de Haes COBIT 5.pdf

7/21/2019 de Haes COBIT 5.pdf

JOURNAL OF INFORMATION SYSTEMS, American Accounting Association, Vol. 27, No. 1, Spring 2013, pp. 307-324. DOI: 10.2308/isys-50422

COBIT 5 and Enterprise Governance of Information Technology: Building Blocks and Research Opportunities

Steven De Haes
Wim Van Grembergen
University of Antwerp

Roger S. Debreceny
University of Hawaii at Mānoa

ABSTRACT: COBIT, currently in its fifth edition, is a good-practice framework for the enterprise governance of IT. There is limited academic research that either analyzes COBIT or leverages COBIT as an instrument in executing research programs. Through linking core elements and principles of COBIT to insights from IT-related and general management literature, this paper explores the use of COBIT in future research activities. This paper positions COBIT as a framework for enterprise governance of IT. The major directions and core principles of the framework are described. Connections are made of these directions and principles to the relevant literature. Research questions for future research around enterprise governance of IT and COBIT 5 are proposed and discussed.

Keywords: enterprise governance of IT; IT governance; COBIT; business/IT alignment; balanced scorecard; organizational systems; IT controls.

We thank Miklos Vasarhelyi (editor) and two anonymous referees for their guidance on an earlier version of this commentary.

Editor's note: Accepted by Miklos A. Vasarhelyi.

Published Online: February 2013

I. INTRODUCTION

Information technology (IT) has become crucial in the support, sustainability, and growth of enterprises. Previously, governing boards and senior management executives could minimize their involvement in the direction of IT, leaving most decisions to functional management. In most sectors and industries, such attitudes are now impossible, as enterprises are increasingly completely dependent on IT for survival and growth. These organizations also face a wide spectrum of external threats arising from IT, including abuse, cybercrime, fraud, errors, and omissions. IT has the potential to support both existing business strategies and the shaping of new strategies. IT increasingly becomes not only a success factor for day-to-day operations, but also a critical facilitator for enhancement of competitive advantage (Van Grembergen and De Haes 2009; Weill and Ross 2009). Given the centrality of IT for enterprise risk management and value generation, a specific focus on enterprise governance of IT (EGIT) has arisen over the last two decades (De Haes and Van Grembergen 2008b; Thorp 2003; Wilkin and Chenhall 2010). Enterprise governance of IT is an integral part of enterprise governance. EGIT addresses the definition and implementation of processes, structures, and relational mechanisms in the organization that enable the board and senior business and IT management to execute their responsibilities in support of risk and value management (Van Grembergen and De Haes 2009).

Enterprises are increasingly making tangible and intangible investments in improving enterprise governance of IT. In support of this, enterprises are drawing upon the practical relevance of generally accepted good-practice frameworks such as COBIT (ISACA 2009a). COBIT, now in its fifth edition, describes a set of good practices for the board and senior operational and IT management (ISACA 2012b).[1] It sets out a set of controls over information technology and organizes them around a logical framework of IT-related processes.[2] COBIT is part of a suite of products including: implementation; service management and assurance guides; low-level practices; and mapping to cognate frameworks and standards. Research indicates that organizations are adopting COBIT in practice (Debreceny and Gray 2013; ISACA 2011c; Van Grembergen and De Haes 2009). Given COBIT's historical origins in the audit community, there is a particular connection between the COBIT framework and the conduct of IT assurance. However, there has been limited academic research that leverages or explores COBIT. Many of the core principles of COBIT build on models, concepts, and theories from the IT and general management literatures. There are, as a result, opportunities for research that references and leverages COBIT. In this paper, we discuss how the COBIT 5 framework embraces concepts from the professional and academic literatures and builds upon earlier iterations of COBIT. The main contribution of this paper is that it seeks to provide directions and challenges for undertaking research that draws upon COBIT 5. As such, a principal objective of the paper is to narrow the gap between academic research and practice.

The paper provides an overview of the directions COBIT is taking and offers suggestions on research that takes COBIT as its unit of analysis or as a source of models, practices, and knowledge for the design of research. The paper proceeds as follows. In Section II, the concept of Enterprise Governance of IT is defined in more detail. COBIT is then positioned as a framework for enterprise governance of IT. Next, in Section III, the manner by which COBIT 5 embraces insights from the IT and general management literature is explored. Some directions for future research around enterprise governance of IT and COBIT are set out in Section IV. Finally, Section V brings some concluding remarks together.

II. BACKGROUND

This section of the paper provides background on the shape of EGIT, places COBIT within the historical development of EGIT, and describes some of the core dimensions of the COBIT approach to IT governance.

[1] The authors of this paper have been actively engaged in COBIT development over the past decade, including membership of the COBIT Steering Committee and development teams at various times over the period.

[2] A framework is a set of guiding principles and good practices that are explicitly designed to be adapted by adopting organizations. Frameworks are distinguished from standards that are designed for monolithic adoption. Standards are also more typically associated with certification of adopting organizations. Confusingly, some of the "standards" promulgated by the International Standards Organization are essentially frameworks (e.g., ISO/IEC 2008).

308 De Haes, Van Grembergen, and Debreceny, Journal of Information Systems, Spring 2013

Enterprise Governance of IT

The concept of IT governance has been in existence for less than two decades. In the early 1990s, key strands of IT governance could be discerned in the academic literature. The first strand studied alternative forms of organization of the IT function and the impact of those forms on business outcomes (ITGI 2005; Ives and Jarvenpaa 1993). A second strand explored the nature and effect of alignment between enterprise consumers of IT services (the "business") and the IT function (Henderson and Venkatraman 1993; Luftman 1996; Venkatraman et al. 1993). A third strand, inspired by Porter's research on strategy and competitive advantage (Porter 1979, 1985), addressed links between enterprise strategy, investment in IT, and enterprise performance (Andreu and Ciborra 1996; Chan et al. 1997; Weill 1990, 1992). This strand received considerable impetus as researchers reacted to research by Brynjolfsson (1993) that pointed to a seeming paradox between high levels of investment in IT and an absence of evidence on returns on that investment. It was only in the late 1990s that articles first mentioned IT governance in the title or abstract (e.g., Brown 1997; Sambamurthy and Zmud 1999), although these papers mostly focused on debates about the most effective form of IT organization. In the practitioner arena, ISACA created the IT Governance Institute (ITGI) (www.itgi.org) in 1998 to promote the IT governance concept. As explored in more detail shortly, the various publications of ISACA and ITGI explicitly incorporated IT governance notions in COBIT 3 (ITGI 2000) and the board briefing on IT governance (ITGI 2001).

