Cobit 5 Framework Free Download Pdf

COBIT, currently in its fifth edition, is a good-practice framework for the enterprise governance of IT. There is limited academic research that either analyzes COBIT or leverages COBIT as an instrument in executing research programs. Through linking core elements and principles of COBIT to insights from IT-related and general management literature, this paper explores the use of COBIT in future research activities. This paper positions COBIT as a framework for enterprise governance of IT. The major directions and core principles of the framework are described. Connections are made of these directions and principles to the relevant literature. Research questions for future research around enterprise governance of IT and COBIT 5 are proposed and discussed.

Figures - uploaded by Steven De Haes

Author content

All figure content in this area was uploaded by Steven De Haes

Content may be subject to copyright.

ResearchGate Logo

Discover the world's research

  • 20+ million members
  • 135+ million publications
  • 700k+ research projects

Join for free

JOURNAL OF INFORMATION SYSTEMS American Accounting Association

Vol. 27, No. 1 DOI: 10.2308/isys-50422

Spring 2013

pp. 307–324

COBIT 5 and Enterprise Governance of

Information Technology: Building Blocks and

Research Opportunities

Steven De Haes

Wim Van Grembergen

University of Antwerp

Roger S. Debreceny

University of Hawai'i at M

¯

anoa

ABSTRACT: COBIT, currently in its fifth edition, is a good-practice framework for the

enterprise governance of IT. There is limited academic research that either analyzes

COBIT or leverages COBIT as an instrument in executing research programs. Through

linking core elements and principles of COBIT to insights from IT-related and general

management literature, this paper explores the use of COBIT in future research

activities. This paper positions COBIT as a framework for enterprise governance of IT.

The major directions and core principles of the framework are described. Connections

are made of these directions and principles to the relevant literature. Research questions

for future research around enterprise governance of IT and COBIT 5 are proposed and

discussed.

Keywords: enterprise governance of IT; IT governance; COBIT; business/IT alignment;

balanced scorecard; organizational systems; IT controls.

I. INTRODUCTION

I

nformation technology (IT) has become crucial in the support, sustainability, and growth of

enterprises. Previously, governing boards and senior management executives could minimize

their involvement in the direction of IT, leaving most decisions to functional management. In

most sectors and industries, such attitudes are now impossible, as enterprises are increasingly

completely dependent on IT for survival and growth. These organizations also face a wide spectrum

of external threats arising from IT including abuse, cybercrime, fraud, errors, and omissions. IT has

the potential to support both existing business strategies, as well as shaping new strategies. IT

increasingly becomes not only a success factor for day-to-day operations, but also as a critical

facilitator for enhancement of competitive advantage ( Van Grembergen and De Haes 2009; Weill

We thank Miklos Vasarhelyi (editor) and two anonymous referees for their guidance on an earlier version of this

commentary.

Editor's note: Accepted by Miklos A. Vasarhelyi.

Published Online: February 2013

307

and Ross 2009). Given the centrality of IT for enterprise risk management and value generation, a

specific focus on enterprise governance of IT (EGIT) has arisen over the last two decades ( De Haes

and Van Grembergen 2008b; Thorp 2003; Wilkin and Chenhall 2010). Enterprise governance of IT

is an integral part of enterprise governance. EGIT addresses the definition and implementation of

processes, structures, and relational mechanisms in the organization that enable the board and senior

business and IT management to execute their responsibilities in support of risk and value

management ( Van Grembergen and De Haes 2009).

Enterprises are increasingly making tangible and intangible investments in improving

enterprise governance of IT. In support of this, enterprises are drawing upon the practical

relevance of generally accepted good-practice frameworks such as COBIT ( ISACA 2009a).

COBIT, now in its fifth edition, describes a set of good practices for the board and senior

operational and IT management (ISACA 2012b).

1

It sets out a set of controls over information

technology and organizes them around a logical framework of IT-related processes.

2

COBIT is

part of a suite of products including: implementation; service management and assurance

guides; low-level practices; and mapping to cognate frameworks and standards. Research

indicates that organizations are adopting COBIT in practice (Debreceny and Gray 2013; ISACA

2011c; Van Grembergen and De Haes 2009). Given COBIT's historical origins in the audit

community, there is a particular connection between the COBIT framework and the conduct of

IT assurance. However, there has been limited academic research that leverages or explores

COBIT. Many of the core principles of COBIT build on models, concepts, and theories from

the IT and general management literatures. There are, as a result, opportunities for research that

references and leverages COBIT. In this paper, we discuss how the COBIT 5 framework

embraces concepts from the professional and academic literatures and builds upon earlier

iterations of COBIT. The main contribution of this paper is that it seeks to provide directions

and challenges for undertaking research that draws upon COBIT 5. As such, a principal

objective of the paper is to narrow the gap between academic research and practice.

The paper provides an overview of the directions COBIT is taking and offers suggestions on

research that takes COBIT as its unit of analysis or as a source of models, practices, and knowledge

for the design of research. The paper proceeds as follows. In Section II, the concept of Enterprise

Governance of IT is defined in more detail. COBIT is then positioned as a framework for enterprise

governance of IT. Next, in Section III, the manner by which COBIT 5 embraces insights from the

IT and general management literature is explored. Some directions for future research around

enterprise governance of IT and COBIT are set out in Section IV. Finally, Section V brings some

concluding remarks together.

II. BACKGROUND

This section of the paper provides background on the shape of EGIT, places COBIT within the

historical development of EGIT, and describes some of the core dimensions of the COBIT approach

to IT governance.

1

The authors of this paper have been actively engaged in COBIT development over the past decade, including

membership of the COBIT Steering Committee and development teams at various times over the period.

2

A framework is a set of guiding principles and good practices that are explicitly designed to be adapted by

adopting organizations. Frameworks are distinguished from standards that are designed for monolithic adoption.

Standards are also more typically associated with certification of adopting organizations. Confusingly, some of

the '' standards'' promulgated by the International Standards Organization are essentially frameworks (e.g., ISO/

IEC 2008).

308 De Haes, Van Grembergen, and Debreceny

Journal of Information Systems

Spring 2013

Enterprise Governance of IT

The concept of IT governance has been in existence for less than two decades. In the early

1990s key strands of IT governance could be discerned in the academic literature. The first strand

studied alternative forms of organization of the IT function and the impact of those forms on

business outcomes (ITGI 2005; Ives and Jarvenpaa 1993). A second strand explored the nature and

effect of alignment between enterprise consumers of IT services ('' the business '' ) and the IT

function ( Henderson and Venkatraman 1993; Luftman 1996; Venkatraman et al. 1993). A third

strand, inspired by Porter's research on strategy and competitive advantage ( Porter 1979, 1985),

addressed links between enterprise strategy, investment in IT, and enterprise performance (Andreu

and Ciborra 1996; Chan et al. 1997; Weill 1990, 1992). This strand received considerable impetus

as researchers reacted to research by Brynjolfsson (1993) that pointed to a seeming paradox

between high levels of investment in IT and an absence of evidence on returns on that investment. It

was only in the late 1990s that articles first mentioned IT governance in the title or abstract (e.g.,

Brown 1997; Sambamurthy and Zmud 1999), although these papers mostly focused on debates

about the most effective form of IT organization. In the practitioner arena, ISACA created the IT

Governance Institute (ITGI) (www.itgi.org) in 1998 to promote the IT governance concept. As

explored in more detail shortly, the various publications of ISACA and ITGI explicitly incorporated

IT governance notions in COBIT 3 (ITGI 2000) and the board briefing on IT governance ( ITGI

2001).

Current perspectives on enterprise governance of IT see EGIT as an integral part of corporate

governance. The recent ISO/IEC Standard 38500 '' Corporate Governance of IT'' defines IT

governance as '' The system by which the current and future use of IT is directed and controlled.

Corporate governance of IT involves evaluating and directing the use of IT to support the

organization and monitoring this use to achieve plans. It includes the strategy and policies for using

IT within an organization'' (ISO/IEC 2008). Van Grembergen and De Haes (2009) define EGIT as

the '' Board overseeing the definition and implementation of processes, structures, and relational

mechanisms in the organization that enable both business and IT to execute their responsibilities in

support of business/IT alignment and the creation of business value from IT enabled investments. ''

Both definitions indicate clearly that IT governance is the responsibility of governing boards and

that execution lies with senior management.

The IT governance concept has received considerable attention in the academic literature over

the last decade. Wilkin and Chenhall (2010), in a recent survey of IT governance, establish a

taxonomy of IT governance. They see concepts of strategic alignment, performance measurement,

risk management, and value delivery as the most significant enablers of IT governance. Wilkin

and Chenhall (2010) note that broader organizational structures, business processes and

technology, and resource capabilities influence the enablers and by extension IT governance.

Wilkin and Chenhall (2010) see corporate governance as being a primary influence on the shape

of IT governance. This focus on corporate governance was in response to two directions in the

academic and professional communities. First, the increasing importance of corporate governance

in general management and the academic literature influenced research in IT governance, as did

professional guidance in the U.S. (COSO 1992) and its counterparts in other parts of the world.

