As computer systems continue to be leveraged to manage and store critical information, the need to properly govern these systems to ensure data integrity and security increases. Over the past decade, a number of regulatory initiatives have been implemented to force organizations to meet minimum IT governance standards when the data being managed could have a significant impact on the public if exposed or corrupted. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) have mandated that organizations secure and encrypt the personal information of clients and customers. Other regulations, such as the Sarbanes-Oxley Act, go beyond mandating data security and also mandate that IT governance controls be followed to prevent errors in the financial reporting of public companies.

Although there has been much research in the area of IT governance, there has been limited research on how regulatory initiatives that mandate IT standards are impacting IT governance. This study used an iterative model of the teleological change theory as a theoretical framework to evaluate the impact the Sarbanes-Oxley Act had on three retail corporations. The study considered the perceived positive and negative impacts on IT governance, the impact across the strategic planning, IT operations, and evaluation dimensions of IT governance, and whether or not the change could be considered a primary or secondary impact of the regulation.

The case studies demonstrate that regulatory initiatives, such as the Sarbanes-Oxley Act, do have an impact on IT governance, but those impacts vary based on the IT governance maturity level of each organization. However, in general, the primary impact is an increase in the overall IT governance maturity of the IT organization. In addition, there are significant governance maturity improvements in the specific areas the regulatory initiative controls. With regard to the Sarbanes-Oxley Act, these areas include IT change management, the software development life cycle, IT system security, and many others. Finally, the study concludes that regulatory initiatives have a primary and a secondary impact and that, over time, the impacts evolve and change as the organization continues to seek more efficient and effective ways to meet regulatory requirements.