Information Technology Governance for Higher Education Institutions: A Multi-Country Study

: Information Technology governance (ITG) calls for the deﬁnition and implementation of formal practices at the highest level in the organization, involving structures, processes and relational practices for the creation of business value from IT investments. However, determining the right ITG practices remains a complex endeavor. Previous studies identify IT governance practices used in the health and ﬁnancial sectors. As universities have many unique characteristics, it is highly unlikely that the ITG experiences of the ﬁnancial and health industry can be directly applied to universities. This study, using Design Science Research (DSR), develops a baseline with advised practices for the university sector. The analysis of thirty-four case studies from the literature review provides a set of practices as a starting point for the development of the baseline model proposal through multiple case studies involving interviews with IT directors, in ten universities in ﬁve countries: eight new practices emerge in this study. The model proposed was evaluated by experts. The result is a baseline model with adequate practices for IT governance in universities as well as a set of guidelines for its implementation. Findings revealed that is possible to extend the ITG practices’ baseline when looking at speciﬁc contexts.


Introduction
IT has become essential in supporting the growth and sustainability of all types of organization [1][2][3]. Organizations have been using IT to automate and perform process integration, connecting the enterprise with customers, suppliers and distributors to obtain sustainable competitive advantage. Moreover, the pervasive use of technology has created a critical dependency on IT that demands considerable attention to IT Governance (ITG) [4].
When properly implemented, ITG can impact the organization positively and enhance business/IT alignment [3]. To manage the variety of technologies, ITG practices are necessary to support IT-related decisions, actions and assets and to make sure they are tightly aligned with an organization's strategical and tactical intentions [1,5,6].
The process of identifying the right ITG practices to apply to a specific context is a complex endeavor which may depend on the organization's size, country, industry, control (public or private), along with other factors [7][8][9][10][11][12][13]. Universities are complex organizations that require adequate IT and information systems (IS) to fulfil their mission. Their IT consists of a variety of applications, different platforms, academic systems and cloud applications, i.e., a heterogeneous set of technologies [14].
The effective and efficient use of IT at universities to support research, teaching and management requires appropriate ITG [15][16][17][18][19]. Effective ITG in universities is strongly associated with a high level of maturity of ITG practices [20]. Moreover, the adoption of formal practices at the highest level of the organization for governing IT, as claimed by [21,22], is expected to bring benefits and improve organizational performance.
An effective ITG helps an institution achieve its goals by applying IT resources in optimal ways. On the other hand, ineffective ITG might affect the organization performance, quality of services, and management of operations and costs. In universities, ineffective ITG might affect the quality of teaching, research and management of internal processes (e.g., access to online courses, software, academic databases etc.). Complex organizations, such as universities, should devote particular attention to their practices for the governance of IT to better deal with innovation and changes in their environment and adapt to new technologies. While providing high-quality services and delivering value, universities should also consider risk. Organizations such as universities have quite different goals from industry, especially the public ones, regarding their mission in society [23]. While universities create and disseminate knowledge in society, industry is more focused on generating profit to the shareholder, reducing costs and creating economic value.
Given the relevance that ITG has gained in IS, building upon the work of [3,[24][25][26][27][28][29], this study intends to contribute to the body of knowledge on ITG, answering the following research question: What is the baseline of advised practices to govern IT in universities?
In order to answer the research question, this study aims to elicit a list of the most used ITG practices, regardless of industry, from the literature. Thereafter, the list is used as a baseline to perform an exploratory study in Education industry and finetuned with a new ITG practices proposed by experts.
This article is structured as follows: Section 2 introduces the concepts of ITG and the research on ITG practices, with a description of the research on ITG in universities. Section 3 presents the methodology adopted in this study, and a multiple case study consisting of interviews. Section 4 presents the proposal of ITG baseline, with the findings and results of this study. Section 5 presents the evaluation of the ITG practices' baseline. Section 6 presents the discussion. Finally, the conclusion and future research proposals are discussed in Section 7.

Background
This section sets the scope, creating a clear overview of the main topics of this investigation. First, a general overview of the topic and ITG is provided. Then, the main studies on ITG practices in different types of industry are detailed. The third section details studies about ITG in Education (university). Last, but not least, this section offers information about ITG practices in the universities with an analysis of the level of implementation and effectiveness, looking at different case studies in the literature.

IT Governance
Many authors define ITG under different meanings. We use the following definition provided by [30], p. 123: "ITG consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives". Corporate Governance of IT is the system in which the current and future use of IT is directed and controlled to support the organization according to ISO/IEC 38500 and has been recognized by a number of studies [31][32][33].
The research in IT governance is divided into two streams: IT Governance Forms and IT Governance Contingency Analysis [34]. The first stream is related the decision-making structures adopted by IT organisations, for instance, decentralised, centralised and federal. The second stream tries to uncover the factors for an effective IT governance framework in a particular organisation. This research focuses on the second stream to understand how IT governance can be implemented in faculties and to uncover the most appropriate configuration. In this study, the contingency factors proposed by the authors will be considered for the reality of universities. Therefore, it is necessary to adapt frameworks and IT governance practices according to context and contingency factors.

IT Governance Mechanisms
ITG involves a set of high-level definitions, such as principles, values and goals, operationalized through practices [35]. Thus, ITG practices are a practical manifestation of these high-level definitions and contain day-by-day activities as a way to execute ITG in practice. An ITG framework may be deployed using a set of practices, including structure, processes, and relational mechanisms [30,36,37].
ITG structures are responsible for defining roles and responsibilities. Steering committees are an example of such a structure. A steering committee is composed of directors, managers and executives, in essence, individuals responsible for decision-making in the organization [30]. ITG processes refer to the planning and strategic decision-making of IT, based on practices from ITIL, COBIT or Balanced Scorecard, for example, including techniques and appropriate tools to align business and IT.
ITG relational mechanisms include the participation and interaction between IT and business, calling for appropriate communication and knowledge-sharing, combined with learning and coaching, including job-rotation, announcements, advocates, channels, and education efforts [30].
The relevance of structural, procedural, and relational practices for information governance has been stressed [26,38], since organizations increasingly depend on data. In addition, the organizations aim to maximize the value of their informational assets or to protect that value from myriad risk factors that might undermine or delay the flow of organizational value from information [26].
Contingency factors may influence the success of ITG practices implementation, as well as their adoption [12,13,30,34,39,40]. There is no universal ITG model for all organizations, and contextual factors impact the contribution of ITG to the enhancement of corporate performance [12]. Researchers in the literature are unanimous in arguing that a universal IT governance framework is not possible [12,13,34]. The solution depends on contingency factors. In this stream of research, the authors present the contingency factors that can influence an IT governance framework, such as organisational structure, competitive/business strategy industry and firm size [34]. As noted by [30,41], ITG practices that are suitable for one industry may not be suitable for another.

