Board roles required for IT governance to become an integral component of corporate governance

Digitization is fundamentally changing how organizations create and deliver business value, with information technology (IT) leveraged to improve business processes and controls. Its pervasive effects upon organizations' risk exposures and performance require boards' prudent and integrated consideration of the resultant IT opportunities and risk management. However, IT governance research suggests that boards' governance of IT is more commonly delegated and relegated to management and committees than integrated as part of their corporate governance practices. In response, our study contributes a timely and structured understanding of boards' roles and the mechanisms required for IT governance to become an integrated component of corporate governance.


Introduction
With information technologies (IT) redefining organizational processes, controls and performance, digitization is increasingly yielding benefits, such as increased efficiency and productivity, lower operational costs and faster decision-making (Deloitte, 2020). The significance of this change is evident in global IT spending, which is projected to total $4.6 trillion in 2023 (Gartner, 2023). However, digitization gives rise to IT-related risk exposures, with the cost of a data breach averaging $4.35 million in 2022 (IBM, 2022) and software quality issues reportedly costing US organizations US$2.41 trillion in 2022 (Synopsys, 2023). Given these strategic challenges to organizations' risk exposures and performance (OECD, 2014; Vial, 2019), there are increasing calls for boards of directors to ensure prudent governance of IT investments, risk and performance as part of their corporate governance activities (Wilkin and Chenhall, 2010, 2020; OECD, 2014).
As corporate governance "provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined" (OECD, 2015, 9), board activities should entail an integrated perspective of IT's pervasive effects upon performance and risk exposures. However, rather than being viewed as "an integral part of corporate governance for which … the board is accountable" (De Haes et al., 2020, 3), IT governance is typically determined "as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals" (Gartner, 2023). As such, IT governance appears more delegated and relegated to management and committees than an integral component of corporate governance.
In response, the purpose of this study is to review the current perspectives about corporate governance and IT governance in the research literature and practitioner resources. In doing so we seek to derive improved understanding of boards' actual and required roles when IT governance is exercised as an integral component of corporate governance. First, using the framework of the six board roles for corporate governance identified by Huse (2005), we compare the roles for boards of directors evident in the corporate governance research with those evident in IT governance research. Next, we appraise the relevance and implications of these findings by referencing two practitioner resources (namely focus groups and analysis of two IT Governance practitioner frameworks).
Findings highlight the need to adjust board roles in order to achieve integration of corporate and IT governance. We consolidate our contribution through a framework that focuses on two board accountabilities, control and service. Related to agency theory, boards' control accountabilities focus on control of the executive team regarding risk and resource management, together with control of outputs (reporting and regulatory compliance), and strategic control of assets and performance. Linked to effective strategic participation, boards' service accountabilities highlight necessary consideration of evaluative and directive aspects (i.e., advice and counsel for the executive team) and accessing and signaling aspects (networking and lobbying to gather intelligence and market responses). To address these accountabilities, boards require more IT-focused mechanisms, including adaptations to existing board structures and activities, and increased IT competency at board-level. Specifically, of Huse's (2005) six board roles, the only board role that appears to be exercised as part of corporate governance is the output control role. This is consistent with the impact of IT-related controls and performance on corporate governance. In terms of control accountabilities: as part of boards' behavioral control role, more specific focus is required on IT risk, performance management and compliance; and a more proactive strategic control role is required in evaluating and monitoring IT-related strategic issues and their alignment. Regarding service accountabilities, more focus is required regarding: IT-related resources and signaling the important IT-related matters to stakeholders (networking and legitimating role); behavioral aspects in their advice and counsel role for the executive team; and proactivity in their strategic participation role about IT-related strategic decisions.
The remainder of this paper is structured as follows. Section 2 outlines the theoretical background regarding corporate and board-level IT governance, together with the related board roles. Section 3 details the research design, with the results reported in Section 4. In Section 5 we present the results, the study's limitations and our contribution to theory and practice.

Background
Consistent with its historical trajectory from being the primary responsibility of IT professionals and management to becoming an integral component of corporate governance, IT governance in the 1980s-1990s was seen as "IT-related authority patterns" (Sambamurthy and Zmud, 1999, 262). Being expressed as control or structure, rather than governance (Brown and Magill, 1994), reflected a perceived need for strategic IT management (Venkatraman et al., 1993). Here IT was seen as an increasingly significant resource, impacting organizations' competitive capabilities (Henderson and Sifonis, 1988). From 1998, ISACA (and later ISO) developed practitioner resources and frameworks for IT governance, with a focus on evaluating, directing and monitoring IT investment and performance. More recently, while links to corporate governance are espoused (Holder et al., 2016), IT governance remains more delegated to IT steering, IT strategy and audit committees (Huff et al., 2006; Turel and Bart, 2014; Wilkin and Chenhall, 2020). In this context, we explore the synergistic and theoretical perspectives of corporate and IT governance in order to progress a structured understanding of the board roles and mechanisms required for their integration.

Synergistic perspectives related to corporate governance and IT governance
While different board structures exist, in general a board of directors (commonly referred to as the board) is the formal body responsible for an organization's governance, including its strategic objectives and activities. As the system by which companies are directed and controlled, "corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders" together with the structure required to determine objectives and monitor performance (OECD, 2015, 9).
Reflecting the pervasive effects of digitization, IT governance is increasingly defined as a subset of organizational or corporate governance that focuses on "the current and future use of IT including management processes and decisions" (ISO/IEC, 2015, 1). However, despite new risk exposures arising from digitized controls, processes and cyber security (i.e., Steinbart et al., 2016, 2018), reliance on big data for decision-making (Abbasi et al., 2016), and blockchain (PWC, 2020), IT governance typically remains separately exercised from corporate governance (Magnusson et al., 2020). This is evident from annual surveys of IT leaders conducted by the Society of Information Management. For example, their 2021 survey findings from 737 IT leaders report only 36.4% of companies fully centralizing their IT governance (Kappelman et al., 2022). Further evidence of a lack of integration includes "item-level analysis of the 15 corporate governance codes for IT (governance)-related content [showing that] aside from the South African code, the corporate governance codes score very low overall when it comes to including IT (governance)-related practices or guidelines" (De Haes et al., 2019, 100). Indeed, G20/OECD principles for corporate governance lack "specific directives regarding IT governance or IT governance disclosure, aside from using the company website as a disclosure channel for material company information" (De Haes et al., 2019, 100).
For boards, there are obvious practical and theoretical synergies in their integration (Kranz, 2021; Leclercq-Vandelannoitte and Emmanuel, 2018; Turel et al., 2017). First, value creation is the shared purpose of both: corporate governance purposes its role in value creation as "the ways in which suppliers of finance to corporations assure themselves of getting a return on investment" (Shleifer and Vishny, 1997, 737); and IT governance defines its role as "support of … the creation and protection of business value from IT-enabled business investments" (De Haes et al., 2020, 3). Similarly synergistic is the focus on controls: corporate governance's regulatory requirements, such as the Sarbanes-Oxley Act (SOX), oblige organizations to report on the effectiveness of their internal control systems that are increasingly IT-enabled (Li et al., 2007; Vincent et al., 2017). Third, two key standards require such integration. The first, International Standards for the Professional Practice of Internal Auditing, requires that "the internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives" (The Institute of Internal Auditors, 2016, 13). Second, South Africa's code of company governance requires that "the governing body should govern technology and information in a way that supports the organization setting and achieving its strategic objectives" (Institute of Directors in Southern Africa, 2016, 62).
Together this evidence motivates our study's aim to offer a pathway for addressing urgent calls for board roles to incorporate those related to IT governance (Rothrock et al., 2018; Stafford et al., 2018; Wilkin and Chenhall, 2020; Ziolkowski et al., 2020). This requires better understanding of boards' current roles and those required when IT governance is exercised as an integral component of corporate governance.

