
Adoption and Impact of IT Governance and Management Practices: A COBIT 5 Perspective

Article in International Journal on IT/Business Alignment and Governance · January 2016


DOI: 10.4018/IJITBAG.2016010104


4 authors:

Steven De Haes, University of Antwerp
Tim Huygh, Open Universiteit Nederland
Anant Joshi, Maastricht University
Wim Van Grembergen, University of Antwerp


All content following this page was uploaded by Tim Huygh on 24 December 2020.



Adoption and Impact of IT Governance and Management Practices: A
COBIT 5 Perspective

Steven De Haes – Tim Huygh – Anant Joshi – Wim Van Grembergen

Abstract
This paper empirically investigates how adoption of IT governance and management
processes, as identified in the IT governance framework COBIT 5, relates to the level of IT-
related goals achievement, which in turn is associated with the level of enterprise goals
achievement. Simultaneously, this research project provides an international benchmark on
how organizations are currently adopting the governance and management processes as
identified in COBIT 5. The findings suggest that organizations are best at adopting the “IT
factory” related management processes and that implementation scores drop in management
and governance processes when more business and board involvement is required.
Additionally, there are significant differences in perceived implementation maturity of COBIT
5 processes between SME’s and larger organizations. Also, the data offers empirical evidence
that the COBIT 5 processes have a positive association with enterprise value creation.

Keywords: Enterprise governance and management of IT, COBIT 5, enterprise goals

1. Introduction
In today’s competitive business environment, organizations are relying heavily on IT for
business value creation (Anderson, Banker, & Ravindran, 2006; Chari, Devaraj, & David, 2008;
Kohli & Grover, 2008). This leads to an increased focus on the governance and management
of IT (De Haes & Van Grembergen, 2015; Wilkin & Chenhall, 2010), required to ensure that the
expected business value creation is effectively realized and the associated risks are under
control. In order to implement governance and management of enterprise IT, organizations
are often drawing upon the practical relevance of industry frameworks such as “Control
Objectives for Information and Related Technology” (COBIT), currently in its fifth edition, and
released by the “Information Systems Audit & Control Association” (ISACA). The framework is
built around a set of governance and management enablers and their support in the
achievement of IT-related goals and, ultimately, enterprise goals (ISACA, 2012a).

COBIT-based implementations are gaining popularity as COBIT is the framework of choice for
enterprise governance and management of IT in many organizations (Debreceny & Gray, 2013;
IT Governance Institute (ITGI), 2011; Smits & Hillegersberg, 2013). However, adopting the
guidance as described in the COBIT framework requires a considerable amount of effort and
is often perceived as complex and costly, while return in stakeholder value is difficult to
measure in tangible outcomes (De Haes, Van Grembergen, & Debreceny, 2013; Pereira & da
Silva, 2012).

COBIT-based research is still scarce, especially empirical research (Mangalaraj, Singh, &
Taneja, 2014). As COBIT is an extensive framework, empirical research often requires large
datasets, which are not easily collected. Moreover, with the release of COBIT 5 in 2012,
incorporating some significant changes towards a better focus on IT governance, most of the
existing research is somewhat outdated. As stated by Mangalaraj et al. (2014), “It is time for
IS researchers to examine this important framework, as research on COBIT is highly relevant
to IS as its principles directly match with IT governance.”

In answer to this call, this research has two objectives:


- Provide an international benchmark on how organizations are adopting COBIT 5
proposed management and governance processes around enterprise IT.
- Investigate if adoption of these management and governance processes relates to
better achievement of enterprise goals.

The conceptual model used in this research is entirely based on COBIT 5 (Figure 1). The three
main constructs are discussed in the next section.

Figure 1. Conceptual model

The remainder of this paper is structured as follows. Section 2 provides a theoretical
background by discussing the main constructs for this research. Section 3 presents the
research approach. A discussion of the results is presented in section 4, followed by the
conclusion in section 5.

2. Theoretical background
2.1. Enterprise governance and management of IT
The impact of IT on organizations has increased noticeably over the last decades (Sabherwal
& Chan, 2001). Over time, IT has become a crucial asset to create current and future business
value for organizations (Anderson et al., 2006; Chari et al., 2008; De Haes & Van Grembergen,
2015). This increased dependency on IT implies that business executives and board members
can no longer avoid making important IT-related decisions (Bart & Turel, 2010; Nolan &
McFarlan, 2005; Trites, 2004; Valentine & Stewart, 2013). It also implies a huge potential
vulnerability associated with a spectrum of risks that need to be managed like technical errors
(e.g. system downtime) or external threats (e.g. cybercrime) (De Haes & Van Grembergen,
2015; Raghupathi, 2007). IT has the potential both to support existing business strategies and
to shape new ones. This means that IT can be leveraged to achieve competitive advantage. In
order to enable the business value creation from IT, organizations need a specific focus on IT
governance (De Haes & Van Grembergen, 2009; Weill & Ross, 2004; Wilkin & Chenhall, 2010).
The incentive for organizations appears to be significant: Empirical research indicates that
organizations with better IT governance generate on average 20% higher profits compared to
similar organizations that perform poorly on their IT governance (Weill & Ross, 2004).
While a shared definition for the IT governance construct is lacking (Buchwald, Urbach, &
Ahlemann, 2014), we use the following operational definition in this paper, as it clearly
indicates the need for all stakeholders (i.e. both business and IT) to be involved in the process,
in support of organizational goals: “Enterprise governance of IT [EGIT] is an integral part of
corporate governance and addresses the definition and implementation of processes,
structures and relational mechanisms in the organization that enable both business and IT
people to execute their responsibilities in support of business/IT alignment and the creation of
business value from IT-enabled business investments.” (De Haes & Van Grembergen, 2015).
This definition is based on the ITGI (2003) definition, and emphasizes that the governance of
IT should be a focus area of corporate governance (i.e. it requires board involvement).
Drawing on corporate governance, researchers in contemporary IT governance literature take
a holistic approach on IT governance, acknowledging that it can be implemented using a set
of structures, processes, and relational mechanisms (Peterson, 2004; Weill & Ross, 2004).

