
Measure COBIT 5.0

A quick scan based on the full-lifecycle approach

Master thesis, MSc BA, specialization Change Management University of Groningen, Faculty of Economics and Business

2 August 2014

Gijs van der Woerd, Student number: 2383861

Vrydemalaan 388 9713 WV, Groningen tel.: +31 (0)6-24630264 e-mail: gijs510@gmail.com

First Supervisor / University: prof. dr. E.W. Berghout / Rijksuniversiteit Groningen

Second Supervisor / University: dr. U.Y. Eseryel / Rijksuniversiteit Groningen


Abstract:

This thesis takes the first step in the development of a quick scan to measure IT control with the use of COBIT 5. By gradually narrowing the scope from control to corporate governance, and then from IT governance to COBIT 5, it creates a theoretical foundation that justifies the development of a quick scan, and at the same time exposes the organizational need for a structured approach to managing and governing IT. The final deliverables of this master thesis are a list of questions/propositions that measure compliance with COBIT 5 and a theoretically founded definition of IT governance. This list can be used as input for the next phases of the development process, in which the quick scan itself will be developed with the use of an expert panel.


Table of Contents

1. Introduction ... 7
2. The path from control to IT governance ... 10
2.1. Control ... 10
2.2. Corporate governance ... 11
2.3. IT Governance ... 15
2.4. IT Governance in practice ... 18
3. COBIT 5 ... 21
3.1. COBIT 5 literature ... 21
3.2. Integrator framework ... 23
3.3. Stakeholder and value driven/ Business and context focused ... 24
3.4. Enabler based ... 26
3.5. Governance and management structured ... 27
4. Methodology ... 29
4.1. Problem definition ... 29
4.2. Problem specification ... 29
4.3. Generation of possible solutions ... 29
4.4. Testing solutions (outside the scope of this thesis) ... 30
4.5. Verification (outside the scope of this thesis) ... 31
5. Comparison and development ... 32
5.1. Comparison: Full life-cycle vs COBIT 5 ... 32
5.2. Development ... 35
6. Discussion, conclusion and limitations ... 37
6.1. Discussion and conclusion ... 37


Preface

Although this thesis is the final deliverable of the master Change Management, the concept of change itself is outside the scope of this thesis. Instead, this thesis focuses on a specific tool that brings about change in organizations by focusing on control of IT, with the use of a governance framework. This tool focuses on planned change and helps organizations in the transition from the As-Is (present) to the To-Be (desired) future. Herein the focus, unlike most concepts of change, lies not only on increasing effectiveness but also on compliance and risk avoidance.

The added value of a change-minded approach is the structural thinking that focuses on enablement rather than disablement. As will be explained later, this view aligns with one of the key aspects of the main framework under review (COBIT 5). Although not specifically mentioned, COBIT 5 has recognizable elements that can be directly linked to the theoretical field of (technical) change management, e.g. planned change, organizational development, the principal-agent dilemma, institutionalism and isomorphism. COBIT 5 even recognizes the need for a structured approach to change and the importance of e.g. change readiness, as it has specific processes that are focused on maximizing the effectiveness of change.

By choosing a topic that is more focused on information technology (IT) and control, the researcher was able to combine previously acquired skills, as he has a background in accounting and took elective courses in IT Governance and Managerial Decision Making and Control. Therefore this thesis is more a logical consequence of prior choices than a radical course change at the end of his master.

Last but certainly not least, I want to use this opportunity to thank prof. dr. Egon Berghout for his patience and guidance, and my sister, Alinde van der Woerd, for her constructive feedback, time and effort that made this thesis into what it is now.


1. Introduction

Organizations depend more and more on information and the technology that supports it. In fact, for most organizations Information Technology (IT) is their most valuable asset. Successful organizations understand this and take great care in managing and avoiding risk associated with their IT (Lainhart, 2000). IT governance is integral to the success of overall enterprise governance, and senior management awareness is the single best predictor of IT effectiveness (Stekhoven, 2012; Weill & Ross, 2004a). In the last decades organizations have become more aware of the necessity to govern their IT. As the awareness is growing, so is the need for a full-lifecycle framework that guarantees Governance of Enterprise IT (GEIT). The problem with finding and implementing such a framework is the complexity and the resources (time, capital, expertise, etc.) necessary to implement and maintain it (Kearns & Sabherwal, 2006; Qumer, 2007).

The purpose of this master thesis is to develop a quick-scan that measures the overall level of IT control with the use of one of the most used IT governance frameworks: Control Objectives for Information related Technologies (COBIT) 5 (Mishra & Weistroffer, 2007; Damianides, 2004; Fox, 2004). With such a quick-scan, senior management is able to analyze their overall compliance with COBIT 5 and with that, their GEIT, by answering thirty-seven yes/no questions. Because the questions are directly linked to the individual processes within COBIT 5, the board or senior management can take quick and proportional action when areas of improvement are identified.

As trillions of dollars are wasted each year on IT (projects) that fail or do not deliver what was expected (Krigsman, 2012), organizations are in need of guidelines that can help them in their quest for maximizing organizational value. As the dependency on IT is growing, so is the influence of IT governance in overall corporate governance (IT Governance Institute (ITGI), 2003), the task set for senior and executive management to control and direct the organization in pursuit of its objectives (De Haes, 2007; OECD, 2004). For a long time top management could minimize their


Creating value from IT can be challenging and is linked to the organization's understanding and implementation of the underlying IT governance framework, which therefore plays a key role in the enterprise's search for value (Berghout & Nijland, 2002; ISACA, 2012; Anisjngaraju, 2013). Cook (2007) claims that 65% of all IT projects are a (financial) failure. In their research, Berghout, Nijland, & Powell (2011) link this to the cost/benefit analysis managers make when starting a new project. According to them, only 20-40% of all costs regarding a project are made in the development stage, which in practice are the only costs considered when performing a cost/benefit analysis. That means that organizations fail to recognize the origins of 60-80% of all project related costs. To acquire a more thorough understanding of cost/benefit analysis, research suggests a lifecycle approach (Farbey, Land, & Targett, 1999; Willcocks, 1996; Suardi, 2004).