Theoretical perspectives regarding corporate governance and IT governance
Corporate governance focuses on interaction between senior management in organizations, and board roles related to directing, monitoring and evaluating organizational performance. This typically involves a focus on agency theory (Daily et al., 2003; Huse, 2005; Jensen and Meckling, 2019; Thomas et al., 2009) as the board is required to control the self-interest of executive management (the agent) and protect the organizational owners' (principals') interests (Hillman and Dalziel, 2003). However, given the complexity of boards' roles and interactivity with senior management, research would be advantaged by a wider range of theoretical perspectives such as those offered by the resource-based view of the organization, resource dependence theory and stewardship theory (Daily et al., 2003; Roberts et al., 2005; Huse, 2005). These theories offer complementary perspectives. First, the resource-based theories allow a focus upon directors as valuable resources in terms of their competencies and/or facilitating access to resources for the organization (Daily et al., 2003; Huse, 2005; Johnson et al., 1996). Second, use of stewardship theory offers the potential to counter the agent theoretic view of the self-interested manager by considering managers as trustworthy stewards of the organization (Daily et al., 2003), and to correlate this with board roles related to collaborating and mentoring (Hillman and Dalziel, 2003; Shen, 2003). As integrating IT and corporate governance will require adaptations to an organization's existing governance structures, processes and relational mechanisms, this range of theoretical perspectives should advantage an understanding of this interactivity. For example, besides an agential focus on boards' governance roles in monitoring and protecting against the self-interest of IT management (Ferguson et al., 2013), boards must direct and evaluate the performance of organizational resources (the resource-based view) by stewardship of IT resources (Wilkin and Chenhall, 2020).
Consequently, we argue the need to explore the extent to which IT governance is exercised as part of boards' corporate governance, and what more is required. We premise this upon: (1) IT governance being more separately exercised than as an integral component of corporate governance (Kranz, 2021; Leclercq-Vandelannoitte and Emmanuel, 2018; Turel et al., 2017; De Haes et al., 2019); and (2) the growing importance of digitization (Vial, 2019), which requires boards to consider IT-related internal controls and increasing IT-related risk exposures (OECD, 2014). To achieve our purpose, we adopt three research questions:
RQ1: What findings from board roles in corporate governance are applicable to IT governance?
RQ2: What are the implications for board roles when boards exercise IT governance as an integral component of corporate governance?
RQ3: What mechanisms would advantage the performance of board roles when IT governance is integrated with corporate governance?

Research design
Our research design comprises two components. First, to delineate the roles of the board of directors, we review corporate governance research about board roles and compare these findings with what IT governance research reports about the relevance and current execution of such roles. Second, we correlate and validate these findings through focus groups and comparison with two well-established practitioner frameworks that offer perspectives on IT governance.

Theoretical component
In our theoretical component, we use the framework created by Huse (2005) to structure understanding about: (1) board roles and accountabilities in exercising corporate governance (as reported in research focusing on corporate governance); and (2) the extent to which these roles are evident in board-related IT governance research, together with where and how these roles may advantage boards' exercise of IT governance.
In structuring this review, there were three reasons that underpinned our choice to adopt Huse's (2005) framework. First, he drew upon a wide body of corporate governance research, including the seminal work of Zahra and Pearce (1989), to develop a framework that accommodates tailoring board roles to evident contingencies. Second, consistent with our purpose, he developed his framework as a means to explore board behavior, particularly the "gap between board role expectations and actual board task performance" i.e., board accountability and actual performance (Huse, 2005, S65). Third, by focusing on board behavior in terms of expectations for boards' behavior, performance, interactions and processes, Huse (2005) emphasizes the relevance of a range of theoretical perspectives. This is consistent with our purpose to substantiate board roles and accountabilities for integrated governance (corporate and IT). As a result, his framework constitutes a structured, established and integrated perspective of board accountabilities for corporate governance in terms of six roles, namely: (1) behavioral control; (2) advice and counsel; (3) output control; (4) networking, lobbying, legitimating, and communication; (5) strategic control; and (6) strategic participation (Huse, 2005).
Accordingly, using Huse's (2005) six roles as our structure, we interrogate the corporate governance research, focusing on their definition, related theories, specific tasks and value proposition. This enables our coding frame of boards' roles and accountabilities regarding corporate governance (see Appendix A for an overview of relevant theories in Table A1 and the coding frame in Table A2). Next, we use this frame to analyze IT governance research that relates to board roles.
In identifying relevant IT governance research, we use the systematic literature procedure designed by Kitchenham and Charters (2007). To ensure the inclusion of relevant papers we searched, in parallel, Web of Science and Google Scholar, adopting a forward and backward search. Then using the same criteria, we checked Decision Support Systems and Information and Management and journals listed in the Senior Scholars Basket. Using a variety of relevant terms, together with the concepts "board of directors" and/or "director", we designed a specific search string to capture the IT governance concept as a whole. The string specified the language (English), document types (articles or conference proceedings papers) and indexes. The initial search of articles published between 2000 and 2018 returned 48 results. These were manually analyzed to identify statements regarding possible IT governance board roles that relate to elements in our coding frame. When we excluded research where IT governance is not a central concept, not (at least partially) focused on board-level or director-level matters, not in English and/or not an article or a conference proceeding (Caluwe and De Haes, 2019), the initial sample was reduced to 32 papers. Later, we used the same process and extended the search to cover the period 2019-2022. This yielded an additional 16 papers (see Appendix B, Table B1).
Next, guided by our coding frame, we use qualitative content analysis of these 48 papers to identify the presence, frequency and centrality of concepts (Schreier, 2012). Specifically, applying the elements in our coding frame, we manually analyzed the papers to identify statements regarding possible IT governance board roles. For example, related to the advice and counsel role, we identified the keyword "collaboration". When this keyword appeared in IT governance papers, we evaluated whether this referred to collaboration between the board and management concerning IT-related matters.

Focus groups
To ascertain practitioner views, we used focus groups, as this method: (1) enables understanding and description of a "specific issue from the perspective of the participants of the group"; (2) permits exploring differing views without forcing a consensus; and (3) reduces researcher-induced bias as participants control interactions rather than the researcher (Liamputtong, 2011, 3).
In conducting the focus groups, we used three steps, namely: (1) each of the 22 participants (see Appendix C, Table C1) received a 60-minute introduction to board-level IT governance and the different board roles for IT governance; (2) participants were assigned to one of five focus groups, with sessions lasting about 45 min; and (3) findings from each group were discussed in a plenary session. To encourage discussion, each group received a written overview of our theoretical findings concerning board roles in governing IT.
To capture different perspectives, including the dynamics between executive and non-executive directors, each group had 4 to 5 participants. Members comprised a mix of non-executive board members, CEOs and participants with other expertise. All are considered knowledgeable about the inner workings of boards as they: (1) have professional backgrounds related to strategic organizational governance and/or management; (2) are members of Guberna, the Belgian Institute of Directors (a knowledge center for board members); and (3) have taken Guberna's course about board effectiveness.
To avoid bias, the focus group and plenary sessions were led by two authors. The recordings were transcribed with the data analyzed and coded by the primary author, based upon Huse's (2005) six board roles (including their tasks and value). Discussion and verification of this coding identified material related to board mechanisms. Next, these views were correlated with findings from the theoretical component of the study, with the findings presented in Tables 7 and 9.