COBIT 5 is a good-practices framework for the Enterprise Governance and Management of IT
developed by ISACA that consists of a set of good practices for the board and senior
operational and IT management aimed at controlling IT through IT-related processes. COBIT 5
assists organizations in their governance and management of enterprise IT (ISACA, 2012a).
The framework identifies a set of governance and management enablers that support the
IT-related and enterprise goals. An enabler in COBIT 5 is defined as: “Enablers are factors that,
individually and collectively, influence whether something will work – in this case, governance
and management of enterprise IT” (ISACA, 2012a). The following seven enablers are
mentioned in COBIT 5: Principles, policies and frameworks; processes; organizational
structures; culture, ethics and behavior; information; services, infrastructure and applications;
people, skills and competencies. This research focuses on the process enabler, as this enabler
guide is fully developed for the COBIT 5 product suite (as the result of a long history of COBIT
processes development). Additionally, prior research also indicates that processes are the
most important IT governance mechanisms (with the goal of business value creation), as well
as perceived to be the most difficult to implement (De Haes & Van Grembergen, 2009).

The COBIT 5 framework contains both IT governance and IT management content. In fact,
“Separating governance from management” is one of the COBIT 5 key principles. COBIT 5 puts
forward the following definitions for governance: “Governance ensures that stakeholder
needs, conditions and options are evaluated to determine balanced, agreed-on enterprise
objectives to be achieved; setting direction through prioritization and decision making; and
monitoring performance and compliance against agreed-on direction and objectives”, and
management: “Management plans, builds, runs and monitors activities in alignment with the
direction set by the governance body to achieve enterprise objectives” (ISACA, 2012a). In
summary, governance sets the direction of management, while management operates in
alignment with the directions set by governance.

2.1.1. COBIT 5 governance and management of enterprise IT processes


The purpose of the COBIT 5 process enabler is to guide the organization in implementing IT-
related governance and management processes such that certain key areas are covered
(Figure 2).

Figure 2. COBIT 5 governance and management key areas (ISACA, 2012a)

In COBIT 5, a process is defined as follows: “A process is a collection of practices influenced by
the enterprise’s policies and procedures that takes inputs from a number of sources (including
other processes), manipulates the inputs and produces outputs (e.g., products, services)”
(ISACA, 2012b).

The COBIT 5 process enabler consists of 37 IT-related processes, which are divided over
governance and management domains. The complete set of processes included in the COBIT
5 process enabler is summarized in Appendix A. The “Evaluate, direct and monitor (EDM)”
domain consists of five governance processes that reflect the board’s responsibilities in IT
covering the setting of the governance framework, responsibilities in terms of value (e.g.,
investment criteria), risks (e.g., risk appetite), resources (e.g., resource optimization), and
providing transparency regarding IT to the stakeholders. The management processes are
classified over four management domains. The “Align, plan and organize (APO)” domain
consists of 13 management processes that are concerned with the identification of how IT can
best contribute to the achievement of business objectives. The domain states that a
management framework is required and contains specific processes related to the IT strategy
and tactics, enterprise architecture, innovation, and portfolio management. Other important
processes in this domain address the management of budgets and costs, human resources,
relationships, service agreements, suppliers, quality, risk, and security. The “Build, acquire and
implement (BAI)” domain consists of 10 management processes that are aimed at making the IT
strategy concrete through identifying, in detail, the requirements for IT and managing the
investment program and projects. This domain further considers managing capacity,
organizational change, IT changes, acceptance and transitioning, knowledge, assets, and
configurations. The “Deliver, service and support (DSS)” domain is concerned with the actual
delivery of required IT services. It contains six processes on managing operations, service
requests and incidents, problems, continuity, security services, and business process controls.
Finally, the “Monitor, evaluate and assess (MEA)” domain consists of three management
processes that are responsible for the quality assessment in compliance with the control
requirements for all previously mentioned processes. It addresses performance management,
monitoring of internal control, and regulatory compliance (De Haes et al., 2013; ISACA, 2012b).

2.1.2. IT-related goals and enterprise goals


COBIT identifies 17 IT-related goals and 17 enterprise goals as outcomes of enterprise
governance and management of IT. These two sets of goals are classified over the balanced
scorecard dimensions (i.e. financial, customer, internal, and learning & growth) (Kaplan &
Norton, 1992). The balanced scorecard was developed in order to provide a balanced set of
measures over these four perspectives, instead of a traditional set of financial measures only.
This way, organizations were provided with a more holistic way of measuring organizational
performance. The generic enterprise goals of COBIT 5 represent a list of commonly used goals
that an organization might put forward. Achievement of these generic enterprise goals
requires a number of IT-related outcomes, represented by the IT-related goals (ISACA, 2012a).
The complete set of IT-related goals and enterprise goals, as well as a mapping between them
(i.e. which IT-related goals contribute in a primary or a secondary way to the achievement of
the enterprise goals) is presented in Appendix B.

