JOURNAL OF INFORMATION SYSTEMS, American Accounting Association
Vol. 27, No. 1, Spring 2013, pp. 307–324
DOI: 10.2308/isys-50422
COBIT 5 and Enterprise Governance of Information Technology: Building Blocks and Research Opportunities
Steven De Haes
Wim Van Grembergen
University of Antwerp
Roger S. Debreceny
University of Hawai'i at Mānoa
ABSTRACT: COBIT, currently in its fifth edition, is a good-practice framework for the
enterprise governance of IT. There is limited academic research that either analyzes
COBIT or leverages COBIT as an instrument in executing research programs. Through
linking core elements and principles of COBIT to insights from IT-related and general
management literature, this paper explores the use of COBIT in future research
activities. This paper positions COBIT as a framework for enterprise governance of IT.
The major directions and core principles of the framework are described. Connections
are made of these directions and principles to the relevant literature. Research questions
for future research around enterprise governance of IT and COBIT 5 are proposed and
discussed.
Keywords: enterprise governance of IT; IT governance; COBIT; business/IT alignment;
balanced scorecard; organizational systems; IT controls.
I. INTRODUCTION
Information technology (IT) has become crucial in the support, sustainability, and growth of
enterprises. Previously, governing boards and senior management executives could minimize
their involvement in the direction of IT, leaving most decisions to functional management. In
most sectors and industries, such attitudes are now impossible, as enterprises are increasingly
completely dependent on IT for survival and growth. These organizations also face a wide spectrum
of external threats arising from IT including abuse, cybercrime, fraud, errors, and omissions. IT has
the potential to support existing business strategies as well as shape new strategies. IT
increasingly becomes not only a success factor for day-to-day operations, but also a critical
facilitator for enhancement of competitive advantage (Van Grembergen and De Haes 2009; Weill
and Ross 2009). Given the centrality of IT for enterprise risk management and value generation, a
specific focus on enterprise governance of IT (EGIT) has arisen over the last two decades (De Haes
and Van Grembergen 2008b; Thorp 2003; Wilkin and Chenhall 2010). Enterprise governance of IT
is an integral part of enterprise governance. EGIT addresses the definition and implementation of
processes, structures, and relational mechanisms in the organization that enable the board and senior
business and IT management to execute their responsibilities in support of risk and value
management (Van Grembergen and De Haes 2009).
We thank Miklos Vasarhelyi (editor) and two anonymous referees for their guidance on an earlier version of this
commentary.
Editor's note: Accepted by Miklos A. Vasarhelyi.
Published Online: February 2013
Enterprises are increasingly making tangible and intangible investments in improving
enterprise governance of IT. In support of this, enterprises are drawing upon the practical
relevance of generally accepted good-practice frameworks such as COBIT (ISACA 2009a).
COBIT, now in its fifth edition, describes a set of good practices for the board and senior
operational and IT management (ISACA 2012b).¹ It sets out a set of controls over information
technology and organizes them around a logical framework of IT-related processes.² COBIT is
part of a suite of products including: implementation; service management and assurance
guides; low-level practices; and mapping to cognate frameworks and standards. Research
indicates that organizations are adopting COBIT in practice (Debreceny and Gray 2013; ISACA
2011c; Van Grembergen and De Haes 2009). Given COBIT's historical origins in the audit
community, there is a particular connection between the COBIT framework and the conduct of
IT assurance. However, there has been limited academic research that leverages or explores
COBIT. Many of the core principles of COBIT build on models, concepts, and theories from
the IT and general management literatures. There are, as a result, opportunities for research that
references and leverages COBIT. In this paper, we discuss how the COBIT 5 framework
embraces concepts from the professional and academic literatures and builds upon earlier
iterations of COBIT. The main contribution of this paper is that it seeks to provide directions
and challenges for undertaking research that draws upon COBIT 5. As such, a principal
objective of the paper is to narrow the gap between academic research and practice.
The paper provides an overview of the directions COBIT is taking and offers suggestions on
research that takes COBIT as its unit of analysis or as a source of models, practices, and knowledge
for the design of research. The paper proceeds as follows. In Section II, the concept of Enterprise
Governance of IT is defined in more detail. COBIT is then positioned as a framework for enterprise
governance of IT. Next, in Section III, the manner by which COBIT 5 embraces insights from the
IT and general management literature is explored. Some directions for future research around
enterprise governance of IT and COBIT are set out in Section IV. Finally, Section V brings some
concluding remarks together.
II. BACKGROUND
This section of the paper provides background on the shape of EGIT, places COBIT within the
historical development of EGIT, and describes some of the core dimensions of the COBIT approach
to IT governance.
¹ The authors of this paper have been actively engaged in COBIT development over the past decade, including
membership of the COBIT Steering Committee and development teams at various times over the period.
² A framework is a set of guiding principles and good practices that are explicitly designed to be adapted by
adopting organizations. Frameworks are distinguished from standards that are designed for monolithic adoption.
Standards are also more typically associated with certification of adopting organizations. Confusingly, some of
the "standards" promulgated by the International Standards Organization are essentially frameworks (e.g., ISO/
IEC 2008).
Enterprise Governance of IT
The concept of IT governance has been in existence for less than two decades. In the early
1990s key strands of IT governance could be discerned in the academic literature. The first strand
studied alternative forms of organization of the IT function and the impact of those forms on
business outcomes (ITGI 2005; Ives and Jarvenpaa 1993). A second strand explored the nature and
effect of alignment between enterprise consumers of IT services ("the business") and the IT
function (Henderson and Venkatraman 1993; Luftman 1996; Venkatraman et al. 1993). A third
strand, inspired by Porter's research on strategy and competitive advantage (Porter 1979, 1985),
addressed links between enterprise strategy, investment in IT, and enterprise performance (Andreu
and Ciborra 1996; Chan et al. 1997; Weill 1990, 1992). This strand received considerable impetus
as researchers reacted to research by Brynjolfsson (1993) that pointed to a seeming paradox
between high levels of investment in IT and an absence of evidence on returns on that investment. It
was only in the late 1990s that articles first mentioned IT governance in the title or abstract (e.g.,
Brown 1997; Sambamurthy and Zmud 1999), although these papers mostly focused on debates
about the most effective form of IT organization. In the practitioner arena, ISACA created the IT
Governance Institute (ITGI) (www.itgi.org) in 1998 to promote the IT governance concept. As
explored in more detail shortly, the various publications of ISACA and ITGI explicitly incorporated
IT governance notions in COBIT 3 (ITGI 2000) and the board briefing on IT governance (ITGI
2001).
Current perspectives on enterprise governance of IT see EGIT as an integral part of corporate
governance. The recent ISO/IEC Standard 38500 "Corporate Governance of IT" defines IT
governance as "The system by which the current and future use of IT is directed and controlled.
Corporate governance of IT involves evaluating and directing the use of IT to support the
organization and monitoring this use to achieve plans. It includes the strategy and policies for using
IT within an organization" (ISO/IEC 2008). Van Grembergen and De Haes (2009) define EGIT as
the "Board overseeing the definition and implementation of processes, structures, and relational
mechanisms in the organization that enable both business and IT to execute their responsibilities in
support of business/IT alignment and the creation of business value from IT enabled investments."
Both definitions indicate clearly that IT governance is the responsibility of governing boards and
that execution lies with senior management.
The IT governance concept has received considerable attention in the academic literature over
the last decade. Wilkin and Chenhall (2010), in a recent survey of IT governance, establish a
taxonomy of IT governance. They see concepts of strategic alignment, performance measurement,
risk management, and value delivery as the most significant enablers of IT governance. Wilkin
and Chenhall (2010) note that broader organizational structures, business processes and
technology, and resource capabilities influence the enablers and by extension IT governance.
Wilkin and Chenhall (2010) see corporate governance as being a primary influence on the shape
of IT governance. This focus on corporate governance was in response to two directions in the
academic and professional communities. First, the increasing importance of corporate governance
in general management and the academic literature influenced research in IT governance, as did
professional guidance in the U.S. (COSO 1992) and its counterparts in other parts of the world.
The Sarbanes-Oxley Act in the U.S. in 2002 provided significant impetus to widespread adoption
of corporate governance methods in the field and a dramatic expansion in the academic literature,
along with specialist journals. Second, the increasing importance of IT in meeting enterprise goals
coupled with the inherent tension in aligning business and IT management has led to a recognition
of the importance of setting IT goals and decision rights at the governance level (i.e., governing
boards) (De Haes and Van Grembergen 2008a; Thorp 2003; Weill and Ross 2009). These forces
initiated a shift in the naming of the concept from "IT governance" toward "enterprise
governance of IT," that focuses on board and senior business management involvement in
strategic and tactical directions for IT.