IT Governance in Universities
Despite ITG's relevance for organizations, empirical studies in this field are still scarce, particularly in universities [18,42]. Universities from many countries have increasingly recognized the importance of ITG [18,42,43]. Complex organizations, such as universities, should frequently review their ITG practices to deal with innovation and changes in their environment and adapt to new technologies [11,17,44]. It is not only necessary but essential for this kind of organization to reduce risk and resolve vulnerabilities to provide an efficient and high-quality service.
Most of the studies found cover part of the ITG practices, but most of them aim to develop a framework or a model for a particular reality. Some universities used ITIL as the main practice to implement ITG [23,[45][46][47], others include COBIT [19,48] or ISO/IEC 38500 [18].
How the model was designed and proposed for UK universities is unknown [49], the same model used without any significant changes for Spanish universities [50]. A model, which was specific to the context of Thailand, was developed and validated with CIOs of 20 universities and five IT experts [18].
The authors of [24] proposed a theoretical framework for ITG based on structure, processes and people. The proposed framework is based on case studies in Australian universities. In this study, the authors propose a minimum baseline of ITG practices for universities, taking the relevant findings of previous studies into account in order to complement the body of knowledge of previous research.

IT Governance Mechanisms in Universities
A list of ITG practices from a literature review [51] was used and adapted in this study. These ITG practices can be adopted for all types of industry. After the identification of the ITG practices, case studies on universities were selected in in databases such as Web of Science, SCOPUS and AIS eLibrary to identify suitable practices grounded on the exiting knowledge. Furthermore, the most important academic portals regarding ITG in higher education, two associations of information systems in universities EDUCAUSE in the United States of America and UCISA in United Kingdom, were examined. The following criteria were used for the review process search: publications that were written in English and the full text was available; publications that used the keywords "IT governance in higher education", "IT governance in universities", "Information Technology for universities", "Information Technology for higher education", "IT governance" and "University", with the combination of topic and title. Other articles regarding this topic were found, but were not considered, since we could only access the abstract.
Regarding the case studies from the literature review, 27 articles were found, accounting for 34 case studies in ITG at universities and showing some empirical results (see Table 1).

Implementation and Effectiveness
In order to identify the ITG practices implemented and their effectiveness in case studies, a list with 46 ITG practices was adopted and identified in the literature [51]. Table 1 summarizes the ITG practices (frequency of implementation vs. effectiveness) regarding the structure, process and relational practices from the literature review.
The aim of identifying each mechanism is to know if the adopted mechanism may somehow impact ITG at universities. Moreover, if the mechanism was adopted by other case studies, this is an indication that it might have positive empirical results and must be included in the baseline. To identify the practices, all the articles were carefully read more than once, aiming to perceive the effectiveness of each mechanism as well as its implementation. In addition, to assist in the process of identifying the practices implemented and their effectiveness, the software NVIVO [60] was used.
Although it was indicated that some practices were implemented, no evidence is shared regarding their effectiveness in ITG in the case studies (the "IT audit committee", "IT project steering committee", "Charge back", etc.). Therefore, more empirical studies are necessary to comprehend the effectiveness of these practices as well as the importance of ITG in universities. Section 3 presents a multiple-case-studies phase to accomplish this, another phase in the design and development of the ITG practices' baseline.

Research Methodology
The aim of this research is to develop a baseline model of ITG practices for universities. A suitable research methodology for the creation of an artefact is Design Science Research (DSR). The key elements of DSR on investigations into information systems are the possibility of new fields of research, conduction of tests and validation of theories, or the building of new theories. The purpose of this work is to develop a model and solve a specific problem; in this case, ITG in universities. Therefore, DSR, extensively used in information systems research to solve complex problems [61][62][63][64], can be a suitable approach for this study.
DSR was, then, followed for the development of the model. DSR is not only appropriate to solve organisational problems in specific domains, but also adequate to produce artefacts, as in the case of this model [62][63][64][65]. Figure 1 presents a description of the research strategy using a Design Science Research process and summarizes the design and development of the ITG mechanism's baseline. artefacts, as in the case of this model [62][63][64][65]. Figure 1 presents a description of the research strategy using a Design Science Research process and summarizes the design and development of the ITG mechanism's baseline.

Design and Development: Multiple Case Studies
Previous studies have examined IT governance in different industries, but few attempted to identify suitable IT governance practices for universities. This is an exploratory study in nature, looking for a minimum set of essential IT governance practices that

Design and Development: Multiple Case Studies
Previous studies have examined IT governance in different industries, but few attempted to identify suitable IT governance practices for universities. This is an exploratory study in nature, looking for a minimum set of essential IT governance practices that can be implemented in universities, something that has been explored very little to date and requires better understanding. The case study method is particularly appropriate for these types of study and well-suited to capturing knowledge and the development of theories [66]. Consequently, this study chose the case study method, since case studies are a valuable way of looking at the world around us, and have been gaining particular importance in recent years in the IT area [67]. Moreover, a qualitative interpretivist approach is used in this work where the ITG practices among the universities are analyzed and compared. A multiple-case approach [68] was used, in which IT governance practices are examined across ten universities, with each one being a case under study. The units of analysis are the IT department in each university. These ten cases were selected bearing in mind diversity in size, culture, strategy, structure and the process used to reduce contextual bias [69]. The next section then presents the data collection.

Data Collection and Data Analysis
In order to identify implemented ITG practices as well as new practices at universities, semi-structured interviews were conducted in ten universities across five different countries: Brazil, Portugal, the Netherlands, Spain and Israel. Although a convenience sampling of universities was used based on their availability for the study, a mix of different ones according to institutional size, culture, strategy, structure and process were selected to reduce contextual bias [69]. Table 2 provides some information regarding these institutions. Interviews were conducted with the universities' IT decision-makers at the top and medium management levels (CIO, IT Coordinator and IT Director), usually responsible for all concerns IT [70]. The interviews last around 1.5 h each. All interviews, face to face or when it was not possible, via skype, were recorded. The researcher adopted the following contact strategy: access the IT website at the institution to obtain contact with the CIO or some IT decision-maker for information such as name and e-mail. Then, an e-mail was sent to the individual explaining the objective of the research and the purpose of the interviews, including an invitation to participate in the questionnaire as a guide for the interview. A document with definitions of the ITG practices was also included to ensure that all interviewees had the same interpretation of each ITG practice during the interview.
The questionnaire and interview were designed according to Myers and Newman recommendations (2007, pp. [16][17] in order to minimize social dissonance. In addition, observations, documents, the IT website and IT strategic plans' analysis were also used to confront the interviewees and ensure awareness and certainty of their answers. The questionnaire used to frame the interview was developed in four parts: the first part contained general questions about the institution; the second part, personal questions about the interviewee; the third part, questions regarding effectiveness and ease of implementation (using a five-point Likert scale); the fourth part, the option to suggest new practices, particularly in the context of universities and the choice of the ten most important practices. The question was repeated for each of the 46 practices (Table 1) in order to obtain more in-depth details on each practice. The data were analyzed using Microsoft Excel, creating a frequency count of each mechanism. Additionally, the software "NVIVO" (version 11.3.2 for mac) was used to transcribe and analyze the qualitative data. Three main pre-defined categories were created, namely, Structure, Process and Relational, to code the data [60]. Interviewees also had the opportunity to add missing practices, grounded in their experience. For the interpretative analysis of interviewees' suggestions for new practices, we used Structures, Processes and Relational Mechanisms as the three main categories to code the data. For example, the quote "We are in an open environment. You understand what I mean. Universities are different compared to industry. Here, we can do experiments and test a range of solutions, if we make an error it does not impact the organisation. While, in industry it is not possible due to operational efficiency which is necessary . . . " was inserted in the processes category at the created selective code of "Test and Experiments Possibility. The same strategy was adopted for all practices proposed by interviewees. Eight practices emerged in the data analysis. Table 3 shows the ten practices chosen by each interviewee, from 1 (most important) to 10 (least important).  Partnership between university and software industry 2 1

Sum 26
Concerning the choice of the ten most important practices, it is vital to note that the collected data IT governance regarding the level of implementation, effectiveness and ease of implementation were significant for the interviewed to understand the context of IT governance in their universities. Moreover, in this process, the interviewee rethought the actual IT governance model in their university and understood the definition of each mechanism to make it easier to choose the ten most important ones.
The "Frequency" column accounts for the number of respondents that have selected that particular mechanism as one of the most important. In addition to the selected practices in Table 2, other practices were suggested, such as "Process Management Office" "Dashboard", and one that emerged from data analysis, "Engagement between IT and Academia.