3. Research approach
The main objective of this paper is to empirically investigate how the level of implementation
of the COBIT 5 process enabler relates to the level of IT-related goals achievement, which in
turn is associated with the level of enterprise goals achievement, while simultaneously establishing
a benchmark on how organizations are adopting the COBIT 5 process enabler. In support of
this, we build on the conceptual model as proposed in Figure 1 and further explained in section
2.

3.1. Data collection


The dataset for this research project was collected through an online survey between 24th of
July and 1st of September, 2014. Business, IT, and audit representatives were solicited through
local ISACA chapters. All descriptions provided in the survey were based on COBIT 5, but
expressed in a way that prior knowledge of COBIT 5 was not required. The first part of the
survey collected respondents’ demographics. The second part of the survey focused on the
implementation status of each of the 37 processes contained in the COBIT 5 process enabler.
In the final part of the survey respondents were asked to indicate how well their organization
is performing in the achievement of the 17 IT-related goals and the 17 enterprise goals. In
summary, the online survey captured the respondents’ perceived assessment of the
implementation status of the COBIT 5 processes, the achievement of the IT-related goals, and
the achievement of the enterprise goals. In total 896 respondents completed the survey, of
which 878 were accepted as complete responses for the final analysis.

3.2. Operationalization of the conceptual model


The operationalization of the conceptual model is presented in Figure 3. All three constructs
will be operationalized using COBIT 5. The construct ‘enterprise governance & management
of IT processes’ is operationalized through the COBIT 5 process enabler. Specifically, this
construct will be measured through a unique question for each of the 37 processes about the
implementation status on a 5-point ordinal scale (not implemented – somewhat implemented
– partly implemented – mainly implemented – fully implemented). For both the IT-related
goals and the enterprise goals, a unique question for each goal about the degree of
achievement of the goal on a 5-point ordinal scale (not achieved – somewhat achieved – partly
achieved – mainly achieved – fully achieved) makes up the measurement instrument. All three
scales also included a sixth option (“don’t know”).

Figure 3. Operationalization of the conceptual model

4. Results
4.1. Respondent demographics
Demographic information is provided in Table 1 (N=878). As can be seen from this table, the
survey obtained a good distribution of respondents across regions, firm sizes, industries,
functional area of the respondents, and work experience of the respondents. North America
(31.0%), Europe (23.8%), and Asia (20.4%) are the three major regions in which the
respondents were professionally active. The majority of organizations in the sample (60.4%)
are large or very large (i.e. 1500 employees or more). The financial/banking industry is best
represented in the sample (25.9%), followed by the governmental sector (13.7%). Most
respondents categorized themselves as being an audit/risk/compliance professional (45.3%),
followed by an IT professional (43.7%). The vast majority (86.2%) of respondents indicated
having at least 10 years of professional experience.


| | Abs. Frequency | Rel. Frequency (Percent) |
|---|---|---|
| Region | 878 | 100% |
| Africa | 81 | 9.2% |
| Asia | 179 | 20.4% |
| Caribbean | 3 | 0.3% |
| Central America | 6 | 0.7% |
| Europe | 209 | 23.8% |
| Middle East | 50 | 5.7% |
| North America | 272 | 31.0% |
| Oceania | 27 | 3.1% |
| South America | 51 | 5.8% |
| Firm size (# employees) | 878 | 100% |
| <50 | 43 | 4.9% |
| 50-149 | 32 | 3.6% |
| 150-499 | 127 | 14.5% |
| 500-1499 | 146 | 16.6% |
| 1500-4999 | 172 | 19.6% |
| 5000-9999 | 108 | 12.3% |
| 10000-14999 | 55 | 6.3% |
| >14999 | 195 | 22.2% |
| Industry | 878 | 100% |
| Advertising/Marketing/Media | 7 | 0.8% |
| Aerospace | 8 | 0.9% |
| Agriculture | 3 | 0.3% |
| Education | 33 | 3.8% |
| Financial/Banking | 227 | 25.9% |
| Governmental | 120 | 13.7% |
| Healthcare/Medical | 38 | 4.3% |
| Insurance | 44 | 5.0% |
| Legal/Law/Real estate | 6 | 0.7% |
| Manufacturing/Engineering | 57 | 6.5% |
| Mining/Construction/Petroleum | 30 | 3.4% |
| Pharmaceutical | 17 | 1.9% |
| Public accounting | 14 | 1.6% |
| Retail/Wholesale/Distribution | 38 | 4.3% |
| Technology Services/Consulting | 94 | 10.7% |
| Telecommunications | 22 | 2.5% |
| Transportation | 22 | 2.5% |
| Utilities | 24 | 2.7% |
| Other | 74 | 8.4% |
| Functional Area | 878 | 100% |
| Business | 43 | 4.9% |
| IT | 384 | 43.7% |
| Audit/Risk/Compliance | 398 | 45.3% |
| Other | 53 | 6.0% |
| Work Experience | 878 | 100% |
| 0 to 10 years | 121 | 13.8% |
| 11 to 20 years | 384 | 43.7% |
| 21 to 30 years | 271 | 30.9% |
| 31 years or more | 102 | 11.6% |

Table 1. Descriptive statistics (N=878)

4.2. Benchmarking process domains


This section reports the average score on each governance and management process of COBIT
5. Figure 4 presents the domain level scores for the five domains of the COBIT 5 Process
Reference Model (PRM). The average score for each domain is above +3.0, which suggests
that respondents perceived that their organizations have on average “partly” implemented
the processes in all five domains. The figure also shows that for the Deliver, Service and Support
(DSS) domain processes, the real “executional” (IT factory) type of operational and support
processes, the implementation level is higher compared to other domains. Respondents
indicated that the process implementation level for the Evaluate, Direct, and Monitor (EDM)
domain is lower compared to other domains. This might be explained by the fact that these
processes require high-level executive and non-executive board involvement. From the COBIT
5 process reference model view, the findings suggest that the implementation level of
‘governance’ processes in general is perceived to be relatively lower when compared to
‘management’ processes, which is in line with other international studies that report the low
involvement of boards in EGIT (Andriole, 2009). However, other studies underline the
importance of board involvement, demonstrating a clear association between board level
involvement in EGIT and organizational performance (Turel & Bart, 2014). As such, these
results are a call for action for board members in the area of EGIT.