Origins and Positioning of COBIT
COBIT is an IT governance framework developed by ISACA. Figure 1 shows the major
milestones in the development of COBIT. The COBIT framework arose from initiatives by
members of ISACA in the financial and IT audit communities. These audit professionals confronted
increasingly automated environments. To guide their work, the initial development of COBIT was
as a framework for the execution of IT audit assignments. It was constructed around a
comprehensive set of so-called "Control Objectives for IT Processes" (IASCF 1994). Over
successive versions, COBIT transitioned toward a broader IT governance and management
framework with management tools including metrics, critical success factors, maturity models, and
tools for the assignment of roles and responsibilities for IT processes. COBIT 4 saw the
development of tools to align business and IT goals and their relationship with supporting IT
processes. COBIT 4 also strengthened the connection with other relevant governance frameworks
and IT frameworks and standards (ITGI 2005). More recently, COBIT was complemented with the
Val IT and Risk IT frameworks (ISACA 2009c, 2010). These addressed the IT-related business
processes and responsibilities in value creation (Val IT) and risk management (Risk IT). In each
case, Val IT and Risk IT drew key concepts and processes from COBIT and added domain-specific
guidance.
In April 2012, COBIT 5 was released, with the concept of enterprise governance of IT as a
foundation (ISACA 2012b). According to ISACA, "COBIT 5 provides a comprehensive
framework that assists enterprises to achieve their objectives for the governance and management
of enterprise IT. COBIT 5 enables IT to be governed and managed in a holistic manner for the
whole enterprise, taking in the full end-to-end business and IT functional areas of responsibility,
considering the IT-related interests of internal and external stakeholders" (ISACA 2012b). COBIT
5 integrates the knowledge previously dispersed over the three ISACA frameworks, viz: COBIT,
Val IT, and Risk IT (ISACA 2009c, 2010; ITGI 2005). COBIT, to some degree in the fourth edition
and more systematically in the fifth edition, covers the lifecycle of governance, strategic, and
tactical management within the IT domain. The relative roles of several general governance, IT
governance, and IT management frameworks are illustrated in Figure 2, along two dimensions: the
level of abstraction of the framework or standard and the extent to which the framework covers the
lifecycle of IT from design of governance systems through tactical IT management.
FIGURE 1
Timeline of COBIT Developments
General-purpose corporate governance frameworks such as COSO are at a high degree of
abstraction and cover only issues of governance and organization. At the other end of the
continuum, standards such as TickIT (a standard for quality software development), are related only
to a particular aspect of IT. TickIT and other IT standards are relevant at the tactical level
within the IT function. Other well-known standards such as ITIL and CMMI relate primarily to
management rather than governance and to tactics rather than strategy (Ahern et al. 2008; Cabinet
Office 2011). In recent releases, both ITIL and CMMI have moved more toward strategy and at
least some aspects of governance.
Concepts of Control in COBIT
The concept of control in COBIT builds on the general literature of management control and
management control systems. Management control theory arose from commerce, particularly with
the development of the private corporation as enterprises grew such that ownership became
separated from management (Berle and Means 1932), and from theories including Fayol's general
theory of management, organizational theory (Cyert and March 1963; March and Simon 1958), and
the cybernetics of Stafford Beer (Beer 1959, 1972). Earlier views of management control were
strongly influenced by the scientific management approaches of Anthony and others (Anthony
1965) and related primarily to the acquisition and use of resources in pursuit of organizational
objectives. Later, however, management control theory gravitated more toward seeing control as a
suite of tools for achieving the strategic goals of the firm (Simons 1990, 2000). For example,
Simons sees management control as a suite of informal norms and formal processes designed to
bind organizational outcomes to organizational strategic goals.
FIGURE 2
IT-Related Frameworks: Level of Abstraction and Lifecycle of IT
Simons (1990, 2000) defines four types of formal systems: beliefs systems ("formal systems
used by top managers to define, communicate, and reinforce the basic values, purpose, and
direction for the organization"), boundary systems ("formal systems used by top managers to
establish explicit limits and rules that must be respected"), diagnostic control systems ("formal
feedback systems used to monitor organizational outcomes and correct deviations from preset
standards of performance"), and interactive control systems ("formal systems used by top managers
to regularly and personally involve themselves in the decision activities of subordinates").
The view of control within COBIT is broadly in line with Simons' perspective. For example,
the definition of control in COBIT 3 is "the policies, procedures, practices, and organizational
structures designed to provide reasonable assurance that business objectives will be achieved and
that undesired events will be prevented or detected and corrected" (ITGI 2000, 12). The concept of
a control objective is unique to COBIT. It sees the institution of control as leading to a necessary
outcome or end state. As will be discussed in the next sections, the word "control" is not in use in
COBIT 5 and is replaced by "good practices." These are in highly active and prescriptive language,
and their debt to the former COBIT control objectives is clear. These new good
practices are defined as "a proven activity or process that has been successfully used by multiple
enterprises and has been shown to produce reliable results" (ISACA 2012b).
III. MAJOR DIRECTIONS IN COBIT 5
This section analyzes and places in context some of the key directions taken in COBIT 5. This
provides a foundation for development of a set of research questions. First, the COBIT 5 framework
is built around five core principles: (1) meeting stakeholder needs; (2) covering the enterprise
end-to-end; (3) applying a single, integrated framework; (4) enabling a holistic approach; and (5)
separating governance from management. This section discusses each of these principles and relates
them to concepts and insights from the general management, accounting, and IT literatures. Second,
consideration of implementing COBIT now has a more central role in the framework. Third,
COBIT made significant changes in the measurement of IT process maturity, changing the concept
to process capability. This change aligns COBIT with the ISO/IEC 15504 standard. Finally,
changes in the domain and process structure of the framework are reviewed.
Meeting Stakeholder Needs: Strategic Business/IT Alignment
According to ISACA, Principle 1 (Meeting Stakeholder Needs) implies that COBIT 5 provides
all of the required processes and other enablers to support business value creation and risk
management through use of IT. This principle closely links to the notion of strategic alignment
initiated by Henderson and Venkatraman (1993). The idea behind strategic alignment between the
board, operational management, and IT is comprehensive and has been present in the COBIT
framework from the outset. However, the challenge is how organizations can achieve alignment.
The COBIT framework is large and complex. It normally will take some years for full adoption
even for a relatively small enterprise. Some of the important issues that the board and management
must address include: Which processes should be managed with COBIT? In which order should
those processes be introduced and developed? How deep should the investment be in implementing
the suite of processes? The COBIT 5 development team undertook research to understand how
enterprise goals drive IT-related goals and vice versa. These research projects used in-depth
interviews in different sectors together with Delphi surveys of subject matter experts. This research
established a generic list of enterprise goals, IT-related goals, and their inter-relationship or
"cascade." This cascade now constitutes the core entry point for COBIT 5. In COBIT 5, there is an
explicit assumption that organizations should commence by analyzing their business/IT alignment
state through definition of enterprise goals, linking those goals to IT-related goals and subsequently
to the IT processes within COBIT (De Haes and Van Grembergen 2010; Van Grembergen et al.
2008).
In the goals cascade, enterprise and IT-related goals are categorized into financial, customer,
internal, and learning and growth perspectives (Figure 3). This follows the commonly accepted
dimensions of balanced scorecard analysis. Each perspective holds a number of commonly
referenced goals in organizations in that area based on earlier executed exploratory research (Van
Grembergen et al. 2008). Next, primary (P) and secondary (S) relationships between enterprise and
IT-related goals are provided, based on experts' opinions. These relationships indicate how
enterprise goals drive IT-related goals and/or how IT-related goals support enterprise goals. As an
illustration of this cascade, Figure 4 shows that the enterprise goal of "External compliance with
laws and regulation" requires a primary focus (P) on the IT-related goals of "IT compliance and
support for business compliance with external laws and regulations" and "security of information
and processing infrastructure." When adopting COBIT 5, organizations will take the weighted
importance of IT-related goals to guide them in deciding which subset of the framework's 37 IT
processes are the most important for early adoption.
Meeting Stakeholder Needs: The Balanced Scorecard
To verify whether stakeholder needs are indeed being met, a sound measurement process needs
to be established (Elbashir et al. 2008; Hyvönen 2007; O'Connor and Martinsons 2006).
Traditional performance methods such as return on investment (ROI) capture the financial worth of
IT projects and systems, but reflect only a limited part of the value that can be delivered by IT
(Davern and Wilkin 2010; Van Grembergen and De Haes 2009). COBIT builds on balanced
scorecard concepts as developed by Kaplan and Norton (1996), and as adapted for the IT domain
(Hu and Huang 2006; Van Grembergen et al. 2003).