Current perspectives on enterprise governance of IT see EGIT as an integral part of corporate governance. The recent ISO/IEC Standard 38500 "Corporate Governance of IT" defines IT governance as "The system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization" (ISO/IEC 2008). Van Grembergen and De Haes (2009) define EGIT as "the Board overseeing the definition and implementation of processes, structures, and relational mechanisms in the organization that enable both business and IT to execute their responsibilities in support of business/IT alignment and the creation of business value from IT enabled investments." Both definitions indicate clearly that IT governance is the responsibility of governing boards and that execution lies with senior management.

The IT governance concept has received considerable attention in the academic literature over the last decade. Wilkin and Chenhall (2010), in a recent survey of IT governance, establish a taxonomy of IT governance. They see concepts of strategic alignment, performance measurement, risk management, and value delivery as the most significant enablers of IT governance. Wilkin and Chenhall (2010) note that broader organizational structures, business processes and technology, and resource capabilities influence the enablers and, by extension, IT governance. Wilkin and Chenhall (2010) see corporate governance as being a primary influence on the shape of IT governance. This focus on corporate governance was in response to two directions in the academic and professional communities. First, the increasing importance of corporate governance in general management and the academic literature influenced research in IT governance, as did professional guidance in the U.S. (COSO 1992) and its counterparts in other parts of the world. The Sarbanes-Oxley Act in the U.S. in 2002 provided significant impetus to widespread adoption of corporate governance methods in the field and a dramatic expansion in the academic literature, along with specialist journals. Second, the increasing importance of IT in meeting enterprise goals, coupled with the inherent tension in aligning business and IT management, has led to a recognition of the importance of setting IT goals and decision rights at the governance level (i.e., governing boards) (De Haes and Van Grembergen 2008a; Thorp 2003; Weill and Ross 2009). These forces initiated a shift in the naming of the concept from "IT governance" toward "enterprise governance of IT," which focuses on board and senior business management involvement in strategic and tactical directions for IT.

Origins and Positioning of COBIT

COBIT is an IT governance framework developed by ISACA. Figure 1 shows the major milestones in the development of COBIT. The COBIT framework arose from initiatives by members of ISACA in the financial and IT audit communities. These audit professionals confronted increasingly automated environments. To guide their work, the initial development of COBIT was as a framework for the execution of IT audit assignments. It was constructed around a comprehensive set of so-called "Control Objectives for IT Processes" (IASCF 1994). Over successive versions, COBIT transitioned toward a broader IT governance and management framework with management tools including metrics, critical success factors, maturity models, and tools for the assignment of roles and responsibilities for IT processes. COBIT 4 saw the development of tools to align business and IT goals and their relationship with supporting IT processes. COBIT 4 also strengthened the connection with other relevant governance frameworks and IT frameworks and standards (ITGI 2005). More recently, COBIT was complemented with the Val IT and Risk IT frameworks (ISACA 2009c, 2010). These addressed the IT-related business processes and responsibilities in value creation (Val IT) and risk management (Risk IT). In each case, Val IT and Risk IT drew key concepts and processes from COBIT and added domain-specific guidance.

FIGURE 1: Timeline of COBIT Developments

In April 2012, COBIT 5 was released, with the concept of enterprise governance of IT as a foundation (ISACA 2012b). According to ISACA, COBIT 5 "provides a comprehensive framework that assists enterprises to achieve their objectives for the governance and management of enterprise IT. COBIT 5 enables IT to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders" (ISACA 2012b). COBIT 5 integrates the knowledge previously dispersed over the three ISACA frameworks, viz: COBIT, Val IT, and Risk IT (ISACA 2009c, 2010; ITGI 2005). COBIT, to some degree in the fourth edition and more systematically in the fifth edition, covers the lifecycle of governance, strategic, and tactical management within the IT domain. The relative roles of several general governance, IT governance, and IT management frameworks are illustrated in Figure 2, along two dimensions: the level of abstraction of the framework or standard and the extent to which the framework covers the lifecycle of IT from design of governance systems through tactical IT management.

General-purpose corporate governance frameworks such as COSO are at a high degree of abstraction and cover only issues of governance and organization. At the other end of the continuum, standards such as TickIT (a standard for quality software development) are related only to a particular aspect of IT. TickIT and other IT standards are relevant at the tactical level within the IT function. Other well-known standards such as ITIL and CMMI relate primarily to management rather than governance and to tactics rather than strategy (Ahern et al. 2008; Cabinet Office 2011). In recent releases, both ITIL and CMMI have moved more toward strategy and at least some aspects of governance.

FIGURE 2: IT-Related Frameworks: Level of Abstraction and Lifecycle of IT

Concepts of Control in COBIT

The concept of control in COBIT builds on the general literature of management control and management control systems. Management control theory arose from commerce, particularly with the development of the private corporation as enterprises grew such that ownership became separated from management (Berle and Means 1932), and from theories including Fayol's general theory of management, organizational theory (Cyert and March 1963; March and Simon 1958), and the cybernetics of Stafford Beer (Beer 1959, 1972). Earlier views of management control were strongly influenced by the scientific management approaches of Anthony and others (Anthony 1965) and related primarily to the acquisition and use of resources in pursuit of organizational objectives. Later, however, management control theory gravitated more toward seeing control as a suite of tools for achieving the strategic goals of the firm (Simons 1990, 2000). For example, Simons sees management control as a suite of informal norms and formal processes designed to bind organizational outcomes to organizational strategic goals.