GEIT is not only important for the creation of value and the prevention of risk involving IT, but also for compliance with emerging (fiscal) regulations, e.g. the Sarbanes-Oxley Act (SOX) in the United States and the Corporate Governance Code in the Netherlands. Furthermore, a well implemented framework prevents resources from leaving the organization for individual gain (fraud) (Bloem, Doorn, & Mittal, 2005). In the search for a framework along which organizations can design and maintain their IT governance, there is a long list of frameworks that focus on just a part of IT governance. According to the International Systems Audit and Control Association (ISACA) (2012a), COBIT 5 is the only framework that can assure end-to-end governance. Based on four previous versions of COBIT and years of experience in the field, COBIT 5 describes a set of good practices for the board and (senior) operational and IT management to create and maintain value from IT (ISACA, 2012b). In this framework, where control over IT is organized around logically placed IT-related processes, IT is governed as an enabler for business objectives. As the roots of COBIT lie in the audit community, there is a direct link between the framework and IT assurance (De Haes, et al., 2013). This means that there is particular attention for risk management and the protection of information in digital and physical form.


lies on proactive rather than reactive control systems, in order to prevent problems rather than to detect them. This increases the probability of organizational success and effective use of available resources (Merchant & van der Stede, 2012).

This thesis is about enabling (senior) management to have that much needed control over IT, not only by giving them insight into how their IT is governed, but by telling them where their vulnerabilities may lie. COBIT 5 provides a solution, but the problem is that COBIT 5 is a comprehensive and complex tool (De Haes, et al., 2013). This makes it hard for (senior) management to (cost) effectively measure their IT governance. This leads to the following problem definition:

“The inability of managers to efficiently and effectively measure IT governance is one of the major causes of IT governance related projects failures and hence creates business risks because of wrong allocation of resources”

The derived research question for this master thesis is:

“How to measure the strengths and weaknesses of an organization, in terms of COBIT 5.0, with the use of a quick scan?”

With the help of an existing quick scan developed by Berghout & Nijland (2002) this thesis will focus on answering the main question which is divided into the following sub questions:

 How is COBIT 5 related to overall control and corporate governance?
 What is the difference between COBIT 5 and other frameworks of IT governance?
 What is COBIT 5.0?
 How to develop a quick scan for COBIT 5?
 Is it possible to measure COBIT 5 compliance with a quick-scan?


2. The path from control to IT governance

This chapter provides an introduction into the field of IT governance. In the first three paragraphs the scope is narrowed from overall control to IT governance after which in paragraphs four and five an overview of popular IT governance frameworks is given. This chapter will serve as the basis for the rest of this thesis, as relevant concepts and definitions are explained and scoped in this chapter.

2.1. Control

As discussed in the introduction, IT governance is about control of IT, but what is control? According to Flamholtz, Das, & Tsui (1985): ”Control is defined as attempts by the organization to increase the probability that individuals will behave in ways that will lead to the attainment of organizational objectives”. As explained by Merchant & van der Stede (2012), the organization has no need for control but the people within that organization do. The problem is that human behavior cannot, or only to an extent, be controlled. According to Gigantes (2002), human beings will do everything to fulfil their five principal needs: security, shelter, sustenance, sex and self-expression, and in combination with greed this means that people are never satisfied. He therefore argues that the only way to avoid total chaos is to limit the freedom of individuals and groups in pursuit of their desires (Gigantes, 2002). Management control systems (MCS’s) are the means of an organization to limit the freedom of its employees. Properly designed and implemented MCS’s limit employees in their organizational tasks to increase the chance that they will do what is in the best interest of the organization (Merchant & van der Stede, 2012).

Organizational control finds its roots in the sociological, administrative, and psychological perspectives (Flamholtz, et.al, 1985). Table 1 gives an overview of the differences between the three perspectives based on the comparison of Flamholtz, et.al (1985).

| Sociological | Administrative | Psychological
Level of analysis | Macro: organization as a whole and large sub-groups | Individual or departments | Individual: individual behavior in relation to group or organizational objectives
Mechanism of control | Rules, policies, hierarchy of authority or coordinative units | Plans, measurement, supervision, evaluation and feedback | Goal and standard setting, extrinsic or intrinsic rewards, feedback or interpersonal influence

Table 1: Perspectives on organizational control (based on Flamholtz, et al., 1985)


As control of organizational elements refers to the process of influencing the behavior of people as members of a formal organization, organizational and management control systems are the mechanisms designed to increase the likelihood of behavior desired by the organization from individuals within that organization (Flamholtz et al., 1985). These processes and techniques are captured in a framework of “packages” by Malmi & Brown (2008) that together form the internal control mechanisms of an organization. These mechanisms help the board and senior management in their task of corporate governance. In their article Malmi & Brown (2008) present a schematic overview of organizational control. Table 2 is an overview of the MCS packages linked to their authors of origin as discussed in their literature review.

