ASSESSMENT OF THE SITUATION OF IT GOVERNANCE IN SERGIPE STATEPUBLIC ADMINISTRATION DEPARTAMENTS

Context: In public administration, the focus of Governance in Information Technology is to provide its customers with greater transparency, providing better quality services, further modernization of sectors and greater efficiency. The absence of a solid Governance system brings serious problems to the organization. Objective: To know the current scenario of information technology (IT) Governance in public organizations in the State of Sergipe, Brazil, in accordance with the assessment made by the Federal Audit Court, as well as to support managers in adopting good Governance practices in their management. Method: A Survey was applied to the main state public organizations of the State of Sergipe, to evaluate the dimensions of leadership, strategy and control. Results: It was observed that only 35.7% of public organizations have a satisfactory result in relation to the adoption of IT Governance; that only 7% of the organizations carry out an audit of IT actions integrally within their organizations; and 50% of responses are between non-adoption or application of an IT Governance policy within the strategic planning of organizations. Conclusion: This scenario shows, initially, that most of the specialized agencies do not have an application to a level of excellence related to IT Governance in the State of Sergipe, Brazil.


Resumen
Contexto: En la administración pública, el enfoque de la gobernanza en la tecnología de la información es proporcionar a sus clientes una mayor transparencia, proporcionando servicios de mejor calidad, una mayor modernización de los sectores y una mayor eficiencia. La ausencia de un sistema de gobernanza sólido acarrea graves problemas a la organización. Objetivo: Conocer el escenario actual de la Gobernanza de la Tecnología de la Información (TI) en las organizaciones públicas del Estado de Sergipe, Brasil, de acuerdo con la evaluación realizada por el Tribunal de Cuentas Federal, así como apoyar a los gestores en la adopción de buenas prácticas de Gobernanza en su gestión. Método: Se aplicó una encuesta a las principales organizaciones públicas estatales del Estado de Sergipe, para evaluar las dimensiones de liderazgo, estrategia y control. Los resultados: Se observó que solo el 35,7% de las organizaciones públicas tienen un resultado satisfactorio en relación con la adopción de la gobernanza de la tecnología de la información; que solo el 7% de las organizaciones llevan a cabo una auditoría de las medidas relativas a la tecnología de la información de manera integral en sus organizaciones; y que el 50% de las respuestas se sitúan entre la

INTRODUCTION
Governance in Information Technology (IT) is formally defined as a set of structures that guide the decision-making processes and relational mechanisms. It can also be defined as the ability of the organization to properly manage investments in Information Technology (DE HAES; VAN GREM-BERGEN, 2009;ISACA, 2012;TONELLI et al., 2017;TRIDOYO;WIJAYA, 2017;WEILL;ROSS, 2004). Aligning corporate Governance with IT Governance, since they are related branches, has fundamental importance to the organization, knowing that IT today is a very important part of organizational life.
This alignment helps to better manage the uncertainties generated by IT services (NYONAWAN et al., 2018). Transformation of the organization in order to satisfy the greatest number of needs of its consumers, align objectives to other sectors, aggregation of values to the services provided by the IT area and creation of committees to compose the organization's general strategic planning are among the requirements to have a good IT Governance system (ELAGHA, 2014).
In public administration, the focus of Information Technology Governance is to provide its clients with greater transparency, offering better quality services, greater modernization of sectors and greater efficiency (ALI; GREEN, 2012;CAMPBELL;MCDONALD;SETHIBE, 2010;SUOMI;TAHKAPAA, 2004;VANDER WALT;VON SOLMS;COETSEE, 2014). The absence of a solid Governance system brings serious problems for the organization, such as wasting resources, greater exposure to IT threats, inability to manage and prevent risks, among other problems (WILKIN; CHENHALL, 2010;NOLAN;MCFARLAN, 2005) and (TAMBOTOH et al., 2017) argue that Governance actions in Information Technology include monitoring, warning, starting, and guide the planning required, and provide access to external resources and knowledge related to IT initiatives.
In order to better management of IT resources in the Federal Public Administration (APF) in Brazil, the Federal Audit Office (TCU) conducts an evaluation every two years in federal public organizations (DA SILVA et al., 2018;SILVA et al., 2018a). This evaluation is carried out in two stages: the first step consists of sending a questionnaire addressing good Governance practices in laws, regulations, technical norms and international models. In the second step, an audit of a sample of the organizations evaluated is carried out to determine if the answers are consistent with their veracity (CGU, 2015).

