JOURNAL OF INFORMATION SYSTEMS

Vol. 27, No. 1

Spring 2013
pp. 307324

American Accounting Association

DOI: 10.2308/isys-50422

COBIT 5 and Enterprise Governance of

Information Technology: Building Blocks and
Research Opportunities
Steven De Haes
Wim Van Grembergen
University of Antwerp
Roger S. Debreceny
University of Hawaii at Manoa
ABSTRACT: COBIT, currently in its fifth edition, is a good-practice framework for the
enterprise governance of IT. There is limited academic research that either analyzes
COBIT or leverages COBIT as an instrument in executing research programs. Through
linking core elements and principles of COBIT to insights from IT-related and general
management literature, this paper explores the use of COBIT in future research
activities. This paper positions COBIT as a framework for enterprise governance of IT.
The major directions and core principles of the framework are described. Connections
are made of these directions and principles to the relevant literature. Research questions
for future research around enterprise governance of IT and COBIT 5 are proposed and
discussed.
Keywords: enterprise governance of IT; IT governance; COBIT; business/IT alignment;
balanced scorecard; organizational systems; IT controls.

I. INTRODUCTION

nformation technology (IT) has become crucial in the support, sustainability, and growth of
enterprises. Previously, governing boards and senior management executives could minimize
their involvement in the direction of IT, leaving most decisions to functional management. In
most sectors and industries, such attitudes are now impossible, as enterprises are increasingly
completely dependent on IT for survival and growth. These organizations also face a wide spectrum
of external threats arising from IT including abuse, cybercrime, fraud, errors, and omissions. IT has
the potential to support both existing business strategies, as well as shaping new strategies. IT
increasingly becomes not only a success factor for day-to-day operations, but also as a critical
facilitator for enhancement of competitive advantage (Van Grembergen and De Haes 2009; Weill

We thank Miklos Vasarhelyi (editor) and two anonymous referees for their guidance on an earlier version of this
commentary.
Editors note: Accepted by Miklos A. Vasarhelyi.

Published Online: February 2013

307

308

De Haes, Van Grembergen, and Debreceny

and Ross 2009). Given the centrality of IT for enterprise risk management and value generation, a
specific focus on enterprise governance of IT (EGIT) has arisen over the last two decades (De Haes
and Van Grembergen 2008b; Thorp 2003; Wilkin and Chenhall 2010). Enterprise governance of IT
is an integral part of enterprise governance. EGIT addresses the definition and implementation of
processes, structures, and relational mechanisms in the organization that enable the board and senior
business and IT management to execute their responsibilities in support of risk and value
management (Van Grembergen and De Haes 2009).
Enterprises are increasingly making tangible and intangible investments in improving
enterprise governance of IT. In support of this, enterprises are drawing upon the practical
relevance of generally accepted good-practice frameworks such as COBIT (ISACA 2009a).
COBIT, now in its fifth edition, describes a set of good practices for the board and senior
operational and IT management (ISACA 2012b).1 It sets out a set of controls over information
technology and organizes them around a logical framework of IT-related processes.2 COBIT is
part of a suite of products including: implementation; service management and assurance
guides; low-level practices; and mapping to cognate frameworks and standards. Research
indicates that organizations are adopting COBIT in practice (Debreceny and Gray 2013; ISACA
2011c; Van Grembergen and De Haes 2009). Given COBITs historical origins in the audit
community, there is a particular connection between the COBIT framework and the conduct of
IT assurance. However, there has been limited academic research that leverages or explores
COBIT. Many of the core principles of COBIT build on models, concepts, and theories from
the IT and general management literatures. There are, as a result, opportunities for research that
references and leverages COBIT. In this paper, we discuss how the COBIT 5 framework
embraces concepts from the professional and academic literatures and builds upon earlier
iterations of COBIT. The main contribution of this paper is that it seeks to provide directions
and challenges for undertaking research that draws upon COBIT 5. As such, a principal
objective of the paper is to narrow the gap between academic research and practice.
The paper provides an overview of the directions COBIT is taking and offers suggestions on
research that takes COBIT as its unit of analysis or as a source of models, practices, and knowledge
for the design of research. The paper proceeds as follows. In Section II, the concept of Enterprise
Governance of IT is defined in more detail. COBIT is then positioned as a framework for enterprise
governance of IT. Next, in Section III, the manner by which COBIT 5 embraces insights from the
IT and general management literature is explored. Some directions for future research around
enterprise governance of IT and COBIT are set out in Section IV. Finally, Section V brings some
concluding remarks together.
II. BACKGROUND
This section of the paper provides background on the shape of EGIT, places COBIT within the
historical development of EGIT, and describes some of the core dimensions of the COBIT approach
to IT governance.

1
2

The authors of this paper have been actively engaged in COBIT development over the past decade, including
membership of the COBIT Steering Committee and development teams at various times over the period.
A framework is a set of guiding principles and good practices that are explicitly designed to be adapted by
adopting organizations. Frameworks are distinguished from standards that are designed for monolithic adoption.
Standards are also more typically associated with certification of adopting organizations. Confusingly, some of
the standards promulgated by the International Standards Organization are essentially frameworks (e.g., ISO/
IEC 2008).