In their task of controlling and directing the organization, senior management relies on a mixture of the structures, processes and mechanisms described in Table 2 (Peterson, 2004; Weill & Ross, 2004b; Peterson, Parker, & Ribbers, 2002). In the next paragraph the task of controlling and directing the organization, better known as corporate or enterprise governance, is discussed.

Package | Sub-element | Description | Authors of origin
Cultural Controls | | The established values, beliefs and social norms that influence employee behavior | Birnberg & Snodgrass (1988); Dent (1991); Pratt & Beaulieu (1992)
Cultural Controls | Clans | | Ouchi (1979)
Cultural Controls | Values | | Simons (1995)
Cultural Controls | Symbols | | Schein (1997)
Planning | | Ex-ante form of control | Flamholtz, et al. (1985)
Planning | Long range planning | Goals and actions for the medium-long run - Strategic focus |
Planning | Action planning | Goals and actions for the present till 1 year from now - Tactical focus |
Cybernetic Controls | | Control through: (1) quantification of the underlying phenomenon, (2) setting of performance standards/targets, (3) feedback processes, (4) variance analysis of 2 and 3, and lastly (5) adjustment and modification of behavior and/or activities | Green & Welsh (1988)
Cybernetic Controls | Budgets | | Bunce, Fraser, & Woodcock (1995); Hansen, Otley, & Van der Stede (2003)
Cybernetic Controls | Financial measurement systems | | Ittner & Larcker (1998)
Cybernetic Controls | Non-financial measurement systems | | Ittner & Larcker (1998)
Cybernetic Controls | Hybrid measurement systems | Combination of financial and non-financial measurement systems | Greenwood (1981); Kondrasuk (1981); Ittner & Larcker (1998); Kaplan & Norton (1992, 1996a, b, 2001a, b); Malina & Selto (2001)
Reward and compensation | | Compensation and rewards attached to the achievement of goals | Flamholtz, et al. (1985); Bonner & Sprinkle (2002)
Administrative Controls | | MCS’s focused on direction of employee behavior by organization design and structure, monitoring of behavior, accountability and process/task specification including policies and procedures that describe performance and desired behavior | Simons (1987)
Administrative Controls | Governance structure | | Abernethy & Chua (1996)
Administrative Controls | Organization structure | | Otley & Berry (1980); Emmanuel, Otley, & Merchant (1990); Abernethy & Chua (1996); Alvesson & Karreman (2004)
Administrative Controls | Policies and procedures | | Macintosh & Daft (1987); Simons (1987)

Table 2: MCS packages and their authors of origin (Malmi & Brown, 2008)

2.2. Corporate governance


As can be seen in Figure 1 and as said before in the introduction, the importance of IT is growing and so is the debate about the role of IT governance in corporate governance. In part, this debate is influenced by social changes that have a major impact on the use of IT and on the light in which the opportunities and use of IT are viewed by the public, e.g. the commotion earlier this year about a pilot of ING to use Big Data [1] to provide customers with personal offers of non-bank-related products. This example affects all but the physical assets of the organization in a direct or indirect manner. This “small” example does not only show the power of (social) media but also the speed at which IT opportunities can become IT risks.

But risks do not only come from interaction with the external environment; many risks come from within the organization and even from the ones burdened with the task of assuring that risks are managed in an acceptable manner: senior management. Well-known examples are Enron, WorldCom and, more recently, Société Générale (2010), where a rogue trader gambled and lost € 4.9 billion in fraudulent trades and with that brought France’s second biggest bank to the brink of bankruptcy (Merchant & van der Stede, 2012). The actions or inactions of the senior managers in these cases endangered, or even brought down, companies in pursuit of personal gain. In these examples, (corporate) governance failed, not because MCS’s were not in place or not effective, but because of the subsequent manipulation of the information provided by these MCS’s by (corporate) management (Aagther, 2003).

[1] Big Data: Collection of data from traditional and digital sources inside and outside a company that represents a source for ongoing discovery and analysis (Lisa Arthur, Forbes, 8/15/2013, accessed 28-5-2014, 11:25).

As a reaction to these scandals, governments and industry organizations are increasing the number of laws and regulations that increase the liability of individuals and management within limited liability companies and at the same time increase the likelihood of a conviction. The SOX act of 2002 is one of these laws that have a major impact on GEIT. The main section of this act is section 404a: “State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting” (U.S. Congress, 2002). Because ‘adequate’ is a subjective definition, different organizations such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and ISACA developed frameworks that help organizations to comply with these regulations. The Dutch government’s counterpart of SOX is called the ‘Corporate Governance Code’ or ‘Code Tabaksblat’; in this code of conduct the Tabaksblat commission describes how people and parties involved with limited liability companies within the Netherlands should act (Rijksoverheid, 2003).

The focus of the Code Tabaksblat is corporate governance, whereas in SOX IT has a prominent role. Although the two are interrelated, their focus and goals can differ. It is therefore important that IT facilitates the achievement of organizational goals and existing sources of competitive advantage (Santhanam & Hartono, 2003). This task is called strategic integration and is in the hands of the board. Henderson & Venkatraman (1993) capture this task in a framework of strategic alignment that combines the internal and external environment with the business and IT domains (Figure 2). The framework makes a clear distinction between functional integration and strategic fit; it defines the internal integration as ‘operational integration’ and the external as ‘strategic integration’. The importance of separating operational and strategic integration will be explained in the second half of the next paragraph.