Design and Development: Proposal of a Baseline
This section presents the steps for the development of a baseline of ITG mechanisms for universities. The aim of this artefact is to propose the most suitable and essential practices for universities that may be useful for all types of university, regardless of size and others contingency factors. The endeavor is to identify the advised ITG practices for universities. In order to do this, the next section presents the integration of ITG practices from the literature review, with an exploratory case study.

Integration of ITG Practices
The ITG practice baseline is developed through integration of the effectiveness of ITG practices identified in the literature review (Section 2) with the effectiveness of practices in a single case study in ten different analysis units in five different countries. The objective of DSR is in the integration of different constructors. Therefore, the ITG effectiveness practices identified in 34 case studies in the literature review were integrated (Section 2) with the practices in the exploratory case study, with ten different analysis units in five different countries (Section 3).
As a result, a baseline with suitable ITG practices for universities was proposed. The ITG practices identified in the literature in 34 case studies were a good starting point based on the empirical results from other universities. In addition, the exploratory case study complemented the ITG practices in the literature, adding new practices to the specific context.
During the selection process used to develop the ITG baseline, some difficult decisions needed to be made. After reading the concept of some practices several times, it was decided to join some practices from the literature review and from the exploratory case study which had an indication of similar meaning or function in practice. It is important to emphasise that the union of these practices was not performed before the data collection due to the reason of maintaining the initial concept of the practices in studies possible in studies of other industries from the literature review.
However, regarding the proposal of the artefact itself, as it is particular for a given context, such a union of practices was deemed necessary. In addition, the purpose of the DSR is to be a simple artefact, so this union of practices also helped to achieve this goal.
Our artefact is named "IT Governance Mechanisms Baseline", composed of ten Structure practices, nine Process practices and eight Relational practices, illustrated in Figure 2. A holistic view of suitable ITG practices for universities can be seen in Figure 2.

ITG Mechanisms Baseline for Universities
This research demonstrated that the various models, frameworks and practices fo ITG may not provide all that is necessary for ITG at universities. Thus, a baseline mode of ITG practices was developed, in particular, in the context of universities as a solution

ITG Mechanisms Baseline for Universities
This research demonstrated that the various models, frameworks and practices for ITG may not provide all that is necessary for ITG at universities. Thus, a baseline model of ITG practices was developed, in particular, in the context of universities as a solution to overcome these problems.
A list with 46 ITG identified practices was started with in the literature review. These practices may be considered generic to ITG across all types of industry. The study by [4] proposed 33 ITG practices for the banking industry in Belgium. The list of 46 practices was used from the literature review and identified which of these have been implemented by the universities in 34 case studies, as well as the importance and effectiveness and frequency of the implementation of each mechanism. In addition, new practices suggested by practitioners were also identified to compose the baseline. Appendix A (Table A1) shows the ITG governance baseline mechanisms for universities, with a description of each practice.
There is an awareness that the list may uncover all ITG practices or that some mechanisms could be missing from this list. However, a rigorous process was performed to develop and validate the model with a holistic approach. Based on the findings in the literature review and the experience of carrying out a case study with ten different universities from five countries, the following recommendations are proposed, based on three dimensions, namely, Structure, Process and Relational Practices. A guideline for the implementation of ITG practices at universities is suggested.
1. Obtain Executive Sponsorship/Sponsor at Senior Management level: The University needs to have a sponsor at board level with an awareness of the impact of IT on education. The sponsor should be the Rector or Head of some area with a higher decision-making power in the institution. Moreover, the sponsor must have the knowledge and awareness that IT can change education and have real benefits when implementing effective IT governance. This person also should be responsible for engagement with the CIO/IT leadership, motivating all stakeholders to change IT at the university. The creation of a formal structure and committees at an institutional level must be sponsored by this person.
2. Implement an IT Strategy Committee: To ensure that IT is included in the strategic plan of the institution and aligned with the institution strategy. This should encompass people from different backgrounds and levels of expertise (i.e., administrative staff; academic professors, students, researchers, IT people) who aim to understand the needs of different levels of IT stakeholders.
3. Create an IT Strategic Plan: This involves the objectives and goals of the institution, ensuring all priorities and investments. The plan should be a simple document with a longterm duration (four years). This plan should be discussed and approved by the IT strategy committee. The strategic plan aims to achieve the maximum benefit from information technology innovations, increasing research capability, enhancing teaching and learning, and delivering efficiencies in support of administrative functions.
4. Review the IT Organisation Structure: The IT organisational structure, as well as the definition of roles and responsibilities, should be reviewed and a shift to a centralised IT organisation structure for better decision-making in the institution may be considered. The adoption of a centralised structure is necessary if the university has one campus, and a federal structure if it has multiple campuses, where the infrastructure, strategy, roles and procedures are centralised to avoid wasting resources and the execution and operations are decentralised.
All the IT services and applications in a unique central data centre (i.e., e-mail server, domain, academic system, among others) should be centralised to avoid the redundancy of having the same service offered in each school or department. Additionally, there should be IT staff in each school or department supporting all IT activities and reporting to an IT person like a CIO or IT director supervising the entire university. Moreover, the IT technician in faculties working to identify bottlenecks and opportunities for improvement and reporting to the IT centre at the university is crucial. To clearly define roles and responsibilities in different areas of support, management and executive decisions with documentation of all of these roles is also a necessary component. 5. Implement an IT Governance Framework: A good starting point is implementing the ITIL framework, defining a service catalogue in the institution. In addition, to publish the service catalogue on the website and show it to students, professors and administrative staff are provided with IT services. It is also important to implement the three main processes: help desk, incident and problem management. A suggestion is the adoption of a web information technology management tool. The recommendation is to use an open-source software "CITTSMART", which is ITIL's compliance with thirteen processes certified by Pink Verify and the software "OTRS".
6. Implement a CIO office: Implement a CIO office and a formal function for the Chief Information Officer in the institution, with engagement and a relationship with the board of the institution, working in partnership to promote IT.
7. Engage and Commit among Stakeholders: Share the IT objectives with all stakeholders, business and IT staff to show that IT is an enabler for changing education. To arouse creativity and entrepreneurial spirit among employees to enhance the processes in the institution using IT is important. It is also crucial to pay attention to disruptive technologies in changing IT, and consequently impact education. Promoting a culture of learning and growth for all the staff and providing e-learning courses for the maximum spread of knowledge among people are also important.
8. Share Knowledge on IT: Sharing IT knowledge internally, such as information about technology, frameworks, best practices, tasks and responsibilities, and publishing the information on the intranet, blogs or the university portal. Additionally, sharing knowledge externally with CIOs and IT managers from other universities about IT best practices, type of software, issues related to IT and solutions, and governance models, among others, is important.
9. Adopt International Standards and Common Solutions: Adopting international standards and common solutions used by several universities in the same country (i.e., ITSM, Business Intelligence software). Before adopting a new technology, identifying what the other universities have implemented and sharing experiences with other IT managers is vital. 10. Establish a Partnership with the Software Industry: This includes industries such as Google and Microsoft, among others, and taking advantage of the education programs provided by these industries. To use the hosting services as much as possible (i.e., email, file storage) at least for students, to reduce the cost of the infrastructure and people dedicated to maintaining thousands of email accounts can be useful. 11. Provide an Environment with the Possibility of Tests and Experiments: Solutions providing virtual machines with a range of software for the entire academic community to test and use (i.e., administrative staff, professors, students). For instance, to provide more than one e-learning application for students and professors rather than the standard adopted by the university is a suggestion. If the university adopts a standard, e.g., Blackboard and only provides support for this, it is stimulating to offer others, such as Moodle.
12. Engage IT with Academics: (e.g., school of engineering, systems information, computer science among others) aims to develop projects and solve real IT problems. The researchers and professors in the faculties working in partnership with the IT staff is important. For instance, the IT department could propose the development of a mobile application in the computer science school by the students, or other IT problems at the institution could be a topic of a dissertation or thesis.
13. Prioritise and Manage IT Projects: To define an IT budget clearly with the priorities of IT investment in projects and IT is important. To successfully deliver projects with the best benefits for and impact on the institution is crucial, as well as adopting methodologies for project management such as PMBOK and PRINCE 2 to ensure that the projects are well-defined and effectively managed, and monitored with the use of software for project management.
14. Manage Security and Risks: Adopting a culture based on compliance, in accordance with the laws and legislation of the university/country, is crucial. The following risks should be looked at initially: information security, data privacy/confidentiality, identity/access management, compliance with laws and regulations, physical security of IT resources, disaster planning and recovery systems to promote campaigns to staff and students for the responsible use of systems.
15. Implement Performance Measurement: It is essential to evaluate IT Services and IT Projects, with the application of surveys to measure the IT satisfaction of students, professors and administrative staff, as well as the impact of the projects. It is important to provide a dashboard for use by IT staff, which is easy for academic staff to utilize to analyse data at an organisational level.
The next section presents the evaluation of the IT governance mechanisms' baseline.

