing these frameworks which includes:

• Building support of executive management, the IT advisory council and the IT staff,

• Identifying major weaknesses in the IT organization and selecting concepts from each of CobiT and ITIL that address those weaknesses,

• Selecting only those concepts that fit the IT depart-

• Implementing the concepts and methods by starting with the elements that have the greatest ease and/or potential for success.

“Research shows that organizations that use IT governance structures that reflect their situations and objectives are more successful than those that


IT Strategy and Governance:
Harness Change to Encourage




15. Use policies, procedures and clear authorities to manage change.

Any change, from software modifications to unplanned departures of key staff, can cause disruptions. Policies, procedures and clearly defined authorities can help mitigate the risks associated with these disruptions. The IT organization should prioritize the development of change management policies and procedures using risk assessments to identify key weaknesses, recurring problems, and areas where losses can be high. Exploring future changes in technologies and business needs will help the IT department prepare for future risks (see also Best Practice #12).

“Use unplanned work as an indicator of effectiveness of IT management processes and controls. High performing IT organizations spend less than 5 percent of their time on unplanned work.”

Change and Patch Management Controls: Critical for
Organizational Success,

Global Technology Audit Guide



16. Clearly define the scope of an Enterprise Resource Planning (ERP) system.

An ERP system integrates many departments and functions across an organization onto a single system that aims to serve many diverse needs. There are many best practices for the design and implementation of ERP systems. Some key considerations are:

• ERP projects should be driven and managed by the bureaus who own the applications that are to be mi-

• In addition to the high cost of ERP software, other “hidden” costs should be considered such as data conversion, training, and integration with other systems and business processes.

• Business processes need to be clearly defined and understood before implementing an ERP. Processes that need major re-engineering add risk if configured into the ERP.

• Only business processes that optimize business performance should be configured into the ERP.

• Much consideration should be given to controls that maintain data integrity and data security because many users have access to the system.

“While ERP applications can resolve a number of control issues associated with a fragmented legacy systems environment, not surprisingly, they can introduce new risks of their own.”

Risk and Governance Issues for ERP Enterprise Applications,
Information Systems Control Journal

“Those companies that stressed the enterprise, not the system, gained the greatest benefits.”

Putting the Enterprise into
the Enterprise System,

Harvard Business Review

Resource Management
The IT department needs to manage its resources to optimize
resource value. Staff, customers, vendors, hardware, software
and relationships are resources that need to be managed.

BEST PRACTICES

17 Develop strong and broad staff competencies.

18 Manage computing assets.

19 Recognize the customer as an important resource.

“IT – business relationships are one of the three major resources (along with IT human resources and technology resources) that IT executives value to a firm.”

Eight Imperatives for the New IT Organization,
Sloan Management Review



17. Develop strong and broad staff competencies.

Assessing the skills and knowledge of IT staff regularly ensures that skill levels are adequate to achieve the organization’s goals and objectives. Cross-training opportunities and annual training plans should be built into annual performance evaluations. In addition to technology skills, IT staff should also be trained in business operations knowledge and communication skills. Staffing levels and skills should also be evaluated after major organizational changes. Customer evaluations of customer service staff should be given strong consideration in performance


18. Manage computing assets.

Effectively managing IT assets requires an accurate inventory of computing hardware, systems, licenses and applications. Asset management should be addressed in the investment and operational budget and should be based on a clear understanding of technology and application software life cycles.

19. Recognize the customer as an important resource.

Clear communication with IT customers allows the IT department to predict demand for services and receive input on possible improvement to processes. Customer service satisfaction surveys and customer input are important tools for evaluating IT staff performance and identifying under-performing processes and staff.

“To establish joint ownership for performance
organizations strive to construct measures jointly with their stakeholders, customers, managers, and CIO staff.”

“Maximizing the Success of
Chief Information Officers,”

Government Accountability

Performance Measurement

Performance measurement demonstrates how well the IT department accomplishes its objectives and identifies under-performing areas. Performance measurement allows for continual organizational improvement.