2.3. IT Governance

As discussed in the previous paragraphs, the importance of IT governance is growing. Unfortunately for most decision makers, IT governance is still a ‘mystery’. Within most companies, only 38% of senior management knows how their IT is governed (Weill & Ross, 2004). Nowadays companies depend heavily on IT; ISACA (2012b) describes it as the “key resource for all enterprises”. Moreover, IT needs to be evaluated because it represents a strategic resource and plays a key role in generating business opportunities (De Haes & Van Grembergen, 2008a). Herein lies the challenge for many organizations: creating value from IT (Berghout, et al., 2011).

Tiwana, Konsynski, & Venkatraman (2013) define the ‘who’, ‘what’ and ‘how’ of IT governance in the form of a cube (Figure 3) [2][3]. The ‘who’ refers to the earlier mentioned sociological and administrative subjects of control with the addition of a third level: ecosystems. The ecosystems refer to inter-organizational relations and networks (Tiwana, et al., 2013). The ‘what’ incorporates the IT elements and their content (information and information systems (IS)) and the stakeholders who benefit from them. Lastly, the ‘how’ refers to a selection of the packages of MCS’s earlier mentioned in Table 2. The cube shows that theory is increasingly able to describe IT governance on a small to medium scale, but the effects on a large scale have yet to be researched.

[2] The shaded cells represent the existing disciplinary knowledge of IT governance, the circled numbers represent newly submitted papers by other authors used in their paper, and the remaining cells represent unexplored theoretical territory.

[3] Newly submitted papers: 1: (Winkler & Brown, 2013), 2: (Di Tullio & Staples, 2013), 3: (Huber, Fischer, Dibbern, & Hirschheim, 2013), 4: (Cao, Mohan, Ramesh, & Sarkar, 2013), 5: (Tallon, Ramirez, & Short, 2013)

Now that there is some understanding of the ‘who’, ‘what’ and ‘how’ of IT governance, the search for a definition continues. As IT governance is a ‘mystery’, there are many definitions that describe, or try to describe, IT governance. Webb, Pollard, & Ridley (2006) devoted their entire paper to finding an all-inclusive definition of IT governance. They closely examined the twelve most popular definitions up to 2006 (appendix 1), and found six elements that should be incorporated in the definition of IT governance. The six are: strategic alignment, delivery of business value through IT, performance management, risk management, policies and procedures, and control and accountability. Incorporating these six elements in one definition leads to the following definition of IT governance:

“IT Governance is the strategic alignment of IT with the business such that maximum business value is achieved through the development and maintenance of effective IT control and accountability, performance management and risk management” (Webb et.al., 2006).


designed by Van Grembergen (2004); it has a clear distinction between governance and management processes, and assigns accountability for governance to the board and not to senior or executive management (ISACA, 2012c).

Similarly, ISACA (2012b) recognizes five elements of IT governance in its design of COBIT 5 that are comparable to the six earlier mentioned elements of Webb et al. (2006). The elements of IT governance, as recognized in COBIT 5, are: value delivery, risk management, resource management, performance measurement and strategic alignment (ISACA, 2012b). The main difference is that in COBIT 5 ‘performance measurement’ includes the elements ‘performance management’, ‘policies and procedures’ and to a degree even ‘control and accountability’ as they were defined by Webb et al. (2006), and adds resource management as one of the pillars of IT governance (ISACA, 2012b).

This means that the real definition of IT governance still has to be found. In the search for this definition, this thesis focuses on the work from 2006 until now. The first forty results on Google Scholar and in the EBSCO database were scanned for new definitions of IT governance since 2006; the authors and their definitions can be found in Table 3.

Author | Definition of IT governance
De Haes & Van Grembergen, 2009 | IT governance consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives
Bowen, Cheung, & Rohde, 2007 | IT related decision making structure and methodologies implemented to plan, organize, and control IT activities.
Sethibe, Campbell, & McDonald, 2007 | IT governance is the structure of relationships, processes and mechanisms used to develop, direct and control IT strategy and resources so as to best achieve the goals and objectives of an enterprise. It is a set of processes aimed at adding value to an organization while balancing the risk and return aspects associated with IT investments.
ISO 38500, 2008 | The system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.
Debreceny & Gray, 2013 | IT governance is the process by which the objectives of the entity that impact on information technology are agreed upon, directed, and controlled. IT governance includes establishment of decision rights, setting of objectives and goals, building of organizational capability to meet those objectives and goals, and in feedback loops that employ a variety of measurement and metrics
Winkler & Brown, 2013 | The locus of application-related decision rights (i.e., on business application needs, IT investment, and IT architecture) at the level of the overall IT function

Table 3: Definitions of IT Governance since 2006

When continuing the reasoning of Peterson (2004), the definition of ISO 38500 (2008) is discarded because it is focused on current activities. The definitions of Winkler & Brown (2013) and Bowen, et al. (2007) are also eliminated, because they are either vague and/or limited in their scope. Of the remaining three definitions, only De Haes & Van Grembergen (2009) and Sethibe, et al. (2007) clearly focus on the strategic element of IT governance. Of these two, only Sethibe, et al. (2007) complies with all the elements of both Webb et al. (2006) and ISACA (2012b). Therefore, in the remainder of this study IT governance is defined as:

“The structure of relationships, processes and mechanisms used to develop, direct and control IT strategy and resources so as to best achieve the goals and objectives of an enterprise. It is a set of processes aimed at adding value to an organization while balancing the risk and return aspects associated with IT investment” (Sethibe, et al., 2007).

In the next paragraph this theoretical definition of IT governance is the starting point to find out how this is translated into practice.