Comparison with practitioner frameworks
To further establish alignment between theory and practice, we mapped findings from our theoretical component to two established practitioner frameworks for IT governance, namely ISO/IEC 38500:2015⁶ and COBIT 2019 (ISO/IEC, 2015; ISACA, 2018). These were chosen because both are internationally recognized as established practitioner frameworks for IT governance and offer guidelines for boards about how to implement IT governance duties. Specifically, ISO/IEC 38500:2015 is an international standard for IT governance by which organizations can get certified if all requirements defined by the standard are met. COBIT 2019 is an open framework offering guidelines regarding IT governance and management. Our focus concerns the governance objectives in the Evaluate, Direct and Monitor domains, as the framework explicitly mentions that these are the responsibility of a board of directors.

Board roles evident in corporate governance and IT governance research
We structure our review of the corporate governance and IT governance research in terms of the six board roles in Huse's (2005) framework. Our analysis focuses on: (1) the board tasks and their value for each role as reported in the corporate governance research; (2) how this compares with what is reported in IT governance research; and (3) the relevance of these tasks to board roles when IT governance is integrated with corporate governance.

Behavioral control
Huse (2005) classifies the board's role in behavioral control, otherwise referred to as the board's monitoring function (Adams et al., 2010; Daily et al., 2003), as having an internal focus (see Table 1). It concerns management behavior and operational control (Huse, 2005), which is performed as boards scrutinize, evaluate and regulate the actions of executive management (Hillman and Dalziel, 2003; Sundaramurthy and Lewis, 2003). Here, an agency theory perspective suggests that the board should control for the self-interest of executive management and protect stakeholder interests (Hillman and Dalziel, 2003; Johnson et al., 1996).
IT governance research shows boards as responsible for monitoring/controlling managerial IT-related decisions and actions (Benaroch and Chernobai, 2017; Kuruzovich et al., 2012; Turel et al., 2019b; Valentine and Stewart, 2015; Bandodkar and Grover, 2022). Rather than judging each management decision, boards should focus on how management handles decision-making and evaluate whether they have established the correct procedures to adequately manage IT (Trites, 2004; Dong et al., 2021; Benaroch and Fink, 2021). Consistent with corporate governance research, agency theory is used to elicit perspectives regarding this board role (Benaroch and Chernobai, 2017; Price and Lankton, 2018; Yayla and Hu, 2014; Bandodkar and Grover, 2022; Dong et al., 2021). As such, boards should protect against management's self-interested behavior and control behaviors, such as when management makes inappropriate IT investments to increase their power (Benaroch and Chernobai, 2017). Here, later research adopts upper echelon theory (Li et al., 2021; Liu and Preston, 2021).

Advice and counsel
In corporate governance, this board role concerns providing advice and counsel to the CEO and executive management (Hillman and Dalziel, 2003; Sundaramurthy and Lewis, 2003). By viewing managers as trustworthy stewards of the organization, this role relates to board support for management (see Table 2), and thus to stewardship theory (Anderson et al., 2007; Daily et al., 2003). Resource dependence theory offers relevant perspectives as boards' advice, based on directors' education and industry experience, affects research and development investments (Chen, 2014) and may offset limited managerial experience (Kor and Misangyi, 2008).
In the context of IT governance, this is a key board role as it concerns offering IT-related guidance and advice to management (Benaroch and Chernobai, 2017; Price and Lankton, 2018). However, it may be less important than a board's monitoring role (Benaroch and Fink, 2021). Two relevant theories are: resource dependence theory (Benaroch and Chernobai, 2017; Van Peteghem et al., 2019; Dissanayake et al., 2021); and stewardship theory (Turel and Bart, 2014; Vincent et al., 2019). The resource dependence perspective offers insights about how boards' IT-related expertise affects organizational value (Van Peteghem et al., 2019; Yayla and Hu, 2014; Dissanayake et al., 2021; Benaroch and Fink, 2021). Stewardship theory implies a board focus on offering IT-related advice rather than on controlling management regarding IT-related matters (Turel and Bart, 2014).

Output control
For corporate governance, output control (see Table 3) has an external focus on monitoring executive management, concentrating on organizational outputs i.e., Corporate Social Responsibility (CSR) and outputs in financial markets (Huse, 2005). In accord with stakeholder theory, this focus entails a board being responsible for protecting the interests of stakeholders, including shareholders, employees, the local community and the environment (Frias-Aceituno et al., 2013; Jo and Harjoto, 2011).
A major element of output control is oversight of financial reporting. As output control increasingly depends on IT-related controls and processes, it is surprising that few of the 48 IT governance papers reference this board role, except in relation to: audit committee responsibilities (Butler and Butler, 2010); the CIO's role in ensuring adequate IT controls over financial reporting (Benaroch and Chernobai, 2017); and reassurance to shareholders that IT-related issues are well considered (Bandodkar and Grover, 2022). As such, stakeholder theory provides perspectives about a board's duty to safeguard stakeholders' interests and demonstrate CSR by monitoring management's IT-related activities (Best and Buckby, 2007).

⁶ ISO/IEC 38500:2015 is produced by the International Organization for Standardization and is purposed to provide "guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations" (ISO/IEC, 2015, 1). COBIT 2019 is produced by ISACA, an international professional association that focuses specifically on governance of IT (ISACA, 2018). COBIT 19 incorporates ISACA's Val IT that focuses more on value realization. ITIL, as an internationally recognized standard, is a comprehensive framework but focuses more on IT service management.
Lack of discussion about this board role in the IT governance research may be explained by output control being an aspect of corporate governance where boards have already integrated an IT governance component to address IT-related control and risk exposures. Key drivers relate to: (1) increasing IT-related risk exposures and boards' corporate governance duties regarding risk management (Ponemon, 2018; Kritzinger-von Solms and Strous, 2003); and (2) the importance of board roles in governing internal IT-enabled controls over financial reporting (Johnstone et al., 2011). Hence, as output control concerns organizational outputs, corporate governance requires board oversight of identification, reporting and remediation of material weaknesses, including IT material weaknesses (ITMWs). Interestingly, ITMWs can have even more detrimental effects than non-ITMWs (Kim et al., 2018), and are associated with higher director turnover and hiring directors with higher levels of IT expertise (Haislip et al., 2016). Further, as cyber risks form significant threats, corporate governance's focus on output control may reflect strategic responses to cyber exposures and disclosures (Radu and Smaili, 2021), and their financial impact (Adelmann et al., 2020). Third, the output control role includes strategic responses to government regulations, such as financial reporting requirements and privacy. For example, legislation concerning data breach notification (e.g., the Australian Notifiable Data Breaches scheme and the European General Data Protection Regulation) increasingly requires organizations to inform regulators and affected individuals about data breaches (Daly, 2018).

Table 1
Identified board roles regarding behavioral control.

Value
• reducing default risk, as agency costs are mitigated, managerial performance is monitored and information asymmetry between the organization and its shareholders is reduced (Bhojraj and Sengupta, 2003; Johnson et al., 1996);
• increased probability of CEO dismissal due to low managerial ability, which correspondingly may motivate the CEO to work harder (Adams et al., 2010); and
• reducing expropriation or misallocation of funds to improve organization's productivity and reporting (Bhojraj and Sengupta, 2003).

Table 2
Identified board roles regarding advice and counsel.

• providing insights on and guiding management's attention towards certain topics (Turel and Bart, 2014; Van Peteghem et al., 2019); and
• stimulating collaboration between the CIO and executive management (Turel et al., 2017) as well as between the CIO and the board (Bandodkar and Grover, 2022; Li et al., 2021).