Figure 4. Benchmarking process domains

At the level of the detailed processes within these domains (see next sections), the relatively
better implemented COBIT 5 processes are “manage service request and incidents” and
“manage costs and budgets”. The relatively weakly implemented processes of COBIT 5 are
“manage innovation”, “ensure benefits delivery” and “manage knowledge”. In general, many
processes that required more business involvement achieved lower implementation scores
(e.g. managing organizational changes, business process controls etc.). This again is a call for
action, as the importance of business involvement in IT-enabled value creation has been
stressed by many researchers (De Haes & Van Grembergen, 2015; Turel & Bart, 2014; Weill
& Ross, 2009). Or in the words of Weill & Ross (2009): “If senior managers do not accept
accountability for IT, the company will inevitably throw its IT money to multiple tactical
initiatives with no clear impact on the organizational capabilities. IT becomes a liability
instead of a strategic asset”.

4.2.1. Benchmarking Evaluate, Direct and Monitor (EDM) processes


This domain represents a set of 5 governance processes. The results are reported in Figure 5.
The results suggest that most of the governance processes are partly implemented (with an
average score of around 3.0). It appears that stakeholder transparency (EDM05) scores relatively
highest in terms of implementation status, maybe due to the impact of laws and external
regulations on enterprises in this process area. The biggest challenge seems to rest in the area of
ensure value delivery (EDM02). Of course, if the board wants to overcome the productivity
paradox (i.e. the perception that large amounts of investment go to IT, but no business value
comes out of it), this governance process plays a crucial role.

Figure 5. Benchmarking EDM

4.2.2. Benchmarking Align, Plan and Organize (APO) processes


The APO domain contains 13 management processes. The findings in Figure 6 indicate that
the majority of APO processes are on average partly implemented. Managing budget and costs
(APO06) and security management processes (APO13) appear to be a priority for most
of the firms, reaching high implementation rates. The findings hint towards a low
implementation status for the managing innovation process (APO04), which might correspond to
the low score in the EDM area on Ensuring Benefits Delivery. This governance process in COBIT
5 is positioned as an important antecedent to initiating the “Manage Innovation” process.
Also, the lower score on “manage innovation” might be rooted in the fact that this process clearly
requires a close and intensive partnership relationship between business and IT management.

Figure 6. Benchmarking APO

4.2.3. Benchmarking Build, Acquire and Implement (BAI) processes


BAI consists of 10 key management processes. The survey analysis suggests that, overall,
all of the BAI processes are on average partly implemented (average score of 3.0 or more).
Among the 10 BAI management processes, respondents considered the level of
implementation of management of “programme and projects and management of assets”
(BAI01) to be close to mainly implemented status. The existence of well-known and adopted
programme and project management frameworks, including Prince2, PMBOK, MSP (Managing
Successful Programs) might explain these positive results. Figure 7 shows the implementation
status of each of the BAI processes. Organizations appear to have more challenges with getting
processes implemented around “Manage Knowledge” (BAI08) and “Manage Organizational
Change” (BAI05). Again, as noted in the previous section on the innovation process, these two
processes require very close collaboration between business and IT roles, and certainly the
latter is a key process in ensuring that the business benefits out of IT enabled are achieved.

Figure 7. Benchmarking BAI

4.2.4. Benchmarking Deliver Service Support (DSS) processes


The assessment of DSS process implementation shows that the respondents have rated the
implementation of all DSS processes as on average partly implemented. Figure 8 indicates that
the DSS process of management of service request and incident (DSS02) is assessed to be best
implemented in comparison to other DSS processes. Again, the process very close to the
business responsibilities, “Manage Business Process Controls” (DSS06), received the lowest
implementation score in the group.

Figure 8. Benchmarking DSS

4.2.5. Benchmarking Monitor, Evaluate and Assess (MEA) processes


The MEA domain is composed of three processes. Figure 9 indicates that on average all three
processes are assessed to be partly implemented. Respondents on average have assessed the
implementation status of the MEA process of monitoring, evaluating and assessing compliance
with external requirements relatively higher when compared to other MEA processes. This
corresponds to the relatively high score in the EDM area for ensuring stakeholder
transparency (EDM05). Also, given that 45% of the survey respondents have an
auditing background, this might also represent a certain degree of weighting towards
MEA03 when compared to the other two MEA processes.

