
Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

From Business Strategy to IT Action


By Robert J. Benson, Thomas L. Bugnitz and William B. Walton
Reviewed by Christina Tsang-Reveche, CISA, CISM, PMP
One of the greatest challenges facing organizations
today is how they invest in technology and how these
investments are integrated within their overall business
strategies. Many organizations struggle to measure IT
performance in ways that can be related to the business,
resulting in a disconnect between the overall strategic goals of
the organization and the goals and activities of IT. These
disconnects occur in planning, prioritization, performance
measurement and organizational development. Although the
traditional return on investment (ROI) method is widely used,
this method alone may not be sufficient in connecting IT
investments to the bottom line.
From Business Strategy to IT Action presents an integrated
approach in connecting an organization's strategies with its IT
activities and provides a road map to get there. The book is
about controlling and selecting the right things on which to
spend. The problem is not to justify an individual project; it is
to choose the best portfolio of projects.
The book introduces five basic management practices that
flesh out the strategy-to-bottom-line value chain called the
New Information Economics (NIE). These practices are briefly
defined as follows:
Practice 1: Demand/supply planning. Business and IT
managers achieve consensus on where the organization is
going and what IT can do to help. They do this by
establishing the business drivers as expressed through
management's strategic intentions, and translating them
into the strategic IT requirements needed to fulfill these
strategic intentions.
Practice 2: Innovation. The practice of innovation drives
business management to uncover the business opportunities
that IT makes possible. It also provides a way to feed
these opportunities into business strategic and tactical
planning. The result is a robust and competitive set of
business opportunities.
Practice 3: Prioritization. Prioritization is the assignment of
resources to the highest value projects after assessing the
business impact of the proposed IT initiatives. Prioritization
helps managers identify the IT projects that strongly support
strategic intentions, ranking them by future business impact.
As a result, resources are spent in the right places, for the
right reasons, with business and IT managers agreeing on
the decisions.
Practice 4: Alignment. This practice assesses the business
impact of the existing IT activities. Money spent on
maintaining existing systems is money not spent on new
development. This practice lets business and IT managers
decide together which existing IT initiatives should get
resources, rather than assuming that everything currently in
operation is critical for the business and should be supported
at existing levels. The result is a more
reasoned approach to spending money
on current activities, which often
results in money made available for
new development.
Practice 5: Performance measurement. While it is relatively
easy to measure IT performance in
operational and tactical terms, it is
difficult to measure the impact IT has on the
business. Performance measurement blends the two and
allows IT to determine what to measure, how to manage IT
based on those measures, and how to communicate its
performance to business managers in ways that they can
understand. The result is improved IT performance and
improved communication with business management.
The five practices in the NIE make up a set of tools for IT
and business managers to use. Embedded in management
processes, they can be used to translate an organization's
strategies into programs and initiatives that IT can implement.
The business value maturity model is introduced to measure
each NIE practice individually, and a complete set of processes
is provided for the assessment of the maturity of an
organization's processes.
Often, companies that have good planning practices handle
alignment and prioritization well and employ good enterprise
architecture practices, yet fail to get it all together in the form
of action. Action, after all, is what produces results. To put it
all together, portfolio management is the core concept of the
NIE. The use of portfolio management is more than
prioritization alone. It is the foundation for managing IT in the
organization. By looking at IT as a set of portfolios, all
resources can be managed for the bottom-line impact
accordingly. The key is to look at all the resources in a
consistent manner, linking them to business outcomes: cost,
service level and quality, and technical obsolescence.
The authors identify 12 elements in the strategy-to-bottom-line value chain. The value chain provides the information
context within which each NIE practice operates. These
elements also establish the basis for the process and
information connections that lead from business strategy to the
bottom-line outcomes. Examples of these elements include
business strategic intentions, assessed portfolios, strategic IT
plan and agenda, annual project plan and business plan. The
objective is to coordinate and connect these elements using the
NIE practice. The NIE practice will strengthen the deliverables
as well as the connections among the elements.
Since understanding, measuring and monitoring IT and
business alignment are the prerequisites for delivering and
demonstrating IT value, this book introduces a variety of tools
and methods for understanding and improving the IT-to-business
alignment. Examples of such methods include a strategic
demand/supply plan that explicitly connects IT strategies and
plans to that of the business side, culture management concepts
to establish an environment that increases IT's impact on the
business, performance measurement models for continuously
measuring and monitoring the IT-to-business connection, and an
IT improvement zone for continuously identifying ways to
improve the current IT resources.