The Sarbanes-Oxley Act in the U.S. in 2002 provided significant impetus to widespread adoption

of corporate governance methods in the field and a dramatic expansion in the academic literature,

along with specialist journals. Second, the increasing importance of IT in meeting enterprise goals

coupled with the inherent tension in aligning business and IT management has led to a recognition

of the importance of setting IT goals and decision rights at the governance level (i.e., governing

boards) (De Haes and Van Grembergen 2008a; Thorp 2003; Weill and Ross 2009). These forces

initiated a shift in the naming of the concept from '' IT governance'' toward '' enterprise

COBIT 5 and Enterprise Governance of Information Technology 309

Journal of Information Systems

Spring 2013

governance of IT,'' that focuses on board and senior business management involvement in

strategic and tactical directions for IT.

Origins and Positioning of COBIT

COBIT is an IT governance framework developed by ISACA. Figure 1 shows the major

milestones in the development of COBIT. The COBIT framework arose from initiatives by

members of ISACA in the financial and IT audit communities. These audit professionals confronted

increasingly automated environments. To guide their work, the initial development of COBIT was

as a framework for the execution of IT audit assignments. It was constructed around a

comprehensive set of so-called '' Control Objectives for IT Processes'' (IASCF 1994). Over

successive versions, COBIT transitioned toward a broader IT governance and management

framework with management tools including metrics, critical success factors, maturity models, and

tools for the assignment of roles and responsibilities for IT processes. COBIT 4 saw the

development of tools to align business and IT goals and their relationship with supporting IT

processes. COBIT 4 also strengthened the connection with other relevant governance frameworks

and IT frameworks and standards (ITGI 2005). More recently, COBIT was complemented with the

Val IT and Risk IT frameworks (ISACA 2009c, 2010). These addressed the IT-related business

processes and responsibilities in value creation (Val IT) and risk management (Risk IT). In each

case, Val IT and Risk IT drew key concepts and processes from COBIT and added domain-specific

guidance.

In April 2012, COBIT 5 was released, with the concept of enterprise governance of IT as a

foundation (ISACA 2012b). According to ISACA, '' COBIT 5 provides a comprehensive

framework that assists enterprises to achieve their objectives for the governance and management

of enterprise IT. COBIT 5 enables IT to be governed and managed in a holistic manner for the

whole enterprise, taking in the full end-to-end business and IT functional areas of responsibility,

considering the IT-related interests of internal and external stakeholders'' (ISACA 2012b). COBIT

5 integrates the knowledge previously dispersed over the three ISACA frameworks, viz: COBIT,

Val IT, and Risk IT (ISACA 2009c, 2010; ITGI 2005). COBIT, to some degree in the fourth edition

and more systematically in the fifth edition, covers the lifecycle of governance, strategic, and

tactical management within the IT domain. The relative roles of several general governance, IT

FIGURE 1

Timeline of COBIT Developments

310 De Haes, Van Grembergen, and Debreceny

Journal of Information Systems

Spring 2013

governance, and IT management frameworks are illustrated in Figure 2, along two dimensions: the

level of abstraction of the framework or standard and the extent to which the framework covers the

lifecycle of IT from design of governance systems through tactical IT management.

General-purpose corporate governance frameworks such as COSO are at a high degree of

abstraction and cover only issues of governance and organization. At the other end of the

continuum, standards such as TickIT (a standard for quality software development), are related only

to a particular aspect of IT. TickIT and other IT standards relate are relevant at the tactical level

within the IT function. Other well-known standards such as ITIL and CMMI relate primarily to

management rather than governance and to tactics rather than strategy (Ahern et al. 2008; Cabinet

Office 2011). In recent releases, both ITIL and CMMI have moved more toward strategy and at

least some aspects of governance.

Concepts of Control in COBIT

The concept of control in COBIT builds on the general literature of management control and

management control systems. Management control theory arose from commerce, particularly with

the development of the private corporation as enterprises grew such that ownership became

separated from management ( Berle and Means 1932), and from theories including Fayol's general

FIGURE 2

IT-Related Frameworks-Level of Abstraction and Lifecycle of IT

COBIT 5 and Enterprise Governance of Information Technology 311

Journal of Information Systems

Spring 2013

theory of management, organizational theory (Cyert and March 1963; March and Simon 1958), and

the cybernetics of Stafford Beer ( Beer 1959, 1972). Earlier views of management control were

strongly influenced by the scientific management approaches of Anthony and others (Anthony

1965) and related primarily to the acquisition and use of resources in pursuit of organizational

objectives. Later, however, management control theory gravitated more toward seeing control as a

suite of tools for achieving the strategic goals of the firm (Simons 1990, 2000). For example,

Simons sees management control as a suite of informal norms and formal processes designed to

bind organizational outcomes to organizational strategic goals.

Simons (1990, 2000) defines four types of formal systems: beliefs systems ('' formal systems

used by top managers to define, communicate, and reinforce the basic values, purpose, and

direction for the organization'' ), boundary systems ('' formal systems used by top managers to

establish explicit limits and rules that must be respected), diagnostic control systems ('' formal

feedback systems used to monitor organizational outcomes and correct deviations from preset

standards of performance'' ), and interactive control systems ('' formal systems used by top managers

to regularly and personally involve themselves in the decision activities of subordinates'').

The view of control within COBIT is broadly in line with Simons' perspective. For example,

the definition of control in COBIT 3 is '' the policies, procedures, practices, and organizational

structures designed to provide reasonable assurance that business objectives will be achieved and

that undesired events will be prevented or detected and corrected '' (ITGI 2000, 12). The concept of

a control objective is unique to COBIT. It sees the institution of control as leading to a necessary

outcome or end state. As will be discussed in next sections, the word '' control'' is not in use in

COBIT 5 and is replaced by '' good practices.'' These are in highly active and prescriptive language,

and their debt to the former COBIT control objectives assumptions is clear. These new good

practices are defined as '' a proven activity or process that has been successfully used by multiple

enterprises and has been shown to produce reliable results'' (ISACA 2012b).

III. MAJOR DIRECTIONS IN COBIT 5

This section analyzes and places in context some of the key directions taken in COBIT 5. This

provides a foundation for development of a set of research questions. First, the COBIT 5 framework

is built around five core principles: (1) meeting stakeholder needs; (2) covering the enterprise

end-to-end; (3) applying a single, integrated framework; (4) enabling a holistic approach; and (5)

separating governance from management. This section discusses each of these principles and relates

them to concepts and insights from the general management, accounting, and IT literatures. Second,

consideration of implementing COBIT now has a more central role in the framework. Third,

COBIT made significant changes in the measurement of IT process maturity, changing the concept

to process capability. This change aligns COBIT with the ISO/IEC 15504 standard. Finally,

changes in the domain and process structure of the framework are reviewed.

Meeting Stakeholder Needs: Strategic Business/IT Alignment

According to ISACA, Principle 1 (Meeting Stakeholder Needs) implies that COBIT 5 provides

all of the required processes and other enablers to support business value creation and risk

management through use of IT. This principle closely links to the notion of strategic alignment

initiated by Henderson and Venkatraman (1993). The idea behind strategic alignment between the

board, operational management, and IT is comprehensive and has been present in the COBIT

framework from the outset. However, the challenge is how organizations can achieve alignment.

The COBIT framework is large and complex. It normally will take some years for full adoption

even for a relatively small enterprise. Some of the important issues that the board and management

must address include: Which processes should be managed with COBIT? In which order should

312 De Haes, Van Grembergen, and Debreceny

Journal of Information Systems

Spring 2013

those processes be introduced and developed? How deep should the investment be in implementing

the suite of processes? The COBIT 5 development team undertook research to understand how

enterprise goals drive IT-related goals and vice versa. These research projects used in-depth

interviews in different sectors together with Delphi surveys of subject matter experts. This research

established a generic list of enterprise goals, IT-related goals, and their inter-relationship or

'' cascade.'' This cascade now constitutes the core entry point for COBIT 5. In COBIT 5, there is an

explicit assumption that organizations should commence by analyzing their business/IT alignment

state through definition of enterprise goals, linking those goals to IT-related goals and subsequently

to the IT processes within COBIT ( De Haes and Van Grembergen 2010; Van Grembergen et al.

2008).

In the goals cascade, enterprise and IT-related goals are categorized into financial, customer,

internal, and learning and growth perspectives (Figure 3). This follows the commonly accepted

dimensions of balanced scorecard analysis. Each perspective holds a number of commonly

referenced goals in organizations in that area based on earlier executed exploratory research ( Van

Grembergen et al. 2008). Next, primary (P) and secondary (S) relationships between enterprise and

IT-related goals are provided, based on experts' opinions. These relationships indicate how

enterprise goals drive IT-related goals and/or how IT-related goals support enterprise goals. As an

illustration of this cascade, Figure 4 shows that the enterprise goal of '' External compliance with

laws and regulation'' requires a primary focus (P) on the IT-related goals of '' IT compliance and

support for business compliance with external laws and regulations'' and ''security of information

and processing infrastructure.'' When adopting COBIT 5, organizations will take the weighted

importance of IT-related goals to guide them in deciding which subset of the framework's 37 IT

processes are the most important for early adoption.