Value
• directors can be valuable resources in terms of their competencies (Chen, 2014; Hillman and Dalziel, 2003);
• directors with connections to an organization's external environment can advise management on its specifics (i.e., the procedures, interesting contacts), thereby reducing uncertainty and transaction costs (Hillman et al., 2000); and
• enabling organizations to keep up with fast-changing markets by meeting the demands of dynamic R&D environments (Chen, 2014).

• providing valuable resources such as knowledge regarding IT governance and outsourcing (Van Peteghem et al., 2019; Yayla and Hu, 2014);
• directing management's attention and enhancing the quality of their decisions, thereby enabling a better fit between the organization's needs and its external environment (Coertze and Von Solms, 2013; Turel and Bart, 2014; Li et al., 2021);
• addressing risks of IT resource deficiencies (Benaroch and Chernobai, 2017);
• supporting the creation of shared understanding about how IT can add business value in terms of innovation and growth (Coertze and von Solms, 2014);
• less important than the monitoring role (Benaroch and Fink, 2021); and
• facilitating social alignment by promoting trust between the board and top management (Liu et al., 2019).

Networking, lobbying, legitimating and communication
When exercised as part of corporate governance, the networking, lobbying, legitimating and communication role (see Table 4) has elements of service, with a specific focus on the external environment (Huse, 2005). Boards may act as boundary spanners between organizations and their environments (Hillman et al., 2000; Kim and Cannella, 2008). Consequently, this role is leveraged by boards' relational (or social) capital and linkages to their organizations' environment, with a wide range of interested parties (Hillman and Dalziel, 2003). These include customers, suppliers, investors, business leaders, regulators and media (Kim and Cannella, 2008). Theoretical grounding for this role is evident in resource dependence theory (Daily et al., 2003; Hillman et al., 2000), as organizations' environmental dependence relates to their need for externally-sourced resources (Daily et al., 2003).
IT governance research reports this role as entailing two main functions: providing resources and signaling. Accordingly, it relates to strengthening the public image of the organization's IT capability (Benaroch and Chernobai, 2017) and is shown to positively impact share market reactions to security breaches (Higgs et al., 2016). From a resource dependence perspective, directors can leverage their relationships with multiple organizations to provide access to resources including IT providers and capital (Benaroch and Chernobai, 2017; Turel and Bart, 2014). Alternatively, related to signaling theory, a board's legitimating role includes establishing IT governance mechanisms at the board-level, thereby signaling to the market that it places emphasis on IT-related issues (Higgs et al., 2016; Bandodkar and Grover, 2022; Liu and Preston, 2021).

Strategic control
As part of corporate governance, a board's strategic control role (see Table 5) relates to monitoring functions, such as reviewing strategic initiatives and overseeing execution of strategy (McNulty and Pettigrew, 1999; Rindova, 1999; Schmidt and Brauer, 2006). With appropriate knowledge, expertise and objectivity, boards should improve strategic decision-making by effectively challenging executives' proposals (Stiles, 2001; Barroso-Castro et al., 2017; Rindova, 1999). As this does not entail boards' responsibilities for initiating and implementing strategic decisions (Pugliese et al., 2009), the role may be regarded as passive (Castro et al., 2009). From a legal theory perspective, aspects include boards' fiduciary duties to evaluate decisions about generating organizational value (Lan and Heracleous, 2010; Styhre, 2018).
IT governance research reports that this role concerns evaluating and monitoring IT-related strategic matters, such as IT-related goals and strategic proposals (Jewer and McKay, 2012; Turel et al., 2017; Bandodkar and Grover, 2022; O'Donnell, 2004). Indeed, boards' IT competence may be considered as both a dynamic capability and a cognitive bias that influences strategic choices. Whilst boards' IT competence contributes to an organization's competitive advantage (Héroux and Fortin, 2018), it is also shown to negatively affect organizations' market performance when IT failures occur (Benaroch and Fink, 2021). Theoretical foundations include: (1) an agency theory perspective about reducing conflicts of interest regarding possible misalignment between IT and the business strategy (Benaroch and Chernobai, 2017; Posthumus and von Solms, 2008; Bandodkar and Grover, 2022); (2) a resource-based view of the organization whereby board members' IT competence constitutes a valuable resource for strategic oversight (Price and Lankton, 2018; Joshi et al., 2022); and (3) a strategic choice theory perspective wherein board attributes (such as board IT competence, board size and proportion of internal board members), influence strategic decision-making (Jewer and McKay, 2012; Van Peteghem et al.,

Value
• CSR is positively linked to organizational performance, possibly by mitigating agency conflicts (Jo and Harjoto, 2011); and
• reducing information asymmetry and agency conflicts between management and various stakeholders (Jo and Harjoto, 2011; Frias-Aceituno et al., 2013).
• ensuring adequate reporting on IT-related matters to all stakeholders (Butler and Butler, 2010); and
• CIOs on the board reduces shareholders' concerns related to technological issues (Bandodkar and Grover, 2022).

Strategic participation
For corporate governance, strategic participation (see Table 6) refers to boards' active involvement in strategic decision-making (Castro et al., 2009; Hillman and Dalziel, 2003). Through setting their organization's strategic direction (Ingley and Van der Walt, 2001; Judge and Zeithaml, 1992), the board becomes a strategic partner with management (Anderson et al., 2007; Castro et al., 2009). At a minimum, the board determines the strategic parameters for management's strategic decision-making (Stiles, 2001). Thus, the role includes influencing management's preparation of strategic proposals and shaping the content, context and conduct of a strategy (Ingley and Van der Walt, 2001).
Hence, stewardship theory and resource dependence theory offer useful perspectives. Stewardship theory offers some differentiation from the agency theoretic view of the self-interested manager, by focusing on the role of boards in empowering managers (Castro et al., 2009; Kim and Cannella, 2008; Pugliese et al., 2009). Alternatively, resource dependence theory's perspective predicts boards' critical roles, such as providing access to strategic information and reducing uncertainty through networking (Castro et al., 2009;

Table 4
Identified board roles regarding networking, lobbying, legitimating and communication

Corporate Governance
IT Governance
• providing resources (Kambil and Lucas, 2002; Turel and Bart, 2014) and securing funds to implement new technologies (Turel and Bart, 2014);
• sourcing individuals or organizations to provide advice and collaboration in support of IT processes (Kuruzovich et al., 2012);
• is advantaged when CIOs are appointed to boards (Bandodkar and Grover, 2022; Liu and Preston, 2021); and
• may be inhibited by board flux (Dissanayake et al., 2021).

Value
• supporting access to necessary resources (Daily et al., 2003);
• improving the fit between the organization and its environment (Kim and Cannella, 2008); and
• reducing environmental uncertainty and consequently reducing transaction costs (Hillman et al., 2000; Hillman and Dalziel, 2003).

Table 5
Identified board roles regarding strategic control

Value
• encouraging executives to improve their strategic plans before presentation to the board, thereby improving strategic decision-making (Baysinger and Hoskisson, 1990;Stiles, 2001).
IT governance research shows that boards should proactively engage in IT-related strategic decision-making by integrating IT topics into strategic discussions (Andriole, 2009; Coertze and von Solms, 2014). This is enhanced by networking (Xue et al., 2021) and more formal roles for CIOs (Bandodkar and Grover, 2022). As such, this service role may be grounded in stewardship theory (Turel and Bart, 2014). Other theoretical perspectives relate to resource dependence theory such as: including CIOs on boards to ensure IT experience and knowledge (Bandodkar and Grover, 2022; Dissanayake et al., 2021); and networking to ascertain market trends (Turel and Bart, 2014). As for boards' strategic control role, application of the resource-based view (Feng et al., 2021) and/or upper echelon theory (Li et al., 2021) provides perspectives about the impact of board attributes such as IT competence on strategic decision-making.