FIGURE 3
Cascade of Enterprise Goals and IT-Related Goals
Source: COBIT 5. P: Primary goal; S: Secondary goal.
COBIT 5 provides outcome measures at the IT process level. Figure 5 shows an example for
the process of "Managing Security," providing specific process goals and related metrics.
Consolidation of these metrics at the enterprise, IT-related, and COBIT process levels, enables
organizations to build a comprehensive scorecard for the entire IT environment. This allows
organizations to develop a measurement instrument to verify meeting of stakeholder needs.
Covering the Enterprise End-to-End
The second principle (Covering the Enterprise End- to-End) articulates that COBIT 5 covers all
functions and processes within the enterprise. COBIT 5 does not focus only on the "IT function,"
but treats information and related technologies as assets or capabilities that need examination along
with other assets in the enterprise. This perspective aligns with Weill and Ross (2009) on the notion
of "IT Savviness" and the resource-based view and capabilities literatures (Andreu and Ciborra
1996; Feeny and Willcocks 1998; Law and Ngai 2007; Tarafdar and Gordon 2007). Weill and Ross
clarify the need for general business management to take ownership of, and accountability for,
governing the use of IT in creating value from IT-enabled business investments. In many
organizations, this implies a crucial shift in attitudes and behavior of general business and IT
management as well as the governing board. As Weill and Ross (2009) note: "If senior managers do
not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical
initiatives with no clear impact on organizational capabilities. IT becomes a liability instead of a
strategic asset."
FIGURE 4
Primary and Secondary IT Goals for Enterprise Goal "External Compliance with Laws and Regulation"
Source: COBIT 5. P: Primary goal; S: Secondary goal.
FIGURE 5
Balanced Scorecard Metrics for the Security Process
Source: COBIT 5.
Related to this discussion, COBIT 5 encompasses both IT processes and IT-related business
processes. Collaboration and reciprocal relationships and task dependencies between business
management, IT management, and external parties are an important element of IT governance (Cragg
et al. 2011; Zarvić et al. 2012). COBIT 5 provides RACI charts (Responsible, Accountable,
Consulted, Informed) in which both business and IT roles are included. To illustrate this, Figure 6
provides an example RACI chart for the process "Manage Service Agreements." This RACI chart
indicates that for the SLA process, both business and IT functions have primary (P) and secondary
(S) accountabilities and responsibilities.
Applying a Single, Integrated Framework: COBIT, Risk IT, and Val IT
Principle 3 (Applying a Single, Integrated Framework) explains that COBIT 5 aligns at a high
level with other relevant standards and frameworks. It can thus serve as the overarching framework
for governance and management of enterprise IT. COBIT 5 integrates all of the previous ISACA IT
governance materials in COBIT 4, Val IT, and Risk IT (ISACA 2007, 2009c, 2010). In this
overarching approach, COBIT identifies 37 IT processes spread over governance and management
domains. The five governance processes are the board's responsibilities in IT covering the setting of
the governance framework, responsibilities in terms of value (e.g., investment criteria), risks (e.g.,
risk appetite), resources (e.g., resource optimization), and providing transparency regarding IT to
the stakeholders. We return to governance later in this section. In the management domain, there are
four subdomains: "Align, Plan, and Organize" (APO); "Build, Acquire and Implement" (BAI);
"Deliver, Service, and Support" (DSS); and "Monitor, Evaluate and Assess" (MEA). The domain
APO concerns the identification of how IT can best contribute to the achievement of business
objectives. A management framework is required, together with specific processes related to the IT
strategy and tactics, enterprise architecture, innovation, and portfolio management. Other important
processes in this domain address the management of budgets and costs, human resources,
relationships, service agreements, suppliers, quality, risk, and security.
FIGURE 6
End-to-End Responsibility in Managing Service Agreements
Source: COBIT 5.
The domain BAI makes the IT strategy concrete through identifying, in detail, the requirements
for IT and managing the investment program and projects. This domain further considers managing
capacity, organizational change, IT changes, acceptance and transitioning, knowledge, assets, and
configurations. The domain Delivery, Service and Support (DSS) refers to the actual delivery of
required IT services. It contains processes on managing operations, service requests and incidents,
problems, continuity, security services, and business process controls. The fourth management
domain, MEA, includes those processes that are responsible for the quality assessment in
compliance with the control requirements for all previously mentioned processes. It addresses
performance management, monitoring of internal control, and regulatory compliance ( ISACA
2012b).
COBIT 5 emphasizes the requirement of general business management being accountable for
managing IT. Processes that address specific business roles are APO3: Manage Enterprise
Architecture, APO4: Manage Innovation, and BAI05: Manage Organizational Change. A specific
process on business process controls (application controls) is included ("DSS06: Manage Business
Process Controls").
Enabling a Holistic Approach: Organizational Systems
The fourth principle (Enabling a Holistic Approach) explains that efficient and effective
implementation of governance and management of enterprise IT requires a holistic approach. This
approach takes into account several interacting components: processes, organizational structures,
and human resources. This implementation challenge is related to what is described in the strategic
management literature as the need for an organizational system, i.e., "the way a firm gets its people
to work together to carry out the business" (De Wit and Meyer 2005). Such an organizational
system requires the definition and application of structures (e.g., organizational units and functions)
and processes (to ensure tasks are coordinated and integrated), and attention to people and relational
aspects (e.g., culture, values, joint beliefs).
Peterson (2004) and De Haes and Van Grembergen (2009) have applied this organizational
system theory to EGIT. Organizations can and are deploying EGIT by using a mixture of various
structures, processes, and relational mechanisms. EGIT structures include organizational units and
roles responsible for making IT decisions and for enabling contacts between business and IT
management decision-making functions (e.g., IT steering committees). EGIT processes refer to the
formalization and institutionalization of strategic IT decision making and IT monitoring procedures,
to ensure that day-to-day outcomes are consistent with policies and provide a feedback loop (e.g.,
IT balanced scorecard). Relational mechanisms, finally, are about the active participation
of, and collaborative relationship among, the board, senior corporate executives, IT management,
and business management.
COBIT 5 builds on these insights and incorporates formal discussion on so-called "Enablers"
in its framework. These are factors that, individually and collectively, influence whether something
will work—in this case, governance and management over enterprise IT. The framework describes
seven categories of enablers, of which the "processes," "organizational structures," and "culture,
behavior, and ethics" closely relate to the organizational systems concept.
Separating Governance from Management
Finally, Principle 5 is about the distinction COBIT 5 makes between governance and
management. This draws heavily on the guidance in the ISO/IEC standard on "Corporate
Governance of IT" (ISO 38500) (ISO/IEC 2008) and general governance frameworks such as
COSO. There were governance elements within earlier versions of COBIT but they were mixed in
with management aspects. In COBIT 5, the organization of governance processes follows the EDM
model ("Evaluate—Direct—Monitor") as set out in ISO 38500. IT governance processes are the
responsibility of the board of directors and ensure that enterprise objectives are achieved by
evaluating stakeholder needs; setting direction through prioritization and decision making; and
monitoring performance, compliance, and progress against plans. Based on these governance
activities, business and IT management plans, builds, runs, and monitors activities (a COBIT
translation of Deming's PDCA circle Plan, Do, Check, Act) in alignment with the direction set by
the governance body to achieve enterprise objectives.
Implementing Enterprise Governance of IT
Another important change in COBIT 5 is close attention to the challenges of implementing
EGIT within the enterprise. ISACA had previously provided systematic guidance on implementing
IT governance (ISACA 2009a, 2009b), but this guidance was separate from the core COBIT
framework. As a result, adopting organizations often overlooked the considerable challenges of
implementing COBIT. The guidance on implementation has been updated (ISACA 2012a), and the
core messages from this guidance are now incorporated into the COBIT framework itself.
The guidance sets out a seven-stage lifecycle for implementing EGIT, from EGIT program
initiation to review of effectiveness and sustaining the implementation. Core messages from the
guidance include the need to build an appropriate environment for the changes involved in
implementing EGIT, and recognition of the critical importance of building a realistic business case for
undertaking EGIT.
Process Maturity and Process Capability
Process maturity has been a core component of COBIT for more than a decade. Determining
the level of process maturity for given processes allows organizations to determine which processes
are essentially under control and those that represent potential management challenges (Weill
1992). Assessment of process maturity is arguably a necessary condition for implementation of
EGIT. The concept of process maturity in earlier versions of COBIT was adopted and adapted from
the Software Engineering Institute's Capability Maturity Model (Debreceny and Gray 2013). In
COBIT 5, process maturity has been replaced by the concept of process capability (ISACA 2011b),
based on the ISO/IEC 15504 (SPICE) standard "Information Technology—Process Assessment."