Meeting Stakeholder Needs: The Balanced Scorecard

To verify whether stakeholder needs are indeed being met, a sound measurement process needs

to be established (Elbashir et al. 2008; Hyvo¨nen 2007; O'Connor and Martinsons 2006).

Traditional performance methods such as return on investment (ROI) capture the financial worth of

IT projects and systems, but reflect only a limited part of the value that can be delivered by IT

(Davern and Wilkin 2010; Van Grembergen and De Haes 2009). COBIT builds on balanced

FIGURE 3

Cascade of Enterprise Goals and IT-Related Goals

a

Source: COBIT 5.

a

P: Primary goal; S: Secondary goal.

COBIT 5 and Enterprise Governance of Information Technology 313

Journal of Information Systems

Spring 2013

scorecard concepts as developed by Kaplan and Norton (1996), and as adapted for the IT domain

(Hu and Huang 2006; Van Grembergen et al. 2003).

COBIT 5 provides outcome measures at the IT process level. Figure 5 shows an example for

the process of '' Managing Security,'' providing specific process goals and related metrics.

Consolidation of these metrics at the enterprise, IT-related, and COBIT process levels, enables

organizations to build a comprehensive scorecard for the entire IT environment. This allows

organizations to develop a measurement instrument to verify meeting of stakeholder needs.

Covering the Enterprise End-to-End

The second principle (Covering the Enterprise End- to-End) articulates that COBIT 5 covers all

functions and processes within the enterprise. COBIT 5 does not focus only on the ''IT function,''

but treats information and related technologies as assets or capabilities that need examination along

with other assets in the enterprise. This perspective aligns with Weill and Ross (2009) on the notion

FIGURE 4

Primary and Secondary IT Goals for Enterprise Goal ''External Compliance with Laws and

Regulation''

Source: COBIT 5.

a

P: Primary goal; S: Secondary goal.

FIGURE 5

Balanced Scorecard Metrics for the Security Process

Source: COBIT 5.

314 De Haes, Van Grembergen, and Debreceny

Journal of Information Systems

Spring 2013

of '' IT Savviness'' and the resource-based view and capabilities literatures (Andreu and Ciborra

1996; Feeny and Willcocks 1998; Law and Ngai 2007; Tarafdar and Gordon 2007). Weill and Ross

clarify the need for general business management to take ownership of, and accountability for,

governing the use of IT in creating value from IT-enabled business investments. In many

organizations, this implies a crucial shift in attitudes and behavior of general business and IT

management as well as the governing board. As Weill and Ross (2009) note: '' If senior managers do

not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical

initiatives with no clear impact on organizational capabilities. IT becomes a liability instead of a

strategic asset.''

Related to this discussion, COBIT 5 encompasses both IT processes and IT-related business

processes. Collaboration and reciprocal relationships and task dependencies between business

management, IT management, and external parties is an important element of IT governance (Cragg

et al. 2011; Zarvi

c et al. 2012). COBIT 5 provides RACI charts (Responsible, Accountable,

Consulted, Informed) in which both business and IT roles are included. To illustrate this, Figure 6

provides an example RACI chart for the process '' Manage Service Agreements.'' This RACI chart

indicates that for the SLA process, both business and IT functions have primary (P) and secondary

(S) accountabilities and responsibilities.

Applying a Single, Integrated Framework: COBIT, Risk IT, and Val IT

Principle 3 (Applying a Single, Integrated Framework) explains that COBIT 5 aligns at a high

level with other relevant standards and frameworks. It can thus serve as the overarching framework

for governance and management of enterprise IT. COBIT 5 integrates all of the previous ISACA IT

FIGURE 6

End-to-End Responsibility in Managing Service Agreements

Source: COBIT 5.

COBIT 5 and Enterprise Governance of Information Technology 315

Journal of Information Systems

Spring 2013

governance materials in COBIT 4, Val IT, and Risk IT ( ISACA 2007, 2009c, 2010). In this

overarching approach, COBIT identifies 37 IT processes spread over governance and management

domains. The five governance processes are the board's responsibilities in IT covering the setting of

the governance framework, responsibilities in terms of value (e.g., investment criteria), risks (e.g.,

risk appetite), resources (e.g., resource optimization), and providing transparency regarding IT to

the stakeholders. We return to governance later in this section. In the management domain, there are

four subdomains: '' Align, Plan, and Organize '' (APO); '' Build, Acquire and Implement'' (BAI);

'' Deliver, Service, and Support '' (DSS); and '' Monitor, Evaluate and Assess '' (MEA). The domain

APO concerns the identification of how IT can best contribute to the achievement of business

objectives. A management framework is required and specific processes related to the IT strategy

and tactics, enterprise architecture, innovation, and portfolio management. Other important

processes in this domain address the management of budgets and costs, human resources,

relationships, service agreements, suppliers, quality, risk, and security.

The domain BAI makes the IT strategy concrete through identifying, in detail, the requirements

for IT and managing the investment program and projects. This domain further considers managing

capacity, organizational change, IT changes, acceptance and transitioning, knowledge, assets, and

configurations. The domain Delivery, Service and Support (DSS) refers to the actual delivery of

required IT services. It contains processes on managing operations, service requests and incidents,

problems, continuity, security services, and business process controls. The fourth management

domain, MEA, includes those processes that are responsible for the quality assessment in

compliance with the control requirements for all previously mentioned processes. It addresses

performance management, monitoring of internal control, and regulatory compliance ( ISACA

2012b).

COBIT 5 emphasizes the requirement of general business management being accountable for

managing IT. Processes that address specific business roles are APO3: Manage Enterprise

Architecture, APO4: Manage Innovation, and BAI05: Manage Organizational Change. A specific

process on business process controls (application controls) is included ('' DSS06: Manage Business

Process Controls'' ).

Enabling a Holistic Approach: Organizational Systems

The fourth principle (Enabling a Holistic Approach) explains that efficient and effective

implementation of governance and management of enterprise IT requires a holistic approach. This

approach takes into account several interacting components: processes, organizational structures,

and human resources. This implementation challenge is related to what is described in the strategic

management literature as the need for an organizational system, i.e., '' the way a firm gets its people

to work together to carry out the business'' ( De Wit and Meyer 2005 ). Such an organizational

system requires the definition and application of structures (e.g., organizational units and functions)

and processes (to ensure tasks are coordinated and integrated), and attention to people and relational

aspects (e.g., culture, values, joint beliefs).

Peterson (2004) and De Haes and Van Grembergen (2009) have applied this organizational

system theory to EGIT. Organizations can and are deploying EGIT by using a mixture of various

structures, processes, and relational mechanisms. EGIT structures include organizational units and

roles responsible for making IT decisions and for enabling contacts between business and IT

management decision-making functions (e.g., IT steering committees). EGIT processes refer to the

formalization and institutionalization of strategic IT decision making and IT monitoring procedures,

to ensure that day-to-day outcomes are consistent with policies and provide a feedback loop (e.g.,

IT balanced scorecard). These relational mechanisms are ultimately about the active participation

316 De Haes, Van Grembergen, and Debreceny

Journal of Information Systems

Spring 2013

of, and collaborative relationship among the board, senior corporate executives, IT management,

and business management.

COBIT 5 builds on these insights and incorporates formal discussion on so-called '' Enablers''

in its framework. These are factors that, individually and collectively, influence whether something

will work—in this case, governance and management over enterprise IT. The framework describes

seven categories of enablers, of which the '' processes,'' ''organizational structures,'' and '' culture,

behavior, and ethics'' closely relate to the organizational systems concept.

Separating Governance from Management

Finally, Principle 5 is about the distinction COBIT 5 makes between governance and

management. This draws heavily on the guidance in the ISO/IEC standard on '' Corporate

Governance of IT'' (ISO 38500) ( ISO/IEC 2008) and general governance frameworks such as

COSO. There were governance elements within earlier versions of COBIT but they were mixed in

with management aspects. In COBIT 5, the organization of governance processes follows the EDM

model ('' Evaluate—Direct—Monitor'' ) as set out in ISO 38500. IT governance processes are the

responsibility of the board of directors and ensure that enterprise objectives are achieved by

evaluating stakeholder needs; setting direction through prioritization and decision making; and

monitoring performance, compliance, and progress against plans. Based on these governance

activities, business and IT management plans, builds, runs, and monitors activities (a COBIT

translation of Deming's PDCA circle Plan, Do, Check, Act) in alignment with the direction set by

the governance body to achieve enterprise objectives.

Implementing Enterprise Governance of IT

Another important change in COBIT 5 is close attention to the challenges of implementing

EGIT within the enterprise. ISACA had previously provided systematic guidance on implementing

IT governance (ISACA 2009a, 2009b) but this guidance was separate from the core COBIT

framework. As a result, the adopting organizations often overlooked the considerable challenges of

implementation of COBIT. The guidance on implementation has been updated ( ISACA 2012a) but

now, however, the core messages from this guidance are incorporated into the COBIT framework.