Correlation with practitioner sources (focus groups and governance frameworks)
Findings from the focus groups indicate reasonable consistency between their perspectives about how boards should exercise these six board roles, and how this is depicted in research (see Tables 7 and 8). First, they regard it as important that IT governance be exercised as part of corporate governance. However, they perceive boards typically lack IT expertise and would face difficulties in proactively engaging with IT-related strategic decision-making. Hence, given boards' financial and management expertise, participants argue that boards should focus on IT cost rather than IT oversight in their behavioral control and output control roles. This is consistent with IT governance research (i.e., Benaroch and Chernobai, 2017; Turedi, 2020; Pan et al., 2016).
Focus groups regard the contribution of independent directors as particularly important to performance of boards' networking, lobbying, legitimating, and communication roles, again perspectives supported by IT governance research (i.e., Cheng et al., 2021; Li, 2019). Of the other three roles (advice and counsel, strategic control and strategic participation), they see particular difficulties arising from boards' general lack of IT expertise and an urgent need to manage this through targeted recruitment and/or strategic roles for executive management. This is consistent with IT governance research (i.e., Héroux and Fortin, 2018; Li et al., 2021).
Similarly, there is general alignment between our theoretical findings and those delineated by ISO/IEC 38500:2015 and COBIT 2019 (see Table 8). This particularly relates to risk management and two board roles (behavioral control and output control). However, three differences are apparent. First, despite it being established in the corporate and IT governance research, the practitioner frameworks lack reference to the networking, lobbying, legitimating and communication role. Second, these frameworks provide more guidance regarding specific topics about which boards should advise management. Third, both ISO/IEC 38500:2015 and COBIT 2019 highlight the importance of considering the needs of all stakeholders (internal and external) when governing IT (ISACA, 2018): the corporate governance research addresses this aspect in its output control role, while board-related IT governance research focuses more on internal stakeholders. Hence, when IT governance is integrated with corporate governance, it would be beneficial to review how board roles should safeguard stakeholder needs (e.g., regarding cybersecurity).

(Castro et al., 2009; Ingley and Van der Walt, 2001);
• discussing strategic decisions (Anderson et al., 2007);
• establishing long-term targets and allocating resources (Pugliese et al., 2009);
• scanning the environment (Rindova, 1999); and
• annually reviewing strategic directions (Stiles, 2001).

Mechanisms for facilitating board engagement with IT governance
Consistently evident from our theoretical review and our practitioner sources are: (1) the applicability and importance of the six board roles (Huse, 2005) related to the exercise of corporate governance to board roles when governance of IT is an integral component; and (2) identification of three key mechanisms by which boards may facilitate this integrated governance. Findings show these mechanisms as: improving board IT competence; ensuring an appropriate board structure and composition; and ensuring IT-related board activities.

Improving board IT competence
Corporate governance research relates board competence to board members' skills, experience, expertise and knowledge being crucial for performing control roles (Hillman and Dalziel, 2003; Thomas et al., 2009). Competence is required in challenging executives' proposals (Barroso-Castro et al., 2017) and managing their improvement of strategic plans (Baysinger and Hoskisson, 1990; Stiles, 2001). This competence is similarly important for boards' advisory and strategic participation roles (Hillman and Dalziel, 2003; Brickley and Zimmerman, 2010).
Similarly, IT governance research identifies the importance of boards' IT competence. In executing behavioral control, IT competence reduces information asymmetry between boards and executives, enabling better evaluation of IT decisions (Valentine and Stewart, 2013a, 2013b; Vincent et al., 2019; Li et al., 2021), as well as the board's ability to provide IT-related advice and counsel (Benaroch and Chernobai, 2017). This competence may be enhanced: by recruiting directors with IT expertise (Benaroch and

Table 7
Comments by focus group participants regarding board roles.

Behavioral control
Tasks: This is very much oriented at what if things go wrong, how do we react, but should a board also not take a preventive stance, so that things are ready for when things go wrong (PDC3). Regarding IT risk mitigation - determining IT risk tolerance is very important (FGC6). Should not ratify IT decisions if an operational failure (FGC13).
Value: Does not directly create shareholder value (FGC9) but relates to managing shareholder trust (FGC11).

Advice and counsel
Task: We would like to formulate this as advise, counsel, and challenging … Board members need to ensure that there is awareness at the level of the executive committee, and then … that this awareness is also transferred throughout the entire organization (PDC6).
Value: We discussed that "create atmosphere of joint accountability concerning IT resources" required good management of the risk of 'responsibilization' (PDC7).

Output control
Task: Output control ranked third most important (PDC1).
Value: Remains very high level. Should the board discuss the IT KPIs? (FGC19).

Networking, lobbying, legitimating, and communication
Task: Benchmarking and architecture are important (FGC38). When it comes to implementing the networking role, besides board dynamics, we think that outside-looking mechanisms need to be put in place. For instance, an industry association or a network with the regulator (PDC7).
Value: Useful if the board members could make the link to another company, not necessarily a competitor, but one that does have comparable challenges, to better understand what happens at peers at the back-end (PDC7). Outside-looking (FGC37).

Strategic control
Task: Strategic control as the most important role, followed by behavioral control, and then output control … we need to be able to articulate the strategic or operational role of IT (PDC1). Evaluate and ratify IT strategy = board scene setting. Ensure IT strategic alignment and measure IT-related strategic progress = next phase (FGC28). As a board-level committee, depending on the size of the organization (FGC30). Behavioral control follows from this (FGC24).

Value: Not only value creation, but also what happens when we don't know what the company needs? (FGC30).

Strategic participation
Task: We discussed the concept of 'explore versus exploit', related to the strategic participation role. … "gather IT-related information about the external environment", is good, but oriented [as] "explore". … The question relevant at board-level is … what will you eventually do with this? How can you challenge management in "exploit what you have explored" (PDC6). Define competitive environment (FGC40). "IT committee" is mentioned, but the question is does this need to be a separate committee or does this need to be an integral part of the strategic discussion, and thus part of a more generalist strategic committee where IT is not the only discussion point? (FGC7).
Value: "seize relevant opportunities" is mentioned, but we miss a focus on the risks. In the context of these risks, the competitive environment needs to be defined. For instance, who are our established competitors? In the context of disruption, also new emerging competitors may be even from another sector (PDC7).
Chernobai, 2017; Bandodkar and Grover, 2022; Liu and Preston, 2021); hiring an IT expert (Vincent et al., 2019); or appointing a specific director to take an IT leadership role (Parent and Reich, 2009; Trites, 2004). Regarding output control, audit committee members' IT experience is important (Butler and Butler, 2010). Further, directors with IT awareness bring IT-related networks that support IT-related matters (Yayla and Hu, 2014). However, in relation to the maturity of IT risk management, while both are important, board involvement is more important than board IT expertise (Vincent et al., 2019). This competence supports roles related to IT strategic control (Mohamad et al., 2014; Yayla and Hu, 2014) and strategic participation (Turel and Bart, 2014; Li et al., 2021).
Focus groups stressed the importance of IT competence in terms of IT expertise, and boards' ability to adopt IT-related strategic perspectives (see Table 9). They saw these competencies as very difficult to find, 7 such that boards may attract inadequate board members (i.e., too technical with little strategic experience). They suggested that boards consider strategies to enhance their IT competence by: making IT expertise a prerequisite in selecting new board members; hiring IT-competent independent experts; and training board members regarding IT-related matters. As directors are more likely to have financial and managerial expertise than IT expertise, this role may be executed more effectively in terms of cost management than by proactive IT risk management and compliance.
• Direct and monitor
• assigned responsibilities in terms of IT supply and demand;
• acquisition of IT assets;
• IT risks and performance; and
• conformance with mandatory legislation and regulations.
• Direct and monitor
• the governance system;
• risk management; and
• resource management.