A benefit of this assessment model is the improved focus on confirming that a given process is
actually achieving its purpose and delivering the required outcomes as expected. Indeed, a
requirement to meet level one of the five-level capability model under COBIT 5 is that the
"implemented process achieves its process purpose," and at level two, the process is "implemented
in a managed fashion (planned, monitored, and adjusted), and its work products are appropriately
established, controlled, and maintained." These can be challenging for organizations to demonstrate
and, as a result, process capability levels under the new assessment model will be considerably lower
than maturity levels under the earlier CMM-based process maturity model in COBIT 4. This may present some
implementation challenges.
IV. COBIT 5 AND RESEARCH OPPORTUNITIES
This section builds on the previous sections that sought to develop an understanding of core
principles and concepts in COBIT 5 to explore potential new research opportunities. Wilkin and
Chenhall (2010) set out some 20 research questions across various domains in their IT governance
taxonomy (strategic alignment, value delivery, risk management, resource management, and
performance measurement). Our objective is to complement Wilkin and Chenhall by pointing to
research that (1) investigates COBIT as an artifact; (2) sees COBIT within an ecosystem of
competing and complementary frameworks and standards; or (3) uses COBIT as a common
measurement foundation for investigation of some particular aspect of EGIT or cognate areas of
inquiry such as IT audit and assurance.
Researching COBIT as an Artifact
COBIT and its associated suite of products is a large, multifaceted, and complex set of
guidance. The content in COBIT is considerably more complex than COSO or the high-level
frameworks such as ISO/IEC 38500. COBIT is systematically designed to encompass the complete
investment lifecycle, with both governance and management aspects. This complexity gives rise to
the need for research on COBIT as an artifact.
The Quality and Consistency of COBIT as an Artifact
There is a need to investigate COBIT's intellectual foundations, design, applicability, and
internal consistency, or lack thereof. For example, COBIT 5 integrates three significant but related
frameworks covering IT governance and management (COBIT), value generation (Val IT), and risk
management (Risk IT). This integration is a major undertaking and the success of this integration is
not yet clear. An example of research on COBIT as an artifact is Boritz (2005), who considered
notions of information integrity in COBIT, other practice frameworks, and the academic literature.
Boritz (2005), after surveying practitioners, concluded that the way information attributes and
information integrity were established in COBIT should be significantly modified to incorporate
information. The Boritz study is the only research that systematically investigates the design of any
aspect of COBIT. There is a clear need for additional research.
The Association between Prescription and Real-World Conditions
COBIT and other similar frameworks are drawn from good practice in the field and are
essentially prescriptive. The quality of this prescription is only as good as the process of
identification of good practice. The various iterations of COBIT are based on (1) original research,
(2) widespread use of experts in workshops and workgroups, and (3) input from cognate standards
and frameworks. This approach is, necessarily, only a partial sampling of real-world conditions.
Tuttle and Vandervelde (2007) research the applicability of COBIT 3 as an internal control
framework for the financial statement audit and find that COBIT can be employed in this manner.
There is a need for research to understand the relationship between COBIT's prescriptions and real-
world conditions.
COBIT as a Framework
COBIT is a framework rather than a standard and, as a result, is designed to be adapted by
adopting organizations. Yet, little is known as to which components of the framework are necessary
to be retained in order for adoption to still be effective. This applies both horizontally (choice of
processes) and vertically (components including process capability, RACI charts, etc.). For example:
- Could it be feasible to adopt COBIT with only the five processes at the governance layer, shorn of RACI charts, process capability modeling, and other core COBIT attributes?
- Could COBIT be used only by the board and audit committee and still be functional?
Researching COBIT within an Ecosystem of Competing and Complementary Frameworks
A core principle of the design of COBIT 5 is to align systematically with cognate frameworks
and standards. These include governance frameworks of higher abstraction (e.g., ISO/IEC 2008)
and more specific frameworks that are positioned at the level of IT-related management (e.g.,
TOGAF [Open Group 2009]). Understanding how COBIT operates in an ecosystem of competing
and collaborating frameworks is an important area of research.
The Relationship between COBIT, COSO, ISO/IEC 38500, and Other Governance Frameworks
ISACA has made a major investment over the years in mapping COBIT to other frameworks,
with detailed mappings of COBIT 4 to ten other frameworks including COSO, ITIL, PMBOK, and
TOGAF (ISACA 2011a). There is no academic research about the inter-operation of these
relationships. Questions include:
- How does an enterprise manage multiple frameworks and standards?
- How do enterprises measure and manage performance across multiple frameworks and standards?
The Board of Directors Involvement in Enterprise Governance of IT
As we discuss above, there is strong influence upon COBIT from general governance
frameworks, including the COSO internal control framework, and from ISO/IEC 38500. COBIT 5
clearly distinguishes between governance and management. Limited research is available on how
boards are taking up responsibility for governing and monitoring IT. From analysis of annual
reports and Management's Discussion and Analyses (MD&As), or through case, field study, or
survey research, it would be interesting to understand whether the board is taking up the five areas
of responsibility as discussed in COBIT:
- Which of the five governance processes are really taken up by boards?
- What are boards reporting on their IT governance roles in the annual report?
- What is the relationship between boards' involvement and IT governance performance?
COBIT 5 and the Audit of Internal Controls
In the U.S. context, the Sarbanes-Oxley Act requires that SEC registrants certify whether there
are material weaknesses in internal control, as lined up against a control framework. Larger
registrants must have their internal controls audited. While the Sarbanes-Oxley Act does not
mandate a single internal control framework, effectively all registrants choose the COSO
framework. The COSO framework includes some limited commentary on the role of information
technology in maintaining internal controls and the exposure draft for a revised version of COSO
makes this link even stronger (Janvrin et al. 2012). It is now seven years since a customized version
of COBIT for IT control objectives under the Sarbanes-Oxley Act was promulgated by ISACA
(ITGI 2006). Research questions include:
- What role does COBIT play in support of internal and external audit programs?
- COSO makes explicit mention of application controls. Business application controls are now more central in COBIT 5. To what extent does the guidance on business application controls in both COBIT and COSO correlate? What are the practical applications and use of this guidance?
COBIT as a Common Measurement Foundation
COBIT provides good practice guidance for the complete lifecycle of IT investment. It comes
with a suite of management tools together with supporting guidance. COBIT offers, then, a
foundation for measurement in a wide variety of research on EGIT. Debreceny and Gray (2013) draw
explicitly on the IT processes and process maturity components of COBIT 4 in a large international
field study. Similar research can allow us to both understand the EGIT landscape and validate the
design of COBIT.
Alignment of Enterprise and IT-Related Goals
The concept of business/IT alignment is not new, but it is still high on the agenda of many
organizations. Building on the strategic alignment model of Henderson and Venkatraman (1993) and
original research (Van Grembergen et al. 2008), COBIT provides an approach on how to define
enterprise goals and IT-related goals. It will be important to understand how robust this relationship
is. Case study research could reveal whether organizations are clearly articulating enterprise goals and
IT-related goals, and the degree to which these goals are symbiotic. Specific questions can include:
- Are businesses clearly articulating their priorities to IT?
- Is IT pro-actively engaged in the business strategic discussion?
- Is the business involved in defining the IT-related goals?
How Do Organizations Measure the Performance of IT?
Measuring the value of IT is a complex challenge. As COBIT leverages the balanced scorecard
insights, it provides a reference to build conceptual measurement frameworks for IT as a whole or
for specific processes of IT. Research projects could work on building such conceptual frameworks
based on COBIT, and then validate whether such measurement instruments are in use and
optimized based on empirical findings. Examples of specific questions are:
- Are organizations using COBIT to build balanced scorecards?
- Are the metrics in COBIT 5 usable for practice?
- How are enterprises organizing the performance management process?
How Involved Is the Business in Enterprise Governance of IT?
There is an emphasis in COBIT 5 on establishing end-to-end responsibilities in governing and
managing IT assets and capabilities. The RACI charts in COBIT 5 provide usable templates for
analysis of whether general business management is taking up their IT-related responsibilities.
Research questions include:
- Are business managers aware of the responsibilities as assigned in the COBIT 5 RACI charts?
- Do business managers take up the responsibilities as assigned in the COBIT 5 RACI charts?
- What are enablers and inhibitors for business managers to take up the responsibilities as assigned in the COBIT 5 RACI charts?
How Are Organizations Implementing Enterprise Governance of IT?
Enterprises increasingly recognize the importance of EGIT. Many organizations struggle with
implementing and embedding these governance practices into their organizations. Through case and
survey research, it will be vital to verify how organizations are adopting EGIT. Building on
organizational systems theory, COBIT 5 can be a foundation for interview and survey protocols.
Some specific questions are:
- Which COBIT 5 processes and related practices/structures are most adopted in organizations?