The guidance sets out a seven-stage lifecycle for implementing EGIT, from EGIT program

initiation to review of effectiveness and sustaining the implementation. Core messages from the

guidance include the need to build an appropriate environment for the changes involved in

implementing EGIT, and recognizing the critical importance of building a realistic business case for

undertaking EGIT.

Process Maturity and Process Capability

Process maturity has been a core component of COBIT for more than a decade. Determining

the level of process maturity for given processes allows organizations to determine which processes

are essentially under control and those that represent potential management challenges ( Weill

1992). Assessment of process maturity is arguably a necessary condition for implementation of

EGIT. The concept of process maturity in earlier versions of COBIT was adopted and adapted from

the Software Engineering Institute's Capability Maturity Model (Debreceny and Gray 2013). In

COBIT 5, process maturity has been replaced by the concept of process capability ( ISACA 2011b),

based on the ISO/IEC 15504 (SPICE) standard '' Information Technology—Process Assessment.''

A benefit of this assessment model is the improved focus on confirming that a given process is

actually achieving its purpose and delivering the required outcomes as expected. Indeed, a

requirement to meet level one of the five-level maturity model under COBIT 5 is that the

COBIT 5 and Enterprise Governance of Information Technology 317

Journal of Information Systems

Spring 2013

'' implemented process achieves its process purpose'' and at level two, the process is '' implemented

in a managed fashion (planned, monitored, and adjusted), and its work products are appropriately

established, controlled, and maintained.'' These can be challenging for organizations to demonstrate

and, as a result, process maturity levels under the new assessment model will be considerably lower

than under the earlier CMM-based process maturity model in COBIT 4. This may present some

implementation challenges.

IV. COBIT 5 AND RESEARCH OPPORTUNITIES

This section builds on the previous sections that sought to develop an understanding of core

principles and concepts in COBIT 5 to explore potential new research opportunities. Wilkin and

Chenhall (2010) set out some 20 research questions across various domains in their IT governance

taxonomy (strategic alignment, value delivery, risk management, resource management, and

performance measurement). Our objective is to complement Wilkin and Chenhall by pointing to

research that (1) investigates COBIT as an artifact; (2) sees COBIT within an ecosystem of

competing and complementary frameworks and standards; or (3) uses COBIT as a common

measurement foundation for investigation of some particular aspect of EGIT or cognate areas of

inquiry such as IT audit and assurance.

Researching COBIT as an Artifact

COBIT and its associated suite of products is a large, multifaceted, and complex set of

guidance. The content in COBIT is considerably more complex than COSO or the high-level

frameworks such as ISO/IEC 38500. COBIT is systematically designed to encompass the complete

investment lifecycle, with both governance and management aspects. This complexity gives rise to

the need for research on COBIT as an artifact.

The Quality and Consistency of COBIT as an Artifact

There is a need to investigate COBIT's intellectual foundations, design, applicability, and

internal consistency, or lack thereof. For example, COBIT 5 integrates three significant but related

frameworks covering IT governance and management (COBIT), value generation (Val IT), and risk

management (Risk IT). This integration is a major undertaking and the success of this integration is

not yet clear. An example of research on COBIT as an artifact is Boritz (2005), who considered

notions of information integrity in COBIT, other practice frameworks, and the academic literature.

Boritz (2005), after surveying practitioners, concluded that the way information attributes and

information integrity were established in COBIT should be significantly modified to incorporate

information. The Boritz study is the only research that systematically investigates the design of any

aspect of COBIT. There is a clear need for additional research.

The Association between Prescription and Real-World Conditions

COBIT and other similar frameworks are drawn from good practice in the field and are

essentially prescriptive. The quality of this prescription is only as good as the process of

identification of good practice. The various iterations of COBIT are based on (1) original research,

(2) widespread use of experts in workshops and workgroups, and (3) input from cognate standards

and frameworks. This approach is, necessarily, only a partial sampling of real-world conditions.

Tuttle and Vandervelde (2007) research the applicability of COBIT 3 as an internal control

framework for the financial statement audit and find that COBIT can be employed in this manner.

There is a need for research to understand the relationship between COBIT's prescriptions and real-

world conditions.

318 De Haes, Van Grembergen, and Debreceny

Journal of Information Systems

Spring 2013

COBIT as a Framework

COBIT is a framework rather than a standard and, as a result, is designed to be adapted by

adopting organizations. Yet, little is known as to which components of the framework are necessary

to be retained in order for adoption to still be effective. This applies both horizontally (choice of

processes) and vertically (components including process capability, RACI charts, etc.). For example:

Could it be feasible to adopt COBIT with only the five processes at the governance layer,

shorn of RACI charts, process capability modeling, and other core COBIT attributes?

Could COBIT be used only by the board and audit committee and still be functional?

Researching COBIT within an Ecosystem of Competing and Complementary Frameworks

A core principle of the design of COBIT 5 is to align systematically with cognate frameworks

and standards. These include governance frameworks of higher abstraction (e.g., ISO/IEC 2008)

and more specific frameworks that are positioned at the level of IT-related management (e.g.,

TOGAF [Open Group 2009]). Understanding how COBIT operates in an ecosystem of competing

and collaborating frameworks is an important area of research.

The Relationship between COBIT, COSO, ISO/IEC 38500, and Other Governance Frameworks

ISACA has made a major investment over the years in mapping COBIT to other frameworks,

with detailed mappings of COBIT 4 to ten other frameworks including COSO, ITIL, PMBOK, and

TOGAF ( ISACA 2011a). There is no academic research about the inter-operation of these

relationships. Questions include:

How does an enterprise manage multiple frameworks and standards?

How do enterprises measure and manage performance across multiple frameworks and

standards?

The Board of Directors Involvement in Enterprise Governance of IT

As we discuss above, there is strong influence upon COBIT from general governance

frameworks, including the COSO internal control framework, and from ISO/IEC 38500. COBIT 5

clearly distinguishes between governance and management. Limited research is available on how

boards are taking up responsibility for governing and monitoring IT. From analysis of annual

reports and Management's Discussion and Analyses (MD&As), or through case, field study, or

survey research, it would be interesting to understand whether the board is taking up the five areas

of responsibility as discussed in COBIT:

Which of the five governance processes are really taken up by boards?

What are boards reporting on their IT governance roles in the annual report?

What is the relationship between boards' involvement and IT governance performance?

COBIT 5 and the Audit of Internal Controls

In the U.S. context, the Sarbanes-Oxley Act requires that SEC registrants certify whether there

are material weaknesses in internal control, as lined up against a control framework. Larger

registrants must have their internal controls audited. While the Sarbanes-Oxley Act does not

mandate a single internal control framework, effectively all registrants choose the COSO

framework. The COSO framework includes some limited commentary on the role of information

technology in maintaining internal controls and the exposure draft for a revised version of COSO

makes this link even stronger (Janvrin et al. 2012). It is now seven years since a customized version

COBIT 5 and Enterprise Governance of Information Technology 319

Journal of Information Systems

Spring 2013

of COBIT for IT control objectives under the Sarbanes-Oxley act was promulgated by ISACA

(ITGI 2006). Research questions include:

What role does COBIT play in support of internal and external audit programs?

COSO makes explicit mention of application controls. Business application controls are now

more central in COBIT 5. To what extent does the guidance on business application controls

in both COBIT and COSO correlate? What are the practical applications and use of this

guidance?

COBIT as a Common Measurement Foundation

COBIT provides good practice guidance for the complete lifecycle of IT investment. It comes

with a suite of management tools together with supporting guidance. COBIT offers, then, a

foundation for measurement of a wide variety research on EGIT. Debreceny and Gray (2013) draw

explicitly on the IT processes and process maturity components of COBIT 4 in a large international

field study. Similar research can allow us to both understand the EGIT landscape and validate the

design of COBIT.

Alignment of Enterprise and IT-Related Goals

The concept of business/IT alignment is not new, but it is still high on the agenda of many

organizations. Building on the strategic alignment model of Henderson and Venkatraman (1993) and

original research ( Van Grembergen et al. 2008), COBIT provides an approach on how to define

enterprise goals and IT-related goals. It will be important to understand how robust this relationship

is. Case study research could reveal whether organizations are clearly articulating enterprise goals and

IT-related goals, and the degree to which these goals are symbiotic. Specific questions can include:

Are businesses clearly articulating their priorities to IT?

Is IT pro-actively engaged in the business strategic discussion?

Is the business involved in defining the IT-related goals?

How Do Organizations Measure the Performance of IT?

Measuring the value of IT is a complex challenge. As COBIT leverages the balanced scorecard

insights, it provides a reference to build conceptual measurement frameworks for IT as a whole or

for specific processes of IT. Research projects could work on building such conceptual frameworks

based on COBIT, and then validate whether such measurements instruments are in use and

optimized based on empirical findings. Examples of specific questions are:

Are organizations using COBIT to build balanced scorecards?

Are the metrics in COBIT 5 usable for practice?

How are enterprises organizing the performance management process?

How Involved Is the Business in Enterprise Governance of IT?

There is an emphasis in COBIT 5 on establishing end-to-end responsibilities in governing and

managing IT assets and capabilities. The RACI charts in COBIT 5 provide usable templates for

analysis of whether general business management is taking up their IT-related responsibilities.