Advice and counsel
Offering IT-related guidance and advice to management e.g., by providing insights and guiding management's attention towards certain topics and stimulating collaboration between the CIO and executive management.
Directors with IT expertise and strategic perspectives are scarce and so this aspect is difficult to achieve.

Output control
Governing IT-related internal controls over financial reporting and ensuring adequate reporting on IT-related matters (e.g., cyber exposures and data breach notification regulations).
As directors are more likely to have financial and managerial expertise than IT expertise, this role may be executed more effectively in terms of cost management than in terms of proactive IT risk management.
Direct and monitor human behavior (which refers to the needs of all stakeholders).
Direct and monitor stakeholder engagement, communication, and reporting.

Networking, lobbying, legitimating and communication
Providing access to IT-related resources and signaling to the market that IT-related matters are important to the organization (and its board of directors).
This role is very important and may be achieved through use of independent directors.
Not readily apparent.
Not readily apparent.

Strategic control
Evaluating and monitoring IT-related strategic issues (e.g., ensuring IT strategic alignment, evaluating and ratifying the overall IT strategy and monitoring IT-related strategic progress).
Directors with IT expertise and strategic perspectives are scarce and so this aspect is difficult to achieve.
Direct and monitor the use of IT and IT-related activities in terms of their contribution to the business strategy.
Direct and monitor value optimization.

Strategic participation
Proactively engage in IT-related strategic decision-making by integrating IT topics into strategy discussions.
Difficulties arise due to lack of directors with competence related to IT expertise and strategic vision.
Evaluate IT use and IT-related activities in terms of their contribution to business strategy.
Establish the target investment mix and evaluate value optimization.
7 Some evidence of the lack of individuals with both competency and experience is evident from the 2020 survey by Kappelman et al. (2021, 69) where results of responses from 1,005 IT leaders show "The average tenure of CIOs remains a little over six years, with almost 47% reporting to the CEO and over 26% to the CFO, the former down and the latter up since 2019. Continuing trends are for CIOs to come from outside the organization (now over 80%) and from non-IT positions (now nearly a quarter)." Similar figures are reported in their 2021 survey (Kappelman et al., 2022).
In the practitioner framework ISO/IEC 38500:2015, Sections 2 and 5.5 require governing bodies to be IT-competent as they must evaluate (consider and make informed judgements) both the risk arising from IT activities and the value generated by IT for the organization. COBIT 19 has similar emphasis on board IT competence as boards must now exercise IT governance as an integrated part of corporate governance (COBIT 19). Competence is particularly required as boards must oversee the definition and implementation of organizations' processes, structures and relational mechanisms that enable business/IT alignment and create business value from IT-enabled business investments (COBIT 19, 11).

Ensuring an appropriate board structure and composition
Corporate governance research reports the value of independent directors for boards' control roles (Hillman and Dalziel, 2003; Xie et al., 2003) and their networking, lobbying, legitimating and communication roles (Johnson et al., 1996). Internal directors and senior management are important where organization-specific information is critical for boards' monitoring and advisory functions (Adams and Ferreira, 2007; Hooghiemstra and Van Manen, 2004). Such appointments leverage information resources to advantage organizations (Aguilera et al., 2016).
IT governance research variously reports regarding the effects of board tenure and gender (Dissanayake et al., 2021). It shows that independent directors with IT expertise have important roles in enhancing boards' ability to provide IT-related advice to management (Benaroch and Chernobai, 2017). Besides network ties (Benaroch and Chernobai, 2017; Van Peteghem et al., 2019), they contribute alternative stakeholder perspectives (Turel et al., 2019a, 2019b) and environmental scanning (Ako-Nai and Singh, 2019; Raghupathi, 2007). Equally, the role of internal directors and management is shown as important for providing IT-related information (Jewer and McKay, 2012; Haislip et al., 2021; Li et al., 2021). Affording structural power to CIOs is associated with positive performance (Feng et al., 2021) and achieved by: making the CIO a board member (Coertze and von Solms, 2014; Bandodkar and Grover, 2022) or a regular presenter (Mähring, 2006); and encouraging directors to communicate with CIOs or IT management between board meetings (Coertze and von Solms, 2014). In this manner, CIOs may support board roles for behavioral control (Posthumus et al., 2010), advice and counsel (Coertze and von Solms, 2014), and strategic participation (Turel et al., 2019b).
Focus groups offered a resource dependence perspective of directors' value. They agreed that CIOs have pivotal roles, bringing IT competence and key information to the board. Based on extended discussion (see Table 9), participants agreed that they opposed the option of permanently including the CIO on the board, indicating that CIOs should be treated in the same way as the CFO. They suggested that boards seek independent directors with IT expertise to enhance boards' IT competence.
In the practitioner framework ISO/IEC 38500:2015, the requirement for an appropriate board structure is apparent from its responsibilities and accountabilities to evaluate, direct and monitor the use of IT. While authority for aspects of IT may be delegated to management, "accountability remains with the governing body and cannot be delegated" (ISO/IEC, 2015, Section 4.2). Similarly, COBIT 19 (2019, 22) regards people, skills and competencies as a key component of governance, being central for good decision-making. It advises that any deficiencies be addressed by training, coaching and feedback into recruitment.

Involve other parties, as you do for instance involve Deloitte for finance matters, or a law firm for legal matters. So if you defined IT as being of strategic importance for your organization, you can also involve external parties for IT as you do with finance and legal matters (PDC2). Independent directors with IT expertise. You could also invite external speakers with relevant IT expertise (PDC6). Need profiles that have sufficient in-depth knowledge as well as high enough or apply this knowledge and expertise at a high enough level [strategic] in the organization. There is a real risk of having "scratching the surface" people (PDC7). High level versus deep technological? Profiles difficult to find (FGC36).
Ensuring an appropriate board structure and composition: As board members, we are expected to have a generalist level of knowledge of finance and legal, but if IT is of strategic importance to the organization, maybe you should then also define your board as such that the board members also have generalist IT knowledge (PDC2). Independent board member with IT/technology expertise OR invite external competency - digital coach (FGC34). Use advisors (FGC23).
Ensuring IT-related board activities: We need to articulate the strategic or operational role of IT, and the IT governance needs to be tailored to that role or importance of IT (PDC1). Invite external speakers with relevant IT expertise i.e., a 1-day offsite meeting with the board and executive committee, where multiple external speakers were invited with different IT-related expertise (PDC6). Making a recurrent agenda item is important, for instance yearly … should this happen at a separate IT committee, or a broader strategic committee that doesn't only focus on IT-related matters (PDC7). IT is broad, digital touches all aspects of the business. Technology becomes more of an enabler and discussion at the board should not be limited to merely IT or a technology discussion (PDC8). Could envision an IT committee, where the CIO has a permanent seat, and the IT committee could then ask the board to invite the CIO to the board to present or discuss IT-related matters (PDC 3, PDC4). Board-level IT governance committee depending on the size of the organization (FGC32).