Journal of Information Systems

Spring 2013

COBIT 5 and Enterprise Governance of Information Technology

309

Enterprise Governance of IT
The concept of IT governance has been in existence for less than two decades. In the early
1990s key strands of IT governance could be discerned in the academic literature. The first strand
studied alternative forms of organization of the IT function and the impact of those forms on
business outcomes (ITGI 2005; Ives and Jarvenpaa 1993). A second strand explored the nature and
effect of alignment between enterprise consumers of IT services (the business) and the IT
function (Henderson and Venkatraman 1993; Luftman 1996; Venkatraman et al. 1993). A third
strand, inspired by Porters research on strategy and competitive advantage (Porter 1979, 1985),
addressed links between enterprise strategy, investment in IT, and enterprise performance (Andreu
and Ciborra 1996; Chan et al. 1997; Weill 1990, 1992). This strand received considerable impetus
as researchers reacted to research by Brynjolfsson (1993) that pointed to a seeming paradox
between high levels of investment in IT and an absence of evidence on returns on that investment. It
was only in the late 1990s that articles first mentioned IT governance in the title or abstract (e.g.,
Brown 1997; Sambamurthy and Zmud 1999), although these papers mostly focused on debates
about the most effective form of IT organization. In the practitioner arena, ISACA created the IT
Governance Institute (ITGI) (www.itgi.org) in 1998 to promote the IT governance concept. As
explored in more detail shortly, the various publications of ISACA and ITGI explicitly incorporated
IT governance notions in COBIT 3 (ITGI 2000) and the board briefing on IT governance (ITGI
2001).
Current perspectives on enterprise governance of IT see EGIT as an integral part of corporate
governance. The recent ISO/IEC Standard 38500 Corporate Governance of IT defines IT
governance as The system by which the current and future use of IT is directed and controlled.
Corporate governance of IT involves evaluating and directing the use of IT to support the
organization and monitoring this use to achieve plans. It includes the strategy and policies for using
IT within an organization (ISO/IEC 2008). Van Grembergen and De Haes (2009) define EGIT as
the Board overseeing the definition and implementation of processes, structures, and relational
mechanisms in the organization that enable both business and IT to execute their responsibilities in
support of business/IT alignment and the creation of business value from IT enabled investments.
Both definitions indicate clearly that IT governance is the responsibility of governing boards and
that execution lies with senior management.
The IT governance concept has received considerable attention in the academic literature over
the last decade. Wilkin and Chenhall (2010), in a recent survey of IT governance, establish a
taxonomy of IT governance. They see concepts of strategic alignment, performance measurement,
risk management, and value delivery as the most significant enablers of IT governance. Wilkin
and Chenhall (2010) note that broader organizational structures, business processes and
technology, and resource capabilities influence the enablers and by extension IT governance.
Wilkin and Chenhall (2010) see corporate governance as being a primary influence on the shape
of IT governance. This focus on corporate governance was in response to two directions in the
academic and professional communities. First, the increasing importance of corporate governance
in general management and the academic literature influenced research in IT governance, as did
professional guidance in the U.S. (COSO 1992) and its counterparts in other parts of the world.
The Sarbanes-Oxley Act in the U.S. in 2002 provided significant impetus to widespread adoption
of corporate governance methods in the field and a dramatic expansion in the academic literature,
along with specialist journals. Second, the increasing importance of IT in meeting enterprise goals
coupled with the inherent tension in aligning business and IT management has led to a recognition
of the importance of setting IT goals and decision rights at the governance level (i.e., governing
boards) (De Haes and Van Grembergen 2008a; Thorp 2003; Weill and Ross 2009). These forces
initiated a shift in the naming of the concept from IT governance toward enterprise
Journal of Information Systems
Spring 2013

De Haes, Van Grembergen, and Debreceny

310

governance of IT, that focuses on board and senior business management involvement in
strategic and tactical directions for IT.
Origins and Positioning of COBIT
COBIT is an IT governance framework developed by ISACA. Figure 1 shows the major
milestones in the development of COBIT. The COBIT framework arose from initiatives by
members of ISACA in the financial and IT audit communities. These audit professionals confronted
increasingly automated environments. To guide their work, the initial development of COBIT was
as a framework for the execution of IT audit assignments. It was constructed around a
comprehensive set of so-called Control Objectives for IT Processes (IASCF 1994). Over
successive versions, COBIT transitioned toward a broader IT governance and management
framework with management tools including metrics, critical success factors, maturity models, and
tools for the assignment of roles and responsibilities for IT processes. COBIT 4 saw the
development of tools to align business and IT goals and their relationship with supporting IT
processes. COBIT 4 also strengthened the connection with other relevant governance frameworks
and IT frameworks and standards (ITGI 2005). More recently, COBIT was complemented with the
Val IT and Risk IT frameworks (ISACA 2009c, 2010). These addressed the IT-related business
processes and responsibilities in value creation (Val IT) and risk management (Risk IT). In each
case, Val IT and Risk IT drew key concepts and processes from COBIT and added domain-specific
guidance.
In April 2012, COBIT 5 was released, with the concept of enterprise governance of IT as a
foundation (ISACA 2012b). According to ISACA, COBIT 5 provides a comprehensive
framework that assists enterprises to achieve their objectives for the governance and management
of enterprise IT. COBIT 5 enables IT to be governed and managed in a holistic manner for the
whole enterprise, taking in the full end-to-end business and IT functional areas of responsibility,
considering the IT-related interests of internal and external stakeholders (ISACA 2012b). COBIT
5 integrates the knowledge previously dispersed over the three ISACA frameworks, viz: COBIT,
Val IT, and Risk IT (ISACA 2009c, 2010; ITGI 2005). COBIT, to some degree in the fourth edition
and more systematically in the fifth edition, covers the lifecycle of governance, strategic, and
tactical management within the IT domain. The relative roles of several general governance, IT
FIGURE 1
Timeline of COBIT Developments

Journal of Information Systems

Spring 2013

COBIT 5 and Enterprise Governance of Information Technology

311

governance, and IT management frameworks are illustrated in Figure 2, along two dimensions: the
level of abstraction of the framework or standard and the extent to which the framework covers the
lifecycle of IT from design of governance systems through tactical IT management.
General-purpose corporate governance frameworks such as COSO are at a high degree of
abstraction and cover only issues of governance and organization. At the other end of the
continuum, standards such as TickIT (a standard for quality software development), are related only
to a particular aspect of IT. TickIT and other IT standards relate are relevant at the tactical level
within the IT function. Other well-known standards such as ITIL and CMMI relate primarily to
management rather than governance and to tactics rather than strategy (Ahern et al. 2008; Cabinet
Office 2011). In recent releases, both ITIL and CMMI have moved more toward strategy and at
least some aspects of governance.
Concepts of Control in COBIT
The concept of control in COBIT builds on the general literature of management control and
management control systems. Management control theory arose from commerce, particularly with
the development of the private corporation as enterprises grew such that ownership became
separated from management (Berle and Means 1932), and from theories including Fayols general
FIGURE 2
IT-Related Frameworks-Level of Abstraction and Lifecycle of IT