Figure 9. Benchmarking MEA

4.3. Benchmarking process domains using organizational size as a contingency factor
Organizational size is often referred to as an important contingency factor in relation to IT
governance (Bergeron, Croteau, Uwizeyemungu, & Raymond, 2015; Devos, Van Landeghem,
& Deschoolmeester, 2012; Wilkin, 2012). It cannot be denied that the basic premise of IT
governance (i.e. generating business value through IT assets) is important for SMEs as well as
larger organizations. However, academic research also reports that IT governance
mechanisms are not as frequently used in SMEs (small and medium enterprises) as in larger
organizations (Huang, Zmud, & Price, 2010), indicating that SMEs are still struggling with
getting IT governance up and running. For this analysis, the control variable ‘organizational
size (number of employees)’ was divided in two groups (Table 2). Our classification of an SME
is consistent with the small business association (i.e. up to 500 employees), which is commonly
applied in the US. It should be noted however that there is no universally agreed-upon
classification of SME’s versus larger enterprises (for instance in the EU the cut-off tends to be
at 250 employees). The goal of this analysis is to check for statistically significant differences
between SME’s and larger enterprises in relation to the mean perceived implementation
maturity of the COBIT 5 processes, the mean perceived achievement of the COBIT 5 IT-related
goals, and the mean perceived achievement of the COBIT 5 enterprise goals. Following
academic literature, we expect to find some interesting differences between SME’s and larger
organizations. All of the statistical tests reported in this section are performed at the 0.05
significance level.

| Group | Firm size | # Observations (N = 878) |
|---|---|---|
| SME’s | 1 to 500 employees | 202 |
| Larger enterprises | 500 to > 14,999 employees | 676 |

Table 2. Organizational size classification for two-group comparison

As the objective is to test for statistical significance on the mean of a set of variables, and we
are dealing with a cross-sectional dataset, independent samples t-tests are performed. If this
test shows a significant p-value, the null hypothesis is rejected, so there is a significant
difference in the mean between both groups. The results of this analysis are presented in
Table 3. Statistically significant results are shaded grey.

| Means tested | Mean of SME’s | Mean of larger enterprises | t-statistic (p-value), df |
|---|---|---|---|
| Processes | | | |
| Mean of all COBIT 5 processes | 3.30 | 3.49 | -2.7437 (0.006419), df=318 |
| Mean of EDM processes | 3.05 | 3.21 | -2.0826 (0.03807), df=326 |
| Mean of APO processes | 3.39 | 3.54 | -2.2389 (0.02584), df=323 |
| Mean of BAI processes | 3.32 | 3.47 | -2.0728 (0.03899), df=319 |
| Mean of DSS processes | 3.51 | 3.75 | -3.1716 (0.001673), df=300 |
| Mean of MEA processes | 3.25 | 3.50 | -2.8242 (0.005026), df=333 |
| IT-related goals | | | |
| Mean of all IT-related goals | 3.43 | 3.46 | -0.43327 (0.6651), df=316 |
| Mean of financial IT-related goals | 3.41 | 3.50 | -1.2603 (0.2085), df=320 |
| Mean of customer IT-related goals | 3.49 | 3.55 | -0.81699 (0.4146), df=316 |
| Mean of internal IT-related goals | 3.34 | 3.41 | -0.93252 (0.3518), df=324 |
| Mean of learning and growth IT-related goals | 3.50 | 3.40 | 1.1075 (0.2689), df=317 |
| Enterprise goals | | | |
| Mean of all enterprise goals | 3.42 | 3.54 | -1.7446 (0.08201), df=319 |
| Mean of financial enterprise goals | 3.55 | 3.77 | -2.9376 (0.003548), df=319 |
| Mean of customer enterprise goals | 3.41 | 3.51 | -1.3177 (0.1885), df=331 |
| Mean of internal enterprise goals | 3.34 | 3.48 | -1.7955 (0.07352), df=320 |
| Mean of learning and growth enterprise goals | 3.37 | 3.41 | -0.54611 (0.5854), df=319 |

Table 3. Results of independent samples t-tests between SME’s and larger enterprises

The results show that significant differences exist between SME’s and larger enterprises when
it comes to the mean perceived implementation maturity of the whole set of COBIT 5
processes, as well as for each set of process domains (i.e. EDM, APO, BAI, DSS, and MEA).
Despite significant differences in the mean perceived implementation maturity for all of these
categories, only one significant difference exists at the level of the goals, i.e. for the mean
perceived achievement of financial enterprise goals. This suggests that despite having a lower
mean perceived implementation maturity for the COBIT 5 processes, SME’s have a
comparable mean perceived achievement of IT-related goals and enterprise goals, with
exception of the financial enterprise goals.

4.4. Business Value Assessment of COBIT 5


To validate the COBIT 5 cascade model presented in Figure 3, Pearson correlation analysis
is used to determine the relationship between variables. The correlation coefficient
(denoted as r) is used to indicate the measure of the linear association between two variables;
the value of this coefficient always lies between +1 and -1. A correlation coefficient of +1
indicates a perfect positive relationship between two variables. That is, if the amount of one
variable increases the other variable also increases with a proportionate amount. Inversely,
-1 indicates a perfect negative association between two variables. That is, if the amount of one
variable increases the other variable decreases with a proportionate amount. A zero value of
the coefficient indicates that there is no linear association between the two variables.
The following often-used interpretation of correlation strength will be used to explain the
association between the variables for the COBIT 5 cascade model.
- A very strong relationship if r >= 0.70
- A strong relationship if 0.50 <= r < 0.70
- A small relationship if r < 0.50

The relevant variables are the level of enterprise goal achievement, the level of IT-related goal
achievement, and the level of process implementation status. The values for each of these
variables are also computed at an aggregate level. That is, the average score for 17 enterprise
goals, the average score for 17 IT-related goals, and the average score for 37 process implementation
statuses are computed for each respondent. The correlation analysis is also conducted at the
category level of enterprise and IT-related goals. That is, the average scores were computed for
the four dimensions of the IT balanced scorecard (IT BSC) and enterprise balanced scorecard
(BSC). These dimensions include Financial, Customer, Internal, and Learning and Growth.
Related to the COBIT 5 process reference model, the average score for each domain (EDM,
APO, DSS, BAI, and MEA) is also calculated.