Simons (1990, 2000) defines four types of formal systems: beliefs systems (formal systems used by top managers to define, communicate, and reinforce the basic values, purpose, and direction for the organization), boundary systems (formal systems used by top managers to establish explicit limits and rules that must be respected), diagnostic control systems (formal feedback systems used to monitor organizational outcomes and correct deviations from preset standards of performance), and interactive control systems (formal systems used by top managers to regularly and personally involve themselves in the decision activities of subordinates).

The view of control within COBIT is broadly in line with Simons' perspective. For example, the definition of control in COBIT 3 is "the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected" (ITGI 2000, 12). The concept of a "control objective" is unique to COBIT. It sees the institution of control as leading to a necessary outcome or end state. As will be discussed in the next sections, the word "control" is not in use in COBIT 5 and is replaced by "good practices." These are in highly active and prescriptive language, and their debt to the former COBIT control objectives assumptions is clear. These new good practices are defined as "a proven activity or process that has been successfully used by multiple enterprises and has been shown to produce reliable results" (ISACA 2012b).

III. MAJOR DIRECTIONS IN COBIT 5

This section analyzes and places in context some of the key directions taken in COBIT 5. This provides a foundation for development of a set of research questions. First, the COBIT 5 framework is built around five core principles: (1) meeting stakeholder needs; (2) covering the enterprise end-to-end; (3) applying a single, integrated framework; (4) enabling a holistic approach; and (5) separating governance from management. This section discusses each of these principles and relates them to concepts and insights from the general management, accounting, and IT literatures. Second, consideration of implementing COBIT now has a more central role in the framework. Third, COBIT made significant changes in the measurement of IT process maturity, changing the concept to process capability. This change aligns COBIT with the ISO/IEC 15504 standard. Finally, changes in the domain and process structure of the framework are reviewed.

Meeting Stakeholder Needs: Strategic Business/IT Alignment

According to ISACA, Principle 1 (Meeting Stakeholder Needs) implies that COBIT 5 provides all of the required processes and other enablers to support business value creation and risk management through use of IT. This principle closely links to the notion of strategic alignment initiated by Henderson and Venkatraman (1993). The idea behind strategic alignment between the board, operational management, and IT is comprehensive and has been present in the COBIT framework from the outset. However, the challenge is how organizations can achieve alignment. The COBIT framework is large and complex. It normally will take some years for full adoption, even for a relatively small enterprise. Some of the important issues that the board and management must address include: Which processes should be managed with COBIT? In which order should those processes be introduced and developed? How deep should the investment be in implementing the suite of processes? The COBIT 5 development team undertook research to understand how enterprise goals drive IT-related goals and vice versa. These research projects used in-depth interviews in different sectors together with Delphi surveys of subject matter experts. This research established a generic list of enterprise goals, IT-related goals, and their inter-relationship or "cascade." This cascade now constitutes the core entry point for COBIT 5. In COBIT 5, there is an explicit assumption that organizations should commence by analyzing their business/IT alignment state through definition of enterprise goals, linking those goals to IT-related goals and subsequently to the IT processes within COBIT (De Haes and Van Grembergen 2010; Van Grembergen et al. 2008).

In the goals cascade, enterprise and IT-related goals are categorized into financial, customer, internal, and learning and growth perspectives (Figure 3). This follows the commonly accepted dimensions of balanced scorecard analysis. Each perspective holds a number of commonly referenced goals in organizations in that area, based on earlier executed exploratory research (Van Grembergen et al. 2008). Next, primary (P) and secondary (S) relationships between enterprise and IT-related goals are provided, based on experts' opinions. These relationships indicate how enterprise goals drive IT-related goals and/or how IT-related goals support enterprise goals. As an illustration of this cascade, Figure 4 shows that the enterprise goal of "External compliance with laws and regulation" requires a primary focus (P) on the IT-related goals of "IT compliance and support for business compliance with external laws and regulations" and "security of information and processing infrastructure." When adopting COBIT 5, organizations will take the weighted importance of IT-related goals to guide them in deciding which subset of the framework's 37 IT processes are the most important for early adoption.

Meeting Stakeholder Needs: The Balanced Scorecard

To verify whether stakeholder needs are indeed being met, a sound measurement process needs to be established (Elbashir et al. 2008; Hyvonen 2007; O'Connor and Martinsons 2006). Traditional performance methods such as return on investment (ROI) capture the financial worth of IT projects and systems, but reflect only a limited part of the value that can be delivered by IT (Davern and Wilkin 2010; Van Grembergen and De Haes 2009). COBIT builds on balanced scorecard concepts as developed by Kaplan and Norton (1996), and as adapted for the IT domain (Hu and Huang 2006; Van Grembergen et al. 2003).

FIGURE 3: Cascade of Enterprise Goals and IT-Related Goals (Source: COBIT 5. P: Primary goal; S: Secondary goal.)

COBIT 5 provides outcome measures at the IT process level. Figure 5 shows an example for the process of Managing Security, providing specific process goals and related metrics. Consolidation of these metrics at the enterprise, IT-related, and COBIT process levels enables organizations to build a comprehensive scorecard for the entire IT environment. This allows organizations to develop a measurement instrument to verify meeting of stakeholder needs.

FIGURE 4: Primary and Secondary IT Goals for Enterprise Goal "External Compliance with Laws and Regulation" (Source: COBIT 5. P: Primary goal; S: Secondary goal.)

FIGURE 5: Balanced Scorecard Metrics for the Security Process (Source: COBIT 5.)