2.4. IT Governance in practice

As with the definition of IT governance, there are many frameworks that claim to measure and guide IT governance. Because this thesis focuses heavily on COBIT 5, it is important to provide the reader with a background on other and/or previous frameworks that focus on IT governance. When using databases such as EBSCO and Google Scholar, it becomes clear that there are more frameworks that govern IT than there are definitions (Table 4).

Key words | EBSCO-database (journals) | EBSCO-database (peer reviewed) | Google Scholar | Google (normal)
IT governance framework (1994) | 23 | 11 | 8.420 | 5.370.000
it governance framework | 393 | 198 | |
IT framework | 43.145 | 22.744 | 3.720.000 | 459.000.000
it framework | 69.229 | 40.554 | |
IT governance | 7.743 | 2.896 | 2.070.000 | 259.000.000
it governance | 43.438 | 10.132 | |
management and governance framework | 1.693 | 1.026 | 1.660.000 | 14.000.000
governance framework | 3.489 | 1.949 | 1.860.000 | 23.700.000
management framework | 16.223 | 8.984 | 3.390.000 | 81.700.000

Table 4: Results database search

In a recent study by Debreceny & Gray (2013) among fifty-one organizations in North America, Europe and Asia, it became clear that most of these frameworks are minimally used or used just as vague guidelines. In in-depth interviews with the CIOs, Debreceny and Gray (2013) asked about the usage of the thirty-nine most common frameworks. Appendix 2 gives an overview of their results.

The most interesting findings are the average of 4.59 frameworks in use (at any time in one organization) and the low average intensity of use. Of the thirty-nine proposed frameworks, only twenty-five were actually in use, and only three beyond just influential. The top five IT governance frameworks in use according to their research are: COBIT [6] (1.6/0.88) [7], ITIL/ISO 20000 (1.5/0.86), Prince 2/PMBOK (0.96/0.99), CMM/CMMI (0.66/0.8) and ITGI SOX Control Objectives (0.56/0.99) (Debreceny & Gray, 2013). Appendix 3 provides a short description of the different frameworks mentioned in Debreceny & Gray (2013) and De Haes et al. (2013). When the results of Debreceny & Gray (2013) are combined with the work of De Haes, et al. (2013) (Figure 4), an educated guess can be made about the underlying reason. Although not all of the frameworks mentioned in the paper of Debreceny & Gray (2013) are represented in Figure 4, it becomes clear that only COBIT can deliver value in corporate and IT governance at both the strategic (the board) and the management level. The reason for this is that COBIT 5 (and previously COBIT 4) covers the task spectrum end-to-end, and does this at a medium level of abstraction which allows access to both management and the board. However, in the last year(s), CMMI and ITIL have been modified to incorporate more strategic and governance elements to broaden their usage (De Haes et al., 2013).

[6] COBIT 4.1

[7] (Mean/Standard deviation) 0 = Not used; 1 = Influences own internal standards; 2 = Partially followed; 3 = Thoroughly


3. COBIT 5

Where the previous chapter was used to scope the broad field of control and (IT) governance, this chapter focuses on the very specific topic of COBIT 5. In this chapter the strengths and weaknesses of COBIT 5 are explored with the help of various authors.

3.1. COBIT 5 literature

A key element of any academic research is an extensive literature review to ensure a comprehensive and unbiased collection of resources (Berry & Beckmann, 2004). This efficient way of structuring and summarizing previous research (findings) makes it possible to assess relevance and explore consistency of previous research (Magarey, 2001). The first step in any literature research is identifying keywords; the second is identifying the databases in which to enter these keywords. Table 5 is an overview of the keywords and the hits in the different databases.

Key words | EBSCO | EBSCO (peer reviewed) | Google Scholar | Google
COBIT 5 framework | 23 | 11 | 8.420 | 5.370.000
COBIT 5 | 66 | 39 | 12.000 | 1.470.000
COBIT | 347 | 217 | 14.500 | 2.330.000

Table 5: Literature review COBIT

All the peer reviewed articles were reviewed and all the other hits from the EBSCO-database were judged based on abstract and title for relevancy. Table 6 gives an overview of the relevant articles used in this literature review.

Key words | COBIT Focus | Journal of Information Systems
COBIT 5 framework | - | -
COBIT 5 | Anisjngaraju, 2013; Jorge & Barrena, 2013; Suer, 2013; Stekhoven, 2012; Heschl, 2012 | Haes, Grembergen, & Debreceny, 2013; Wilkon, Campbell, Moore, & Grembergen, 2013
COBIT | | Debreceny & Gray, 2013; Brandas, Stirbu, & Didraga, 2013

Table 6: Relevant articles used in this literature review


Most of the articles that show up in the third row of Table 5 only briefly mention COBIT 5 and hence are very homogeneous and therefore not relevant for a literature review. The keyword ‘COBIT’ delivers a lot of results, but most of those articles either focus on previous versions of the COBIT framework and/or are not focused on the framework itself but use COBIT as an example for e.g. risk assessment, an audit tool, a framework to implement SOX, or good governance, e.g.: Merhout & Havelka, 2008; Mishra & Weistroffer, 2007; Panko, 2006; Smith & McKeen, 2006; Lainhart, 2000. ISACA has its own COBIT periodical called COBIT Focus. In this periodical, respected authors and respected users from the field write about COBIT. Most of these articles are either reviews of new versions or additions to the COBIT family, or are small case studies in which (a part of) COBIT is integrated. Although EBSCO lists this magazine as a journal and the articles are sometimes written by highly cited authors, most of the articles are of no use to this literature review; only the articles in the second column of Table 6 are usable for this literature review. Lastly, the different publications of COBIT 5 by ISACA, e.g. COBIT 5: Process Reference Guide, COBIT 5: The Framework and the self-assessment guide Using COBIT 5, are used.