Ensuring IT-related board activities
Corporate governance research extensively reports on the influence of board committees on organizations' performance (Kolev et al., 2019). Effective communication between boards and management is shown as crucial in ensuring trust and respect (Adams and Ferreira, 2007; Anderson et al., 2007; Thomas et al., 2009). In general, board activity (as measured by the number of board meetings) is a factor, as more active boards are associated with lower levels of earnings management (Xie et al., 2003). Equity compensation is positively regarded for reducing goal conflict by linking management incentives to organizational performance (Hillman and Dalziel, 2003; Sundaramurthy and Lewis, 2003).
IT governance research shows that the board's advisory role is advantaged through frequent briefing by management on IT-related matters (Turel and Bart, 2014). More mature IT risk management practices are evident when boards probe management about these matters (Vincent et al., 2019). Similarly, board-level IT governance committees are shown as useful in informing all IT governance roles (Benaroch and Chernobai, 2017; Higgs et al., 2016; Price and Lankton, 2018; Oliver and Walker, 2006). These committees may vary, depending upon IT competency (Ako-Nai and Singh, 2019) and organizational circumstance, but include: an audit committee (Posthumus et al., 2010; Trites, 2004); an IT steering committee (Prasad et al., 2010); or a risk management committee (Posthumus et al., 2010).
Focus groups agreed that establishing board-level committees should depend on organizational size. They raised doubts whether these committees are suitable mechanisms by which boards perform advice and counsel roles and/or strategic participation roles. They argued that IT strategy should not be delegated or discussed separately from board's strategic deliberations. They supported two particular actions: (1) the CIO being invited to board meetings to inform IT-related issues; and (2) IT-related matters being a fixed item on board agendas (see Table 9). Both actions would support boards' advice and counsel, strategic control and strategic participation roles. They directed little attention to the issue of effective communication between the boards and management, and opposed rewarding the CIO with long-term remuneration packages.

• Agency theory.

Output control
Focus: Direct and monitor IT-related internal controls over financial reporting and ensuring adequate reporting on IT-related matters (e.g., concerning cyber exposures and data breach notification regulations).
• Adequate IT-related reporting.

Strategic control
Focus: Direct and monitor IT-related strategic issues and contribution to business strategy and value optimization.
• IT value creation.

Service roles
Advice and counsel
Focus: Evaluate responsibilities assigned to management in terms of the IT supply and demand, acquisition of IT assets, IT performance (including IT risks), conformance with all mandatory legislation and regulations through stimulating collaboration between the CIO and executive management.
• Enhance social alignment;
• Better fit between organization needs and external environment; and
• Correct and prevent IT resource deficiencies.
Networking, lobbying, legitimating, communication
Focus: Providing access to IT-related resources and signaling to the market that IT-related matters are important to the organization (and its board of directors).
• Better fulfillment of organization needs; and
• Mitigate negative market reactions to security breaches.

Strategic participation
Focus: Direct and monitor the target investment mix and evaluate IT use and IT activities in terms of their contribution to business strategy and value optimization. Proactively engage in IT-related strategic decision-making by integrating IT topics into strategy discussions.
• Stewardship theory.
* See Appendix A, Table A1 for an overview of these theories.

In the two practitioner frameworks, the relevance of ensuring IT-related board activities is evident. For example, ISO/IEC 38500:2015 requires governing bodies to "direct that they receive the information that they need to meet their responsibility and accountability" (ISO/IEC, 2015, Section 5.2). This relates to governing bodies being required to "regularly evaluate their organization's conformance to the framework for governing IT" (ISO/IEC, 2015, Section 5.6). COBIT 19 (2019, 25) similarly alludes to the importance of ensuring IT-related activities in that it defines a significant IT-related risk as "reluctance by board members, executives or senior management to engage with IT".

Theoretical perspectives on board-level IT governance
Our study shows that board-level IT governance is as multi-faceted as corporate governance with different theoretical lenses affording differing perspectives regarding boards' execution of their roles. Accordingly, corporate governance-related recommendations to use a multi-theoretic approach (Daily et al., 2003) are applicable to research where IT and corporate governance are integrated. For example: by adopting a resource-based view of the organization, board IT competence may be considered as a dynamic capability (Héroux and Fortin, 2018; Price and Lankton, 2018; Joshi et al., 2022); upper echelon theory may regard such competence as a cognitive bias, being influential upon an organization's strategic choices (Carpenter et al., 2004; Héroux and Fortin, 2018; Li et al., 2021); a strategic choice perspective may enable understanding of how board attributes, such as size and IT competence, influence strategic oversight and participation (Jewer and McKay, 2012; Van Peteghem et al., 2019); and stewardship theory offers perspectives regarding boards' contributions to IT governance by supporting management as trustworthy stewards of the organization (Turel and Bart, 2014; Vincent et al., 2019). This enables links with resource dependence theory, wherein directors' value resides in their ability to contribute IT-related expertise and/or leverage their networks to provide access to resources (Benaroch and Chernobai, 2017; Turel and Bart, 2014). It accommodates the agency theoretic view regarding the board's roles for monitoring IT management strategy (Benaroch and Chernobai, 2017; Price and Lankton, 2018; Thomas et al., 2009). Other perspectives may be linked with: stakeholder theory that emphasizes the importance of boards safeguarding the interests of all stakeholders (Best and Buckby, 2007); and signaling theory, as boards can signal to the market that they contribute to the perceived trustworthiness of their organization by emphasizing IT-related matters (Higgs et al., 2016).