- Which COBIT 5 processes and related practices/structures are perceived as being most effective?
- Which COBIT 5 processes and related practices/structures are perceived as being easy/difficult to implement?
V. SUMMARY AND CONCLUSION
Over the last two decades, the role of information technology in organizations has changed
from primarily a supportive and transactional function to being an essential prerequisite for strategic
value generation. Further, while IT plays an important role in mitigating enterprise risk, information
technologies also create risks. These risks include potential monetary losses, reduction in
operational capability and, particularly important in an increasingly networked world, losses to
enterprise reputation. The increased focus on IT for value generation as well as meeting compliance
obligations in a host of industries has resulted in enhanced board and senior management attention
to IT. The early 1990s saw introduction of the term IT governance, now increasingly and
appropriately rebranded in the professional and academic literatures as the "Enterprise Governance
of IT" (EGIT).
Over a similar period, ISACA has promulgated five versions of the good practice EGIT
framework, COBIT. The IT audit community was a strong influence on the first version in 1996. It
served as a blueprint for conducting audits of IT functions. COBIT has matured and adapted to
changes in the external environment. The latest iteration, COBIT 5, includes several important
developments influenced by changes in the external environment and by new and revised
frameworks to which COBIT aligns. First, there is a distinct separation between governance and
management. The new governance domain has five processes that would be in the hands of the
board and the most senior management. Second, COBIT 5 integrates the guidance in COBIT 4, Val
IT, and Risk IT. Third, the important contribution that IT makes in achievement of organizational
goals is central to the framework. Fourth, assessment of process maturity, a core metric in COBIT,
now aligns with international standards. Fifth, responding to the challenges of adoption of
governance frameworks such as COBIT has been more directly integrated in the framework.
COBIT is a complete and overarching governance and management framework that benefits
from many years of experience and alignment with other frameworks and standards. Yet there is
little academic research that leverages COBIT as an instrument in executing research programs.
Through clearly indicating how the core elements of COBIT 5 are built on IT and general
management insights, this paper contributes to the exploration of the use of COBIT in future
research activities. A catalog of potential research questions is provided that (1) investigates COBIT
as an artifact; (2) sees the framework within an ecosystem of competing and complementary
frameworks and standards; or (3) uses it as a common measurement foundation for investigation of
some particular aspect of EGIT or cognate areas of inquiry such as IT audit and assurance. These
research questions can be a source of inspiration for researchers in this field. There are many
research opportunities on EGIT and aligned research domains. Finally and probably most
importantly, these opportunities have implications for both theory and practice.
REFERENCES
Ahern, D. M., A. Clouse, and R. Turner. 2008. CMMI Distilled: A Practical Introduction to Integrated
Process Improvement. 3rd edition. Boston, MA: Addison-Wesley.
Andreu, R., and C. Ciborra. 1996. Organizational learning and core capabilities development: The role of
IT. Journal of Strategic Information Systems 5 (2): 111–127.
Anthony, R. N. 1965. Planning and Control Systems: A Framework for Analysis. Boston, MA: Division of
Research, Graduate School of Business Administration, Harvard University.
Beer, S. 1959. Cybernetics and Management. London, U.K.: English Universities Press.
Beer, S. 1972. Brain of the Firm. London, U.K.: The Penguin Press.
Berle, A. A., and G. C. Means. 1932. The Modern Corporation and Private Property. New York, NY: The
Macmillan Company.
Boritz, J. E. 2005. IS practitioners' views on core concepts of information integrity. International Journal of
Accounting Information Systems 6 (4): 260–279.
Brown, C. 1997. Examining the emergence of hybrid IS governance solutions: Evidence from a single case
site. Information Systems Research 8 (1): 69–94.
Brynjolfsson, E. 1993. The productivity paradox of information technology. Communications of the ACM
36 (12): 66–77.
Cabinet Office. 2011. ITIL Lifecycle Suite. London, U.K.: The Stationery Office.
Chan, Y. E., S. L. Huff, D. W. Barclay, and D. G. Copeland. 1997. Business strategic orientation,
information systems strategic orientation, and strategic alignment. Information Systems Research:
ISR: A Journal of the Institute of Management Sciences 8 (2): 125–150.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control—
Integrated Framework. New York, NY: Committee of Sponsoring Organizations of the Treadway
Commission.
Cragg, P., M. Caldeira, and J. Ward. 2011. Organizational information systems competences in small and
medium-sized enterprises. Information and Management 48 (8): 353–363.
Cyert, R. M., and J. G. March. 1963. A Behavioral Theory of the Firm. Englewood Cliffs, NJ: Prentice Hall,
Inc.
Davern, M. J., and C. L. Wilkin. 2010. Towards an integrated view of IT value measurement. International
Journal of Accounting Information Systems 11 (1): 42–60.
De Haes, S., and W. Van Grembergen. 2008a. Analyzing the Relationship between IT Governance and
Business/IT Alignment Maturity. Proceedings of the 41st Hawaii International Conference on System
Sciences, Kailua-Kona, HI, Shidler College of Business, University of Hawai'i at Manoa.
De Haes, S., and W. Van Grembergen. 2008b. An exploratory study into the design of an IT governance
minimum baseline through Delphi research. Communications of AIS 22: 443–458.
De Haes, S., and W. Van Grembergen. 2009. An exploratory study into IT governance implementations and
its impact on business/IT alignment. Information Systems Management 26 (2): 123–137.
De Haes, S., and W. Van Grembergen. 2010. Analyzing the impact of enterprise governance of IT practices
on business performance. International Journal on IT/Business Alignment and Governance 1 (1): 14–
38.
De Wit, B., and R. Meyer. 2005. Strategy Synthesis: Revolving Strategy Paradoxes to Create Competitive
Advantage. London, U.K.: Cengage Learning EMEA.
Debreceny, R. S., and G. L. Gray. 2013. IT governance and process maturity: A multinational field study.
Journal of Information Systems 27 (1).
Elbashir, M. Z., P. A. Collier, and M. J. Davern. 2008. Measuring the effects of business intelligence
systems: The relationship between business process and organizational performance. International
Journal of Accounting Information Systems 9 (3): 135–153.
Feeny, D., and L. Willcocks. 1998. Core IS capabilities for exploiting information technology. Sloan
Management Review 39 (3): 9–21.
Henderson, J. C., and N. Venkatraman. 1993. Strategic alignment: Leveraging information technology for
transforming organizations. IBM Systems Journal 32 (1): 4–16.
Hu, Q., and C. D. Huang. 2006. Using the balanced scorecard to achieve sustained IT-business alignment:
A case study. Communications of AIS 17: 2–45.
Hyvönen, J. 2007. Strategy, performance measurement techniques, and information technology of the firm
and their links to organizational performance. Management Accounting Research 18 (3): 343–366.
ISACA. 2007. COBIT 4.1. Rolling Meadows, IL: ISACA.
ISACA. 2009a. Building the Business Case for COBIT and Val IT: Executive Briefing. Rolling
Meadows, IL: ISACA.
ISACA. 2009b. Implementing and Continually Improving IT Governance. Rolling Meadows, IL: ISACA.
ISACA. 2009c. The Risk IT Framework: Risk IT Based on COBIT. Rolling Meadows, IL: ISACA.
ISACA. 2010. Enterprise Value: Governance of IT Investments. The Val IT Framework 2.0. Rolling
Meadows, IL: ISACA.
ISACA. 2011a. COBIT Mapping: Overview of International IT Guidance. Rolling Meadows, IL: ISACA.
ISACA. 2011b. COBIT Process Assessment Model (PAM): Using COBIT 4.1. Rolling Meadows, IL:
ISACA.
ISACA. 2011c. Global Status Report on the Governance of Enterprise IT (GEIT)—2011. Rolling Meadows,
IL: ISACA.
ISACA. 2012a. COBIT 5 Implementation. Rolling Meadows, IL: ISACA.
ISACA. 2012b. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.
Rolling Meadows, IL: ISACA.
Information Systems Audit and Control Foundation (ISACF). 1994. Control Objectives for Information and
Related Technology: COBIT. Rolling Meadows, IL: Information Systems Audit and Control
Foundation.
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC). 2008.
ISO/IEC 38500 Corporate Governance of Information Technology. Geneva, Switzerland:
International Organization for Standardization/International Electrotechnical Commission.
IT Governance Institute (ITGI). 2000. COBIT. Rolling Meadows, IL: IT Governance Institute.
IT Governance Institute (ITGI). 2001. Board Briefing on IT Governance. Rolling Meadows, IL: IT
Governance Institute.
IT Governance Institute (ITGI). 2005. COBIT 4. Rolling Meadows, IL: IT Governance Institute.