Evaluation
In this section, an evaluation of the artefact is presented. The evaluation of design artefacts and design theories is a major endeavour and a critical part of the DSR [64,65,71]. In order to evaluate the proposed universities ITG practices' baseline, a series of qualitative interviews were performed. The interviews are one of the most known methods used to evaluate artefacts [72,73]. Therefore, an evaluation of the proposed ITG practices' baseline for universities in this study was adopted. A variety of universities was chosen to evaluate these practices. The aim was to find out if the ITG mechanism list was fitted to all university types. A questionnaire was used to collect and evaluate the artefact. Hence, the result's robustness as well as their applicability were discussed and validated through different universities.
In this study, the artefact was evaluated in terms of construct and model with the following criteria: completeness, ease of use, fidelity with real-world phenomena, internal consistency, level of detail, simplicity, Understandability, importance, accessibility, and suitability were looked at, as proposed by March and Smith [64] and Rosemann and Vessey [74]. Based on the criteria in Table 4, a questionnaire was created. Table 4. Questionnaire for Evaluation of the IT Governance Practices' Baseline.

Completeness
The Baseline contains all the necessary practices for effective ITG at universities.
2 Ease of use The Baseline of practices is well-described and easy to use and implemented in the universities with little effort.

Fidelity with real world phenomena
The proposed baseline corresponds to a possible solution to the suitable choice of practice for ITG at universities.

Internal consistency
The Baseline uses an adequate terminology, is well written and justified by the theory.

5
Level of Detail The Baseline contains a sufficient level of detail in each mechanism for ITG at universities.

Simplicity
The Baseline contains the minimum number of practices for ITG at universities and they are easy to implement.

Understandability
The baseline is easily understood as a model for ITG at universities and the meaning of each mechanism is easily understandable.
8 Importance The Baseline is important for ITG at the universities.

Accessibility
The Baseline has an understandable terminology with a practice perspective, not only a theoretical one.

Suitability
The Baseline of practices is applicable in the practice to assist with ITG at universities.
As mentioned earlier, the evaluation is a crucial and important part of the DSR. To evaluate the artefact, universities were selected from other contexts which were different to the ones selected to develop the artefact. This choice allows us to have more rigor in the evaluation, ensuring that the artefact can really work in practice. Universities in four different countries, Brazil, Portugal, Spain, and Germany, were contacted. Table 5 presents the position, education and work experience of the university IT experts in the field of teaching, research, and service to the community. The evaluation of the university in Portugal was in loco, and the ones in Spain, Germany, and Brazil were done via Skype. All the interviews were recorded and began by introducing and explaining the research's context, as well as the problem and the proposal. Then, all the steps of the artefact's development process were presented, showing the importance of the artefact's evaluation.
It was also explained that the artefact contained three main parts: the structure, process, and relational practices, and that each one of these dimensions encompasses several practices, whose definitions were also explained. In this phase, the author adopted a realistic language, showing the importance of these practices, their relationship with practice, and the advantages of their implementation and possessing an effectiveness ITG in universities. Additionally, the experience and knowledge acquired from the interviews in other universities were shared, as well as the obtained results. All doubts were elucidated in this phase. Finally, after all these phases, the evaluation process began.
The comments provided were analysed using content analysis [75], where the data collected in each criterion were analysed by comparing the keywords and the meaning of the text, aiming to improve the artefact.
The ITG practices' baseline was evaluated by IT experts from universities of different contexts. As a result, it was concluded that the structure, process, and relational practices were relevant for the practitioners to implement for an effective university ITG. Although some practices were difficult to implement due to the current reality of the universities, human resources issues, and time and organisational culture regarding changes, the ITG practices' baseline contained a deep appreciation of the IT experts. Furthermore, the interviewees' feedback provided interesting points, to be taken into account when implementing specific practices.
In addition, the proposed guideline, with the implementation order of each mechanism, was helpful for ITG in the universities. This guideline can be applied to all universities. However, it is not a "silver bullet" for university ITG. To the best of the author's knowledge, the proposed model can be useful for universities when implementing ITG or even in choosing suitable practices for their actual ITG model; however, it is conceivable that the proposed model will not solve all problem of universities' ITG, although it could be a good starting point. Furthermore, effective ITG implementation at universities always depends on human resources, time, management's support, ITG maturity level, and a desire for change.
In conclusion, the proposed baseline's evaluation had a high acceptance level from university experts. Moreover, based on their answers, the criteria used to evaluate the artefact in the Design Science Research were reached. Concerning the suggestions and feedback received in order to improve the artefact, several suggestions were included. However, in-depth details of the indicators and activities were not included. From the perspective of the author, more studies on each mechanism are needed to identify what kind of detail level should be reached. Such suggestions are interesting, and should be better explored in future work, moving from a model to a method and acquiring further details.
Despite the recognised importance of the impact of such practices, the findings revealed that universities are still in an initial maturity level concerning ITG, focused on the technical part of infrastructures rather than management. Therefore, it is evident that there is a long way to for before an ITG mechanism is implemented at universities. In addition, managers need to be aware that IT can provide several benefits for education and work and can be a driving force in the transformation of education. The next section presents a discussion and the conclusion of this study.

