Understanding the Role of Information Technology for Organizational Control Design: Risk Control as New Control Mechanism

  • Manuel Wiesche
  • Michael Schermann
  • Helmut Krcmar
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 366)


Organizational control is one of the fundamental functions of management. Although controls come with performance constraints, organizations rely on control mechanisms to direct attention, motivate, and encourage organizational members to act according to organizational goals and objectives. Managers base their control design decisions on the degree of knowledge about the value creation process and the predictability of the outcome. In this paper, we enhance a popular theoretical framework for organizational control design by including IT-enabled controls. We explore the framework empirically in a multiple case study on Governance, Risk management, and Compliance information systems (GRC IS), a popular new trend in organizational control design. Our findings provide evidence that IT-enabled controls enable a new control mechanism, risk control, for situations with perfect knowledge about the transformation process and high ability to measure output. As a research implication, we recommend an extension of organizational control theory to incorporate the effects of information technology on control design. As a practical implication, we provide decision support for the selection of GRC controls, depending on situational factors and the expected value proposition. In sum, this research enhances the body of knowledge on organizational control design with a risk-based perspective.


Keywords: Risk Control, Organizational Control, Risk Management, Compliance, Governance, GRC, Uncertainty



Copyright information

© IFIP International Federation for Information Processing 2011