IT Governance Institute (ITGI). 2006. IT Control Objectives for Sarbanes-Oxley: The Role of IT in the
Design and Implementation of Internal Control over Financial Reporting. 2nd Ed. Rolling Meadows,
IL: IT Governance Institute.
Ives, B., and S. L. Jarvenpaa. 1993. Organizing for global competition: The fit of information technology.
Decision Sciences 24 (3): 547–580.
Janvrin, D. J., E. A. Payne, P. Byrnes, G. P. Schneider, and M. B. Curtis. 2012. The updated COSO Internal
Control—Integrated Framework: Recommendations and opportunities for future research. Journal of
Information Systems 26 (2): 189–213.
Kaplan, R. S., and D. P. Norton. 1996. The Balanced Scorecard: Translating Strategy into Action. Boston,
MA: Harvard Business School Press.
Law, C. C. H., and E. W. T. Ngai. 2007. IT infrastructure capabilities and business process improvements:
Association with IT governance characteristics. Information Resources Management Journal 20 (4):
25–47.
Luftman, J. N. 1996. Competing in the Information Age: Strategic Alignment in Practice. Oxford, U.K.:
Oxford University Press.
March, J., and H. Simon. 1958. Organizations. New York, NY: John Wiley.
O'Connor, N. G., and M. G. Martinsons. 2006. Management of information systems: Insights from
accounting research. Information and Management 43 (8): 1014–1024.
Open Group. 2009. The Open Group Architecture Framework (TOGAF), Version 9. Zaltbommel, The
Netherlands: Van Haren Publishing.
Peterson, R. 2004. Crafting information technology governance. Information Systems Management 21 (4):
7–22.
Porter, M. E. 1979. How competitive forces shape strategy. Harvard Business Review (March-April): 137–
145.
Porter, M. E. 1985. Competitive Advantage: Creating and Sustaining Superior Performance. New York,
NY: Free Press.
Sambamurthy, V., and R. W. Zmud. 1999. Arrangements for information technology governance: A theory
of multiple contingencies. MIS Quarterly 23 (2): 261–290.
Simons, R. 1990. The role of management control systems in creating competitive advantage: New
perspectives. Accounting, Organizations and Society 15 (1/2): 127–143.
Simons, R. 2000. Performance Measurement and Control Systems for Implementing Strategy. Upper
Saddle River, NJ: Prentice Hall.
Tarafdar, M., and S. Gordon. 2007. Understanding the influence of information systems competencies on
process innovation: A resource-based view. The Journal of Strategic Information Systems 16 (4):
353–392.
Thorp, J. 2003. The Information Paradox. New York, NY: McGraw-Hill Ryerson.
Tuttle, B., and S. D. Vandervelde. 2007. An empirical examination of CobiT as an internal control
framework for information technology. International Journal of Accounting Information Systems 8
(4): 240–263.
Van Grembergen, W., and S. De Haes. 2009. Enterprise Governance of Information Technology: Achieving
Strategic Alignment and Value. New York, NY: Springer.
Van Grembergen, W., R. Saull, and S. J. De Haes. 2003. Linking the IT balanced scorecard to the business
objectives at a major Canadian financial group. Journal for Information Technology Cases and
Applications 5 (1): 23–45.
Van Grembergen, W., S. De Haes, and H. Van Brempt. 2008. Understanding How Business Goals Drive IT
Goals. Rolling Meadows, IL: ISACA.
Venkatraman, N., J. C. Henderson, and S. Oldach. 1993. Continuous strategic alignment: Exploiting
information technology capabilities for competitive success. European Management Journal 11 (2):
139–149.
Weill, P. 1990. Strategic investment in information technology: An empirical study. Information Age 12 (3):
141–147.
Weill, P. 1992. The relationship between investment in information technology and firm performance: A
study of the value-manufacturing sector. Information Systems Research 3 (4): 307–333.
Weill, P., and J. W. Ross. 2009. IT Savvy: What Top Executives Must Know to Go From Pain to Gain.
Boston, MA: Harvard Business School Press.
Wilkin, C. L., and R. H. Chenhall. 2010. A review of IT governance: A taxonomy to inform accounting
information systems. Journal of Information Systems 24 (2): 107–146.
Zarvić, N., C. Stolze, M. Boehm, and O. Thomas. 2012. Dependency-based IT governance practices in
inter-organizational collaborations: A graph-driven elaboration. International Journal of Information
Management 32 (6): 541–549.
324 De Haes, Van Grembergen, and Debreceny
Journal of Information Systems
Spring 2013
... Often the processes end by not being consistent and properly defined [Rohloff, 2008]. Plus, most of these IT frameworks overlap each other [de Haes et al., 2013]. This implies a duplication of investment, costs, and human resources for organizations [Gama et al., 2013]. ...
... As pointed out by several authors such as [Aguiar et al., 2018;Schlarman, 2007] IT frameworks can easily overlap one another. Moreover, IT frameworks are complex to understand and implement [de Haes et al., 2013;Evelina et al., 2010;Herrera, Hillegersberg, 2019;Serenko et al., 2016]. By way of response, the maturity model (MM) concept was introduced to assess the level of a process [Becker et al., 2009]. ...
... Therefore, such findings strengthen the aim and relevance of this research. It can be observed that the inquiry into the implementation of multi-frameworks and how it can be handled and measured has been financially rewarded [de Haes et al., 2013]. ...
Many different information technology frameworks have been proposed to assist organizations implementing information technology. However, these frameworks are complex, difficult to implement, and overlap with one another making their simultaneous implementation even more difficult to accomplish by organizations. This study proposes to develop an overlapless maturity model that helps organizations deal with the aforementioned problems. The model was applied and evaluated by experts at five organizations. This approach was recognized as useful, complete, and helpful in a multi-framework implementation by problem management (PM) experts. This research provides contributions for academics since it distinguishes itself from the existing studies in the body of knowledge and is a baseline for further investigation.
... Framework Cobit 2019 menjadi salah satu panduan yang dapat digunakan untuk menerapkan Teknologi Informasi untuk tata kelola Teknologi Informasi pada Institusi Teknologi Bisnis dan Dinniyah Lampung karena dapat memberikan masukan dalam membantu pengelolaan kerangka keja manajemen Teknologi Informasi Penelitian ini bertujuan menerapkan Framework Cobit 2019 untuk membangun rancangan tata kelola teknologi informasi dalam pengelolaan bisnis dan teknologi sehingga didapatkan informasi berhubungan dengan tatakelola yang telah berjalan. (Abdulrasool and Turnbull 2020;Evangelista et al. 2020;Fantini, Pinzone, and Taisch 2020;De Haes et al. 2020, 2013Haouam 2020;Majumdar, Garg, and Jain 2021;Nachrowi, Nurhadryani, and Sukoco 2020;Syuhada 2021) sehingga atas dasar penelitian penelitian sebelumnya framework cobit ini menjadi panduan untuk menerapkan tata kelola teknologi informasi. ...
- M Adie Saputra
- M Reza Redo
Berkembangnya teknologi informasi memaksa perguruan tinggi untuk dapat mengikuti dan meningkatkan sumber daya dengan teknologi informasi untuk menghadapi persaingan dan perkembangan zaman. Framework Cobit 2019 menjadi salah satu panduan yang dapat digunakan untuk menerapkan Teknologi Informasi untuk tata kelola Teknologi Informasi pada Institusi Teknologi Bisnis dan Dinniyah Lampung karena dapat memberikan masukan dalam membantu pengelolaan kerangka keja manajemen Teknologi Informasi Penelitian ini bertujuan menerapkan Framework Cobit 2019 untuk membangun rancangan tata kelola teknologi informasi dalam pengelolaan bisnis dan teknologi sehingga didapatkan informasi berhubungan dengan tatakelola yang telah berjalan.
... The authors initially refer to existing KPI frameworks such as COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library). CO-BIT is a standard defining typical objectives for an IT organisation together with related KPIs [10]. ITIL is a collection of best practices for IT management [11]. ...
- Sandra Castro
- Jürgen Jung
Enterprise Architecture Management is a well-established discipline fostering business-IT alignment and driving innovation in an organisation. It provides an extensive set of methods and tools for visualising and analysing an organisation using several perspectives. However, critical voices are increasing in recent years. A significant amount of initiatives for establishing Enterprise Architecture are not meeting expectations. Furthermore, Enterprise Architecture is often recognised as a burden to corporate stakeholders rather than providing benefits. Current research is aiming at providing a stronger focus on corporate needs while performing Enterprise Architecture work. There seems to be a shift towards collaborative and agile approaches. The paper at hand presents the results of a survey among Enterprise Architecture practitioners to understand the expected benefits from Enterprise Architecture. The results of the survey are used to develop a framework that supports measuring the success of Enterprise Architecture decisions. This framework does not only focus on specific Enterprise Architecture goals but also incorporates the impact of Enterprise Architecture Management on corporate objectives. A first version of such a framework has been specifically developed for a German logistics company. This specific framework will be the starting point for future research on a generic framework for determining EA benefits in a company.