Journal of Information Systems

Spring 2013

312

De Haes, Van Grembergen, and Debreceny

theory of management, organizational theory (Cyert and March 1963; March and Simon 1958), and
the cybernetics of Stafford Beer (Beer 1959, 1972). Earlier views of management control were
strongly influenced by the scientific management approaches of Anthony and others (Anthony
1965) and related primarily to the acquisition and use of resources in pursuit of organizational
objectives. Later, however, management control theory gravitated more toward seeing control as a
suite of tools for achieving the strategic goals of the firm (Simons 1990, 2000). For example,
Simons sees management control as a suite of informal norms and formal processes designed to
bind organizational outcomes to organizational strategic goals.
Simons (1990, 2000) defines four types of formal systems: beliefs systems (formal systems
used by top managers to define, communicate, and reinforce the basic values, purpose, and
direction for the organization), boundary systems (formal systems used by top managers to
establish explicit limits and rules that must be respected), diagnostic control systems (formal
feedback systems used to monitor organizational outcomes and correct deviations from preset
standards of performance), and interactive control systems (formal systems used by top managers
to regularly and personally involve themselves in the decision activities of subordinates).
The view of control within COBIT is broadly in line with Simons perspective. For example,
the definition of control in COBIT 3 is the policies, procedures, practices, and organizational
structures designed to provide reasonable assurance that business objectives will be achieved and
that undesired events will be prevented or detected and corrected (ITGI 2000, 12). The concept of
a control objective is unique to COBIT. It sees the institution of control as leading to a necessary
outcome or end state. As will be discussed in next sections, the word control is not in use in
COBIT 5 and is replaced by good practices. These are in highly active and prescriptive language,
and their debt to the former COBIT control objectives assumptions is clear. These new good
practices are defined as a proven activity or process that has been successfully used by multiple
enterprises and has been shown to produce reliable results (ISACA 2012b).
III. MAJOR DIRECTIONS IN COBIT 5
This section analyzes and places in context some of the key directions taken in COBIT 5. This
provides a foundation for development of a set of research questions. First, the COBIT 5 framework
is built around five core principles: (1) meeting stakeholder needs; (2) covering the enterprise
end-to-end; (3) applying a single, integrated framework; (4) enabling a holistic approach; and (5)
separating governance from management. This section discusses each of these principles and relates
them to concepts and insights from the general management, accounting, and IT literatures. Second,
consideration of implementing COBIT now has a more central role in the framework. Third,
COBIT made significant changes in the measurement of IT process maturity, changing the concept
to process capability. This change aligns COBIT with the ISO/IEC 15504 standard. Finally,
changes in the domain and process structure of the framework are reviewed.
Meeting Stakeholder Needs: Strategic Business/IT Alignment
According to ISACA, Principle 1 (Meeting Stakeholder Needs) implies that COBIT 5 provides
all of the required processes and other enablers to support business value creation and risk
management through use of IT. This principle closely links to the notion of strategic alignment
initiated by Henderson and Venkatraman (1993). The idea behind strategic alignment between the
board, operational management, and IT is comprehensive and has been present in the COBIT
framework from the outset. However, the challenge is how organizations can achieve alignment.
The COBIT framework is large and complex. It normally will take some years for full adoption
even for a relatively small enterprise. Some of the important issues that the board and management
must address include: Which processes should be managed with COBIT? In which order should
Journal of Information Systems
Spring 2013

COBIT 5 and Enterprise Governance of Information Technology

313

those processes be introduced and developed? How deep should the investment be in implementing
the suite of processes? The COBIT 5 development team undertook research to understand how
enterprise goals drive IT-related goals and vice versa. These research projects used in-depth
interviews in different sectors together with Delphi surveys of subject matter experts. This research
established a generic list of enterprise goals, IT-related goals, and their inter-relationship or
cascade. This cascade now constitutes the core entry point for COBIT 5. In COBIT 5, there is an
explicit assumption that organizations should commence by analyzing their business/IT alignment
state through definition of enterprise goals, linking those goals to IT-related goals and subsequently
to the IT processes within COBIT (De Haes and Van Grembergen 2010; Van Grembergen et al.
2008).
In the goals cascade, enterprise and IT-related goals are categorized into financial, customer,
internal, and learning and growth perspectives (Figure 3). This follows the commonly accepted
dimensions of balanced scorecard analysis. Each perspective holds a number of commonly
referenced goals in organizations in that area based on earlier executed exploratory research (Van
Grembergen et al. 2008). Next, primary (P) and secondary (S) relationships between enterprise and
IT-related goals are provided, based on experts opinions. These relationships indicate how
enterprise goals drive IT-related goals and/or how IT-related goals support enterprise goals. As an
illustration of this cascade, Figure 4 shows that the enterprise goal of External compliance with
laws and regulation requires a primary focus (P) on the IT-related goals of IT compliance and
support for business compliance with external laws and regulations and security of information
and processing infrastructure. When adopting COBIT 5, organizations will take the weighted
importance of IT-related goals to guide them in deciding which subset of the frameworks 37 IT
processes are the most important for early adoption.
Meeting Stakeholder Needs: The Balanced Scorecard
To verify whether stakeholder needs are indeed being met, a sound measurement process needs
to be established (Elbashir et al. 2008; Hyvonen 2007; OConnor and Martinsons 2006).
Traditional performance methods such as return on investment (ROI) capture the financial worth of
IT projects and systems, but reflect only a limited part of the value that can be delivered by IT
(Davern and Wilkin 2010; Van Grembergen and De Haes 2009). COBIT builds on balanced
FIGURE 3
Cascade of Enterprise Goals and IT-Related Goalsa

Source: COBIT 5.
a
P: Primary goal; S: Secondary goal.