Covering the Enterprise End-to-End

The second principle (Covering the Enterprise End-to-End) articulates that COBIT 5 covers all functions and processes within the enterprise. COBIT 5 does not focus only on the IT function, but treats information and related technologies as assets or capabilities that need examination along with other assets in the enterprise. This perspective aligns with Weill and Ross (2009) on the notion of "IT Savviness" and the resource-based view and capabilities literatures (Andreu and Ciborra 1996; Feeny and Willcocks 1998; Law and Ngai 2007; Tarafdar and Gordon 2007). Weill and Ross clarify the need for general business management to take ownership of, and accountability for, governing the use of IT in creating value from IT-enabled business investments. In many organizations, this implies a crucial shift in attitudes and behavior of general business and IT management as well as the governing board. As Weill and Ross (2009) note: "If senior managers do not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical initiatives with no clear impact on organizational capabilities. IT becomes a liability instead of a strategic asset."

Related to this discussion, COBIT 5 encompasses both IT processes and IT-related business processes. Collaboration and reciprocal relationships and task dependencies between business management, IT management, and external parties are an important element of IT governance (Cragg et al. 2011; Zarvic et al. 2012). COBIT 5 provides RACI charts (Responsible, Accountable, Consulted, Informed) in which both business and IT roles are included. To illustrate this, Figure 6 provides an example RACI chart for the process "Manage Service Agreements." This RACI chart indicates that for the SLA process, both business and IT functions have primary (P) and secondary (S) accountabilities and responsibilities.

FIGURE 6: End-to-End Responsibility in Managing Service Agreements (Source: COBIT 5.)

Applying a Single, Integrated Framework: COBIT, Risk IT, and Val IT

Principle 3 (Applying a Single, Integrated Framework) explains that COBIT 5 aligns at a high level with other relevant standards and frameworks. It can thus serve as the overarching framework for governance and management of enterprise IT. COBIT 5 integrates all of the previous ISACA IT governance materials in COBIT 4, Val IT, and Risk IT (ISACA 2007, 2009c, 2010). In this overarching approach, COBIT identifies 37 IT processes spread over governance and management domains. The five governance processes are the board's responsibilities in IT, covering the setting of the governance framework, responsibilities in terms of value (e.g., investment criteria), risks (e.g., risk appetite), resources (e.g., resource optimization), and providing transparency regarding IT to the stakeholders. We return to governance later in this section. In the management domain, there are four subdomains: Align, Plan, and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service, and Support (DSS); and Monitor, Evaluate and Assess (MEA). The domain APO concerns the identification of how IT can best contribute to the achievement of business objectives. A management framework is required, together with specific processes related to the IT strategy and tactics, enterprise architecture, innovation, and portfolio management. Other important processes in this domain address the management of budgets and costs, human resources, relationships, service agreements, suppliers, quality, risk, and security.

The domain BAI makes the IT strategy concrete through identifying, in detail, the requirements for IT and managing the investment program and projects. This domain further considers managing capacity, organizational change, IT changes, acceptance and transitioning, knowledge, assets, and configurations. The domain Delivery, Service and Support (DSS) refers to the actual delivery of required IT services. It contains processes on managing operations, service requests and incidents, problems, continuity, security services, and business process controls. The fourth management domain, MEA, includes those processes that are responsible for the quality assessment in compliance with the control requirements for all previously mentioned processes. It addresses performance management, monitoring of internal control, and regulatory compliance (ISACA 2012b).

COBIT 5 emphasizes the requirement of general business management being accountable for managing IT. Processes that address specific business roles are APO3: Manage Enterprise Architecture, APO4: Manage Innovation, and BAI05: Manage Organizational Change. A specific process on business process controls (application controls) is included (DSS06: Manage Business Process Controls).

Enabling a Holistic Approach: Organizational Systems

The fourth principle (Enabling a Holistic Approach) explains that efficient and effective implementation of governance and management of enterprise IT requires a holistic approach. This approach takes into account several interacting components: processes, organizational structures, and human resources. This implementation challenge is related to what is described in the strategic management literature as the need for an organizational system, i.e., the way a firm gets its people to work together to carry out the business (De Wit and Meyer 2005). Such an organizational system requires the definition and application of structures (e.g., organizational units and functions) and processes (to ensure tasks are coordinated and integrated), and attention to people and relational aspects (e.g., culture, values, joint beliefs).

Peterson (2004) and De Haes and Van Grembergen (2009) have applied this organizational system theory to EGIT. Organizations can and are deploying EGIT by using a mixture of various structures, processes, and relational mechanisms. EGIT structures include organizational units and roles responsible for making IT decisions and for enabling contacts between business and IT management decision-making functions (e.g., IT steering committees). EGIT processes refer to the formalization and institutionalization of strategic IT decision making and IT monitoring procedures, to ensure that day-to-day outcomes are consistent with policies and provide a feedback loop (e.g., IT balanced scorecard). These relational mechanisms are ultimately about the active participation of, and collaborative relationship among, the board, senior corporate executives, IT management, and business management.

COBIT 5 builds on these insights and incorporates formal discussion on so-called "Enablers" in its framework. These are factors that, individually and collectively, influence whether something will work, in this case, governance and management over enterprise IT. The framework describes seven categories of enablers, of which the "processes," "organizational structures," and "culture, behavior, and ethics" closely relate to the organizational systems concept.

    Separating Governance from Management

    Finally, Principle 5 is about the distinction COBIT 5 makes between governance and management. This draws heavily on the guidance in the ISO/IEC standard on Corporate Governance of IT (ISO 38500) (ISO/IEC 2008) and general governance frameworks such as COSO. There were governance elements within earlier versions of COBIT, but they were mixed in with management aspects. In COBIT 5, the organization of governance processes follows the EDM model (Evaluate, Direct, Monitor) as set out in ISO 38500. IT governance processes are the responsibility of the board of directors and ensure that enterprise objectives are achieved by evaluating stakeholder needs; setting direction through prioritization and decision making; and monitoring performance, compliance, and progress against plans. Based on these governance activities, business and IT management plans, builds, runs, and monitors activities (a COBIT translation of Deming's PDCA cycle: Plan, Do, Check, Act) in alignment with the direction set by the governance body to achieve enterprise objectives.