Research questions include:

Are business managers aware of the responsibilities as assigned in the COBIT 5 RACI

charts?

Do business managers take up the responsibilities as assigned in the COBIT 5 RACI charts?

320 De Haes, Van Grembergen, and Debreceny

Journal of Information Systems

Spring 2013

What are enablers and inhibitors for business managers to take up the responsibilities as

assigned in the COBIT 5 RACI charts?

How Are Organizations Implementing Enterprise Governance of IT?

Enterprises increasingly recognize the importance of EGIT. Many organizations struggle with

implementing and embedding these governance practices into their organizations. Through case and

survey research, it will be vital to verify how organizations are adopting EGIT. Building on

organizational systems theory, COBIT 5 can be a foundation for interview and survey protocols.

Some specific questions are:

Which COBIT 5 processes and related practices/structures are most adopted in

organizations?

Which COBIT 5 processes and related practices/structures are perceived as being most

effective?

Which COBIT 5 processes and related practices/structures are perceived as being easy/

difficult to implement?

V. SUMMARY AND CONCLUSION

Over the last two decades, the role of information technology in organizations has changed

from primarily a supportive and transactional function to being an essential prerequisite for strategic

value generation. Further, while IT plays an important role in mitigating enterprise risk, information

technologies also create risks. These risks include potential monetary losses, reduction in

operational capability and, particularly important in an increasingly networked world, losses to

enterprise reputation. The increased focus on IT for value generation as well as meeting compliance

obligations in a host of industries has resulted in enhanced board and senior management attention

to IT. The early 1990s saw introduction of the term IT governance, now increasingly and

appropriately rebranded in the professional and academic literatures as the '' Enterprise Governance

of IT'' (EGIT).

Over a similar period, ISACA has promulgated five versions of the good practice EGIT

framework, COBIT. The IT audit community was a strong influence on the first version in 1996. It

served as a blueprint for conducting audits of IT functions. COBIT has matured and adapted to

changes in the external environment. The latest iteration, COBIT 5, includes several important

developments influenced by changes in the external environment and by new and revised

frameworks to which COBIT aligns. First, there is a distinct separation between governance and

management. The new governance domain has five processes that would be in the hands of the

board and the most senior management. Second, COBIT 5 integrates the guidance in COBIT 4, Val

IT, and Risk IT. Third, the important contribution that IT makes in achievement of organizational

goals is central to the framework. Fourth, assessment of process maturity, a core metric in COBIT,

now aligns with international standards. Fifth, responding to the challenges of adoption of

governance frameworks such as COBIT has been more directly integrated in the framework.

COBIT is a complete and overarching governance and management framework that benefits

from many years of experience and alignment with other frameworks and standards. Yet there is

little academic research that leverages COBIT as an instrument in executing research programs.

Through clearly indicating how the core elements of COBIT 5 are built on IT and general

management insights, this paper contributes to the exploration of the use of COBIT in future

research activities. A catalog of potential research questions is provided that (1) investigates COBIT

as an artifact; (2) sees the framework within an ecosystem of competing and complementary

frameworks and standards; or (3) uses it as a common measurement foundation for investigation of

COBIT 5 and Enterprise Governance of Information Technology 321

Journal of Information Systems

Spring 2013

some particular aspect of EGIT or cognate areas of inquiry such as IT audit and assurance. These

research questions can be a source of inspiration for researchers in this field. There are many

research opportunities on EGIT and aligned research domains. Finally and probably most

importantly, these opportunities have implications for both theory and practice.

REFERENCES

Ahern, D. M., A. Clouse, and R. Turner. 2008. CMMI Distilled: A Practical Introduction to Integrated

Process Improvement. 3rd edition. Boston, MA: Addison-Wesley.

Andreu, R., and C. Ciborra. 1996. Organizational learning and core capabilities development: The role of

IT. Journal of Strategic Information Systems 5 (2): 111–127.

Anthony, R. N. 1965. Planning and Control Systems: A Framework for Analysis. Boston, MA: Division of

Research, Graduate School of Business Administration, Harvard University.

Beer, S. 1959. Cybernetics and Management. London, U.K.: English Universities Press.

Beer, S. 1972. Brain of the Firm. London, U.K.: The Penguin Press.

Berle, A. A., and G. C. Means. 1932. The Modern Corporation and Private Property. New York, NY: The

Macmillan Company.

Boritz, J. E. 2005. IS practitioners' views on core concepts of information integrity. International Journal of

Accounting Information Systems 6 (4): 260–279.

Brown, C. 1997. Examining the emergence of hybrid IS governance solutions: Evidence from a single case

site. Information Systems Research 8 (1): 69–94.

Brynjolfsson, E. 1993. The productivity paradox of information technology. Communications of the ACM

36 (12): 66–77.

Cabinet Office. 2011. ITIL Lifecycle Suite. London, U.K.: The Stationery Office.

Chan, Y. E., S. L. Huff, D. W. Barclay, and D. G. Copeland. 1997. Business strategic orientation,

information systems strategic orientation, and strategic alignment. Information Systems Research:

ISR: A Journal of the Institute of Management Sciences 8 (2): 125–150.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control—

Integrated Framework. New York, NY: Committee of Sponsoring Organizations of the Treadway

Commission.

Cragg, P., M. Caldeira, and J. Ward. 2011. Organizational information systems competences in small and

medium-sized enterprises. Information and Management 48 (8): 353–363.

Cyert, R. M., and J. G. March. 1963. A Behavioral Theory of the Firm. Englewood Cliffs, NJ: Prentice Hall,

Inc.

Davern, M. J., and C. L. Wilkin. 2010. Towards an integrated view of IT value measurement. International

Journal of Accounting Information Systems 11 (1): 42–60.

De Haes, S., and W. Van Grembergen. 2008a. Analyzing the Relationship between IT Governance and

Business/IT Alignment Maturity. Proceedings of the 41st Hawaii International Conference on System

Sciences, Kailua-Kona, HI, Shidler College of Business, University of Hawai'i at Manoa.

De Haes, S., and W. Van Grembergen. 2008b. An exploratory study into the design of an IT governance

minimum baseline through Delphi research. Communications of AIS 22: 443–458.

De Haes, S., and W. Van Grembergen. 2009. An exploratory study into IT governance implementations and

its impact on business/IT alignment. Information Systems Management 26 (2): 123–137.

De Haes, S., and W. Van Grembergen. 2010. Analyzing the impact of enterprise governance of IT practices

on business performance. International Journal on IT/Business Alignment and Governance 1 (1): 14–

38.

De Wit, B., and R. Meyer. 2005. Strategy Synthesis: Revolving Strategy Paradoxes to Create Competitive

Advantage. London, U.K.: Cengage Learning EMEA.

Debreceny, R. S., and G. L. Gray. 2013. IT governance and process maturity: A multinational field study.

Journal of Information Systems 27 (1).

322 De Haes, Van Grembergen, and Debreceny

Journal of Information Systems

Spring 2013

Elbashir, M. Z., P. A. Collier, and M. J. Davern. 2008. Measuring the effects of business intelligence

systems: The relationship between business process and organizational performance. International

Journal of Accounting Information Systems 9 (3): 135–153.

Feeny, D., and L. Willcocks. 1998. Core IS capabilities for exploiting information technology. Sloan

Management Review 39 (3): 9–21.

Henderson, J. C., and N. Venkatraman. 1993. Strategic alignment: Leveraging information technology for

transforming organizations. IBM Systems Journal 32 (1): 4–16.

Hu, Q., and C. D. Huang. 2006. Using the balanced scorecard to achieve sustained IT-business alignment:

A case study. Communications of AIS 17: 2–45.

Hyvo¨nen, J. 2007. Strategy, performance measurement techniques, and information technology of the firm

and their links to organizational performance. Management Accounting Research 18 (3): 343–366.

ISACA. 2007. COBIT

t

4.1. Rolling Meadows, IL: ISACA.

ISACA. 2009a. Building the Business Case for COBIT

t

and Val ITe: Executive Briefing. Rolling

Meadows, IL: ISACA.

ISACA. 2009b. Implementing and Continually Improving IT Governance. Rolling Meadows, IL: ISACA.

ISACA. 2009c. The Risk IT Framework: Risk IT Based on COBIT. Rolling Meadows, IL: ISACA.

ISACA. 2010. Enterprise Value: Governance of IT Investments. The Val IT Framework 2.0. Rolling

Meadows, IL: ISACA.

ISACA. 2011a. COBIT Mapping: Overview of International IT Guidance. Rolling Meadows, IL: ISACA.

ISACA. 2011b. COBIT

t

Process Assessment Model (PAM): Using COBIT

t

4.1. Rolling Meadows, IL:

ISACA.

ISACA. 2011c. Global Status Report on the Governance of Enterprise IT (GEIT)—2011. Rolling Meadows,

IL: ISACA.

ISACA. 2012a. COBIT 5 Implementation. Rolling Meadows, IL: ISACA.

ISACA. 2012b. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.

Rolling Meadows, IL: ISACA.