Discussion
In this section, we discuss the results of ITG Mechanisms Baseline in terms of structures, process and relational mechanisms.

Strucutures
Some conclusions can be drawn from the IT organisation structure adopted by universities. The federal mode is the most adopted by large and extra-large universities. Due to the size of these universities, which usually have more than one campus, this structure is essential. On the other hand, a centralised structure is adopted by medium-sized universities, where the ITG infrastructure is central and there are not several campuses. An interesting finding is that any university adopts a totally decentralised structure. Moreover, the adoption of a centralised structure has some benefits, such as economising on skills, economising on applications, cost reduction and standardisation.
The definition of an IT strategy at institutional level is mentioned as one the most important practices for IT at universities [58]. Hence, the strategy is also pointed out as the main concern in most case studies. Another important reason identified in the case studies is the importance of having an IT strategy committee to align IT with the business. Additionally, IT must have organisational credibility, operating at a high level of maturity in the long-term, not just the short-term, and during a crisis.
While the literature suggests several committees for ITG (an IT steering committee, an IT project steering committee, an IT audit committee, an IT security committee, among others) this exploratory study showed that having a lot of committees is not effective in practice. Moreover, a factor stated by interviewees is the difficulty of creating different formal committees, due to the lack of people and a lack of engagement within areas of the institution. Moreover, due to the lack of human resources and knowledge, it is difficult to have many committees at university. Councils are perceived as more effective in practice than committees.
Universities are increasingly recognising the importance of project management at institutional and IT department levels. Universities should have a Project Management Office to guide and monitor projects as a support function for effective ITG, using different methodologies or the best practices.
Business Process Management (BPM) is an emergent and recent approach discussed in organisations. Organisations are a collection of processes, even though, for the most part, the processes are not well defined and documented. A formal Business Process Management Office (BPO) brings IT and business closer together to work as partners. It is an interesting mechanism to identify bottlenecks and process improvements. The goal of this BPO is to discover, analyse and propose areas to be optimised. The proposed areas can be discussed by an IT strategy committee. The institutions all increasingly recognise the importance of process management.
Universities are increasingly recognising the importance of a formal ITG function at the institution. This structure function is responsible for promoting, driving, and managing ITG processes. The findings in the exploratory study show that the universities are still in the initial phase in the implementation of ITG officer. However, the importance of an IT function in the university is also recognised.
The exploratory study also reveals that universities with a smaller structure, due to the limitations of physical space and human resources, have difficulties in an ITG office. However, it is recommended to ensure that such ITG functions are linked to a particular employee. As a result, an improvement in the ITG processes in the institution can be expected.
Therefore, the ITG function in a university has to be clear. It has to have an office and a physical location for reference, in which the personnel are allocated. This place should be known by everyone in the university: students, professors, and support.
Concerns regarding the adoption of security and compliance are greater in the financial industry, due to IT's impact on business, in particular, in banks with money loss. The results in a study with 246 American institutions of higher education show that 81% of institutions do not include IT risk in their institution's strategic plan (Bichsel and Patrick, 2014). However, risk management is a big concern, in accordance with the study. Therefore, universities need to pay attention to these risks in their organisation. Risk management details how an institution determines its appetite for risk, as well as how risk controls and mitigation strategies for any given endeavour are developed and enforced throughout the enterprise [54]. The adoption of a culture of compliance and standards following known standards and best practices is suggested.
Findings in the exploratory study of universities reveal the importance of having an IT professional as the bridge between business, IT and administrative affairs, and faculties and departments interacting with professors and directors, trying to identify their demands as well as making suggestions of how IT can assist the university. This representative could be the CIO, IT director or another IT staff member who explains to the business how IT works and vice versa. In the case of universities, due to their size and complexity, this person plays a key role in explaining IT, and the functionality of many issues for the various departments. This helps IT to be proactive and work closely with business, assisting the units when necessary.
In universities, few studies identify a clear and in-depth analysis of the impact of this mechanism for IT governance. However, for effective IT governance at universities, it is fundamental to have a CIO on the executive committee [52]. The findings of this exploratory study reveal that it is for a person with IT expertise to have an active voice on the institutional board. This person is responsible for showing other board members the importance of IT in the institution. According to the suggestions in the case study, the CIO is the most appropriate person for the task of selling IT to the board. Thus, the CIO is the highest representative of IT, interacting with the IT team. Moreover, the CIO has the knowledge of all IT needs. Thus, to have the CIO on the executive committee as an active voice on the board, interacting with other members, is an essential mechanism for effective ITG.

Processes
A strategy information system planning, also known as an IT Strategic PLAN, is the most relevant IT document. It is a document and tool used to justify and plan all IT activities at the institutional level. This document's function is to assure that the priorities and investments of the IT area align with the mission, objectives and goals of the organisation. In other words, it is an enabler for IT and aligns it with the institutional strategy. Moreover, the organisations should maintain a detailed IT strategic plan that incorporates business requirements. In the case of universities, there should be a plan which encompasses the activities of teaching, learning, and administrative tasks.
There are several frameworks and standards for the management of different issues of IT. The most known and popular are ITIL, COBIT and ISO/IEC 38500. From the interviews, it is understood that ITIL is more practical, and it is the most popular ITG framework implemented. Service desk and incident management are the most common ITIL processes implemented in all universities. It is remarkable that IT at universities has a focus on operational services, taking into account the number of IT users and quality of service of delivery to students, professors and administrative staff.
The findings show that, due to the plurality of ideas in an academic environment, universities can do experiments and test a range of solutions. As a result, if they make an error, it does not impact on the organization. In contrast, in industry this is not possible, due to the necessity of operational efficiency. Thus, it is quite clear that universities are an environment for the creation and development of solutions to real problems, to disseminate knowledge to industry and society. Therefore, the IT department should provide an environment with different solutions for students and professors to test and homologate.
Universities provide a suitable environment to test different solutions, to stimulate research, teaching, and innovation that can further be applied to other industries. Moreover, it is necessary to identify opportunities for innovation in a classroom environment and provide disruptive innovation in the teaching-learning process. Therefore, a methodology to assist in selecting and governing these technologies would be important.
Universities have different characteristics from those of the financial and healthcare industry. This mechanism requires a benchmark with other universities to adopt the same international standards and solutions. Moreover, purchasing a new technology to interact with the CIOs from other universities to exchange ideas and discuss experiences can bring insights as well, as benefits in terms of cost reduction, before the implementation of a new software, for example, in the process of implementing new IT service management software (ITSM). Several open-source and commercial tools are available. Nevertheless, few of these tools are known in the context of universities and the process of implementing and training them may be too expensive. Therefore, adopting tools which are common to other universities can be advantageous in fostering a partnership among universities to promote courses, exchange information and reduce costs.
Universities increasingly need to know how to prioritize their processes and to define the appropriate IT investments that directly impact on teaching, research and extension activities. In the literature, different studies show that portfolio management is a mechanism with positive empirical results on ITG in universities [14,57]. Findings in the exploratory case study reveal that the prioritization of IT projects, as well as spending and investment, is essential and needs to be discussed in the committees. Such prioritization and investment must be approved and known of by the university management. On the other hand, the results of the exploratory case study show the difficulty IT managers have in prioritizing projects and defining priorities that really impact the business. In addition, this is perceived to be due to political issues that are part of universities and how they are managed, as many times IT priorities are not well defined. This affects projects and activities, which could more directly affect other activities as well. In the context of higher education, studies on how to measure return on investments in IT in research, teaching and learning were not found.
The findings in this exploratory study revealed that all universities have concerns regarding, and a need for, an IT budget. Most of them do not have a defined budget for IT, which is a problem according to those interviewed. The findings show that, to obtain proactive and innovative IT focusing on the improvement in processes as well as developing new technologies, it is important to know the budget. Indeed, for IT departments to develop projects or even invest in new technologies, the university boards need to ensure financing. In order to promote better IT at the university, as well as develop strategic projects that affect teaching activities, learning is crucial, as well as IT budget control and reporting.
The universities measured user IT satisfaction through surveys. It can be argued that in a university environment, where there are over thirty thousand users, measuring the user's satisfaction regarding IT services in an important indicator to evaluate IT in the university.