    Implementing Enterprise Governance of IT

    Another important change in COBIT 5 is close attention to the challenges of implementing EGIT within the enterprise. ISACA had previously provided systematic guidance on implementing IT governance (ISACA 2009a, 2009b), but this guidance was separate from the core COBIT framework. As a result, adopting organizations often overlooked the considerable challenges of implementing COBIT. The guidance on implementation has been updated (ISACA 2012a), but now the core messages from this guidance are also incorporated into the COBIT framework itself. The guidance sets out a seven-stage lifecycle for implementing EGIT, from EGIT program initiation to review of effectiveness and sustaining the implementation. Core messages from the guidance include the need to build an appropriate environment for the changes involved in implementing EGIT, and recognizing the critical importance of building a realistic business case for undertaking EGIT.

    Process Maturity and Process Capability

    Process maturity has been a core component of COBIT for more than a decade. Determining the level of process maturity for given processes allows organizations to determine which processes are essentially under control and those that represent potential management challenges (Weill 1992). Assessment of process maturity is arguably a necessary condition for implementation of EGIT. The concept of process maturity in earlier versions of COBIT was adopted and adapted from the Software Engineering Institute's Capability Maturity Model (Debreceny and Gray 2013). In COBIT 5, process maturity has been replaced by the concept of process capability (ISACA 2011b), based on the ISO/IEC 15504 (SPICE) standard, Information Technology: Process Assessment.

    A benefit of this assessment model is the improved focus on confirming that a given process is actually achieving its purpose and delivering the required outcomes as expected. Indeed, a requirement to meet level one of the five-level maturity model under COBIT 5 is that the implemented process achieves its process purpose; at level two, the process is implemented in a managed fashion (planned, monitored, and adjusted), and its work products are appropriately established, controlled, and maintained. These can be challenging for organizations to demonstrate and, as a result, process maturity levels under the new assessment model will be considerably lower than under the earlier CMM-based process maturity model in COBIT 4. This may present some implementation challenges.

    IV. COBIT 5 AND RESEARCH OPPORTUNITIES

    This section builds on the previous sections, which sought to develop an understanding of core principles and concepts in COBIT 5, to explore potential new research opportunities. Wilkin and Chenhall (2010) set out some 20 research questions across various domains in their IT governance taxonomy (strategic alignment, value delivery, risk management, resource management, and performance measurement). Our objective is to complement Wilkin and Chenhall by pointing to research that (1) investigates COBIT as an artifact; (2) sees COBIT within an ecosystem of competing and complementary frameworks and standards; or (3) uses COBIT as a common measurement foundation for investigation of some particular aspect of EGIT or cognate areas of inquiry such as IT audit and assurance.

    Researching COBIT as an Artifact

    COBIT and its associated suite of products is a large, multifaceted, and complex set of guidance. The content in COBIT is considerably more complex than COSO or the high-level frameworks such as ISO/IEC 38500. COBIT is systematically designed to encompass the complete investment lifecycle, with both governance and management aspects. This complexity gives rise to the need for research on COBIT as an artifact.

    The Quality and Consistency of COBIT as an Artifact

    There is a need to investigate COBIT's intellectual foundations, design, applicability, and internal consistency, or lack thereof. For example, COBIT 5 integrates three significant but related frameworks covering IT governance and management (COBIT), value generation (Val IT), and risk management (Risk IT). This integration is a major undertaking and the success of this integration is not yet clear. An example of research on COBIT as an artifact is Boritz (2005), who considered notions of information integrity in COBIT, other practice frameworks, and the academic literature. Boritz (2005), after surveying practitioners, concluded that the way information attributes and information integrity were established in COBIT should be significantly modified to incorporate information. The Boritz study is the only research that systematically investigates the design of any aspect of COBIT. There is a clear need for additional research.

    The Association between Prescription and Real-World Conditions

    COBIT and other similar frameworks are drawn from good practice in the field and are essentially prescriptive. The quality of this prescription is only as good as the process of identification of good practice. The various iterations of COBIT are based on (1) original research, (2) widespread use of experts in workshops and workgroups, and (3) input from cognate standards and frameworks. This approach is, necessarily, only a partial sampling of real-world conditions. Tuttle and Vandervelde (2007) research the applicability of COBIT 3 as an internal control framework for the financial statement audit and find that COBIT can be employed in this manner. There is a need for research to understand the relationship between COBIT's prescriptions and real-world conditions.


    COBIT as a Framework

    COBIT is a framework rather than a standard and, as a result, is designed to be adapted by adopting organizations. Yet, little is known as to which components of the framework need to be retained in order for adoption to still be effective. This applies both horizontally (choice of processes) and vertically (components including process capability, RACI charts, etc.). For example:

    - Could it be feasible to adopt COBIT with only the five processes at the governance layer, shorn of RACI charts, process capability modeling, and other core COBIT attributes?
    - Could COBIT be used only by the board and audit committee and still be functional?

    Researching COBIT within an Ecosystem of Competing and Complementary Frameworks

    A core principle of the design of COBIT 5 is to align systematically with cognate frameworks and standards. These include governance frameworks of higher abstraction (e.g., ISO/IEC 2008) and more specific frameworks that are positioned at the level of IT-related management (e.g., TOGAF [Open Group 2009]). Understanding how COBIT operates in an ecosystem of competing and collaborating frameworks is an important area of research.