• 74 •
To assist managers and make them aware of the importance of implementing a Governance system, the TCU provides the Basic Governance Framework. The manual addresses Governance practices in general, addressing leadership, auditing, management transparency, and other relevant issues. It also addresses guidelines for good Governance, especially targeted at public organizations (TCU, 2014).
Given the importance of a good Governance system, the objective of this work is to evaluate the IT Governance situation in-state public organizations in the State of Sergipe. For this, an online survey was applied.
This work is structured as follows: section 2 brings some works with related objectives; section 3 shows the steps of the survey, its application, formulation of research questions and hypotheses, selection of participants and instrumentation; Section 4 presents the analyses and interpretations of the data collected; section 5 shows the threats to the validity of the research and section 6 presents the conclusions and suggestions of future works.

RELATED WORKS
We did not find surveys and scientific researches that had the same objective of this work, evidencing that they do not impose many studies applied to measure the level of IT Governance in public institutions. Next, some studies found that have similar goals.
In (ALIYU, 2010) a case study was conducted to investigate the level of implementation and Governance practices adopted in the IT Division of International Islamyc University Malaysia (IIUM), a public institution. Through interviews, the author identified the role of each sector in the quoted division and suggested changes that bring significant improvements to the provision of quality services and better utilization of available resources.
Bayona e Ayala (2017), applied an adapted survey (FERNÁNDEZ, 2009) in order to analyze the state of IT Governance in public institutions of Peru, based on the principles of ISO/IEC 38500. In its assessment, attach four degrees of organizational maturity in Governance.
Differently (SOUSA, 2015), was analyzes the federal institutions present in the State of Amazonas, Brazil, proposing improvements to the managers and identifying the failures. It also attributes a degree of maturity to the institutions, through the analysis of critical points. Similar to the TCU's assessment it covers five levels of maturity and defines its peculiarities.
Similarly (SILVA et al., 2018), conducted a survey with Public Organizations that have Capacity stages Enhanced, according to TCU iGovTI. This survey collected which were the practices used and identified the profiles of the organizations and their interviews. As main results, they recognized that the Good Practices used in Enhanced organizations are the same ones known in both academia and industry (COBIT, ITIL, CMMI, MPS.Br, PMBOK). Another relevant result was the evidence that even Enhanced organizations do not adopt best practices considered relevant.
These works prompt the investigation of how Public Organizations are addressing this issue and how they fit into the governance aspect. In addition, they stimulate the creation of hypotheses about the need for a framework to direct organizations. The following section presents in detail the steps regarding the survey.

SURVEY
This section presents all the steps for conducting the Online Survey: from its objective, through participant selection, instrumentation, operation, analysis and interpretation of the collected answers.

OBJECTIVES
Based on the evaluation conducted by TCU \cite{da2015levantamento} and in order to verify the IT Governance situation in the public organizations in the State of Sergipe, an online Survey was applied, mirrored in the tool proposed by \cite{silva2018peticgov} . In order to fulfill this objective, the following questions were formulated: • RQ1: what is the IT Governance situation in the Sergipe state public organizations? • RQ2: does the organization audit IT actions? • RQ3: is the IT area included in the process of developing the company's strategic planning?
The questions presented were used for the analysis of the answers provided by the managers are in the Analysis and Interpretations section.