Journal of Information Systems

Spring 2013

De Haes, Van Grembergen, and Debreceny

314

FIGURE 4
Primary and Secondary IT Goals for Enterprise Goal External Compliance with Laws and
Regulation

Source: COBIT 5.
a
P: Primary goal; S: Secondary goal.

scorecard concepts as developed by Kaplan and Norton (1996), and as adapted for the IT domain
(Hu and Huang 2006; Van Grembergen et al. 2003).
COBIT 5 provides outcome measures at the IT process level. Figure 5 shows an example for
the process of Managing Security, providing specific process goals and related metrics.
Consolidation of these metrics at the enterprise, IT-related, and COBIT process levels, enables
organizations to build a comprehensive scorecard for the entire IT environment. This allows
organizations to develop a measurement instrument to verify meeting of stakeholder needs.
Covering the Enterprise End-to-End
The second principle (Covering the Enterprise End- to-End) articulates that COBIT 5 covers all
functions and processes within the enterprise. COBIT 5 does not focus only on the IT function,
but treats information and related technologies as assets or capabilities that need examination along
with other assets in the enterprise. This perspective aligns with Weill and Ross (2009) on the notion
FIGURE 5
Balanced Scorecard Metrics for the Security Process

Source: COBIT 5.

Journal of Information Systems

Spring 2013

COBIT 5 and Enterprise Governance of Information Technology

315

of IT Savviness and the resource-based view and capabilities literatures (Andreu and Ciborra
1996; Feeny and Willcocks 1998; Law and Ngai 2007; Tarafdar and Gordon 2007). Weill and Ross
clarify the need for general business management to take ownership of, and accountability for,
governing the use of IT in creating value from IT-enabled business investments. In many
organizations, this implies a crucial shift in attitudes and behavior of general business and IT
management as well as the governing board. As Weill and Ross (2009) note: If senior managers do
not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical
initiatives with no clear impact on organizational capabilities. IT becomes a liability instead of a
strategic asset.
Related to this discussion, COBIT 5 encompasses both IT processes and IT-related business
processes. Collaboration and reciprocal relationships and task dependencies between business
management, IT management, and external parties is an important element of IT governance (Cragg
et al. 2011; Zarvic et al. 2012). COBIT 5 provides RACI charts (Responsible, Accountable,
Consulted, Informed) in which both business and IT roles are included. To illustrate this, Figure 6
provides an example RACI chart for the process Manage Service Agreements. This RACI chart
indicates that for the SLA process, both business and IT functions have primary (P) and secondary
(S) accountabilities and responsibilities.
Applying a Single, Integrated Framework: COBIT, Risk IT, and Val IT
Principle 3 (Applying a Single, Integrated Framework) explains that COBIT 5 aligns at a high
level with other relevant standards and frameworks. It can thus serve as the overarching framework
for governance and management of enterprise IT. COBIT 5 integrates all of the previous ISACA IT
FIGURE 6
End-to-End Responsibility in Managing Service Agreements

Source: COBIT 5.

Journal of Information Systems

Spring 2013

316

De Haes, Van Grembergen, and Debreceny

governance materials in COBIT 4, Val IT, and Risk IT (ISACA 2007, 2009c, 2010). In this
overarching approach, COBIT identifies 37 IT processes spread over governance and management
domains. The five governance processes are the boards responsibilities in IT covering the setting of
the governance framework, responsibilities in terms of value (e.g., investment criteria), risks (e.g.,
risk appetite), resources (e.g., resource optimization), and providing transparency regarding IT to
the stakeholders. We return to governance later in this section. In the management domain, there are
four subdomains: Align, Plan, and Organize (APO); Build, Acquire and Implement (BAI);
Deliver, Service, and Support (DSS); and Monitor, Evaluate and Assess (MEA). The domain
APO concerns the identification of how IT can best contribute to the achievement of business
objectives. A management framework is required and specific processes related to the IT strategy
and tactics, enterprise architecture, innovation, and portfolio management. Other important
processes in this domain address the management of budgets and costs, human resources,
relationships, service agreements, suppliers, quality, risk, and security.
The domain BAI makes the IT strategy concrete through identifying, in detail, the requirements
for IT and managing the investment program and projects. This domain further considers managing
capacity, organizational change, IT changes, acceptance and transitioning, knowledge, assets, and
configurations. The domain Delivery, Service and Support (DSS) refers to the actual delivery of
required IT services. It contains processes on managing operations, service requests and incidents,
problems, continuity, security services, and business process controls. The fourth management
domain, MEA, includes those processes that are responsible for the quality assessment in
compliance with the control requirements for all previously mentioned processes. It addresses
performance management, monitoring of internal control, and regulatory compliance (ISACA
2012b).
COBIT 5 emphasizes the requirement of general business management being accountable for
managing IT. Processes that address specific business roles are APO3: Manage Enterprise
Architecture, APO4: Manage Innovation, and BAI05: Manage Organizational Change. A specific
process on business process controls (application controls) is included (DSS06: Manage Business
Process Controls).
Enabling a Holistic Approach: Organizational Systems
The fourth principle (Enabling a Holistic Approach) explains that efficient and effective
implementation of governance and management of enterprise IT requires a holistic approach. This
approach takes into account several interacting components: processes, organizational structures,
and human resources. This implementation challenge is related to what is described in the strategic
management literature as the need for an organizational system, i.e., the way a firm gets its people
to work together to carry out the business (De Wit and Meyer 2005). Such an organizational
system requires the definition and application of structures (e.g., organizational units and functions)
and processes (to ensure tasks are coordinated and integrated), and attention to people and relational
aspects (e.g., culture, values, joint beliefs).
Peterson (2004) and De Haes and Van Grembergen (2009) have applied this organizational
system theory to EGIT. Organizations can and are deploying EGIT by using a mixture of various
structures, processes, and relational mechanisms. EGIT structures include organizational units and
roles responsible for making IT decisions and for enabling contacts between business and IT
management decision-making functions (e.g., IT steering committees). EGIT processes refer to the
formalization and institutionalization of strategic IT decision making and IT monitoring procedures,
to ensure that day-to-day outcomes are consistent with policies and provide a feedback loop (e.g.,
IT balanced scorecard). These relational mechanisms are ultimately about the active participation
Journal of Information Systems
Spring 2013