    The Relationship between COBIT, COSO, ISO/IEC 38500, and Other Governance Frameworks

    ISACA has made a major investment over the years in mapping COBIT to other frameworks, with detailed mappings of COBIT 4 to ten other frameworks including COSO, ITIL, PMBOK, and TOGAF (ISACA 2011a). There is no academic research about the inter-operation of these relationships. Questions include:

    - How does an enterprise manage multiple frameworks and standards?
    - How do enterprises measure and manage performance across multiple frameworks and standards?

    The Board of Directors' Involvement in Enterprise Governance of IT

    As we discuss above, there is strong influence upon COBIT from general governance frameworks, including the COSO internal control framework, and from ISO/IEC 38500. COBIT 5 clearly distinguishes between governance and management. Limited research is available on how boards are taking up responsibility for governing and monitoring IT. From analysis of annual reports and Management's Discussion and Analyses (MD&As), or through case, field study, or survey research, it would be interesting to understand whether the board is taking up the five areas of responsibility as discussed in COBIT:

    - Which of the five governance processes are really taken up by boards?
    - What are boards reporting on their IT governance roles in the annual report?
    - What is the relationship between boards' involvement and IT governance performance?

    COBIT 5 and the Audit of Internal Controls

    In the U.S. context, the Sarbanes-Oxley Act requires that SEC registrants certify whether there are material weaknesses in internal control, as lined up against a control framework. Larger registrants must have their internal controls audited. While the Sarbanes-Oxley Act does not mandate a single internal control framework, effectively all registrants choose the COSO framework. The COSO framework includes some limited commentary on the role of information technology in maintaining internal controls, and the exposure draft for a revised version of COSO makes this link even stronger (Janvrin et al. 2012). It is now seven years since a customized version of COBIT for IT control objectives under the Sarbanes-Oxley Act was promulgated by ISACA (ITGI 2006). Research questions include:

    - What role does COBIT play in support of internal and external audit programs?
    - COSO makes explicit mention of application controls. Business application controls are now more central in COBIT 5. To what extent does the guidance on business application controls in both COBIT and COSO correlate? What are the practical applications and use of this guidance?

    COBIT as a Common Measurement Foundation

    COBIT provides good practice guidance for the complete lifecycle of IT investment. It comes with a suite of management tools together with supporting guidance. COBIT offers, then, a foundation for measurement in a wide variety of research on EGIT. Debreceny and Gray (2013) draw explicitly on the IT processes and process maturity components of COBIT 4 in a large international field study. Similar research can allow us both to understand the EGIT landscape and to validate the design of COBIT.

    Alignment of Enterprise and IT-Related Goals

    The concept of business/IT alignment is not new, but it is still high on the agenda of many organizations. Building on the strategic alignment model of Henderson and Venkatraman (1993) and original research (Van Grembergen et al. 2008), COBIT provides an approach on how to define enterprise goals and IT-related goals. It will be important to understand how robust this relationship is. Case study research could reveal whether organizations are clearly articulating enterprise goals and IT-related goals, and the degree to which these goals are symbiotic. Specific questions can include:

    - Are businesses clearly articulating their priorities to IT?
    - Is IT pro-actively engaged in the business strategic discussion?
    - Is the business involved in defining the IT-related goals?

    How Do Organizations Measure the Performance of IT?

    Measuring the value of IT is a complex challenge. As COBIT leverages the balanced scorecard insights, it provides a reference to build conceptual measurement frameworks for IT as a whole or for specific processes of IT. Research projects could work on building such conceptual frameworks based on COBIT, and then validate whether such measurement instruments are in use and optimized based on empirical findings. Examples of specific questions are:

    - Are organizations using COBIT to build balanced scorecards?
    - Are the metrics in COBIT 5 usable for practice?
    - How are enterprises organizing the performance management process?

    How Involved Is the Business in Enterprise Governance of IT?

    There is an emphasis in COBIT 5 on establishing end-to-end responsibilities in governing and managing IT assets and capabilities. The RACI charts in COBIT 5 provide usable templates for analysis of whether general business management is taking up their IT-related responsibilities. Research questions include:

    - Are business managers aware of the responsibilities as assigned in the COBIT 5 RACI charts?
    - Do business managers take up the responsibilities as assigned in the COBIT 5 RACI charts?
    - What are enablers and inhibitors for business managers to take up the responsibilities as assigned in the COBIT 5 RACI charts?

    How Are Organizations Implementing Enterprise Governance of IT?

    Enterprises increasingly recognize the importance of EGIT. Many organizations struggle with implementing and embedding these governance practices into their organizations. Through case and survey research, it will be vital to verify how organizations are adopting EGIT. Building on organizational systems theory, COBIT 5 can be a foundation for interview and survey protocols. Some specific questions are:

    - Which COBIT 5 processes and related practices/structures are most adopted in organizations?
    - Which COBIT 5 processes and related practices/structures are perceived as being most effective?
    - Which COBIT 5 processes and related practices/structures are perceived as being easy/difficult to implement?

    V. SUMMARY AND CONCLUSION

    Over the last two decades, the role of information technology in organizations has changed from primarily a supportive and transactional function to being an essential prerequisite for strategic value generation. Further, while IT plays an important role in mitigating enterprise risk, information technologies also create risks. These risks include potential monetary losses, reduction in operational capability and, particularly important in an increasingly networked world, losses to enterprise reputation. The increased focus on IT for value generation as well as meeting compliance obligations in a host of industries has resulted in enhanced board and senior management attention to IT. The early 1990s saw introduction of the term "IT governance," now increasingly and appropriately rebranded in the professional and academic literatures as the "Enterprise Governance of IT" (EGIT).

    Over a similar period, ISACA has promulgated five versions of the good practice EGIT framework, COBIT. The IT audit community was a strong influence on the first version in 1996. It served as a blueprint for conducting audits of IT functions. COBIT has matured and adapted to changes in the external environment. The latest iteration, COBIT 5, includes several important developments influenced by changes in the external environment and by new and revised frameworks to which COBIT aligns. First, there is a distinct separation between governance and management. The new governance domain has five processes that would be in the hands of the board and the most senior management. Second, COBIT 5 integrates the guidance in COBIT 4, Val IT, and Risk IT. Third, the important contribution that IT makes in achievement of organizational goals is central to the framework. Fourth, assessment of process maturity, a core metric in COBIT, now aligns with international standards. Fifth, responding to the challenges of adoption of governance frameworks such as COBIT has been more directly integrated in the framework.