Relational Mechanisms
The use of portals, such as a system to share and transfer knowledge in IT governance frameworks, tasks, and responsibilities, is essential for universities. It is important to have an internal portal that can be used to share information on IT [22]. Knowledge management is an important issue to be explored in IT governance.
Findings in the exploratory study reveal that the shared knowledge on ITG should be used by the entire academic community and on other courses. Universities have adopted different types of systems and solutions to store and share knowledge regarding the task, frameworks and responsibilities. Some examples are portals used to publish services for IT employees and the academic community. As mentioned, the use many portals and wikis to share and to store information is not effective in practice, due to the difficulty of finding out where the information is. To share knowledge on IT at university, one unique portal software to centralize the information is recommended. The results show that centralizing the information is better for management and makes it easier to search for information.
Knowledge Sharing Among Universities enables universities to share crucial information on several topics (management, courses, etc.). However, this mechanism has a limitation, which was highlighted by the interviewees. Such a mechanism can only be implemented among universities that are managed by a common entity, like most public universities. The application of these practices among public and private universities does not seem to be a future reality, since they are competitors. According to [24], knowledge about IT governance should not only be created inside the research community but disseminated through dialogue and collaboration between the academic community and industry.
The universities share similar facilities and solutions, such as infrastructure, systems, and laboratories. For instance, some scale economies could be applied in new software acquisition when purchased for all universities rather than individually. To summarize, it is possible that the implementation of this mechanism would not be easy, given the universities' context (i.e., financial autonomy), but the centralization of some common aspects could be very effective and useful in practice.
IT leadership is an important practice to take into account to obtain effective ITG. In the universities analyzed, the principal IT leadership is the IT leader, usually the CIO, IT Director or IT coordinator. This position is responsible for building a bridge between IT and business, as well as interacting with the board of the university. The empirical evidence also shows that most universities analyzed IT leadership as a person with a strong background and technical skills, rather than a background in management education. In this sense, the IT strategy and projects to articulate IT internally sometimes depend on the person in this position.
The universities should have a formal model for training at institutional level. The implementation of effective ITG to consequently yield a formalized program of IT education and learning [14]. The results of this exploratory case study show that, although training is not an essential mechanism for effective ITG in universities, it does not affect IT performance: staff training is important. In addition, it is important that training and education for IT employees focus on the management and strategy process. This type of training is useful for IT employees as a holistic perspective of the university, since most of them have a strong technical background and IT expertise.
With the advancement of distant education and technological resources, universities should start taking advantage of this by developing online courses on platforms such as Moodle and Blackboard. Once a course has been modelled, it is possible that the audience who performs this training is much larger. In addition, in public universities, it is possible for IT business workers to enjoy having the same resources shared.
It is true that the need for IT departments has no relation to the technical training of a particular technology to be launched or a new operating system. Training should not refer to the area of strategy and management or the processes of the organization. Once you have a vision, but are systemic about tools and solutions, it becomes easier to know how to optimize processes. This is noticeable in the case of Dutch universities: many people carry out training in other universities and such training is made available on a portal.
Thus, it is perceived that it is interesting to create a portal to provide training, not only related to IT but in other areas as well. In this way, the creation of a portal with e-learning courses is an alternative, due to the reach that distance education has.
The "Partnership" practice between the software industry and universities is essential to ensuring a complex and open-minded environment in which to develop new ideas, create knowledge and propose solutions to complex problems. Students and professors need to test and know a variety of IT solutions. At universities, the IT department is responsible for providing the infrastructure with laboratories and software to meet the teaching-learning requirements. However, many universities face severe financial restrictions with regards to spending money, with new software acquisitions.
To promote new software alternatives and provide a larger range of technologies to students and professors, a partnership with the software industry may be essential. In fact, several organisations have educational programs specific to universities, such as Microsoft, IBM, Google and DELL, aiming to deliver IT systems. Moreover, this partnership can bring many other advantages for universities, such as a reduction in the cost of software, materials for training, support, and knowledge for students.
The study carried out by [24] also reveals that communication is a key aspect to the success of ITG. The use of formal channels is supplemented by informal channels such as a network approach or lateral coordination. An appropriate means of IT communication in the institute is crucial for effective IT governance. Communication in the universities involves IT marketing and campaigns, and how the IT issues are addressed.
Findings from this study show that the majority of universities use an informal channel for communication and networking to solve daily IT problems. The telephone and personal contact are two widely used methods of communication to address IT issues internally, among IT users. However, it is perceived that universities also frequently use e-mail as a communication channel for IT subjects among the academic community. Information is usually published for students, professors and administrative staff through e-mail and dissemination on the website. In addition, some universities have recently started using social media to raise IT issues. In this sense, it is advisable that, whenever the university adopts a new solution, or some IT project is in progress, it divulges, communicates, and explains this to all those involved, so that they understand the IT activities within the institution.
An interesting conclusion to this is that the university environment is based on networking among the people who are involved. The evidence of this is clear through the results of the interviews, in which the directors and technicians of different universities have a good relationship. Thus, the workforce is optimised and knowledge multiplied with this kind of exchange of experience.
An interesting mechanism that emerged from data analysis is named engagement between IT and academia. In the exploratory case study, the findings lead us to perceive an integration in some universities between the faculties and mail, with engineering and computer science courses. This mechanism had three pieces of evidence, identified in the exploratory case study. It is quite clear that integration between IT in universities with schools, mainly the school of engineering, computer science and courses related to technology works well. An example of this is case three, in which IT sought to solve a real university problem and took this to be the subject of undergraduate work to be developed in the school environment. The engineering school developed a solution to a parking control and student mapping.
In this sense, this brings real IT problems to be studied by the staff, with examples including information systems and management, among others. In addition, as identified, there is often a shortage of human resources in the IT department of universities, which inhibits the innovation of certain processes within the institution.
Therefore, one way to put this together and partner with faculties and professors is via research centers. The university is a complex environment and can be an interesting environment for real studies and cases. In addition, given this environment, problems can have a practical application. However, this requires awareness and collaboration from the professors' side in order for them to accept this challenge, as well as for IT staff to create the test environment, solutions, etc., which are often available.
This engagement between IT and business and academia involves those associated with IT, with knowledge about the organization's business processes, and people working closely together with the same goal. This engagement is an important mechanism, with the mission of change and IT transformation in the institution.
This study reveals that shared understanding is an important relationship practice. In the field of universities, it is necessary for stakeholders such as those in IT, business and academics to share common goals and IT purposes. In addition, the results of the exploratory study also show that top management executives often lack the sensitivity needed to understand IT's purpose in universities, and its impact on education. It is notable that, according to the interviewees, IT, for some CIOs, is seen as a strategy, with a focus on ITG practices for aligning business; however. in other universities, IT is still very focused on technical issues.