BEST PRACTICES

20 Measure performance and use the results to initiate
improvements and change.

“IT is increasing in importance for the public sector, but technology has disappeared as a priority among policy leaders. To demonstrate the value of IT, CIOs are using performance measurement to show they can deliver results and improve services.”

CIOs must measure performance now that results count,
public CIO



20. Measure performance and use the results to initiate improvements and change.

The IT Director can use performance measures to build credibility and show bureaus that IT delivers results and improves business processes. Performance measures can also indicate areas that need improvement. Measures should focus on business outcomes such as service levels, performance targets and customer satisfaction. Performance results need to be readily accessible to IT management and reported to customers and the governing council. Good IT performance measures:

• are developed with input from external partners, internal staff and customers,

• show the value of a service delivered or a system implemented and de-emphasize system performance

• focus on quality, process, functionality and timeli-

• measure customer satisfaction

• are reported to customers, IT staff and executive man-

• have associated targets or goals,

• are expressed in percentages that indicate results or accomplishments rather than in raw numbers of work performed. For example, the percentage of all new development projects that were delivered on-time is more meaningful than the number of new development projects undertaken.



List of 20 best practices

1. Use an IT advisory board to oversee IT strategy and policy decisions.

2. Base IT decisions on bureau and City-wide strategic plans.

3. Position the IT director as a strategist who resolves business issues with information technology.

4. Ensure that IT customer service managers possess excellent communication and interpersonal skills.

5. Inform bureau managers on the rationale behind IT policies and of emerging technologies.

6. Monitor and report on the progress of the IT strategic plan.

7. Focus on optimizing bureau business strategies and IT investments.

8. Wherever possible, standardize common applications across bureaus and use off-the-shelf software.

9. Use consistent and methodical processes when consolidating or re-engineering
systems or services.

10. Make the Help Desk’s effectiveness a priority.

11. Ensure that IT costs and cost recovery methods are transparent and clearly communicated.

12. Use project management, change management and project review processes.

13. Consider service level agreements (SLAs) a formal contract between the IT department and the bureaus, and report on performance metrics specified in the SLA.

14. Apply principles found in IT best practices guides.

15. Use policies, procedures and clear authorities to manage change.

16. Clearly define the scope of an Enterprise Resource Planning (ERP) system.

17. Develop strong and broad staff competencies.

18. Manage computing assets.

19. Recognize the customer as an important resource.

20. Measure performance and use the results to initiate improvements and change.





Other sources for information technology information

Center for Digital Government:

CIO Magazine:

Forrester Research, Inc.:

Gartner Group:

Government Computer News:

Government Executive:

Government Technology:

Information Week:

IT Infrastructure Library (ITIL):

IT Governance Institute:

META Group Inc:

MIS Quarterly:

Professional organizations

Association for Federal Information Resources Management:

Chief Financial Officers Council:

Federal Chief Information Officers Council:

General Accounting Office:

Government Information Technology Services Board:

Information Systems Audit and Control Association and Foundation:

Information Technology Association of America:

Information Technology Resources Board:

International City/County Management Association:

National Association of State Chief Information Officers:

Society for Information Management:


This report is intended to promote the best possible management of public resources.
This and other audit reports produced by the Audit Services Division are available on the
web at: Printed copies can be obtained
by contacting the Audit Services Division.

Gary Blackmer, City Auditor
Drummond Kahn, Director of Audit Services

Other recent audit reports:

Parks Bureau Softball: Operating agreement for the softball program should be revised as it nears self-sufficiency (#323, August 2005)

Percent for Art Program: Financial allocation process is informal, inconsistent, and may not fulfill requirements for public art (#317, August 2005)

Audit Services Division
Office of the City Auditor
1221 SW 4th Avenue, Room 310
Portland, Oregon 97204

Best Practices for Information Technology Governance
Report #314B, September 2005

Audit Team:
Alexandra Fercak
Sharon Meross