    COBIT is a complete and overarching governance and management framework that benefits from many years of experience and alignment with other frameworks and standards. Yet there is little academic research that leverages COBIT as an instrument in executing research programs. Through clearly indicating how the core elements of COBIT 5 are built on IT and general management insights, this paper contributes to the exploration of the use of COBIT in future research activities. A catalog of potential research questions is provided that (1) investigates COBIT as an artifact; (2) sees the framework within an ecosystem of competing and complementary frameworks and standards; or (3) uses it as a common measurement foundation for investigation of some particular aspect of EGIT or cognate areas of inquiry such as IT audit and assurance. These research questions can be a source of inspiration for researchers in this field. There are many research opportunities on EGIT and aligned research domains. Finally and probably most importantly, these opportunities have implications for both theory and practice.

    REFERENCES

    Ahern, D. M., A. Clouse, and R. Turner. 2008. CMMI Distilled: A Practical Introduction to Integrated Process Improvement. 3rd edition. Boston, MA: Addison-Wesley.
    Andreu, R., and C. Ciborra. 1996. Organizational learning and core capabilities development: The role of IT. Journal of Strategic Information Systems 5 (2): 111-127.
    Anthony, R. N. 1965. Planning and Control Systems: A Framework for Analysis. Boston, MA: Division of Research, Graduate School of Business Administration, Harvard University.
    Beer, S. 1959. Cybernetics and Management. London, U.K.: English Universities Press.
    Beer, S. 1972. Brain of the Firm. London, U.K.: The Penguin Press.
    Berle, A. A., and G. C. Means. 1932. The Modern Corporation and Private Property. New York, NY: The Macmillan Company.
    Boritz, J. E. 2005. IS practitioners' views on core concepts of information integrity. International Journal of Accounting Information Systems 6 (4): 260-279.
    Brown, C. 1997. Examining the emergence of hybrid IS governance solutions: Evidence from a single case site. Information Systems Research 8 (1): 69-94.
    Brynjolfsson, E. 1993. The productivity paradox of information technology. Communications of the ACM 36 (12): 66-77.
    Cabinet Office. 2011. ITIL Lifecycle Suite. London, U.K.: The Stationery Office.
    Chan, Y. E., S. L. Huff, D. W. Barclay, and D. G. Copeland. 1997. Business strategic orientation, information systems strategic orientation, and strategic alignment. Information Systems Research 8 (2): 125-150.
    Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control - Integrated Framework. New York, NY: Committee of Sponsoring Organizations of the Treadway Commission.
    Cragg, P., M. Caldeira, and J. Ward. 2011. Organizational information systems competences in small and medium-sized enterprises. Information and Management 48 (8): 353-363.
    Cyert, R. M., and J. G. March. 1963. A Behavioral Theory of the Firm. Englewood Cliffs, NJ: Prentice Hall, Inc.
    Davern, M. J., and C. L. Wilkin. 2010. Towards an integrated view of IT value measurement. International Journal of Accounting Information Systems 11 (1): 42-60.
    De Haes, S., and W. Van Grembergen. 2008a. Analyzing the Relationship between IT Governance and Business/IT Alignment Maturity. Proceedings of the 41st Hawaii International Conference on System Sciences, Kailua-Kona, HI, Shidler College of Business, University of Hawaii at Manoa.
    De Haes, S., and W. Van Grembergen. 2008b. An exploratory study into the design of an IT governance minimum baseline through Delphi research. Communications of AIS 22: 443-458.
    De Haes, S., and W. Van Grembergen. 2009. An exploratory study into IT governance implementations and its impact on business/IT alignment. Information Systems Management 26 (2): 123-137.
    De Haes, S., and W. Van Grembergen. 2010. Analyzing the impact of enterprise governance of IT practices on business performance. International Journal on IT/Business Alignment and Governance 1 (1): 14-38.
    De Wit, B., and R. Meyer. 2005. Strategy Synthesis: Resolving Strategy Paradoxes to Create Competitive Advantage. London, U.K.: Cengage Learning EMEA.
    Debreceny, R. S., and G. L. Gray. 2013. IT governance and process maturity: A multinational field study. Journal of Information Systems 27 (1).
    Elbashir, M. Z., P. A. Collier, and M. J. Davern. 2008. Measuring the effects of business intelligence systems: The relationship between business process and organizational performance. International Journal of Accounting Information Systems 9 (3): 135-153.
    Feeny, D., and L. Willcocks. 1998. Core IS capabilities for exploiting information technology. Sloan Management Review 39 (3): 9-21.
    Henderson, J. C., and N. Venkatraman. 1993. Strategic alignment: Leveraging information technology for transforming organizations. IBM Systems Journal 32 (1): 4-16.
    Hu, Q., and C. D. Huang. 2006. Using the balanced scorecard to achieve sustained IT-business alignment: A case study. Communications of AIS 17: 245.
    Hyvonen, J. 2007. Strategy, performance measurement techniques, and information technology of the firm and their links to organizational performance. Management Accounting Research 18 (3): 343-366.
    ISACA. 2007. COBIT 4.1. Rolling Meadows, IL: ISACA.
    ISACA. 2009a. Building the Business Case for COBIT and Val IT: Executive Briefing. Rolling Meadows, IL: ISACA.
    ISACA. 2009b. Implementing and Continually Improving IT Governance. Rolling Meadows, IL: ISACA.
    ISACA. 2009c. The Risk IT Framework: Risk IT Based on COBIT. Rolling Meadows, IL: ISACA.