COBIT 5 and Enterprise Governance of Information Technology

317

of, and collaborative relationship among the board, senior corporate executives, IT management,
and business management.
COBIT 5 builds on these insights and incorporates formal discussion on so-called Enablers
in its framework. These are factors that, individually and collectively, influence whether something
will workin this case, governance and management over enterprise IT. The framework describes
seven categories of enablers, of which the processes, organizational structures, and culture,
behavior, and ethics closely relate to the organizational systems concept.
Separating Governance from Management
Finally, Principle 5 is about the distinction COBIT 5 makes between governance and
management. This draws heavily on the guidance in the ISO/IEC standard on Corporate
Governance of IT (ISO 38500) (ISO/IEC 2008) and general governance frameworks such as
COSO. There were governance elements within earlier versions of COBIT but they were mixed in
with management aspects. In COBIT 5, the organization of governance processes follows the EDM
model (EvaluateDirectMonitor) as set out in ISO 38500. IT governance processes are the
responsibility of the board of directors and ensure that enterprise objectives are achieved by
evaluating stakeholder needs; setting direction through prioritization and decision making; and
monitoring performance, compliance, and progress against plans. Based on these governance
activities, business and IT management plans, builds, runs, and monitors activities (a COBIT
translation of Demings PDCA circle Plan, Do, Check, Act) in alignment with the direction set by
the governance body to achieve enterprise objectives.
Implementing Enterprise Governance of IT
Another important change in COBIT 5 is close attention to the challenges of implementing
EGIT within the enterprise. ISACA had previously provided systematic guidance on implementing
IT governance (ISACA 2009a, 2009b) but this guidance was separate from the core COBIT
framework. As a result, the adopting organizations often overlooked the considerable challenges of
implementation of COBIT. The guidance on implementation has been updated (ISACA 2012a) but
now, however, the core messages from this guidance are incorporated into the COBIT framework.
The guidance sets out a seven-stage lifecycle for implementing EGIT, from EGIT program
initiation to review of effectiveness and sustaining the implementation. Core messages from the
guidance include the need to build an appropriate environment for the changes involved in
implementing EGIT, and recognizing the critical importance of building a realistic business case for
undertaking EGIT.
Process Maturity and Process Capability
Process maturity has been a core component of COBIT for more than a decade. Determining
the level of process maturity for given processes allows organizations to determine which processes
are essentially under control and those that represent potential management challenges (Weill
1992). Assessment of process maturity is arguably a necessary condition for implementation of
EGIT. The concept of process maturity in earlier versions of COBIT was adopted and adapted from
the Software Engineering Institutes Capability Maturity Model (Debreceny and Gray 2013). In
COBIT 5, process maturity has been replaced by the concept of process capability (ISACA 2011b),
based on the ISO/IEC 15504 (SPICE) standard Information TechnologyProcess Assessment.
A benefit of this assessment model is the improved focus on confirming that a given process is
actually achieving its purpose and delivering the required outcomes as expected. Indeed, a
requirement to meet level one of the five-level maturity model under COBIT 5 is that the
Journal of Information Systems
Spring 2013

De Haes, Van Grembergen, and Debreceny

318

implemented process achieves its process purpose and at level two, the process is implemented
in a managed fashion (planned, monitored, and adjusted), and its work products are appropriately
established, controlled, and maintained. These can be challenging for organizations to demonstrate
and, as a result, process maturity levels under the new assessment model will be considerably lower
than under the earlier CMM-based process maturity model in COBIT 4. This may present some
implementation challenges.
IV. COBIT 5 AND RESEARCH OPPORTUNITIES
This section builds on the previous sections that sought to develop an understanding of core
principles and concepts in COBIT 5 to explore potential new research opportunities. Wilkin and
Chenhall (2010) set out some 20 research questions across various domains in their IT governance
taxonomy (strategic alignment, value delivery, risk management, resource management, and
performance measurement). Our objective is to complement Wilkin and Chenhall by pointing to
research that (1) investigates COBIT as an artifact; (2) sees COBIT within an ecosystem of
competing and complementary frameworks and standards; or (3) uses COBIT as a common
measurement foundation for investigation of some particular aspect of EGIT or cognate areas of
inquiry such as IT audit and assurance.
Researching COBIT as an Artifact
COBIT and its associated suite of products is a large, multifaceted, and complex set of
guidance. The content in COBIT is considerably more complex than COSO or the high-level
frameworks such as ISO/IEC 38500. COBIT is systematically designed to encompass the complete
investment lifecycle, with both governance and management aspects. This complexity gives rise to
the need for research on COBIT as an artifact.
The Quality and Consistency of COBIT as an Artifact
There is a need to investigate COBITs intellectual foundations, design, applicability, and
internal consistency, or lack thereof. For example, COBIT 5 integrates three significant but related
frameworks covering IT governance and management (COBIT), value generation (Val IT), and risk
management (Risk IT). This integration is a major undertaking and the success of this integration is
not yet clear. An example of research on COBIT as an artifact is Boritz (2005), who considered
notions of information integrity in COBIT, other practice frameworks, and the academic literature.
Boritz (2005), after surveying practitioners, concluded that the way information attributes and
information integrity were established in COBIT should be significantly modified to incorporate
information. The Boritz study is the only research that systematically investigates the design of any
aspect of COBIT. There is a clear need for additional research.
The Association between Prescription and Real-World Conditions
COBIT and other similar frameworks are drawn from good practice in the field and are
essentially prescriptive. The quality of this prescription is only as good as the process of
identification of good practice. The various iterations of COBIT are based on (1) original research,
(2) widespread use of experts in workshops and workgroups, and (3) input from cognate standards
and frameworks. This approach is, necessarily, only a partial sampling of real-world conditions.
Tuttle and Vandervelde (2007) research the applicability of COBIT 3 as an internal control
framework for the financial statement audit and find that COBIT can be employed in this manner.
There is a need for research to understand the relationship between COBITs prescriptions and realworld conditions.
Journal of Information Systems
Spring 2013

COBIT 5 and Enterprise Governance of Information Technology

319

COBIT as a Framework
COBIT is a framework rather than a standard and, as a result, is designed to be adapted by
adopting organizations. Yet, little is known as to which components of the framework are necessary
to be retained in order for adoption to still be effective. This applies both horizontally (choice of
processes) and vertically (components including process capability, RACI charts, etc.). For example:



Could it be feasible to adopt COBIT with only the five processes at the governance layer,
shorn of RACI charts, process capability modeling, and other core COBIT attributes?
Could COBIT be used only by the board and audit committee and still be functional?