Information Systems Audit and Control Foundation (IASCF). 1994. Control Objectives for Information and

Related Technology: COBIT . Rolling Meadows, IL: Information Systems Audit and Control

Foundation.

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC). 2008.

ISO/IEC 38500 Corporate Governance of Information Technology. Geneva, Switzerland:

International Organization for Standardization/International Electrotechnical Commission.

IT Governance Institute (ITGI). 2000. COBIT. Rolling Meadows, IL: IT Governance Institute.

IT Governance Institute (ITGI). 2001. Board Briefing on IT Governance. Rolling Meadows, IL: IT

Governance Institute.

IT Governance Institute (ITGI). 2005. COBIT

t

4. Rolling Meadows, IL: IT Governance Institute.

IT Governance Institute (ITGI). 2006. IT Control Objectives for Sarbanes-Oxley: The Role of IT in the

Design and Implementation of Internal Control over Financial Reporting. 2nd Ed. Rolling Meadows,

IL: IT Governance Institute.

Ives, B., and S. L. Jarvenpaa. 1993. Organizing for global competition: The fit of information technology.

Decision Sciences 24 (3): 547–580.

Janvrin, D. J., E. A. Payne, P. Byrnes, G. P. Schneider, and M. B. Curtis. 2012. The updated COSO Internal

Control—Integrated Framework: Recommendations and opportunities for future research. Journal of

Information Systems 26 (2): 189–213.

Kaplan, R. S., and D. P. Norton. 1996. The Balanced Scorecard: Translating Strategy into Action. Boston,

MA: Harvard Business School Press.

Law, C. C. H., and E. W. T. Ngai. 2007. IT infrastructure capabilities and business process improvements:

Association with IT governance characteristics. Information Resources Management Journal 20 (4):

25–47.

Luftman, J. N. 1996. Competing in the Information Age: Strategic Alignment in Practice. Oxford, U.K.:

Oxford University Press.

March, J., and H. Simon. 1958. Organizations. New York, NY: John Wiley.

COBIT 5 and Enterprise Governance of Information Technology 323

Journal of Information Systems

Spring 2013

O'Connor, N. G., and M. G. Martinsons. 2006. Management of information systems: Insights from

accounting research. Information and Management 43 (8): 1014–1024.

Open Group. 2009. The Open Group Architecture Framework (TOGAF), Version 9. Zaltbommel, The

Netherlands: Van Haren Publishing.

Peterson, R. 2004. Crafting information technology governance. Information Systems Management 21 (4):

7–22.

Porter, M. E. 1979. How competitive forces shape strategy. Harvard Business Review (March-April): 137–

145.

Porter, M. E. 1985. Competitive Advantage: Creating and Sustaining Superior Performance. New York,

NY: Free Press.

Sambamurthy, V., and R. W. Zmud. 1999. Arrangements for information technology governance: A theory

of multiple contingencies. MIS Quarterly 23 (2): 261–290.

Simons, R. 1990. The role of management control systems in creating competitive advantage: New

perspectives. Accounting, Organizations and Society 15 (1/2): 127–143.

Simons, R. 2000. Performance Measurement and Control Systems for Implementing Strategy. Upper

Saddle River, NJ: Prentice Hall.

Tarafdar, M., and S. Gordon. 2007. Understanding the influence of information systems competencies on

process innovation: A resource-based view. The Journal of Strategic Information Systems 16 (4):

353–392.

Thorp, J. 2003. The Information Paradox. New York, NY: McGraw-Hill Ryerson.

Tuttle, B., and S. D. Vandervelde. 2007. An empirical examination of CobiT as an internal control

framework for information technology. International Journal of Accounting Information Systems 8

(4): 240–263.

Van Grembergen, W., and S. De Haes. 2009. Enterprise Governance of Information Technology: Achieving

Strategic Alignment and Value. New York, NY: Springer.

Van Grembergen, W., R. Saull, and S. J. De Haes. 2003. Linking the IT balanced scorecard to the business

objectives at a major Canadian financial group. Journal for Information Technology Cases and

Applications 5 (1): 23–45.

Van Grembergen, W., S. De Haes, and H. Van Brempt. 2008. Understanding How Business Goals Drive IT

Goals. Rolling Meadows, IL: ISACA.

Venkatraman, N., J. C. Henderson, and S. Oldach. 1993. Continuous strategic alignment: Exploiting

information technology capabilities for competitive success. European Management Journal 11 (2):

139–149.

Weill, P. 1990. Strategic investment in information technology: An empirical study. Information Age 12 (3):

141–147.

Weill, P. 1992. The relationship between investment in information technology and firm performance: A

study of the value-manufacturing sector. Information Systems Research 3 (4): 307–333.

Weill, P., and J. W. Ross. 2009. IT Savvy: What Top Executives Must Know to Go From Pain to Gain.

Boston, MA: Harvard Business School Press.

Wilkin, C. L., and R. H. Chenhall. 2010. A review of IT governance: A taxonomy to inform accounting

information systems. Journal of Information Systems 24 (2): 107–146.

Zarvi

c, N., C. Stolze, M. Boehm, and O. Thomas. 2012. Dependency-based IT governance practices in

inter-organizational collaborations: A graph-driven elaboration. International Journal of Information

Management 32 (6): 541–549.

324 De Haes, Van Grembergen, and Debreceny

Journal of Information Systems

Spring 2013

... Often the processes end by not being consistent and properly defined [Rohloff, 2008]. Plus, most of these IT frameworks overlap each other [de Haes et al., 2013]. This implies a duplication of investment, costs, and human resources for organizations [Gama et al., 2013]. ...

... As pointed out by several authors such as [Aguiar et al., 2018;Schlarman, 2007] IT frameworks can easily overlap one another. Moreover, IT frameworks are complex to understand and implement [de Haes et al., 2013;Evelina et al., 2010;Herrera, Hillegersberg, 2019;Serenko et al., 2016]. By way of response, the maturity model (MM) concept was introduced to assess the level of a process [Becker et al., 2009]. ...

... Therefore, such findings strengthen the aim and relevance of this research. It can be observed that the inquiry into the implementation of multi-frameworks and how it can be handled and measured has been financially rewarded [de Haes et al., 2013]. ...

Many different information technology frameworks have been proposed to assist organizations implementing information technology. However, these frameworks are complex, difficult to implement, and overlap with one another making their simultaneous implementation even more difficult to accomplish by organizations. This study proposes to develop an overlapless maturity model that helps organizations deal with the aforementioned problems. The model was applied and evaluated by experts at five organizations. This approach was recognized as useful, complete, and helpful in a multi-framework implementation by problem management (PM) experts. This research provides contributions for academics since it distinguishes itself from the existing studies in the body of knowledge and is a baseline for further investigation.

... Framework Cobit 2019 menjadi salah satu panduan yang dapat digunakan untuk menerapkan Teknologi Informasi untuk tata kelola Teknologi Informasi pada Institusi Teknologi Bisnis dan Dinniyah Lampung karena dapat memberikan masukan dalam membantu pengelolaan kerangka keja manajemen Teknologi Informasi Penelitian ini bertujuan menerapkan Framework Cobit 2019 untuk membangun rancangan tata kelola teknologi informasi dalam pengelolaan bisnis dan teknologi sehingga didapatkan informasi berhubungan dengan tatakelola yang telah berjalan. (Abdulrasool and Turnbull 2020;Evangelista et al. 2020;Fantini, Pinzone, and Taisch 2020;De Haes et al. 2020, 2013Haouam 2020;Majumdar, Garg, and Jain 2021;Nachrowi, Nurhadryani, and Sukoco 2020;Syuhada 2021) sehingga atas dasar penelitian penelitian sebelumnya framework cobit ini menjadi panduan untuk menerapkan tata kelola teknologi informasi. ...

  • M Adie Saputra
  • M Reza Redo

Berkembangnya teknologi informasi memaksa perguruan tinggi untuk dapat mengikuti dan meningkatkan sumber daya dengan teknologi informasi untuk menghadapi persaingan dan perkembangan zaman. Framework Cobit 2019 menjadi salah satu panduan yang dapat digunakan untuk menerapkan Teknologi Informasi untuk tata kelola Teknologi Informasi pada Institusi Teknologi Bisnis dan Dinniyah Lampung karena dapat memberikan masukan dalam membantu pengelolaan kerangka keja manajemen Teknologi Informasi Penelitian ini bertujuan menerapkan Framework Cobit 2019 untuk membangun rancangan tata kelola teknologi informasi dalam pengelolaan bisnis dan teknologi sehingga didapatkan informasi berhubungan dengan tatakelola yang telah berjalan.

... The authors initially refer to existing KPI frameworks such as COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library). CO-BIT is a standard defining typical objectives for an IT organisation together with related KPIs [10]. ITIL is a collection of best practices for IT management [11]. ...