HYPOTHESIS FORMULATION
In order to evaluate the research questions, frequency-based metrics will be used, making up the number of IT Governance scenarios in Sergipe state public organizations (i), the accomplishments of IT actions (ii) audits and IT in the process of preparing the company's strategic planning (iii). H0 = maturity in IT Governance is the same in organizations evaluated; H1 = maturity in IT Governance is different in organizations evaluated.

SELECTION OF PARTICIPANTS
The research participants are professionals working in the IT sectors of the state agencies, among technicians, analysts and managers, selected from a simple sampling. According to the Transparency Portal of the State of Sergipe (http://lai.se.gov.br/orgaos-entidades-do-governo-de-sergipe/), Sergipe State has thirty-eight organizations in its current administrative structure, of which thirty-six are with their internet pages available. Before these numbers, the questionnaire was sent to these thirty--six organizations, directly to the e-mail of the managers and through the System of Ombudsman of the State of Sergipe, SE-Ouv (http://se-ouv.se.gov .br / esic), the latter used for organizations that did not make contact with their sectors on their websites.

INSTRUMENTATION
The questionnaire was transcribed from the PeticGov tool (SILVA et al., 2018b) for Google Forms, a Google tool for creating online questionnaires (https://docs.google.com/forms/u/0/), and distributed • 76 • via the Internet, with the necessary instructions for the correct completion of the same. To classify organizations according to their grades, four degrees of maturity were assigned: initial, when IT does not have real chances of adding value to the organization; basic, when IT has little chance of adding value to the organization; intermediate, when IT has a reasonable set of IT Governance practices, which may be sufficient for the organization; improved, when IT has sufficient Governance practices and add value to the organization.
The questionnaire has five options for answers, each with its own weight: "not applicable", when the question does not address something that is part of the organization; "not adopted", when the issue is consistent with the organizational reality, but the organization does not use such an approach; "initiated plan to adopt", when the organization has documentation and formal plans for adoption of that measure in its management; "partially adopts", when the proposed plan begins to be put into practice; and "fully adopts", when the item addressed has already been used in the organization and produces satisfactory results (CGU, 2015). Table 1   To calculate the grades, a spreadsheet was prepared using Microsoft Excel 2013. The grading was done following the proposal of (SILVA et al., 2018b), making the sum of the grades of each dimension evaluated and verifying which degree of maturity corresponds to that note range. Table 2 shows the range of grades that corresponds to each degree of maturity. Next, the target audience of the survey was identified and the direct e-mails and the requests were sent to the SE-Ouv system. In order to have as many participants as possible, some care was taken: objective questions, time spent by the respondent not exceeding eight minutes and use of clear and concise language (WOLF, 1986).

ANALYZES AND INTERPRETATIONS
From the thirty-six requests sent fourteen responses were obtained (approximately 39% of organizations) from 04/24/2019 to 06/27/2019, when the questionnaire was available to collect answers. For identification and calculation notes, it was asked to the respondents to identify their positions and organizations to which they belonged it was also clarified that the name of the organization would not be disclosed.
Thus, it was identified that approximately 28.57% of respondents chose not to report their position. Technicians, systems analysts and general IT coordinators have a total of approximately 14.28% each. Planning adviser, deputy ombudsman and communication advisor present total of approximately 7.14% each. Graph 1 illustrates more clearly the percentages reported.

Graph 1 -Positions of respondents
Source: Survey data.
As for the segment of organizations, it was identified that foundations, regulatory agencies and banks make up approximately 7.14% of respondents, each. Public companies represent approximately 21.42% of the total of respondents. The autarchies represent approximately 28.57%, mixed capital companies and the judiciary represent 14.28% of the total of respondents. Graph 2 shows these numbers.