... Dynamism in the environment denotes the unpredictability and rate of change in the environment, including the obsolescence of products and services, changes in technology, moves by rivals, and rapid changes in demands by consumers (De Haes et al., 2013). Due to the current fast-moving technology-based business environment, managers are constantly faced with uncertainty in keeping up with demands for more information as well as with the capability to process this information quickly (Bermejo, 2014). This is why, at present, having IT capability is of the utmost importance and value in this type of dynamic environment, since it enables firms to mobilize their resources quickly and effectively. ...
During the last decade, information technology (IT) has been playing a more important role for organizations in achieving their goals. Recently, information technology governance has become a critical issue for many companies in various industries. The aim of this study is to examine the extent to which external environment characteristics affect the effectiveness of IT governance as well as the performance of organizations in Malaysian manufacturing companies. Moreover, the mediating influence of effective IT governance was also tested. 357 questionnaires were used in order to conduct the analyses. Structural Equation Modeling (SEM) is used for testing the hypotheses generated from the theoretical framework of the study. The data were obtained from managers in the manufacturing industry; samples were selected from seven states of Malaysia (Selangor, Penang, Johor, Sarawak, Negeri Sembilan, Melaka, Pahang). This topic of research has considerable significance in Malaysia. A significant contribution of this study is the construction of a theoretically based model which assimilates the external environment characteristics, effective information technology governance, and organizational performance.
... Enterprise SPICE was accepted by ISO/IEC as international standard 33071 in 2016, but is rooted deeply in traditional quality management concepts developed prior to the digital era (e.g., [41]). Existing research on ITM standards often concentrates on certain subareas of ITM like IT governance (e.g., [42]) and IT service management (e.g., [43]), or even on single standards like COBIT (e.g., [44]) and ITIL (e.g., [45]). Several authors have empirically analyzed the dissemination of standards (e.g., [11,46]), often connected to questions about perceived and measured benefits after standard implementation (e.g., [45,47]). ...
- Gunnar Auth
For more than three decades, professional standards have been popular as guidance and orientation for managing IT organizations. Although major standards like ITIL and COBIT have been updated with several versions to reflect changing requirements, their basic goals, concepts, and structures remained stable over time. In recent years this situation changed, when a number of new standards appeared to support new requirements for mastering digital transformation. This study explores the evolution of ITM standards during the last 20 years by analyzing a set of 60 formal, de facto, and emerging standards. Besides the rapid increase in number and update frequency starting in 2015, a shift of goals towards agility, lean management, and innovation was found. Finally, new problems and research questions raised by this evolution are presented.
... This recent adaptation of this framework was released presenting essential highlights. One of those highlights is the advancement from COBIT 4. Such a process should be done in association to enable both business and IT staff to fulfill their responsibilities and help the business/IT course of action (see [66]). COBIT 5, the advanced equivalent of COBIT 4.1, offers a mapping apparatus that is easy to implement in order to map the strategic objectives of the association to the related IT goals, in order to accomplish the required model of governance (see [67]). ...
- Elias Jreisat
In recent times we have witnessed a renaissance of investment in the technology world through various aspects. The era of innovation and investment in information and communication technology has become sophisticated, especially in the business and economic sectors. However, one of the most valued new trends, which has been leading the market lately and is considered an outsourced service aligned with the IT department in most institutions, is called Cloud Computing. The cloud is divided into several main kinds (public cloud, hybrid cloud, and private cloud). It has become commonplace lately for many institutions to use such cloud services, considering their positive effects on various levels in any company: facilitating business processes, simplifying information storage methods, saving time and effort, and enabling the company to reduce the expenses allocated to cover the IT department's needs. However, such a choice raises the red flag of risk; therefore, in such cases we definitely need to focus on increasing the security level as well as assigning serious controls to mitigate all risks. Moreover, the concepts of IT audit and IT risk have become vital and necessary to obtain reasonable assurance that risks are mitigated, that the entire work process is under control, and that it complies with the general policies and procedures of any organization.
Abu Bakar and Tasmin (2012) indicate that competition, globalization and innovation related to the types of technology, services and products offered to customers in the banking industry affect their satisfaction and loyalty, and also enhance the institution's profitability. [1] On the other hand, Flowerday and Von Solms (2005) and Hamaker and Hutton (2004) concentrated on the utilization of IT and how it helps the institution build and maintain new governance processes. [2-3] Weidenmier and Ramamoorti (2006) stated that organizational risk could be increased by information technology; therefore, organizations have to implement controls with a view to integrated controls and process linkages on IT. [4] A large number of factors indicate the expansion of information technology, which needs environmental controls for information technology focusing on the growing demand for reducing risks and controlling IT costs. Nowadays, the control of the IT environment should be effective and designed in particular for the IT used by stakeholders. In order to face the challenges in business and achieve the goals and objectives of information technology, executives also have to ensure that they have utilized the technology with the greatest possible efficiency. [5] Nowadays, we are witnessing a dramatic era of rapid developments in some domains of the IT sector, intended to facilitate work processes and procedures. For instance, "Cloud computing is known as a type of computing that relies on sharing computing resources rather than having local servers or personal devices to handle applications. Cloud computing is comparable to grid computing, a type of computing where unused processing cycles of all computers in a network are harnessed to solve problems too intensive for any stand-alone machine" [6]. It has now become commonplace for many institutions to use Cloud Computing services.
Conversely, organizations are also increasingly exposed to various operational risks related to the use of IT, such as virus attacks, unauthorized access to data, breakdown of infrastructure, system and infrastructure contingencies, and performance problems. Such risks can be prevented efficiently by identifying, analyzing and evaluating potential IT-related operational risks. Since several financial establishments announced operational losses, there has been a growing interest in operational risk management. For instance, UBS (a Swiss multinational investment bank and financial services company) suffered an operational loss due to the fraudulent conduct of one of its traders. Another example showing the seriousness of the disturbance in the financial services industry is that, in 2008, 119 banks reported the total amounts caused by operating losses to SIGOR (the Standards Implementation Group), reporting a total of € 59.6 billion. As clarified by the previous examples, operational loss events are complicated; they vary in classification between internal and external categories, and include business interruptions caused by system breakdowns. [8] Moreover, SOX and EUROSOX are considered essential regulations to protect the financial sector from exposure to any kind of losses caused by operational risk in organizations.
It is also worth mentioning that EUROSOX was issued by the European Parliament and joined by all EU members, unlike SOX, which was regulated by the US Government in the early 2000s. [9] Therefore, all arranged security and other risks related to all business directors and boards require a technique to enhance stakeholder value and control risk, and here the concept of IT governance came out, where it is much needed since it incorporates the adoption of control structures and best practices to encourage the monitoring and enhancement of critical IT activities, in order to expand business value and diminish business risk. In 1996 ISACA issued the first version of "The Control Objectives for Information and related Technology" (COBIT), which is the answer that can apply IT governance in the enterprise. ISACA continued to develop COBIT until it reached COBIT 4.1, and the latest version was COBIT 5. [10]
... 07; ISACA, 2009c; ISACA, 2010). COBIT 5 identifies 37 IT processes spread over governance and management domains. The five governance processes are the board's responsibilities in IT, covering the setting of the governance framework, responsibilities in terms of value, risks and resources, and providing transparency regarding IT to the stakeholders. (Steven, Wim and Roger, 2013) ...
- Elias Jreisat
- M Gall
In the last decades we have witnessed a renaissance of investment in the technology world through various aspects. Consequently, audit concepts have become vital and necessary to obtain reasonable assurance that risks are mitigated, that the entire work process is under control, and that it complies with the general policies and procedures of any organization. This paper intends to shed light on IT Governance / Audit and COBIT frameworks and practices in the MENA region. A desk-based research approach was adopted, using content analysis as a research tool to assess Arabic and English literature. The paper comprises a critical literature review of previous researchers' publications, with the objective of spotlighting the IT Governance and IT Audit process frameworks and technologies used to mitigate all kinds of risks, focusing on the public, private and governmental sectors in the MENA region, conducted through desk-based research in order to analyze methods of IT governance / audit. This paper clarifies the extent of previous research contributions in measuring the level of application of several frameworks, such as IT Governance, COBIT, IT Audit and IT risk, in several sectors in the MENA region; it also illustrates the greater contribution of some countries than others to such scientific publication, showing the influence of applying such frameworks on improving institutions' growth, development, stability, competency and profitability. Finally, we suggest some recommendations for future improvements in this regard.