In the previous chapter, an overview of the different frameworks that precede COBIT 5 was presented. COBIT 5 differs from these frameworks in that it is more complete, includes most of these frameworks, and is the first integrating business framework for the governance and management of enterprise IT.

COBIT 5.0, as the name suggests, is the fifth version of the lifecycle framework COBIT. ISACA describes the purpose of COBIT 5 as: “COBIT 5 aims to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals”

thirty-seven sub-processes within the five main processes which are leading in the framework (Figure 5) (ISACA, 2012b).

Figure 5: COBIT Framework (International Systems Audit and Control Association (ISACA), 2012d)

3.2. Integrator framework

One of the key principles of COBIT 5 is integration. This is important not only for value creation but also for the increased service that IT delivers to organizations. In most organizations, IT is a facilitator rather than a primary source of value creation. It is important that the framework for GEIT facilitates existing sources of competitive advantage rather than being a source of competitive advantage itself (Santhanam & Hartono, 2003). In this view, IT is seen as a service, where success means that it has to provide sufficient value-in-use, in the form of outcomes that the ‘customer’ wants to achieve (Cartlidge, et al., 2007). Value-in-use here covers both the intra- and inter-organizational context relevant to GEIT (Wilkin, Campbell, Moore, & van Grembergen, 2013). Similarly, marketing research argues that real value lies only in use, through the exchange of service (Vargo & Lusch, 2008; Gronroos, 2008; Kotler, 1977). Therefore, value is created only through the exchange of service and the release of resources (Håkansson & Prenkert, 2004). Herein, service is defined as “the application of one’s resources for the benefit of another entity’’ and ‘‘the

2008) and value “as the total life cycle benefits net of related costs, adjusted for risk and (in the case of financial value) for the time value of money” (ITGI, 2009). The core of value creation through service is that it has to become more than customization; it has to become a joint effort to create unique value for the organization (Schrage, 1995).

Figure 6: Integration of other frameworks in COBIT 5 (Jorge & Barrena, 2013)

As is shown in Figure 6, COBIT 5 is better at creating total lifecycle value because it includes multiple frameworks that previously serviced different parts of the (IT) organization and integrates them as a whole, with the addition of a few new elements which enhance the GEIT service.

Although ISO 38500 (2008) and COBIT 5 have similar principles and tasks (e.g. EDM), COBIT 5 distinguishes itself by focusing on a process view rather than the avowedly guiding principles of ISO 38500 (2008) (Wilkin, et al., 2013). Furthermore, COBIT 5 also includes management domains such as APO, BAI and DSS, in addition to the existing governance domains. With this, “COBIT is able to govern and manage enterprise IT in a holistic manner, with full end-to-end business and IT functional, strategic and tactical areas of responsibility, while taking into account the IT-related interest of internal and external stakeholders’’ (ISACA, 2012a).

3.3. Stakeholder and value driven/ Business and context focused

Therefore, COBIT 5 assists organizations in navigating through the As-Is state of the organization and identifies areas of improvement and issues with control and safety, while at the same time focusing on ease of use (ISACA, 2012b). All this is done by comparing the different areas of IT governance and IT management of the As-Is organization with what COBIT defines as the desired To-Be state of the organization. The development of the To-Be state of the organization is based on 15 years of experience with previous COBIT frameworks, COBIT-related frameworks and best-practice feedback from the environment (ISACA, 2012b). This assessment of the As-Is state of the organization against the To-Be state according to COBIT 5 standards is a complex and time-consuming activity. For this, COBIT 5 uses an updated version of the balanced scorecard (BSC) of COBIT 4.1 (Suer, 2013). In COBIT 5, the BSC has a more prominent role and is placed at the front of the framework in the goal cascade. The goal cascade is a mechanism that translates specific business drivers and stakeholders’ needs into ready-to-use and customized IT-related enabler goals (ISACA, 2011). The importance of the goal cascade lies in the fact that it allows the prioritization of implementation, improvement and assurance of GEIT based on (strategic) objectives (ISACA, 2012b).

In this process the BSC method is important because the IT domain is historically the only one whose performance is not actively managed in a balanced scorecard (Suer, 2013). Suer (2013) attributes this to the moment of performance measurement of the IT department (usually 60-120 days after the first entry point is created). In his opinion, this has to change before IT can get a seat at the business table. For this transition from a historical to a real-time view, IT managers have to abandon holistic and passive IT reporting on a quarterly basis and start controlling IT actively. The difference is that with the use of hybrid controls (figure 2), management has the possibility to intervene, because they get feedback from the system rather than a report of the system. This means that data must be timely and available at intervals that are effective for intervention (Suer, 2013; Abell, 1993).

In combination with the goal cascade, it is possible to link business goals with IT-related goals and monitor them in the four areas specified in the BSC (financial, customer, internal and organizational learning). This enables the verification of meeting stakeholders’ needs (Elbashir, Collier, & Davern, 2008; Hyvönen, 2007; O’Connor & Martinsons, 2006). The two main principles, ‘Stakeholder and value driven’ and ‘Business and context focused’, are closely related as they identify stakeholders and their needs, and closely examine their link with governance and management decisions and activities (ISACA, 2012b). And although all stakeholders have their own ‘expectations’, ‘concerns’ and/or ‘requirements’, in the end they all want three things: benefit realization, risk balancing and cost optimization (ISACA, 2012b). In COBIT 5, this is called the strategic alignment of board, operational management and IT (De Haes, et al., 2013).