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2005

Although there is a great amount of information contained
in this book, the way the information is organized makes it
easy to follow and digest. There are section summaries after a
concept is introduced to help readers capture the key points. At
the end of each chapter, there is a management agenda area
with questions related to the topic discussed that management
should consider. These questions allow readers to pause and
reflect on their current situations. Additional resources are
listed at the end of the chapter as well as online should the
readers want to research further into the topic.

An excerpt of the book is also available online at
http://media.wiley.com/product_data/excerpt/18/04714919/0471491918.pdf.
Christina Tsang-Reveche, CISA, CISM, PMP
is a business systems analyst at the Capital Group Companies
in Brea, California, USA. She has more than 10 years of
experience in the information technology industry, specializing
in business-to-IT process development and IT project
management. She is also a member of the ISACA
Publications Committee. She can be reached at christina.tsangreveche@dynasys.com.

Editor's Note:
From Business Strategy to IT Action is available from the
ISACA Bookstore. For information, see the ISACA Bookstore
Supplement in this Journal, visit www.isaca.org/bookstore,
e-mail bookstore@isaca.org or telephone +1.847.253.1545,
ext. 401 or 478.

Integrated Auditing of ERP Systems


By Yusufali F. Musaji
Reviewed by Sarathy Emani, CISA, CISM

This book is intended to familiarize the reader with
built-in controls in the enterprise resource planning
(ERP) architecture and recommend control procedures
that have audit significance. It also advises IS auditors and IT
departments on establishing an integrated auditing approach
while designing systems and controls. The book could form the
basis for developing training courses for general audit staff, IT
audit specialists, internal auditors and others involved in ERP
and/or audit.
The book is primarily intended for auditors responsible for
designing and administering audit programs to evaluate and
test controls over the ERP system. It is useful for those who
are responsible for controls in the ERP environment and has
necessary inputs for guiding entry-level ERP auditors. In
addition, it is especially of interest to Certified Information
Systems Auditor (CISA) candidates.
The book depicts an ERP life cycle and addresses the key
activities, audit tests and deliverables in each of the phases.
Change management and potential challenges are addressed as
well. All topics receive a reasonable depth of coverage. The
reader may find that some subjects, such as control objectives,
are covered in multiple sections; this alleviates the need to go
back and forth for review.
This book begins with an ERP system implementation
overview covering different types of
systems and their inherent problems.
Chapter 2 addresses ERP system
vulnerabilities (risks) and internal
controls. Chapter 3 provides an overview
of the generally accepted phases of an
ERP life cycle and includes control
objectives, which are presented pictorially. Risks, business
impact and expected controls are presented in a tabular format.
Chapter 4 addresses change management processes, including
customer service, change requests, implementation and
deployment. To enhance clarity, several examples are provided.
Chapter 5 deals with post-implementation issues and controls,
including classification of ERP control procedures. Each
control is explained through background, control procedures,
compensating controls, and significance of weaknesses and
possible compliance tests. An overview of SAP R/3, one of the
most complex ERP systems, is presented in chapter 6.
The author, Yusufali F. Musaji, weaves several control
techniques through ERP system phases. Multiple mentions of
control objectives, techniques and audit tests in different
phases may seem repetitive, but this formatting is actually
advantageous; one can go to a specific chapter of interest and
begin working, as each section is self-sufficient.


Sarathy Emani, CISA, CISM
is the CEO of MEQPRIMA Advisory Services, helping IT
organizations with quality, process and risk management. He
has more than 21 years of experience in the software industry
in the areas of development, quality assurance, information
systems audit and security, and he has worked in Bahrain,
India, Japan, Malaysia and the US. He is a member of ISACA's
Publications Committee.

Editor's Note:
Integrated Auditing of ERP Systems is available from the
ISACA Bookstore. For information, see the ISACA Bookstore
Supplement in this Journal, visit www.isaca.org/bookstore,
e-mail bookstore@isaca.org or telephone +1.847.253.1545,
ext. 401 or 478.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.
Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.
www.isaca.org