Conclusions
The objective of this research was to develop a baseline model of ITG practices for universities. As a result, a list of effective ITG practices found in the literature was created and considered as a baseline. The purpose of this was to create a reference point for an effective ITG at universities; thus, it was ascertained that the identified practices were appropriate and sufficient to be the starting point, providing a minimum for effective ITG at universities.
During the proposal of an ITG practice baseline at universities, the literature was reviewed for the practices that were found in our case studies, to check that they had not already been proposed by other authors. In addition, we reviewed the literature maintain the rigor and ensure that each identified mechanism had the same meaning in other articles. This study is useful to increase the understanding of different perspectives on ITG at universities, as it has acquired valuable information regarding each mechanism. Thereafter, using the mechanism analysis in the literature review, and the practices identified in the exploratory case study, the research progressed to the third stage.
As a result of the evaluation of the ITG practices' baseline in universities, it was concluded that the structures, processes, and relational practices were relevant, in the eyes of the practitioners, and could be implemented to increase the ITG's effectiveness. Nevertheless, some of the practices may be difficult to implement, due to the current reality of the universities and issues related to human resources, time and organisational culture. All the experts shared a deep appreciation of the ITG practices' baseline. Moreover, the proposed guideline for the implementation order for each mechanism was helpful for IT at the universities. A highlight of this guideline is that it may be applicable to any university; however, it cannot be considered as a "silver bullet" for ITG in all universities. Nonetheless, the proposed model may be useful for universities when implementing or re-evaluating their actual ITG model.
Universities increasingly need to be innovative to address the market's requirements and promote better processes and services for teaching, research and service activities. In this sense, is crucial that they manage innovation inside their IT departments by testing and implementing new solutions to provide the same services, products, and courses with low and affordable prices. Moreover, internal integration among the IT, schools and faculties of the university is necessary to obtain an overview of IT needs. All these elements, IT and academics, must be engaged with the unique purpose of promoting better ITG. The formation of an innovative and enterprising environment is expected as a result of this co-operation and integration. Therefore, in order universities to have an effective ITG, it is necessary to focus on the management of innovation by providing a suitable environment for testing and experimenting new solutions, sharing knowledge with other universities, entering into partnerships with industry, and engaging in relationships with internal schools and faculties. Sharing the models, practices, and solutions to problems with other universities, particularly in the public sector, must be permanent in order to help choose and manage a model which is easy to implement and operate.
We can argue that, while the ITG in the literature is related mostly to accountability, decision making, monitoring and control, the findings of this research revealed that it is mandatory for universities to take some other issues into account for an effective ITG. Firstly, partnership with industry, in particular with the software industry, from which it is possible to obtain many benefits. Secondly, sharing knowledge about models, practices, problems, and solutions with other universities. Thirdly, providing a suitable environment for testing and experimenting with new solutions to create an innovative IT, which is close to and aligned with business. As a result, IT can be a relevant factor in the transformation of education. The next section presents the contributions and implications of this study.

Contributions
This study contributes to and enriches the ITG literature in the context of universities, by developing a model with a suitable configuration on ITG from the perspective of structures, processes and relational practices in universities.

Theoretical Implications
The theoretical implication of this study is a conceptual ITG mechanism model that includes structures, processes and relational mechanisms, to guide university managers in choosing and implementing an effective and efficient ITG. Moreover, this study assists in identifying the impact of the practices in a specific context, from the perspective of university CIOs. The proposed model allows universities to govern IT efficiently and effectively. Moreover, this study added eight new practices to the literature on ITG. Furthermore, the effectiveness and ease of implementation of ITG practices is also analysed, in a context that is still rarely explored.
From the eight ITG baseline-increasing practices suggested in this study, according to De Haes and Van Grembergen [4], one can be classified as a structural mechanism-The Process Management Office (PMO); four as the process practices of Test and Experiments of Solutions, Methodology to Manage Disruptive Innovation, International Standards/Common Solutions, and Dashboard; three as the relational practices of Knowledge Sharing Among Universities, Partnership Between University and Software Industry, and Engagement Between IT and Academia. The aim of this is to obtain an ITG practice list not only from the perspective of a literature review, but also from the perspective of a practitioner.

Practical Implications
Besides its meaningful theoretical implications for scientific knowledge, the study provides a major practical input to industry practitioners. This research provides a guide to assist managers with ITG implementation, as well as with the evaluation of their own implemented ITG model or assessment of the current IT situation in their institution. The model incorporates structures, processes and relational practices and will help managers to adopt practices which are able to accomplish their mission. Moreover, the model describes solutions (ITG structure type, committees, etc.) that universities have efficiently used in their environments for ITG.
It was confirmed that the IT organisational structure tends to be centralised rather than decentralised or federal. The federal structure is mainly applicable in universities with more than one campus, where local IT is needed in the faculties to meet their demands. In practice, this model is not effective, because IT employees within the faculties do not report to the central IT. However, it is necessary to have IT support in faculties, supporting all IT activities, as well as a business relationship between IT and business. In the academic environment, where there are several decentralised technologies, this structure is evident in laboratories, where it is necessary to support even the geographical issues. It can be concluded that the best configuration is one where both worlds have a federal structure, where the infrastructure, strategy, roles and procedures are centralised to avoid wasting resources and the execution and operations are decentralised.
In this way, this research outcomes will allow for benchmarking the solutions of many universities. One of the major ITG objectives is operational and strategic efficiency. All organisation types aim to reduce costs and to improve operational performance, increase profit, and deliver better products and services to the customer and internal user. In the context of higher education institutions, regardless of whether they are public or private, there is a need to optimise the resources the best possible way. Therefore, the ITG practices proposed in this study have practical implications for universities, as they allow them to re-evaluate their actual ITG models and their adopted practices.