3.4. Enabler based

As shown earlier in figure 3, COBIT 5 is the most up-to-date framework that can combine governance and management in one framework, and it enables the board and management to control and direct the organization as one. ISACA (2012) defines these enablers as: “anything that can help to achieve the governance objectives of the enterprises. This includes resources, such as information and people”. These tangible and intangible assets that make governance and management work are shown in Figure 7. The importance of these enablers lies in their interrelation and in the focus on all eight elements rather than one or two. ISACA (2012) says: “Enablers interact in a systemic way, meaning that a governance and management system cannot succeed unless all enablers are dealt with and the major interactions are understood”. Strategic management literature supports this and describes it as the need for an organizational system, which is the way an organization gets employees to work together and carry out their business (De Haes, et al., 2013; De Wit & Meyer, 2005).

All seven enablers share key elements, which are captured in the generic enabler model shown in figure 8. When these enablers are combined with the goals generated from the goal cascade, it becomes possible to measure the capability level of the organization. COBIT 5 uses the principles from ISO/IEC 15504 to measure these capabilities on a scale from 0-5 (De Haes, et al., 2013). This is a different measurement method than in the previous versions of COBIT, which all focused on process maturity. The problem with process maturity was the interpretation of, for instance, level 2 maturity: ‘‘implemented in a managed fashion (planned, monitored, and adjusted), and its work products are appropriately established, controlled, and maintained” (De Haes, et al., 2013). But what is appropriate? COBIT 5 therefore uses capabilities that focus on whether or not the process actually does what it is supposed to do and whether or not it delivers the expected and required outcomes (De Haes, et al., 2013).

Figure 8: Generic enabler model (ISACA, 2012b)

3.5. Governance and management structured

The difference becomes even clearer when the definition and origin of the concepts management and governance are examined. Governance derives from the Greek verb that means “to steer” and is about commitment to the organization. Commitment is defined as all the means and mechanisms that stakeholders of the organization have to influence specific organizational objectives (ISACA, 2012b). The goal of governance is both to enable the organization to achieve its goals (in the broadest sense of the word) and to limit that same organization so that it uses its resources only for those purposes. The board of directors is accountable for this process; however, it is usually led by the CEO (ISACA, 2012c). Management, on the other hand, is about involvement and the use of resources, people, practices and structures to achieve the goals set by the board.

As mentioned in the previous paragraph, COBIT 5 is about capabilities and focuses on the achievement of goals rather than prescribing what an organization should do. This is an important element that acknowledges that all organizations are different, and it returns in this section as COBIT 5 advocates rather than enforces the use of governance and management processes. With the use of both the governance and management processes, COBIT 5 provides a holistic solution for managing, directing, controlling and monitoring the organization as a whole. This effective and efficient solution gives organizations both the freedom to be unique and the opportunity to use the experience of experts and many others in their pursuit of creating organizational value while managing risks and compliance with external regulations.


4. Methodology

As said in the introduction, this thesis focuses on the development of a quick scan that measures the level of (IT) control with the use of COBIT 5. Development falls under the theory-informed stream of design-focused problem solving (van Aken, Berends, & van der Bij, 2007). In this research stream the researcher assumes the role of an expert, and the research itself is usually focused on problems with a large technical-economic component (van Aken, et al., 2007). Kepner & Tregoe (1981) identify five phases in problem-solving projects: problem definition, problem specification, generation of possible solutions, testing solutions and verification. This chapter discusses each of the phases along with the controllability, reliability and validity of the development process.

4.1. Problem definition

This phase focuses on the theoretical foundation of the problem. In this phase the researcher does a literature review to define and build a scope for the problem (van Aken, et al., 2007). Chapter 1 provides this small-scale literature review and leads to the problem definition:

“The inability of managers to efficiently and effectively measure IT governance is one of the major causes of IT governance related project failures and hence creates business risks because of wrong allocation of resources”

4.2. Problem specification

After the problem has been defined, an in-depth study is needed to specify the problem. In this problem specification a thorough literature review provides the foundation on which solutions can be built. Chapters 2 and 3 provide this literature review and at the same time justify the choice for COBIT 5. The in-depth analysis of chapter 3 also shows the comprehensiveness of the framework and further elaborates on the need for a cost-effective solution for IT-control compliance with the use of COBIT 5.

4.3. Generation of possible solutions

The next phase in the development process is the generation of possible solutions. For this the scan of the full-lifecycle approach by Berghout, et al. (2011) is used. The first version of this quick scan was developed in 2002 by Berghout & Nijland, and measures the extent to which managers apply elements of the full-lifecycle approach in practice. Since the introduction of the quick scan in 2002 more than a hundred CIOs, CEOs and senior IT specialists have used the scan. Based on the results Berghout, Nijland, & Powell published an article in 2011: Management of lifecycle costs

full-lifecycle approach to COBIT 5 in his thesis: Assessment of IT governance. He argues that the five main processes of COBIT 5 have a similar focus as the five stages in the lifecycle approach as it was designed by Berghout & Nijland (2002). Based on his conclusions the quick scan of the full-lifecycle approach is used to develop a quick scan for COBIT 5.

Because the focus of Avila (2012) is the resemblance between the full-lifecycle approach and COBIT 5, and not the development of a new quick scan, chapter 5 starts with a comprehensive comparison between the individual processes of COBIT 5 and the stages and corresponding questions of the full-lifecycle approach. This assessment is the basis for the development of new questions for the COBIT 5 quick scan. In this first round of question development the questions of the full-lifecycle quick scan (2011) are, where possible, converted into questions that measure the main processes of COBIT 5. In this assessment the process descriptions of the thirty-seven COBIT 5 processes and the elaboration on the forty-two questions of Berghout & Nijland (2002) are compared in a directive manner to identify common areas. The full comparison, including arguments and question development, can be found in appendix 4 and is further discussed in chapter 5.