IT GOVERNANCE SITUATION IN THE STATE OF SERGIPE
Analysis of IT Governance of the situation was carried out in the state of Sergipe, to answer the research Question 1 as an evaluation model proposed in the study by (SILVA et al., 2018b). The collected of each public organization's responses were transcribed to a spreadsheet calculation, in order to obtain the grades and their corresponding degrees of maturity. As mentioned earlier, four degrees of maturity are assigned according to the scores obtained, according to Table 2. According to the answers provided, most of the respondent organizations are far from the ideal framework in IT Governance.
Of the 14 organizations analyzed, approximately 28.57% are in the initial grade, that is, IT has no real chance of adding positive value to the organization, according to (CGU, 2015). About 35.71% of organizations are at the basic level, that is, IT has little chance of adding positive value to the organization. Only about 21.42% are in intermediate level, that is, with a reasonable set of practices in IT Governance that may be sufficient to the organization and about 14.28% are in an improved degree, that is, IT has a good set of Governance practices and add positive value to the organization. Graph 3 shows these percentages.

Graph 3 -Situation of IT Governance in the State of Sergipe
Source: Survey data.
In order to answer the research Question 2, it was observed that among the organizations that obtained an initial stage, only one claimed to perform partially an audit of the organization's IT actions. It was also observed that among those who obtained a basic stage, only one claimed to perform partially auditing and one claimed to be initiating a plan for the adoption of audit practices in the IT sector. Among those who obtained an intermediate stage, all organizations claim to have partial IT auditing practices and among those that obtained an advanced stage, all of them claimed to adopt audit practices in the IT sector.

Graph 4 -Answers to the question: Internal audit monitors Governance and IT management actions
Source: Survey data.

Exatas e tecnológicas
Reinforces the importance of auditing the measurement and improvement of IT services and the correct application of available resources, thus avoiding fraud and unnecessary expenses, for continuous improvement of the services provided and greater positive gains for the organization as a whole (RADOVANOVIĆ et al., 2011;ZUMBA-VASQUEZ et al, 2018). Highlights how important it is for IT to carry out an audit proposed by COBIT 5, in order to facilitate the monitoring, targeting and improvement of IT actions to meet all organizational needs, of stakeholders, whether internal or external to the organization (MURAD et al., 2018). Graph 4 represents the answers given, in general, to the question that addresses the existence of audit actions in the organization.
It was also observed that only intermediate and improved organizations claimed to have partial and integral, respectively, IT risk management practices. The others, from initial and basic grades, have argued that they do not apply or do not adopt such practices. According to (BURKOV et al., 2018;DENG, 2010), risk management in an organization is critical to the success of the organization. Identifying potential risks, assessing the chances of occurrence and assigning degrees of impact to them help the organization in prevention, and, in the event of an event, help mitigate its effects. In IT, this is no different. Argue that good IT risk management has a positive impact across the organization (CHENG; GONG, 2012; JAVAID; IQBAL, 2017). Graph 5 generally represents the answers given to the question of risk management.
Graph 5 -Answers to the question: Internal audit evaluates IT risk management Source: Survey data.
Responding to Question 3, it was observed that among the organizations that obtained an initial degree, all of them claimed to participate partially in the elaboration of the strategic planning of the organization, but only one of them claimed to have a partial IT strategic steering committee to act with senior management in the overall strategic planning of the organization.

• 81 •
In organizations that received a basic stage, only one claimed to have a full strategic IT management committee, but also claimed that they did not participate fully in the organization's overall strategic planning. Among the others of basic level, one organization claimed that although it does not have an IT strategic committee, it fully participates in the strategic planning process, one claimed that the committee does not apply to the reality of IT, one initiated a plan to adopt the committee and two claimed not to have an IT strategic committee.
Among intermediate-level organizations, two of them claimed to have a partial IT strategic committee and partially participate in the organization's strategic planning process. According to the Basic Reference TCU Governance (TCU, 2014), good Governance requires that all parts of the organization are aligned strategically. This alignment contributes to the growth of the organization and greater attention to users' needs through the provision of better quality services. Argue that strategic alignment between the IT sector and the organization "ensures consistency in strategies, priorities and organizational structure" (ANDRADE, MOURA, 2008;ELAGHA, 2014).
Graph 6 -Answers to the question: Internal audit evaluates IT risk management Source: Survey data.
Graph 6 and Graph 7 represent the responses of all evaluated organizations about the existence of strategic IT committee and participation in the strategic planning process of the organization, respectively.
Graph 7 -Answers to the question: The institutional strategic planning process foresees the participation of the IT area Source: Survey data.

