Purpose - The purpose of this paper is to critically rethink the concepts and the theoretical foundations of IT governance in small- and medium-sized enterprises (SMEs). Design/methodology/approach - The paper is based on multiple case studies. In total, eight cases of outsourced information system projects where failures occurred were selected. An outsourced information system failure (OISF) is suggested as a failure of governance of the IT in a SME environment. A structure for stating propositions derived from two competing theories is proposed (Agency Theory and Theory of Trust). Findings - The results reveal that trust is slightly more important than control issues such as output-based contracts and structured controls in the governance of IT in SMEs. Practical implications - The world of SMEs is significantly different from that of large companies, and therefore, the concept of IT governance in SMEs needs reconsideration. For researchers and practitioners, it would be more meaningful to focus on actual, working SMEs instead of on a version of their activities derived from those of large companies. Originality/value - The paper offers two contributions. First, it elaborates the limited research on IT in SMEs and second, it brings theoretical foundations for their IT governance. The value of IT governance in SMEs is explained.