Researching COBIT within an Ecosystem of Competing and Complementary Frameworks

A core principle of the design of COBIT 5 is to align systematically with cognate frameworks
and standards. These include governance frameworks of higher abstraction (e.g., ISO/IEC 2008)
and more specific frameworks that are positioned at the level of IT-related management (e.g.,
TOGAF [Open Group 2009]). Understanding how COBIT operates in an ecosystem of competing
and collaborating frameworks is an important area of research.
The Relationship between COBIT, COSO, ISO/IEC 38500, and Other Governance Frameworks
ISACA has made a major investment over the years in mapping COBIT to other frameworks,
with detailed mappings of COBIT 4 to ten other frameworks including COSO, ITIL, PMBOK, and
TOGAF (ISACA 2011a). There is no academic research about the inter-operation of these
relationships. Questions include:



How does an enterprise manage multiple frameworks and standards?

How do enterprises measure and manage performance across multiple frameworks and
standards?

The Board of Directors Involvement in Enterprise Governance of IT

As we discuss above, there is strong influence upon COBIT from general governance
frameworks, including the COSO internal control framework, and from ISO/IEC 38500. COBIT 5
clearly distinguishes between governance and management. Limited research is available on how
boards are taking up responsibility for governing and monitoring IT. From analysis of annual
reports and Managements Discussion and Analyses (MD&As), or through case, field study, or
survey research, it would be interesting to understand whether the board is taking up the five areas
of responsibility as discussed in COBIT:




Which of the five governance processes are really taken up by boards?

What are boards reporting on their IT governance roles in the annual report?
What is the relationship between boards involvement and IT governance performance?

COBIT 5 and the Audit of Internal Controls

In the U.S. context, the Sarbanes-Oxley Act requires that SEC registrants certify whether there
are material weaknesses in internal control, as lined up against a control framework. Larger
registrants must have their internal controls audited. While the Sarbanes-Oxley Act does not
mandate a single internal control framework, effectively all registrants choose the COSO
framework. The COSO framework includes some limited commentary on the role of information
technology in maintaining internal controls and the exposure draft for a revised version of COSO
makes this link even stronger (Janvrin et al. 2012). It is now seven years since a customized version
Journal of Information Systems
Spring 2013

De Haes, Van Grembergen, and Debreceny

320

of COBIT for IT control objectives under the Sarbanes-Oxley act was promulgated by ISACA
(ITGI 2006). Research questions include:



What role does COBIT play in support of internal and external audit programs?
COSO makes explicit mention of application controls. Business application controls are now
more central in COBIT 5. To what extent does the guidance on business application controls
in both COBIT and COSO correlate? What are the practical applications and use of this
guidance?

COBIT as a Common Measurement Foundation

COBIT provides good practice guidance for the complete lifecycle of IT investment. It comes
with a suite of management tools together with supporting guidance. COBIT offers, then, a
foundation for measurement of a wide variety research on EGIT. Debreceny and Gray (2013) draw
explicitly on the IT processes and process maturity components of COBIT 4 in a large international
field study. Similar research can allow us to both understand the EGIT landscape and validate the
design of COBIT.
Alignment of Enterprise and IT-Related Goals
The concept of business/IT alignment is not new, but it is still high on the agenda of many
organizations. Building on the strategic alignment model of Henderson and Venkatraman (1993) and
original research (Van Grembergen et al. 2008), COBIT provides an approach on how to define
enterprise goals and IT-related goals. It will be important to understand how robust this relationship
is. Case study research could reveal whether organizations are clearly articulating enterprise goals and
IT-related goals, and the degree to which these goals are symbiotic. Specific questions can include:




Are businesses clearly articulating their priorities to IT?

Is IT pro-actively engaged in the business strategic discussion?
Is the business involved in defining the IT-related goals?

How Do Organizations Measure the Performance of IT?

Measuring the value of IT is a complex challenge. As COBIT leverages the balanced scorecard
insights, it provides a reference to build conceptual measurement frameworks for IT as a whole or
for specific processes of IT. Research projects could work on building such conceptual frameworks
based on COBIT, and then validate whether such measurements instruments are in use and
optimized based on empirical findings. Examples of specific questions are:




Are organizations using COBIT to build balanced scorecards?

Are the metrics in COBIT 5 usable for practice?
How are enterprises organizing the performance management process?

How Involved Is the Business in Enterprise Governance of IT?

There is an emphasis in COBIT 5 on establishing end-to-end responsibilities in governing and
managing IT assets and capabilities. The RACI charts in COBIT 5 provide usable templates for
analysis of whether general business management is taking up their IT-related responsibilities.
Research questions include:



Are business managers aware of the responsibilities as assigned in the COBIT 5 RACI
charts?
Do business managers take up the responsibilities as assigned in the COBIT 5 RACI charts?
Journal of Information Systems
Spring 2013

COBIT 5 and Enterprise Governance of Information Technology



321

What are enablers and inhibitors for business managers to take up the responsibilities as
assigned in the COBIT 5 RACI charts?

How Are Organizations Implementing Enterprise Governance of IT?

Enterprises increasingly recognize the importance of EGIT. Many organizations struggle with
implementing and embedding these governance practices into their organizations. Through case and
survey research, it will be vital to verify how organizations are adopting EGIT. Building on
organizational systems theory, COBIT 5 can be a foundation for interview and survey protocols.
Some specific questions are:




Which COBIT 5 processes and related practices/structures are most adopted in

organizations?
Which COBIT 5 processes and related practices/structures are perceived as being most
effective?
Which COBIT 5 processes and related practices/structures are perceived as being easy/
difficult to implement?
V. SUMMARY AND CONCLUSION