Limitations and Further Research
This research has some limitations. Firstly, the collected data were limited to ten universities from five countries. Secondly, only one executive was interviewed in each university. Thirdly, the implementation level, effectiveness and ease of assessment of each mechanism was based on a short timeframe. Therefore, a longitudinal case study would be interesting to analyse the ITG practices in each university over longer time-period. Further, in-depth studies are necessary to strengthen the outcomes for each mechanism.
Last but not least, the results were obtained based on the authors' understanding of the ITG mechanism and the definitions found in the literature on this topic, such as that in [4]. Nonetheless, the literature may have other ITG practices that were likely not identified or covered in this study. The baseline is grounded on the ITG practices encountered in the literature review, and in the multiple case studies with an interpretative analysis of a specific sample of universities. Accordingly, studies in different universities are necessary to include or remove practices in accordance with the university context.

Data Availability Statement:
The data presented in this study are available on request from the corresponding author.

Conflicts of Interest:
The authors declare no conflict of interest. Table A1. IT governance Mechanisms Baseline for Universities.

IT Governance Practice Description
IT Governance Structures S1 IT Organisation Structure The adoption of an IT organisation structure for better decision-making in the institution. The adoption of a centralised structure if the university has one campus, and a federal structure with if the university has multiple campuses, where the infrastructure, strategy, roles and procedures are centralised to avoid wasting resources and the execution and operations are decentralised. To centralise all IT services and applications in a unique central data centre (e-mail server, domain, academic system, etc.) to avoid the redundancy of having the same service within faculties. For universities with more than one campus or faculty, to have IT representatives in the faculties supporting all IT activities as well as reporting to an IT member of staff, like a CIO or IT director. Moreover, an IT technician working in faculties to identify bottlenecks and opportunities for improvement, and reporting to the IT hub at the university.

S2
IT Strategy Committee A committee at the institutional level with the mission of ensuring that IT is included on the agenda, to assist its alignment with institutional strategies. This committee should be composed of members of different backgrounds and expertise: administrative staff; academic professors, students, researchers, and IT employees. The aim is to understand the needs at different IT stakeholder levels.

S3 IT Steering Committees/Councils
A responsible committee to determine the IT priorities at the institution and implement IT strategy. This committee can be divided into several subcommittees or functions, with the role of discussing activities in teaching, learning, IT security and risks, and projects. Each of these subcommittees/councils can be created when necessary, depending on the context of the university and its needs.

S4
Roles and Responsibilities A definition of roles and responsibilities with formal functions and clear definition. Documentation to provide all tasks and responsibilities with a formal division at the IT level of the institution. Examples of formal functions include IT support, system development, IT infrastructure, and E-learning.

S5 Project Management Office
A project management office to manage all kinds of IT projects at the institution.
To create a culture of managing projects, adopting methodologies such as PMBOK or PRINCE 2 to govern and manage projects. The adoption of a tool to control and monitor projects.

S6 Process Management Office
A process management office composed of IT staff and academics to identify areas to be improved at universities. A function defined at the IT department level of the institution.

S7
ITG Function/Officer A formal function within the institution, responsible for promoting, driving and managing all ITG processes.

S9 Business/IT Relationship Managers
Business/IT relationship managers working as intermediaries between IT and other areas of the institution, such as in teaching, learning, and administrative tasks. These managers work daily to understand the needs of faculties as well as departments.

S10 CIO on Executive Committee
The CIO of an executive committee with the aim of representing IT, showing the benefits for and the impacts on the university and in all aspects of education.

P1 Strategy Information System Planning
A strategic plan aligned with the objectives and goals of the institution, defining all priorities and investments. The plan should be a simple document covering a length of two to four years. This plan should be discussed and approved by the IT strategy committee. The strategic plan aims to achieve the maximum benefit from information technology innovations, increasing research capability, enhancing teaching and learning, and delivering efficiencies in support of administrative functions.

P2 Frameworks and Standards ITG
The adoption of frameworks and standards to help IT governance at universities.

P3 Test and Experiments of Solutions
An environment with the possibility of tests and experiments regarding solutions in information technology.
In addition, an IT infrastructure to provide virtual machines with a range of software for all the academic community to test and use (i.e., administrative staff, professors, students). For instance, to provide more than one E-learning application for students and professors compared to the standard adopted by the university.
If the university adopts Blackboard as a standard and only provides support for this, it is stimulating to offer others, such as Moodle.

P4 Dashboard
Tools widely used by IT professionals which are easy to utilise by academic staff, to analyse data at the organisational level.

P5 Methodology to Manage Disruptive Innovation
A methodology to manage disruptive innovation in universities.

International Standards/Common Solutions
The adoption of international standards. A common solution adopted by several universities in the same country (i.e., the same software as ITSM, Business Intelligence). It could be easier to share information, promote training, and reduce costs in the software development.

P7
Portfolio Management Prioritisation of processes for IT investments and projects in the institution. Process used to monitor and control the IT budget and investments in projects. Define an IT budget to ensure investments and priorities for IT projects.

P9 IT Performance Measurement
The adoption of metrics and indicators in IT to assist managers in visualising and understanding the strategic objectives of the institution. To measure the organisation's performance through the use of satisfaction surveys, as well as an analysis of service quality and all issues regarding operational excellence.

P10 Benefits Management and Reporting
Processes used to monitor IT benefits for teaching and learning activities, during and after implementation. A way to show IT investments in projects and the real impact on the university.

R1
Knowledge Management (on IT) Share knowledge on IT at the university, such as information about technology, frameworks, best practices, tasks, responsibilities, and publish the information in the intranet, blogs or a university portal. The purpose of this is to store and create an organisational memory of IT knowledge, which should be available whenever it is necessary to recover any information.

R2 Knowledge Sharing Among Universities
Share knowledge of IT among IT managers, IT directors, and the CIO in universities by e-mail, forum, and a discussion group. Exchange experiences and best practices for software, infrastructure and training, and issues related to IT problems and solutions.

R3 IT Leadership
Have an IT leader to promote and lead IT projects. This leader should be the CIO or the IT representative, with higher IT decision-making responsibilities. The CIO is the IT leader responsible for creating the interface between IT and business, interacting with the board of the university. The CIO needs to have knowledge about all kinds of technology that could change education at the university, as well as processes which may impact teaching, learning and research activities.

R4 Training and Education
A formalised program of training and education for business and IT professionals. A program to ensure the development of knowledge and promote a culture of learning for all staff. Training for different courses and skills-not just technical skills, but those regarding management, business processes, governance, tools for education, etc.
To provide a portal with e-learning courses to extend the maximum number of attendees in IT and business.

R5
University and Software Industry Partnership Partnership among the university and software industry, aiming to acquire solutions for education. A good starting point is to establish a partnership with Google or Microsoft, where they provide a range of free and affordable tools for education.

R6 Corporate Communication
Formal institution communication to address general IT issues. Use formal and best practices to communicate IT to all stakeholders. Engagement and relationship with academia (e.g., school of engineering, systems information, computer science) aiming to develop projects and solve real IT problems. The researchers and professors in the faculties work in partnership with the IT professionals. For instance, the IT department proposes the development of a mobile application in the computer science school by students, or other IT problems at the institution could be a topic for a dissertation or thesis.

R8 Shared Understanding of Business/IT Objectives
To share the understanding of business/IT objectives among the main stakeholders in the institution. To clearly show the IT activities and the importance of each one.
To have a commitment from IT and business personnel linked to IT for education, respecting its contribution and the challenges it faces.