4.4.1. Do IT-related goals contribute to the achievement of enterprise goals?


Figure 10 shows a very strong positive relationship between IT-related and enterprise goals.
The graph shows a very healthy linear association to validate the claim that the increase in the
achievement of the IT-related goals is associated with the increase in the achievement of
enterprise goals.
Figure 10. A spline chart between IT-related goals and enterprise goals

Table 2 indicates a correlation coefficient of 0.89 for this relationship, which confirms a very
strong association between the two metric variables. Among the four IT-related dimensions,
the IT Internal dimension is the most strongly associated; it holds IT-related goals such as
“IT agility”, “security”, “enabling business processes by integration of application in business
processes” and “delivery of programmes on time, budget and functionality”. The overall
correlation strength of each dimension is in the range of strong to very strong association and
is statistically significant.

                          Enterprise goals dimensions                          Overall
                          Financial  Customer  Internal  Learning and Growth   Overall Enterprise Goals
IT-related goals
  IT Financial            0.78       0.79      0.80      0.66                  0.84
  IT Customer             0.74       0.77      0.78      0.66                  0.81
  IT Internal             0.77       0.83      0.85      0.71                  0.86
  IT Learning and Growth  0.68       0.73      0.73      0.79                  0.78
Overall
  Overall Process Score   0.80       0.85      0.86      0.74                  0.89
Table 4. Correlations between IT-related goals and enterprise goals at the dimensional level

To elaborate further on the relationship between IT-related goals and enterprise goals, a
scatter plot is developed in Figure 11. The small circles on the graph indicate observed values
for enterprise goals when plotted against IT-related goal observations. The graph clearly
indicates a linear trend between IT-related goals and enterprise goals. A trend line is also fitted
into the graph to imply a strong positive and significant association between IT-related goals
and enterprise goals.

Figure 11. Scatterplot and regression line for the relationship between IT-related goals and enterprise goals

4.4.2. Do COBIT 5 processes contribute to the achievement of IT related goals?


Figure 12 shows a very strong positive association between the overall implementation score
of the 37 COBIT processes and the achievement of IT-related goals.

Figure 12. A spline chart between overall process implementation scores and IT-related goals

The positive association is also confirmed in Table 3 with a positive correlation coefficient of
0.87. The domain level analysis in Table 3 shows that all COBIT 5 process domains demonstrate
very strong correlations with the achievement of the IT-related goals. All the correlations
reported are statistically significant. The highest correlation score is attributed to the Align,
Plan and Organise (APO) domain, which, considering the strategic nature of the domain, might
not be a surprise.

                          IT-related goals dimensions                                       Overall
                          IT Financial  IT Customer  IT Internal  IT Learning and Growth    Overall IT-related Goals
Process domains
  EDM                     0.75          0.64         0.73         0.63                      0.76
  APO                     0.80          0.71         0.80         0.70                      0.83
  BAI                     0.76          0.71         0.80         0.67                      0.81
  DSS                     0.75          0.71         0.76         0.63                      0.78
  MEA                     0.70          0.61         0.72         0.59                      0.73
Overall
  Overall Process Score   0.83          0.76         0.84         0.72                      0.87
Table 5. Correlations between COBIT 5 process domains and IT-related goals

Figure 13 shows a scatter plot between overall process scores and IT-related goals. The graph
plots all the observations for IT-related goals (Y-axis) in relation to process scores (X-axis). Next,
the graph fits a trend line to suggest a strong and positive association between the two
variables. The analysis suggests that the two variables share a strong positive upward trend,
which is statistically significant. This finding also corroborates the trend depicted in Figure 12.

Figure 13. Scatterplot and regression line for the relationship between process implementation scores and IT-related
goals achievement

5. Conclusion and contribution


The COBIT 5 framework is stated to be “the next generation of ISACA’s guidance on the
enterprise governance and management of IT” (ISACA, 2012a). It is considered to be a holistic
and generic framework, which can be useful for organizations of different firm sizes, public
or private, profit or non-profit, and industry segments. However, implementing the COBIT 5
framework guidance requires an organization to assess and re-think the governance and
management enablers and how they support enterprise business goals. Firms often perceive
governance and management investments for their information and related technology as
costly and complex.

To acknowledge and address these topics, the objective of this research was twofold. First, a
detailed benchmarking of current adoption of governance and management processes as
proposed in COBIT 5 was performed. Second, drawing on the COBIT 5 goal cascade overview,
the focus was to assess the association between the implementation of
management/governance processes and the achievement of IT-related goals and enterprise
goals.

The findings suggest that better implementation rates of the COBIT management and
governance processes clearly show positive correlations with the achievement of IT-related
goals. It was also demonstrated that the achievement of these IT-related goals is in turn strongly
associated with the achievement of enterprise goals, which as such confirms the proposed
conceptual cascade model in COBIT 5. The research also showed that in general organizations
are best in adopting the “IT factory” related management processes and that implementation
scores drop in management and governance processes when more business and board
involvement is required. Additionally, there are significant differences in perceived
implementation maturity between SMEs and larger enterprises for all of the COBIT 5 process
domains. However, despite having a lower mean perceived implementation maturity for the
COBIT 5 process domains, SMEs have a comparable mean perceived achievement of IT-related
goals and enterprise goals, with the exception of the financial enterprise goals.

Because this research offers empirical evidence that governing and managing those IT governance
and management processes does have a positive association with enterprise value creation,
decision-makers will find it easier to support investment propositions related to EGIT.
Additionally, the results of this research will contribute to the relatively new domain of
knowledge around COBIT 5, and it will assist practitioners by providing an international
benchmark and more guidance on how governance and management frameworks, such as
COBIT 5, can lead to higher enterprise value creation from their IT assets and resources.