  • Sandra Castro
  • Jürgen Jung Jürgen Jung

Enterprise Architecture Management is a well-established discipline fostering business-IT alignment and driving innovation in an organisation. It provides an extensive set of methods and tools for visualising and analysing an organisation using several perspectives. However, critical voices are increasing in recent years. A significant amount of initiatives for establishing Enterprise Architecture are not meeting expectations. Furthermore, Enterprise Architecture is often recognised as a burden to corporate stakeholders rather than providing benefits. Current research is aiming at providing a stronger focus on corporate needs while performing Enterprise Architecture work. There seems to be a shift towards collaborative and agile approaches. The paper at hand presents the results of a survey among Enterprise Architecture practitioners to understand the expected benefits from Enterprise Architecture. The results of the survey are used to develop a framework that supports measuring the success of Enterprise Architecture decisions. This framework does not only focus on specific Enterprise Architecture goals but also incorporates the impact of Enterprise Architecture Management on corporate objectives. A first version of such a framework has been specifically developed for a German logistics company. This specific framework will be the starting point for future research on a generic framework for determining EA benefits in a company.

... Dynamism in the environment denotes the unpredictability and rate of changes in the environment including the obsolescence of products and services, changes in technology, moves by rivals, and rapid changes in demands by consumers (De Haes et al., 2013).Due to the current fast moving technology-based business environment, managers are constantly faced with uncertainty in keeping with the demands with more information as well as the capability of processing this information quickly (Bermejo, 2014). This is why at present having IT capability is of utmost importance and value of this type of dynamic environment since it enables firms to mobilize their resources quickly and effectively. ...

During the last decade, information technology (IT) has been playing a more important role for organizations in achieving their goals. Recently, information technology governance has become a critical issue for many companies in various industries. The aim of this study is to examine the extent to which the influence of external environment characteristics affects the effectiveness of IT governance as well as the performance of organizations in Malaysian manufacturing companies. Moreover, the mediating influence of effective IT governance was also being tested. 357 questionnaires were used in order to conduct the analyses. Structural Equation Modeling (SEM) is used for testing the developed hypotheses generating from the theoretical framework of the study. The data was obtained from managers in the manufacturing industry; Samples were selected from seven states of Malaysia (Selangor, Penang, Johor, Sarawak and Negeri Sembilan, Melaka, Pahang). This topic of research has considerable significance in Malaysia; A significant contribution of this study is the construction of a theoretically based model which assimilates the external environment characteristics, effective information technology governance, and organizational performance.

... Enterprise SPICE was accepted by ISO/IEC 2 as international standard 33071 in 2016, but is rooting deeply in traditional quality management concepts developed prior to the digital era (e.g., [41]). Existing research on ITM standards often concentrates on certain subareas of ITM like IT governance (e.g., [42]) and IT service management (e.g., [43]) or even single standards like COBIT (e.g., [44]) and ITIL (e.g., [45]). Several authors empirically analyzed the dissemination of standards (e.g., [11,46]) often connected to questions for perceived and measured benefits after standard implementation (e.g., [45,47]). ...

  • Gunnar Auth Gunnar Auth

For more than three decades professional standards have been popular as guidance and orientation to manage IT organizations. Although major standards like ITIL and COBIT have been updated with several versions to reflect changing requirements, their basic goals, concepts, and structures remained stable over time. In recent years this situation changed, when a number of new standards appeared to support new requirements for mastering digital transformation. This study explores the evolution of ITM standards during the last 20 years through analyzing a set of 60 formal, de facto, and emerging standards. Besides the rapid increase in number and update frequency starting in 2015, a shift of goals towards agility, lean management, and innovation was found. Finally, new problems and research questions raised by this evolution are presented.

... This recent adaptation of this framework was released presenting essential highlights. One of those highlights is the advancement from COBIT 4. Such a process should be done in association to enable both business and IT staff to fulfill their responsibilities and help the business/IT course of action (See in [66]). COBIT 5, the advanced equivalent of COBIT 4.1, offers a mapping apparatus that is easy to be implemented in order to map the strategic objectives of the association toward the related IT goals in order to accomplish the required model of governance (See in [67]). ...

  • Elias Jreisat Elias Jreisat

In recent times we have witnessed the investment renascence in technology world through various aspects. The era of innovation and investment in information and communication technology has become sophisticated, especially in business and economic sectors. However one of the most valued new fashion trends, which is leading the market lately and is considered as an outsource service aligned with the IT department in most institutions, is called Cloud Computing. Cloud is divided into several main kinds, (Public cloud, hybrid cloud, and private cloud). It has become commonplace lately for many institutions to use such effectuation of Cloud services, considering its' positive effects on various levels in any company by facilitating business process and simplifying information storage methods, saving time and efforts, and enabling the company to reduce expenses allocated to cover the I.T Department needs, though such a choice would raise the red flag of risk therefore definitely in such cases we need to focus on increasing the security level as well as assigning some serious controls to mitigate all risks, moreover IT audit and IT risk concepts has become vital and necessary to get a reasonable assurance of mitigating risks, ensuring that the entire work process are under control, and complied with the general policies and procedures in any organization. Abu Bakar and Tasmin (2012) indicate that the competition, globalization and innovation related to technology, services and products' types which are offered to the customers in the banking industry affect on their satisfaction and loyalty, besides it enhances institution's profitability.[1] on the other hand Flowerday and Von Solms (2005); Hamaker and Hutton (2004) concentrated on the utilization of IT and how it will helps the institution's built and maintain new governance processes.[2-3] Weidenmier and Ramamoorti (2006) stated that the organizational risk could be increased with information technology; therefore, the organizations have to implement the control with a view to integrated controls and process linkages on IT. [4] The huge number of factors indicated the expansion in information technology, which needs environmental controls for information technology focusing on the growing demand of reducing risks and controlling IT costs. Nowadays, the control on the IT surroundings should be effective and designed in particular for the IT used by stakeholders. In order to face the challenges in business and achieve goals and objectives of the information technology, also the executives have to ensure that they had utilized the technology in the greatest possible efficiency. [5]. Nowadays, we are witnessing a dramatic era of rapid developments in some domains in IT sector, intended to facilitate work processes and procedures. For instance "Cloud computing is known as a type of computing 8 that relies on sharing computing resources rather than having local servers or personal devices to handle applications. Cloud computing is comparable to grid computing, a type of computing where unused processing cycles of all computers in a network are harnesses to solve problems, too intensive for any stand-alone machine" [6]. It has now become commonplace for many institutions to use the effectuation of Cloud Computing services. Conversely, Organizations are also increasingly exposed to various operational risks related to the use of IT such as virus attacks, unauthorized access to data, breakdown of infrastructure, system and infrastructure contingency, performance problems. Preventing such risks efficiently by identifying, analyzing and evaluating potential IT related operational risks. Since several financial related establishments announced operational misfortunes, there has been a developing enthusiasm for operational risk management, For instance UBS (Swiss multinational investment bank and financial services company) confronted an operational misfortune/loss due to one of its dealer's deceitful conduct (Fraud). Another precedent showing the seriousness of the disturbance in the monetary administration industry surprisingly better is that, in 2008, 119 banks announced the total amounts caused by operating losses to SIGOR (the Standards Implementation Group) reporting a total of € 59.6 billion. As clarified by the previous samples, the events of operational loss are complicated, They vary in classifications between the internal and external categories to business intrusions caused by system breakdowns.[8] Moreover, SOX & EUROSOX are considered to be kind of essential regulations to protect the financial sectors from exposing to any kind of losses caused by the operational risk in the organizations. Also it is worth to mention that EUROSOX was issued by the European Parliament which was joined by all EU members other than SOX that was regulated by the US Government in the early of 2000.[9] therefore all arranged security and different risks related to all business directors and sheets require a technique to upgrade partners esteem and control its risk utilizing, and here the concept of IT governance came out where it is much needed since it incorporates reception of control structures and best practices to encourage monitor and enhance critical IT activities to expand business esteem and diminish business risk. In 1996 ISACA issued the primary adaptation of "The Control Objectives for Information and related Technology" (COBIT) which is the answer that can apply the IT governance in Enterprise. ISACA attempted to create COBIT until achieved COBIT 4.1 and the last form was COBIT 5. [10]

... 07(ISACA , 2009c(ISACA , 2010. COBIT5 identifies -37‖ IT processes spread over governance and management domains. The five governance processes are the board's responsibilities in IT, covering the setting of the governance framework, responsibilities in terms of value, risks and resources and providing transparency regarding IT to the stakeholders.(Steven, Wim and Roger, 2013) ...

  • Elias Jreisat Elias Jreisat
  • M Gall

In the last decades we have witnessed the investment renascence in technology world through various aspects. Consequently audit concepts has become vital and necessary to get a reasonable assurance of mitigating risks, ensuring that the entire work process are under control, and complied with the general policies and procedures in any organization. This paper intends to shed light on the IT Governance / Audit and Cobit frameworks and practices in the MENA region. A desk based research was adopted with the purpose of using content analysis as a tool of research to assess Arabic and English literature studies. The context of the paper included a critical literature review of previous researchers publications with the objective to spotlight on the IT Governance and IT Audit process frameworks and technologies used to mitigate all kinds of risks, focusing on Public, private and governmental sectors in MENA region, conducted through a desk-based research with the purpose to analysis methods of IT governance / audit. This paper clarifies the extent of the previous researches' contributions in measuring the level of applying several frameworks such as IT Governance, Cobit, IT Audit and IT risk on several sectors in MENA region, also it illustrates the collaboration of some countries rather than the other in such scientific publication, showing the influence of applying such frameworks on the extent of improving institutions' growth, evolvement, stability, competency and profitability. Finally, we suggested some recommendation for future improvements in such regard.