Over the last two decades, the role of information technology in organizations has changed
from primarily a supportive and transactional function to being an essential prerequisite for strategic
value generation. Further, while IT plays an important role in mitigating enterprise risk, information
technologies also create risks. These risks include potential monetary losses, reduction in
operational capability and, particularly important in an increasingly networked world, losses to
enterprise reputation. The increased focus on IT for value generation as well as meeting compliance
obligations in a host of industries has resulted in enhanced board and senior management attention
to IT. The early 1990s saw introduction of the term IT governance, now increasingly and
appropriately rebranded in the professional and academic literatures as the Enterprise Governance
of IT (EGIT).
Over a similar period, ISACA has promulgated five versions of the good practice EGIT
framework, COBIT. The IT audit community was a strong influence on the first version in 1996. It
served as a blueprint for conducting audits of IT functions. COBIT has matured and adapted to
changes in the external environment. The latest iteration, COBIT 5, includes several important
developments influenced by changes in the external environment and by new and revised
frameworks to which COBIT aligns. First, there is a distinct separation between governance and
management. The new governance domain has five processes that would be in the hands of the
board and the most senior management. Second, COBIT 5 integrates the guidance in COBIT 4, Val
IT, and Risk IT. Third, the important contribution that IT makes in achievement of organizational
goals is central to the framework. Fourth, assessment of process maturity, a core metric in COBIT,
now aligns with international standards. Fifth, responding to the challenges of adoption of
governance frameworks such as COBIT has been more directly integrated in the framework.
COBIT is a complete and overarching governance and management framework that benefits
from many years of experience and alignment with other frameworks and standards. Yet there is
little academic research that leverages COBIT as an instrument in executing research programs.
Through clearly indicating how the core elements of COBIT 5 are built on IT and general
management insights, this paper contributes to the exploration of the use of COBIT in future
research activities. A catalog of potential research questions is provided that (1) investigates COBIT
as an artifact; (2) sees the framework within an ecosystem of competing and complementary
frameworks and standards; or (3) uses it as a common measurement foundation for investigation of
Journal of Information Systems
Spring 2013

De Haes, Van Grembergen, and Debreceny

322

some particular aspect of EGIT or cognate areas of inquiry such as IT audit and assurance. These
research questions can be a source of inspiration for researchers in this field. There are many
research opportunities on EGIT and aligned research domains. Finally and probably most
importantly, these opportunities have implications for both theory and practice.

REFERENCES
Ahern, D. M., A. Clouse, and R. Turner. 2008. CMMI Distilled: A Practical Introduction to Integrated
Process Improvement. 3rd edition. Boston, MA: Addison-Wesley.
Andreu, R., and C. Ciborra. 1996. Organizational learning and core capabilities development: The role of
IT. Journal of Strategic Information Systems 5 (2): 111127.
Anthony, R. N. 1965. Planning and Control Systems: A Framework for Analysis. Boston, MA: Division of
Research, Graduate School of Business Administration, Harvard University.
Beer, S. 1959. Cybernetics and Management. London, U.K.: English Universities Press.
Beer, S. 1972. Brain of the Firm. London, U.K.: The Penguin Press.
Berle, A. A., and G. C. Means. 1932. The Modern Corporation and Private Property. New York, NY: The
Macmillan Company.
Boritz, J. E. 2005. IS practitioners views on core concepts of information integrity. International Journal of
Accounting Information Systems 6 (4): 260279.
Brown, C. 1997. Examining the emergence of hybrid IS governance solutions: Evidence from a single case
site. Information Systems Research 8 (1): 6994.
Brynjolfsson, E. 1993. The productivity paradox of information technology. Communications of the ACM
36 (12): 6677.
Cabinet Office. 2011. ITIL Lifecycle Suite. London, U.K.: The Stationery Office.
Chan, Y. E., S. L. Huff, D. W. Barclay, and D. G. Copeland. 1997. Business strategic orientation,
information systems strategic orientation, and strategic alignment. Information Systems Research:
ISR: A Journal of the Institute of Management Sciences 8 (2): 125150.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control
Integrated Framework. New York, NY: Committee of Sponsoring Organizations of the Treadway
Commission.
Cragg, P., M. Caldeira, and J. Ward. 2011. Organizational information systems competences in small and
medium-sized enterprises. Information and Management 48 (8): 353363.
Cyert, R. M., and J. G. March. 1963. A Behavioral Theory of the Firm. Englewood Cliffs, NJ: Prentice Hall,
Inc.
Davern, M. J., and C. L. Wilkin. 2010. Towards an integrated view of IT value measurement. International
Journal of Accounting Information Systems 11 (1): 4260.
De Haes, S., and W. Van Grembergen. 2008a. Analyzing the Relationship between IT Governance and
Business/IT Alignment Maturity. Proceedings of the 41st Hawaii International Conference on System
Sciences, Kailua-Kona, HI, Shidler College of Business, University of Hawaii at Manoa.
De Haes, S., and W. Van Grembergen. 2008b. An exploratory study into the design of an IT governance
minimum baseline through Delphi research. Communications of AIS 22: 443458.
De Haes, S., and W. Van Grembergen. 2009. An exploratory study into IT governance implementations and
its impact on business/IT alignment. Information Systems Management 26 (2): 123137.
De Haes, S., and W. Van Grembergen. 2010. Analyzing the impact of enterprise governance of IT practices
on business performance. International Journal on IT/Business Alignment and Governance 1 (1): 14
38.
De Wit, B., and R. Meyer. 2005. Strategy Synthesis: Revolving Strategy Paradoxes to Create Competitive
Advantage. London, U.K.: Cengage Learning EMEA.
Debreceny, R. S., and G. L. Gray. 2013. IT governance and process maturity: A multinational field study.
Journal of Information Systems 27 (1).
Journal of Information Systems
Spring 2013