Purpose: With the increasing digitalization processes taking place in different industries, the success of family small and medium-sized enterprises (SMEs) appears to be more under threat than for any other types of organizations, especially when information technologies (ITs) are not adequately used and managed. To grow and increase the chances of survival, family SMEs need IT more than ever. Stemming from agency theory, the aim of this article is to understand whether family harmony impacts the performance of family SMEs and to what extent IT mediates this relationship.
Design/methodology/approach: The research follows a quantitative approach, based on a sample of 182 family SMEs. Structural equation modeling, through SmartPLS, was employed to validate the research model.
Findings: This study's main findings suggest that family harmony positively impacts firm performance and that IT governance and strategy positively mediate this relationship.
Research limitations/implications: First, the relatively limited number of respondents limits the degree of representativeness of all family SMEs. Replicating the research with a larger number of respondents could strengthen the findings. Second, this study is limited to French firms and future research could extend the findings by looking at cross-country comparisons.
Practical implications: Family SMEs are encouraged to link their IT governance with their IT strategy in order to increase their organizational performance. A favorable family harmony will make it easier to choose and implement a richer IT strategy and put in place an adequate IT governance function.
Originality/value: This research offers an enriched knowledge of the roles of family harmony and technological innovation in family SMEs and IT contexts as significant predictors of organizational performance. It contributes to family firm theory through the identification of three determinants of family SMEs' performance.
- IR. Erwin Setiawan Panjaitan
- Fandi Halim
- Darwin Siallagan
IT governance is the responsibility of the board of directors and executive management in the organization. It is an integral part of organizational governance and consists of the leadership, organizational structures and processes that ensure that the organization's IT sustains and supports the organization's strategies and objectives. IT implemented through applications or systems in the organization will provide added value to everyone who uses it, such as staff, managers and directors; therefore IT is very much needed by organizations because it can provide added value to the organization. IT is applied as a supporting instrument in the administrative process as well as to provide useful information for all stakeholders, so that it is in accordance with the goals previously set. This is to ensure that the use of information technology truly supports the expected IT goals, while also taking into account the efficient use of resources and risk management as the basis for IT governance. Keywords: COBIT 5 framework from ISACA.
This paper advances our knowledge of information systems (IS) management by applying ideas and insights from accounting. An integrative cost–benefit framework is developed and applied to four areas of research: chargeback, outsourcing, decision support, and business process re-engineering and improvement. We show that the accounting literature contributes significantly to scholarship on the management of IS.
To achieve lasting competitiveness through IT, according to the authors, companies face three enduring challenges: focusing IS efforts to support business strategies and using IT innovations to develop new, superior strategies; devising and managing effective strategies for the delivery of low-cost, high-quality IS services; and choosing the technical platform on which to mount IS services. Three strands of research - on the CIO's role and experience, the CIO's capabilities, and IS/IT outsourcing - demonstrate that businesses need nine core IS capabilities to address these challenges:
1. Leadership. Integrating IS/IT effort with business purpose and activity.
2. Business systems thinking. Envisioning the business process that technology makes possible.
3. Relationship building. Getting the business constructively engaged in IS/IT issues.
4. Architecture planning. Creating the blueprint for a technical platform that responds to current and future business needs.
5. Making technology work. Rapidly achieving technical progress - by one means or another.
6. Informed buying. Managing the IS/IT sourcing strategy that meets the interests of the business.
7. Contract facilitation. Ensuring the success of existing contracts for IS/IT services.
8. Contract monitoring. Protecting the business's contractual position, current and future.
9. Vendor development. Identifying the potential added value of IS/IT service suppliers.
IS professionals and managers need to demonstrate a changing mix of technical, business, and interpersonal skills. The authors trace the role these skills play in achieving the core IS capabilities and discuss the challenges of adapting core IS capabilities to particular organizational contexts. Their core IS capability model implies migration to a relatively small IS function, staffed by highly able people. To sustain their ability to exploit IT, the authors conclude, organizations must make the design of flexible IS arrangements a high-priority task and take an anticipatory rather than a reactive approach to that task.
In many organisations, information technology (IT) has become crucial in the support, sustainability and growth of the business. This pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT governance. IT governance consists of the leadership and organisational structures and processes that enable the required alignment between business and IT. This practice-oriented research concentrates on the IT governance practices that organisations can leverage to implement IT governance in reality. Based on literature research, pilot case research and Delphi research, this paper provides insights regarding the effectiveness and ease of implementation of IT governance practices and provides a minimum baseline of practices that organisations should at least have. Via this research, we want to contribute to new theory building and assist practitioners by providing more guidance on how IT governance can be effectively implemented.
Enterprise governance of IT is a relatively new concept that is gaining traction in both the academic and practitioner worlds. Going well beyond the implementation of a superior IT infrastructure, enterprise governance of IT is about defining and embedding processes and structures throughout the organization that enable both business and IT people to execute their responsibilities, while maximizing the value created from their IT-enabled investments. At the forefront of the field, the authors draw from years of research and advising corporate clients to present the first comprehensive resource on the topic. Featuring numerous case examples from companies around the world, the book integrates theoretical advances and empirical data with practical application, including in-depth discussion of such frameworks as COBIT and VALIT, which are used to measure and audit the value of IT investments and to ensure regulatory compliance. A variety of elements, including executive summaries and sidebars, extensive references, and questions and activities (with additional materials available on-line), ensure that the book will be an essential resource for professionals, researchers, and students alike. "At last we have a solidly research-based text on the enterprise governance of IT that successfully fuses business and IT perspectives. With its emphasis on the creation of business value, and on the use of relevant metrics, this book offers a distinctive view of these key processes. The authors, whose reputation and experience in the field is second to none, have created a guide to the strategic management of IT that will be an essential source for managers." Professor James W. Bryant, Centre for Individual & Organisational Development, Sheffield Hallam University, United Kingdom. "IT governance is a hot topic today and this book provides a wealth of practical and useful information. Regardless of whether you are concerned about compliance issues, or worried about the alignment of your IT investment with the corporate goals, this book will provide guidance to assist your efforts. As well as academic models and practice-oriented frameworks such as CobiT, Val-IT and the balanced scorecard, the volume includes recent case studies illustrating how the concepts and frameworks are applied in real-life companies. I strongly recommend this book to Corporate and IT Managers as well as MBA and IT Graduate students." Aileen Cater-Steel, Ph.D., Senior Lecturer (Information Systems), School of Information Systems, University of Southern Queensland, Australia. © Springer Science+Business Media, LLC 2009 All rights reserved.
- Carla Wilkin
- Robert H. Chenhall
This paper reviews Information Systems (IS) literature that is relevant to Information Technology Governance (ITG) and examines how it informs Accounting Information Systems (AIS). We present a taxonomy of research encompassing the focus areas identified by the IT Governance Institute (ITGI), namely Strategic Alignment (SA), Risk Management (RK), Resource Management (RM), Value Delivery (VD) and Performance Measurement (PM). Based upon 496 papers in ten IS/AIS and two Management Accounting journals over the period 1998-2008, we discuss research perspectives and identify avenues for future research. Results revealed a lack of integration between focus areas, with little about ITG as a whole.
To address the changing business environment and increased shareholder interest, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently issued an exposure draft updating its 1992 Internal Control-Integrated Framework. We review the updated Framework and discuss the comments we (as the Environmental Scanning Committee of the American Accounting Association's Information Systems Section) offered COSO regarding how to improve the Framework. In addition, we identify research opportunities for accounting information system scholars related to the new Framework.
It has been widely discussed in the management information systems (MIS) literature that the outcomes of information technologies (IT) and systems may be subject to the influence of the characteristics of the organization, including those of the IT and business leadership. This study was conducted to examine the relationships that may exist between IT infrastructure capabilities (ITC), business process improvements (BPI), and such IT governance-related constructs as the reporting relationship between the chief executive officer (CEO) and chief information officer (CIO), and senior management support of IT and BPI projects. Using a sample of 243 multinational and Hong Kong-listed firms operating in Greater China, this study yielded empirical support for the perceived achievement of capabilities in some dimensions of the IT infrastructure in the companies under study. It was found that the BPI construct was related to the reporting relationship between the CEO and CIO (CEO-CIO distance), and to the levels of senior management support. The dimensions of the ITC construct were also investigated and identified by an exploratory factor analysis (EFA). Associations were found between the selected organizational constructs and the ITC dimensions, except in two hypothesized relationships. Those between CEO-CIO distance and the ITC dimensions of data integration and training were not supported at the significance level of 0.05.
Source: https://www.researchgate.net/publication/247778781_COBIT_5_and_Enterprise_Governance_of_Information_Technology_Building_Blocks_and_Research_Opportunities