    ISACA. 2010. Enterprise Value: Governance of IT Investments. The Val IT Framework 2.0. Rolling Meadows, IL: ISACA.
    ISACA. 2011a. COBIT Mapping: Overview of International IT Guidance. Rolling Meadows, IL: ISACA.
    ISACA. 2011b. COBIT Process Assessment Model (PAM): Using COBIT 4.1. Rolling Meadows, IL: ISACA.
    ISACA. 2011c. Global Status Report on the Governance of Enterprise IT (GEIT) 2011. Rolling Meadows, IL: ISACA.
    ISACA. 2012a. COBIT 5 Implementation. Rolling Meadows, IL: ISACA.
    ISACA. 2012b. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. Rolling Meadows, IL: ISACA.
    Information Systems Audit and Control Foundation (IASCF). 1994. Control Objectives for Information and Related Technology: COBIT. Rolling Meadows, IL: Information Systems Audit and Control Foundation.
    International Organization for Standardization/International Electrotechnical Commission (ISO/IEC). 2008. ISO/IEC 38500 Corporate Governance of Information Technology. Geneva, Switzerland: International Organization for Standardization/International Electrotechnical Commission.
    IT Governance Institute (ITGI). 2000. COBIT. Rolling Meadows, IL: IT Governance Institute.
    IT Governance Institute (ITGI). 2001. Board Briefing on IT Governance. Rolling Meadows, IL: IT Governance Institute.
    IT Governance Institute (ITGI). 2005. COBIT 4. Rolling Meadows, IL: IT Governance Institute.
    IT Governance Institute (ITGI). 2006. IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control over Financial Reporting. 2nd Ed. Rolling Meadows, IL: IT Governance Institute.
    Ives, B., and S. L. Jarvenpaa. 1993. Organizing for global competition: The fit of information technology. Decision Sciences 24 (3): 547-580.
    Janvrin, D. J., E. A. Payne, P. Byrnes, G. P. Schneider, and M. B. Curtis. 2012. The updated COSO Internal Control - Integrated Framework: Recommendations and opportunities for future research. Journal of Information Systems 26 (2): 189-213.
    Kaplan, R. S., and D. P. Norton. 1996. The Balanced Scorecard: Translating Strategy into Action. Boston, MA: Harvard Business School Press.
    Law, C. C. H., and E. W. T. Ngai. 2007. IT infrastructure capabilities and business process improvements: Association with IT governance characteristics. Information Resources Management Journal 20 (4): 25-47.
    Luftman, J. N. 1996. Competing in the Information Age: Strategic Alignment in Practice. Oxford, U.K.: Oxford University Press.
    March, J., and H. Simon. 1958. Organizations. New York, NY: John Wiley.
    O'Connor, N. G., and M. G. Martinsons. 2006. Management of information systems: Insights from accounting research. Information and Management 43 (8): 1014-1024.
    Open Group. 2009. The Open Group Architecture Framework (TOGAF), Version 9. Zaltbommel, The Netherlands: Van Haren Publishing.
    Peterson, R. 2004. Crafting information technology governance. Information Systems Management 21 (4): 7-22.
    Porter, M. E. 1979. How competitive forces shape strategy. Harvard Business Review (March-April): 137-145.
    Porter, M. E. 1985. Competitive Advantage: Creating and Sustaining Superior Performance. New York, NY: Free Press.
    Sambamurthy, V., and R. W. Zmud. 1999. Arrangements for information technology governance: A theory of multiple contingencies. MIS Quarterly 23 (2): 261-290.
    Simons, R. 1990. The role of management control systems in creating competitive advantage: New perspectives. Accounting, Organizations and Society 15 (1/2): 127-143.
    Simons, R. 2000. Performance Measurement and Control Systems for Implementing Strategy. Upper Saddle River, NJ: Prentice Hall.
    Tarafdar, M., and S. Gordon. 2007. Understanding the influence of information systems competencies on process innovation: A resource-based view. The Journal of Strategic Information Systems 16 (4): 353-392.
    Thorp, J. 2003. The Information Paradox. New York, NY: McGraw-Hill Ryerson.
    Tuttle, B., and S. D. Vandervelde. 2007. An empirical examination of CobiT as an internal control framework for information technology. International Journal of Accounting Information Systems 8 (4): 240-263.
    Van Grembergen, W., and S. De Haes. 2009. Enterprise Governance of Information Technology: Achieving Strategic Alignment and Value. New York, NY: Springer.
    Van Grembergen, W., R. Saull, and S. J. De Haes. 2003. Linking the IT balanced scorecard to the business objectives at a major Canadian financial group. Journal for Information Technology Cases and Applications 5 (1): 23-45.
    Van Grembergen, W., S. De Haes, and H. Van Brempt. 2008. Understanding How Business Goals Drive IT Goals. Rolling Meadows, IL: ISACA.
    Venkatraman, N., J. C. Henderson, and S. Oldach. 1993. Continuous strategic alignment: Exploiting information technology capabilities for competitive success. European Management Journal 11 (2): 139-149.
    Weill, P. 1990. Strategic investment in information technology: An empirical study. Information Age 12 (3): 141-147.
    Weill, P. 1992. The relationship between investment in information technology and firm performance: A study of the value-manufacturing sector. Information Systems Research 3 (4): 307-333.
    Weill, P., and J. W. Ross. 2009. IT Savvy: What Top Executives Must Know to Go From Pain to Gain. Boston, MA: Harvard Business School Press.
    Wilkin, C. L., and R. H. Chenhall. 2010. A review of IT governance: A taxonomy to inform accounting information systems. Journal of Information Systems 24 (2): 107-146.
    Zarvic, N., C. Stolze, M. Boehm, and O. Thomas. 2012. Dependency-based IT governance practices in inter-organizational collaborations: A graph-driven elaboration. International Journal of Information Management 32 (6): 541-549.