Discussion and conclusion
Whilst all board roles identified through our coding frame (Huse, 2005) are shown as relevant to IT governance, their integration with corporate governance is yet to be achieved. Yet, the pervasive effects of digitization upon organizations' IT-related controls and risk exposures increasingly require boards' prudent consideration of their strategic effect on investment and performance.
To advance boards' integration of IT and corporate governance, we consolidate our findings as a framework in which we articulate two key accountabilities, control and service (see Table 10 below). Boards' control accountabilities, being related to agency theory, highlight how boards should control for the self-interest of executive management (the agent) and protect stakeholder interests (the principal). Thus, they concern behavioral control of the executive team regarding risk and resource management, as well as control of outputs (reporting and regulatory compliance) and strategic control of assets and performance appraisal. Alternatively, boards' service accountabilities highlight their need to consider more behavioral aspects of their roles with evaluative and directive aspects (such as advice and counsel for the executive team) and accessing and signaling aspects (networking and lobbying for gaining intelligence and signaling to markets), which together are linked by effective strategic participation.
This finding aligns with corporate governance research, which shows that to be truly effective, boards must deliver upon both service and control accountabilities (Roberts et al., 2005; Sundaramurthy and Lewis, 2003). For example, over-emphasis on collaboration (i.e., service roles) may lead to inappropriate strategic persistence as executives and directors continue to defend their collective decision-making (Sundaramurthy and Lewis, 2003). Alternatively, emphasis on control may result in distrustful and less motivated executives who are less likely to share information. Accordingly, boards should embrace both aspects of their roles and balance these demands (Nolan and McFarlan, 2005).
However, as practically contributed by the focus groups, boards' balance of their service and control roles will depend on their organization's context. For example, a focus on societal trends, such as CSR, will encourage emphasis on output control and shareholders. Alternatively, an identified need for rapid digitization may necessitate that boards focus on behavioral control (to effectively evaluate IT risk management and monitor IT performance), and strategic participation and control roles (to ensure strategic business/IT alignment and IT investment).
Regarding the board roles in corporate governance that are applicable to IT governance (RQ1), our analysis of the research for corporate and IT governance shows that all six roles for corporate governance identified by Huse (2005) are applicable to IT governance. This is important given the pervasive effects of digitization on organizations' processes, risk exposures and performance, all of which are matters requiring IT governance to be integrated with corporate governance. In extending our study, future research focusing on boards' integrated governance may explore issues, such as the factors that influence boards' levels of involvement in governing IT and their impact on competitive value and innovation (Caluwe and De Haes, 2019). Second, while current research typically lacks distinction between different board roles, our review provides more nuanced understanding. Future research that distinguishes between different board roles will create more in-depth understanding of the consequences of particular foci and their effects, together with appreciation of the mechanisms and processes by which particular roles deliver business value.
Our findings regarding the implications for board roles when boards exercise IT governance as an integral component of corporate governance (RQ2) particularly concern boards' focus on their roles in terms of control and service functions (see Table 10). Implications particularly relate to boards' lack of IT expertise. This has implications for three roles (advice and counsel, strategic control and strategic participation), and needs to be managed through targeted recruitment and/or strategic roles for executive management.
Here, independent directors may also contribute importantly to boards' networking, lobbying, legitimating, and communication roles. Given boards' financial expertise, their control functions should be advantaged by a focus on IT cost, IT-related reporting and regaining shareholder trust in the event of IT failure (i.e., output control and legitimating roles). While governance requires considering the needs of all stakeholders (internal and external), corporate governance research focuses on boards' output control role related to external stakeholders, while board-related IT governance focuses more on behavioral control related to internal stakeholders. Hence, integrated IT and corporate governance would be advantaged by reviewing how board roles safeguard both stakeholder groups (e.g., regarding cybersecurity). Future research should extend initial findings related to: (1) the relationship between board IT competence and innovation (Héroux and Fortin, 2018); and (2) the effect on performance of a board's competence regarding business/IT strategic alignment and/or its authoritarian governance style (Turel et al., 2017).
Regarding the key mechanisms that advantage board roles when IT governance is integrated with corporate governance (RQ3), there is consistency between findings from the structured review of board roles, focus groups and analysis of two key practitioner frameworks. Key mechanisms are: the importance of improving boards' IT competence; ensuring an appropriate board structure and composition; and ensuring IT-related board activities. This suggests some theoretical avenues for future research. First, with board IT competence being critical, how are outcomes related to board roles for integrated corporate and IT governance informed by resource dependence theory and the resource-based view? While research advocates the importance of IT-competent directors, more clarity is required about the effect of boards' improved IT expertise on corporate governance processes, board-management dynamics and governance-related links with the external environment. Similarly, it is important to investigate the dynamics of more formal advisory roles for CIOs and their effect on IT investment decisions. Of interest is that management may be more reluctant to share information with boards who focus on monitoring, and less reluctant when boards stimulate information exchange through advisory roles (Adams and Ferreira, 2007). This suggests the relevance of investigating factors which influence board-senior management dynamics.
In responding to calls for a stronger focus on behavioral approaches to understanding factors influencing boards' performance (Pugliese et al., 2009), it would be useful to adopt a range of methods. With current board-level IT governance research dominated by conceptual papers and/or use of survey data, future research would be advantaged by mixed method approaches. For example, in-depth analysis of specific board activities and roles in their organizational contexts, using a range of methods, may progress understanding of board dynamics. Approaches may include case studies and interviews with chairpersons and board members from organizations of differing sizes and with differing IT capabilities. By linking organizations' digital capability, culture and maturity with the mechanisms of board IT competency and composition, research may usefully explore the effectiveness of its IT governance-related processes and activities when integrated with corporate governance.
While our findings offer various suggestions and different theoretical perspectives by which to explore these governance challenges, a number of limitations are evident. First, as our focus group participants are members of the Belgian Institute of Directors, their perspectives may differ from directors in countries with slightly different regulatory requirements for corporate governance. Second, organizational size, culture and context will affect boards' perspectives about their roles and accountabilities. In this regard, while our framework provides a mechanism by which boards may balance their accountabilities regarding their governance activities, its application is yet to be tested.
In summary, as organizations digitize their processes and controls, IT is increasingly a core asset, an essential component of performance, and a source of significant risk exposures. As a consequence, it is increasingly imperative that IT governance be exercised as an integral component of corporate governance. As such, our research and its resultant framework contribute timely and structured understanding of the required board roles and the mechanisms by which a board's corporate governance may address its IT-related governance responsibilities.

Theory Summary
Legal theory
Legal theory offers perspectives that relate to the legal foundations upon which organizations are established, governed and managed (Styhre, 2018). In contrast to agency theory, it posits the organization rather than shareholders as the principal and thus offers an alternative perspective about boards' fiduciary duties (Lan and Heracleous, 2010; Johnson et al., 1996).

Resource-based view of the organization
The resource-based view of an organization has a more internal focus than that offered by resource dependence theory (Huse, 2005). In this regard, it premises directors as valuable resources in terms of their competencies and/or facilitating access to resources for the organization (Daily et al., 2003; Huse, 2005; Johnson et al., 1996). As such, board members' IT competence constitutes a valuable resource for strategic oversight (Price and Lankton, 2018; Joshi et al., 2022).

Resource dependence theory
When used in organizational studies, the theory focuses on how organizations may be affected by external resources, as they depend on their environment and other stakeholders within that environment. Thus, it enables an internal perspective on an external issue (Huse, 2005) such as how board expertise provides access to resources (Van Peteghem et al., 2019) and thereby helps the organization limit its dependency on external resources (Hillman and Dalziel, 2003; Benaroch and Chernobai, 2017). This particularly relates to the role of external directors (Daily et al., 2003).

Signaling theory
Signaling theory is useful in situations of strategic interdependence, when two parties have access to different information and one party chooses (signals) whether and how to inform the other party who in turn must decide how to regard this matter (Higgs et al., 2016). For example, boards may signal quality by valuing an audit committee as part of its governance, i.e., signaling prudent behavior enhances stakeholder perceptions of legitimacy and value (Bandodkar and Grover, 2022).

Stakeholder theory
This theory recognizes a wide range of interested parties (stakeholders) who have an interest in an organization's performance (Frias-Aceituno et al., 2013; Suddaby et al., 2017). Thus, the theory is useful for perspectives about board roles in protecting stakeholders' interests and monitoring management (Best and Buckby, 2007).

Stewardship theory
In contrast to agency theory, stewardship theory premises that management should generally be regarded as good stewards (Huse, 2005; Anderson et al., 2007). Hence, this perspective will regard board roles as being more concerned with collaboratively engaging with management to formulate and execute strategy (Hillman and Dalziel, 2003; Shen, 2003; Turel and Bart, 2014; Vincent et al., 2019; Kim and Cannella, 2008).

Strategic choice theory
Strategic choice theory aligns with perspectives where board attributes (such as board IT competence, board size and proportion of internal board members) influence strategic decision-making (Jewer and McKay, 2012; Van Peteghem et al., 2019; Benaroch and Fink, 2021). The theory aligns with board behavior when it influences the design of the strategic decision-making process to address external pressures (Van Peteghem et al., 2019).

Upper echelon theory
This relates to the upper echelon of an organization being regarded as best positioned to appreciate the organization's operating environment (Li et al., 2021). The theory premises that, as senior management (upper echelons) have a key role in developing strategic initiatives, their personal characteristics, cognitive biases and values are influential (Liu and Preston, 2021; Carpenter et al., 2004).

Table A2
The coding frame for board roles using Huse's (2005) six roles for corporate governance focusing on their definition, relevant theories, specific tasks and value proposition.

Table 6
Identified board roles regarding strategic participation

Table 8
Correlation of findings from the theoretical component with two practitioner resources.

Table 9
Comments by focus group participants regarding board mechanisms.
Improving board IT competence: Not always the appointment itself, but certainly determining the necessary profile (FGC1). If composition cannot change, look at training (FGC15).

Table 10
Framework for board accountabilities and roles when IT and corporate governance are integrated

Overview of IT governance papers

Table B1
The 48 identified IT governance papers.