COBIT 5 and Enterprise Governance of Information Technology

323

Elbashir, M. Z., P. A. Collier, and M. J. Davern. 2008. Measuring the effects of business intelligence
systems: The relationship between business process and organizational performance. International
Journal of Accounting Information Systems 9 (3): 135153.
Feeny, D., and L. Willcocks. 1998. Core IS capabilities for exploiting information technology. Sloan
Management Review 39 (3): 921.
Henderson, J. C., and N. Venkatraman. 1993. Strategic alignment: Leveraging information technology for
transforming organizations. IBM Systems Journal 32 (1): 416.
Hu, Q., and C. D. Huang. 2006. Using the balanced scorecard to achieve sustained IT-business alignment:
A case study. Communications of AIS 17: 245.
Hyvonen, J. 2007. Strategy, performance measurement techniques, and information technology of the firm
and their links to organizational performance. Management Accounting Research 18 (3): 343366.
ISACA. 2007. COBITt 4.1. Rolling Meadows, IL: ISACA.
ISACA. 2009a. Building the Business Case for COBITt and Val ITe: Executive Briefing. Rolling
Meadows, IL: ISACA.
ISACA. 2009b. Implementing and Continually Improving IT Governance. Rolling Meadows, IL: ISACA.
ISACA. 2009c. The Risk IT Framework: Risk IT Based on COBIT. Rolling Meadows, IL: ISACA.
ISACA. 2010. Enterprise Value: Governance of IT Investments. The Val IT Framework 2.0. Rolling
Meadows, IL: ISACA.
ISACA. 2011a. COBIT Mapping: Overview of International IT Guidance. Rolling Meadows, IL: ISACA.
ISACA. 2011b. COBITt Process Assessment Model (PAM): Using COBITt 4.1. Rolling Meadows, IL:
ISACA.
ISACA. 2011c. Global Status Report on the Governance of Enterprise IT (GEIT)2011. Rolling Meadows,
IL: ISACA.
ISACA. 2012a. COBIT 5 Implementation. Rolling Meadows, IL: ISACA.
ISACA. 2012b. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.
Rolling Meadows, IL: ISACA.
Information Systems Audit and Control Foundation (IASCF). 1994. Control Objectives for Information and
Related Technology: COBIT. Rolling Meadows, IL: Information Systems Audit and Control
Foundation.
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC). 2008.
ISO/IEC 38500 Corporate Governance of Information Technology. Geneva, Switzerland:
International Organization for Standardization/International Electrotechnical Commission.
IT Governance Institute (ITGI). 2000. COBIT. Rolling Meadows, IL: IT Governance Institute.
IT Governance Institute (ITGI). 2001. Board Briefing on IT Governance. Rolling Meadows, IL: IT
Governance Institute.
IT Governance Institute (ITGI). 2005. COBITt 4. Rolling Meadows, IL: IT Governance Institute.
IT Governance Institute (ITGI). 2006. IT Control Objectives for Sarbanes-Oxley: The Role of IT in the
Design and Implementation of Internal Control over Financial Reporting. 2nd Ed. Rolling Meadows,
IL: IT Governance Institute.
Ives, B., and S. L. Jarvenpaa. 1993. Organizing for global competition: The fit of information technology.
Decision Sciences 24 (3): 547580.
Janvrin, D. J., E. A. Payne, P. Byrnes, G. P. Schneider, and M. B. Curtis. 2012. The updated COSO Internal
ControlIntegrated Framework: Recommendations and opportunities for future research. Journal of
Information Systems 26 (2): 189213.
Kaplan, R. S., and D. P. Norton. 1996. The Balanced Scorecard: Translating Strategy into Action. Boston,
MA: Harvard Business School Press.
Law, C. C. H., and E. W. T. Ngai. 2007. IT infrastructure capabilities and business process improvements:
Association with IT governance characteristics. Information Resources Management Journal 20 (4):
2547.
Luftman, J. N. 1996. Competing in the Information Age: Strategic Alignment in Practice. Oxford, U.K.:
Oxford University Press.
March, J., and H. Simon. 1958. Organizations. New York, NY: John Wiley.
Journal of Information Systems
Spring 2013

324

De Haes, Van Grembergen, and Debreceny

OConnor, N. G., and M. G. Martinsons. 2006. Management of information systems: Insights from
accounting research. Information and Management 43 (8): 10141024.
Open Group. 2009. The Open Group Architecture Framework (TOGAF), Version 9. Zaltbommel, The
Netherlands: Van Haren Publishing.
Peterson, R. 2004. Crafting information technology governance. Information Systems Management 21 (4):
722.
Porter, M. E. 1979. How competitive forces shape strategy. Harvard Business Review (March-April): 137
145.
Porter, M. E. 1985. Competitive Advantage: Creating and Sustaining Superior Performance. New York,
NY: Free Press.
Sambamurthy, V., and R. W. Zmud. 1999. Arrangements for information technology governance: A theory
of multiple contingencies. MIS Quarterly 23 (2): 261290.
Simons, R. 1990. The role of management control systems in creating competitive advantage: New
perspectives. Accounting, Organizations and Society 15 (1/2): 127143.
Simons, R. 2000. Performance Measurement and Control Systems for Implementing Strategy. Upper
Saddle River, NJ: Prentice Hall.
Tarafdar, M., and S. Gordon. 2007. Understanding the influence of information systems competencies on
process innovation: A resource-based view. The Journal of Strategic Information Systems 16 (4):
353392.
Thorp, J. 2003. The Information Paradox. New York, NY: McGraw-Hill Ryerson.
Tuttle, B., and S. D. Vandervelde. 2007. An empirical examination of CobiT as an internal control
framework for information technology. International Journal of Accounting Information Systems 8
(4): 240263.
Van Grembergen, W., and S. De Haes. 2009. Enterprise Governance of Information Technology: Achieving
Strategic Alignment and Value. New York, NY: Springer.
Van Grembergen, W., R. Saull, and S. J. De Haes. 2003. Linking the IT balanced scorecard to the business
objectives at a major Canadian financial group. Journal for Information Technology Cases and
Applications 5 (1): 2345.
Van Grembergen, W., S. De Haes, and H. Van Brempt. 2008. Understanding How Business Goals Drive IT
Goals. Rolling Meadows, IL: ISACA.
Venkatraman, N., J. C. Henderson, and S. Oldach. 1993. Continuous strategic alignment: Exploiting
information technology capabilities for competitive success. European Management Journal 11 (2):
139149.
Weill, P. 1990. Strategic investment in information technology: An empirical study. Information Age 12 (3):
141147.
Weill, P. 1992. The relationship between investment in information technology and firm performance: A
study of the value-manufacturing sector. Information Systems Research 3 (4): 307333.
Weill, P., and J. W. Ross. 2009. IT Savvy: What Top Executives Must Know to Go From Pain to Gain.
Boston, MA: Harvard Business School Press.
Wilkin, C. L., and R. H. Chenhall. 2010. A review of IT governance: A taxonomy to inform accounting
information systems. Journal of Information Systems 24 (2): 107146.
Zarvic, N., C. Stolze, M. Boehm, and O. Thomas. 2012. Dependency-based IT governance practices in
inter-organizational collaborations: A graph-driven elaboration. International Journal of Information
Management 32 (6): 541549.

Journal of Information Systems

Spring 2013