References
Anderson, M. C., Banker, R. D., & Ravindran, S. (2006). Value Implications of Investments in
Information Technology. Management Science, 52(9), 1359–1376.
http://doi.org/10.1287/mnsc.1060.0542
Andriole, S. (2009). Boards of Directors and Technology Governance: The Surprising State of
the Practice. Communications of the Association for Information Systems.
Bart, C., & Turel, O. (2010). IT and the Board of Directors: An Empirical Investigation into the
“Governance Questions” Canadian Board Members Ask about IT.
Bergeron, F., Croteau, A.-M., Uwizeyemungu, S., & Raymond, L. (2015). IT Governance
Theories and the Reality of SMEs: Bridging the Gap. In 2015 48th Hawaii International
Conference on System Sciences (pp. 4544–4553). IEEE.
http://doi.org/10.1109/HICSS.2015.542
Buchwald, A., Urbach, N., & Ahlemann, F. (2014). Business value through controlled IT:
toward an integrated model of IT governance success and its impact. Journal of
Information Technology, 29(2), 128–147. http://doi.org/10.1057/jit.2014.3
Chari, M. D. R., Devaraj, S., & David, P. (2008). Research Note: The Impact of Information
Technology Investments and Diversification Strategies on Firm Performance.
Management Science, 54(1), 224–234. http://doi.org/10.1287/mnsc.1070.0743
De Haes, S., & Van Grembergen, W. (2009). An Exploratory Study into IT Governance
Implementations and its Impact on Business/IT Alignment. Information Systems
Management, 26(2), 123–137. http://doi.org/10.1080/10580530902794786
De Haes, S., & Van Grembergen, W. (2015). Enterprise governance of information
technology, second edition. Springer.
De Haes, S., Van Grembergen, W., & Debreceny, R. S. (2013). COBIT 5 and Enterprise
Governance of Information Technology: Building Blocks and Research Opportunities.
Journal of Information Systems, 27(1), 307–324. http://doi.org/10.2308/isys-50422
Debreceny, R. S., & Gray, G. L. (2013). IT Governance and Process Maturity: A Multinational
Field Study. Journal of Information Systems, 27(1), 157–188.
http://doi.org/10.2308/isys-50418
Devos, J., Van Landeghem, H., & Deschoolmeester, D. (2012). Rethinking IT governance for
SMEs. Industrial Management & Data Systems, 112(2), 206–223.
http://doi.org/10.1108/02635571211204263
Huang, R., Zmud, R. W., & Price, R. L. (2010). Influencing the effectiveness of IT governance
practices through steering committees and communication policies. European Journal
of Information Systems, 19(3), 288–302. http://doi.org/10.1057/ejis.2010.16
ISACA. (2012a). COBIT 5: A Business Framework for the Governance and Management of
Enterprise IT. Retrieved from
http://www.isaca.org/COBIT/Pages/COBIT-5-Framework-product-page.aspx
ISACA. (2012b). COBIT 5: Enabling Processes. Retrieved from
http://www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product-page.aspx
IT Governance Institute (ITGI). (2003). Board Briefing on IT Governance, 2nd Edition.
Retrieved from
http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/board-briefing-on-it-governance-2nd-edition.aspx
IT Governance Institute (ITGI). (2011). Global Status Report on the Governance of Enterprise
IT (GEIT). Retrieved from
http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/itgi-global-survey-results.aspx
Kaplan, R. S., & Norton, D. P. (1992). The Balanced Scorecard - Measures That Drive
Performance. Harvard Business Review, 70(1), 71–79.
Kohli, R., & Grover, V. (2008). Business Value of IT: An Essay on Expanding Research
Directions to Keep up with the Times. Journal of the Association for Information
Systems.
Mangalaraj, G., Singh, A., & Taneja, A. (2014). IT Governance Frameworks and COBIT - A
Literature Review. In AMCIS 2014 Proceedings. Retrieved from
http://aisel.aisnet.org/amcis2014/StrategicUse/GeneralPresentations/13
Nolan, R., & McFarlan, F. (2005). Information technology and the board of directors.
Harvard Business Review, 83(10), 96–+.
Pereira, R., & da Silva, M. M. (2012). IT Governance Implementation: The Determinant
Factors. Communications of the IBIMA, 2012, 1–16.
Peterson, R. R. (2004). Crafting Information Technology Governance. Information Systems
Management, 21(4), 7–22. http://doi.org/10.1201/1078/44705.21.4.20040901/84183.2
Raghupathi, W. (2007). Corporate Governance of IT: A Framework For Development.
Communications of the ACM, 50(8), 94–99. http://doi.org/10.1145/1278201.1278212
Sabherwal, R., & Chan, Y. E. (2001). Alignment Between Business and IS Strategies: A Study
of Prospectors, Analyzers, and Defenders. Information Systems Research. Retrieved
from http://pubsonline.informs.org/doi/abs/10.1287/isre.12.1.11.9714
Smits, D., & Hillegersberg, J. (2013). The Continuing Mismatch Between IT Governance
Theory and Practice: Results from a Delphi Study with CIO’s. AMCIS 2013 Proceedings.
Trites, G. (2004). Director responsibility for IT governance. International Journal of
Accounting Information Systems, 5(2), 89–99.
http://doi.org/10.1016/j.accinf.2004.01.001
Turel, O., & Bart, C. (2014). Board-level IT governance and organizational performance.
European Journal of Information Systems, 23(2), 223–239.
http://doi.org/10.1057/ejis.2012.61
Valentine, E., & Stewart, G. (2013). The emerging role of the Board of Directors in enterprise
business technology governance. International Journal of Disclosure and Governance,
10(4), 346–362. http://doi.org/10.1057/jdg.2013.11
Weill, P., & Ross, J. W. (2004). IT Governance: How Top Performers Manage IT Decision
Rights for Superior Results. Harvard Business Press.
Weill, P., & Ross, J. W. (2009). IT savvy: what top executives must know to go from pain to
gain. Harvard Business Press.
Wilkin, C. L. (2012). The Role of IT Governance Practices in Creating Business Value in SMEs.
Journal of Organizational and End User Computing, 24(2), 1–17.
http://doi.org/10.4018/joeuc.2012040101
Wilkin, C. L., & Chenhall, R. H. (2010). A Review of IT Governance: A Taxonomy to Inform
Accounting Information Systems. Journal of Information Systems, 24(2), 107–146.