Purpose With the increasing digitalization processes taking place in different industries, the success of family small and medium-sized enterprises (SMEs) appears to be more under threat than for any other types of organizations, especially when information technologies (ITs) are not adequately used and managed. To grow and increase the chances of survival, family SMEs need more than ever IT. Stemming from agency theory, the aim of this article is to understand whether family harmony impacts the performance of family SMEs and to what extent IT mediates this relationship. Design/methodology/approach The research follows a quantitative approach, based on a sample of 182 family SMEs. Structured equation modeling, through SmartPLS, was employed to validate the research model. Findings This study's main findings suggest that family harmony positively impacts firm performance and that IT governance and strategy mediate positively this relationship. Research limitations/implications First, the relatively limited number of respondents limits the degree of representativeness of all family SMEs. Replicating the research with a larger number of respondents could strengthen the findings. Second, this study is limited to French firms and future research could extend the findings by looking at cross-country comparisons. Practical implications Family SMEs are encouraged to link their IT governance with their IT strategy in order to increase their organizational performance. A favorable family harmony will make it easier to choose and implement a richer IT strategy and put in place an adequate IT governance function. Originality/value This research offers an enriched knowledge of the roles of family harmony and technological innovation in family SMEs and IT contexts as significant predictors of organizational performance. It contributes to family firm theory through the identification of three determinants of family SMEs' performance.

  • IR. Erwin Setiawan Panjaitan
  • Fandi Halim
  • Darwin Siallagan

IT governance is the responsibility of the board of directors and executive management in the organization. This, is an integrated part of organizational governance and contains leadership and organizational structures and processes that ensure that IT organizations contain and support IT organizational strategies and objectives implemented through applications or systems in the organization will provide added value to everyone who uses IT such as staff, managerial and directors, therefore IT is very much needed by organizations because it can provide added value to the organization. Application of IT as a supporting instrument in the administrative process as well as providing useful information for all circles, so that it is in accordance with the goals previously set. This is to ensure the use of information technology that can truly support the expected IT goals while also taking into account the efficient use of resources and risk management as the basis for IT governance. Keywords: Frame work COBIT 5 from ISACA.

This paper advances our knowledge of information systems (IS) management by applying ideas and insights from accounting. An integrative cost–benefit framework is developed and applied to four areas of research: chargeback, outsourcing, decision support, and business process re-engineering and improvement. We show that the accounting literature contributes significantly to scholarship on the management of IS. #

To achieve lasting competitiveness through IT, according to the authors, companies face three enduring challenges: focusing IS efforts to support business strategies and using IT innovations to develop new, superior strategies; devising and managing effective strategies for the delivery of low-cost, high-quality IS services; and choosing the technical platform on which to mount IS services. Three strands of research - on the CIO's role and experience, the CIO's capabilities, and IS/IT outsourcing - demonstrate that businesses need nine core IS capabilities to address these challenges: 1. Leadership. Integrating IS/IT effort with business purpose and activity. 2. Business systems thinking. Envisioning,he business process that technology makes possible. 3. Relationship building. Getting the business constructively engaged in IS/IT issues. 4. Architecture planning. Creating the blueprint for a technical platform that responds to current and future business needs. 5. Making technology work. Rapidly achieving technical progress - by one means or another. 6. Informed buying. Managing the IS/IT sourcing strategy that meets the interests of the business. 7. Contract facilitation. Ensuring the success of existing contracts for IS/IT services. 8. Contract monitoring. Protecting the business's contractual position, cu:rent and future. 9. Vendor development. Identifying the potential added value of IS/IT service suppliers. IS professionals and managers need to demonstrate a changing mix of technical, business, and interpersonal skills. The authors trace the role these skills play in achieving the core IS capabilities and discuss the challenges of adapting core IS capabilities to particular organizational contexts. Their core IS capability model implies migration to a relatively small IS function, staffed by highly able people. To sustain their ability to exploit IT, the authors conclude, organizations must make the design of flexible IS arrangements a high-priority task and take an anticipatory rather than a reactive approach to that task.

In many organisations, information technology (IT) has become crucial in the support, sustainability and growth of the business. This pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT governance. IT governance consists of the leadership and organisational structures and processes that enable the required alignment between business and IT. This practice-oriented research concentrates on the IT governance practices that organisations can leverage to implement IT governance in reality. Based on literature research, pilot case research and delphi research, this paper provides insights regarding the effectiveness and ease of implementation of IT governance practices and provides a minimum baseline of practices that organisations at least should have. Via this research, we want to contribute to new theory building and assist practitioners by providing more guidance on how IT governance can be effectively implemented.

Enterprise governance of IT is a relatively new concept that is gaining traction in both the academic and practitioner worlds. Going well beyond the implementation of a superior IT infrastructure, enterprise governance of IT is about defining and embedding processes and structures throughout the organizations that enable both business and IT people to execute their responsibilities, while maximizing the value created from their IT-enabled investments. At the forefront of the field, the authors draw from years of research and advising corporate clients to present the first comprehensive resource on the topic. Featuring numerous case examples from companies around the world, the book integrates theoretical advances and empirical data with practical application, including in-depth discussion of such frameworks as COBIT and VALIT, which are used to measure and audit the value of IT investments and ensuring regulatory compliance. A variety of elements, including executive summaries and sidebars, extensive references, and questions and activities (with additional materials available on-line) ensure that the book will be an essential resource for professionals, researchers, and students alike. "At last we have a solidly research-based text on the enterprise governance of IT that successfully fuses business and IT perspectives. With its emphasis on the creation of business value, and on the use of relevant metrics, this book offers a distinctive view of these key processes. The authors, whose reputation and experience in the field is second to none, have created a guide to the strategic management of IT that will be an essential source for managers." Professor James W. Bryant Centre for Individual & Organisational Development Sheffield Hallam University United Kingdom "IT governance is a hot topic today and this book provides a wealth of practical and useful information. Regardless of whether you are concerned about compliance issues, or worried about the alignment of your IT investment with the corporate goals, this book will provide guidance to assist your efforts. As well as academic models and practice oriented frameworks such as CobiT, Val-IT and balanced scorecard, the volume includes recent case studies illustrating how the concepts and frameworks are applied in real life companies. I strongly recommend this book to Corporate and IT Managers as well as MBA and IT Graduate students." Aileen Cater-Steel, Ph.D Senior Lecturer (Information Systems) School of Information Systems University of Southern Queensland Australia. © Springer Science+Business Media, LLC 2009 All rights reserved.

  • Carla Wilkin Carla Wilkin
  • Robert H. Chenhall

This paper reviews Information Systems (IS) literature that is relevant to Information Technology Governance (ITG) and examines how it informs Accounting Information Systems (AIS). We present a taxonomy of research encompassing the focus areas identified by the IT Governance Institute (ITGI), namely Strategic Alignment (SA), Risk Management (RK), Resource Management (RM), Value Delivery (VD) and Performance Measurement (PM). Based upon 496 papers in ten IS/AIS and two Management Accounting journals over the period 1998-2008, we discuss research perspectives and identify avenues for future research. Results revealed a lack of integration between focus areas, with little about ITG as a whole.

To address the changing business environment and increased shareholder interest, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently issued an exposure draft updating its 1992 Internal Control-Integrated Framework. We review the updated Framework and discuss the comments we (as the Environmental Scanning Committee of the American Accounting Association's Information Systems Section) offered COSO regarding how to improve the Framework. In addition, we identify research opportunities for accounting information system scholars related to the new Framework.

It has been widely discussed in the management information systems (MIS) literature that the outcomes of information technologies (IT) and systems may be subject to the influence of the characteristics of the organization, including those of the IT and business leadership. This study was conducted to examine the relationships that may exist between IT infrastructure capabilities (ITC), business process improvements (BPI), and such IT governance-related constructs as the reporting relationship between the chief executive officer (CEO) and chief information officer (CIO), and senior management support of IT and BPI projects. Using a sample of 243 multinational and Hong Kong-listed firms operating in Greater China, this study yielded empirical support for the perceived achievement of capabilities in some dimensions of the IT infrastructure in the companies under study. It was found that the BPI construct was related to the reporting relationship between the CEO and CIO (CEO-CIO distance), and to the levels of senior management support. The dimensions of the ITC construct were also investigated and identified by an exploratory factor analysis (EFA). Associations were found between the selected organizational constructs and the ITC dimensions, except in two hypothesized relationships. Those between CEO-CIO distance and the ITC dimensions of data integration and training were not supported at the significance level of 0.05.

Source: https://www.researchgate.net/publication/247778781_COBIT_5_and_Enterprise_Governance_of_Information_Technology_Building_Blocks_and_Research_Opportunities

Posted by: keithkeithpieffere0274325.blogspot.com

Post a Comment

0 Comments