DATA VALIDATION
Data analysis was performed and two statistical tests, one non-parametric and one parametric, were performed, respectively, being X² and R's correlation.
The X² test was used in the grade of assessment of the degree of maturity of the companies that answered the questionnaire. To define the expected frequency, the mean value of the maturity level was defined, being this 9.5. Based on these data, the X² had its result equal to 45.92. With this, this research evidenced that the frequencies observed are different from the frequency expected, so there is a difference between them.
Comparing the calculated X² which resulted in 42.92 with the tabulated X² resulted in 21.026 with a significance of 0.05. It is possible to observe that the null hypothesis was rejected. It was previously defined as expected value for the test was 9.5. It corresponds to the average value of the grades that the analyzed institution can obtain in this research. Pearson's correlation coefficient, also known as correlation (r), measures the degree of linear correlation between two quantitative variables (FIGUEI-REDO FILHO; SILVA JÚNIOR, 2009).
Analyzing the Pearson parametric test, the result obtained by analyzing the degree of maturity of the companies that answered the questionnaire in comparison with the expected value that was explained previously, it is possible to observe that with the value of r = 0.56, the degree of correlation between these two metric scale variables can be considered positive, indicating a moderate correlation.

THREATS TO VALIDITY AND MITIGATION
Internal Validity: considering that the questionnaire used in this research was online, in order to reduce eventual problems related to the non-understanding of questions by the respondents, the non-participation of the target professionals in the survey, the survey was sent and a tutor to send was available to explain and ask questions about the questionnaire if necessary. However, no tutor has been contacted to ask questions, and some question may not have been correctly understood.
External validity: although the target audience are IT professionals, as explained in the description of the questionnaire, you can not ensure that this requirement is met, although all respondents said that they send to the responsible department to respond. It is also possible that the responses of the questionnaires do not correspond to the reality of some responding organizations.

CONCLUSIONS AND FUTURE WORKS
This paper presented a Survey applied to the public organizations of the State of Sergipe, Brazil, in order to clarify the situation of IT Governance according to the assessment made by the Court of Audit of the Union. Quantitative results were presented that will serve to support managers in the adoption of good Governance practices in their management. Moreover, with these results available to the academic community and interested organizations, it is possible for researchers and managers to direct their studies and efforts according to the observed demand.
Based on this research, it was evidenced that approximately 21.42% of the evaluated ones are in the intermediate degree with a reasonable set of practices in IT Governance, that can be sufficient to the organization. And about 14.28% are in improved degree IT, thus possessing a good set of Governance practices and adding positive value to the organization. Consequently, only 35.7% of the public organizations in the Sergipe State that participated in the survey present a satisfactory result in relation to the adoption of IT Governance. Another important point is that only 7% of organizations carry out an audit of IT actions integrally within their organizations.
From the point of view of the participation of the IT area included in the strategic planning process, only 28.6% fully adopt the participation of the sector. While 50% of the responses are between non-adoption or application. These data warn the lack of application of guidelines related to IT Governance. The main difficulty of this work was the difficult task of the application of a Survey-type survey within the state agencies of Sergipe. Even ensuring, in the context of seriousness and secrecy, only 14 of the 36 organizations responded to the survey. A tutor was also made available to answer any questions regarding the application of the questionnaire.
As future work, it is intended to deepen the research and data collection with the bodies involved, in an attempt to increase adherence to other organizations, in order to understand the low application of IT Governance guidelines at the level of excellence and the achievement audit of the evaluated organizations in order to verify if the context presented in the questionnaires corresponds to the reality of the organizations.