Appendix A. List of COBIT 5 processes

Code   Domain                        Process                                                             Governance/Management
EDM01  Evaluate, Direct and Monitor  Ensure governance framework setting and maintenance                 Governance
EDM02  Evaluate, Direct and Monitor  Ensure benefits delivery                                            Governance
EDM03  Evaluate, Direct and Monitor  Ensure risk optimisation                                            Governance
EDM04  Evaluate, Direct and Monitor  Ensure resource optimisation                                        Governance
EDM05  Evaluate, Direct and Monitor  Ensure stakeholder transparency                                     Governance
APO01  Align, Plan and Organise      Manage the IT management framework                                  Management
APO02  Align, Plan and Organise      Manage strategy                                                     Management
APO03  Align, Plan and Organise      Manage enterprise architecture                                      Management
APO04  Align, Plan and Organise      Manage innovation                                                   Management
APO05  Align, Plan and Organise      Manage portfolio                                                    Management
APO06  Align, Plan and Organise      Manage budget and costs                                             Management
APO07  Align, Plan and Organise      Manage human resources                                              Management
APO08  Align, Plan and Organise      Manage relationships                                                Management
APO09  Align, Plan and Organise      Manage service agreements                                           Management
APO10  Align, Plan and Organise      Manage suppliers                                                    Management
APO11  Align, Plan and Organise      Manage quality                                                      Management
APO12  Align, Plan and Organise      Manage risk                                                         Management
APO13  Align, Plan and Organise      Manage security                                                     Management
BAI01  Build, Acquire and Implement  Manage programmes and projects                                      Management
BAI02  Build, Acquire and Implement  Manage requirements definition                                      Management
BAI03  Build, Acquire and Implement  Manage solutions identification and build                           Management
BAI04  Build, Acquire and Implement  Manage availability and capacity                                    Management
BAI05  Build, Acquire and Implement  Manage organisational change enablement                             Management
BAI06  Build, Acquire and Implement  Manage changes                                                      Management
BAI07  Build, Acquire and Implement  Manage change acceptance and transitioning                          Management
BAI08  Build, Acquire and Implement  Manage knowledge                                                    Management
BAI09  Build, Acquire and Implement  Manage assets                                                       Management
BAI10  Build, Acquire and Implement  Manage configuration                                                Management
DSS01  Deliver, Service and Support  Manage operations                                                   Management
DSS02  Deliver, Service and Support  Manage service requests and incidents                               Management
DSS03  Deliver, Service and Support  Manage problems                                                     Management
DSS04  Deliver, Service and Support  Manage continuity                                                   Management
DSS05  Deliver, Service and Support  Manage security services                                            Management
DSS06  Deliver, Service and Support  Manage business process controls                                    Management
MEA01  Monitor, Evaluate and Assess  Monitor, evaluate and assess performance and conformance            Management
MEA02  Monitor, Evaluate and Assess  Monitor, evaluate and assess the system of internal control         Management
MEA03  Monitor, Evaluate and Assess  Monitor, evaluate and assess compliance with external requirements  Management

Appendix B. IT-related goals and enterprise goals

IT-related goals (over the dimensions of the balanced scorecard)

Financial
01: Alignment of IT and business strategy
02: IT compliance and support for business compliance with external laws and regulations
03: Commitment of executive management for making IT-related decisions
04: Managed IT-related business risk
05: Realized benefits from IT-enabled investments and services portfolio
06: Transparency of IT costs, benefits and risk

Customer
07: Delivery of IT services in line with business requirements
08: Adequate use of applications, information and technology solutions

Internal
09: IT agility
10: Security of information, processing infrastructure and applications
11: Optimization of IT assets, resources and capabilities
12: Enablement and support of business processes by integrating applications and technology into business processes
13: Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
14: Availability of reliable and useful information for decision making
15: IT compliance with internal policies

Learning and growth
16: Competent and motivated business and IT personnel
17: Knowledge, expertise and initiatives for business innovation

Enterprise goals (over the dimensions of the balanced scorecard)

Financial
01: Stakeholder value of business investments
02: Portfolio of competitive products and services
03: Managed business risk (safeguarding of assets)
04: Compliance with external laws and regulations
05: Financial transparency

Customer
06: Customer-oriented service culture
07: Business service continuity and availability
08: Agile responses to a changing business environment
09: Information-based strategic decision making
10: Optimization of service delivery costs

Internal
11: Optimization of business process functionality
12: Optimization of business process costs
13: Managed business change programmes
14: Operational and staff productivity
15: Compliance with internal policies

Learning and growth
16: Skilled and motivated people
17: Product and business innovation culture