After the first round of question development a second round is needed, because the full-lifecycle approach resembles just a portion of the total COBIT 5 framework. In this second round the individual process description and the process- and IT-related goals of each of the thirty-seven COBIT 5 main processes are used to develop between two and four questions for each main process. These questions/propositions have four main criteria: they have to be short, they can only be interpreted in one way, the answer can only be yes or no, and they should capture the essential elements of the corresponding process. The results of this second round of question development can be found in appendix 5. The full underpinning of the second round is documented in a supplementary document, Measure COBIT 5.0: The comparison, which is available on request. In this thirty-page document the foundation for, and the reasoning behind, the questions of appendix 5 is documented. Examples of the reasoning in the second round of question development are presented in chapter 5.

4.4. Testing solutions (outside the scope of this thesis)

processes, the most relevant question from the list of possible questions in appendix 4. The value of an interview over an internet-based questionnaire lies in the possibility of immediate feedback. Van Aken, et al. (2007) argue that design and development studies should go through multiple (smaller) rounds of development and redesign, for which expert feedback is essential. These interviews are both vital and problematic for the development of the quick scan. On the one hand, only with the use of feedback can the development continue; on the other hand, experts are scarce and their time is valuable. This means that the interviews and rounds of development and redesign have to be effective, as the options for re-consultation are limited. In terms of validation it would be preferable to re-visit a small group of experts multiple times, as every expert has his own opinion, but at the same time reliability increases with a bigger panel. This point is elaborated in the recommendation section of this thesis. At the end of this phase the analysis of the interviews will lead to the development of the intended quick scan for COBIT 5 compliance.

4.5. Verification (outside the scope of this thesis)

The last phase of problem-solving research is verification. In this phase the quick scan of the previous phase is verified by putting it into practice. Verification is important because only through this process can the business value of the quick scan be measured. Only if the quick scan can measure COBIT 5 compliance accurately and reliably on a practical level does the scan have true business value.

Accuracy can be measured by comparing the results of the quick scan with the results of a full COBIT 5 audit. An example of how this can be measured is asking senior (IT) managers or executives of organizations that use COBIT 5 to use the quick scan for an assessment of their IT control. Afterwards the researcher performs a qualitative analysis of the results of the quick scan and the documentation of COBIT 5 compliance in the organization. For the usability of the quick scan it is important that the participants have the opportunity to give feedback. The purpose of their feedback is not to improve the content, as it was with the experts, but to improve the quality and understanding of the actual questions.


5. Comparison and development

Building on the method presented in the previous chapter, this chapter focuses on the comparison of COBIT 5 and the full-lifecycle approach, and on question development.

5.1. Comparison: Full life-cycle vs COBIT 5

As was mentioned in the previous section, the master thesis of Avila (2012) suggests that there is an overlap between the COBIT 5.0 principles and the full-lifecycle approach of Berghout & Nijland (2002). The full life-cycle approach of Berghout & Nijland (2002) focuses on the paradox managers face when implementing IT projects (e.g. developing a new information system). This paradox describes the dilemmas managers face when working on such a project: a lot of freedom and uncertainty at the beginning, and clear understanding but limited possibilities for change at the end of a project (Berghout & Nijland, 2002). With the help of the full-lifecycle quick scan organizations get a better understanding of cost and benefit distribution in the different stages of the development process (Berghout et al., 2011). The full lifecycle identifies five phases: Identification, Justification, Realization, Exploitation and Evaluation. In table 7 the different stages of the full-lifecycle approach are briefly discussed and linked to the main processes of COBIT 5.

Table 7: Phases of the full life-cycle approach and corresponding processes in COBIT 5

Identification phase: focuses on questions that involve decisions about areas of IT investments (or IT divestments).
Corresponding processes in COBIT 5: both the EDM and APO processes concentrate on guidelines for business proposals and identification of areas of improvement.

Justification phase: careful selection and identification of preferred projects (including impact analysis).
Corresponding processes in COBIT 5: spread out over the processes EDM, APO and BAI there is attention for the different aspects of justification, e.g. risk assessment of proposals in BAI, and the involvement of strategic management in the justification of investments in APO.

Realization phase: focused on managing costs and benefits during development and implementation. This phase is critical as new insights emerge and perspectives change.
Corresponding processes in COBIT 5: on a general level BAI has the same focus as the realization phase in the full life-cycle approach. On a more detailed level, processes of EDM, DSS and APO also focus on this phase.

Exploitation phase: in this phase the project is made operational. This phase is focused on managing both costs and benefits, as all of the benefits and most of the costs occur in this phase.
Corresponding processes in COBIT 5: the exploitation phase has a direct link with the DSS process of COBIT 5; although the specific attention of DSS is focused on (partly) different issues, both the exploitation phase and DSS focus on the period in which the system is in use.

Evaluation phase: re-assessment of the information function as a whole (information value, costs and benefits, effectiveness and efficiency).
Corresponding processes in COBIT 5: in principle MEA and the evaluation phase focus on the same areas, but on a more detailed level the questions of the evaluation phase of the full lifecycle are spread out over the different processes of COBIT 5.

Most interesting about the general comparison is that several of the full-lifecycle phases have, in name, a direct link with the focus areas of COBIT 5, e.g. EDM (Evaluate, Direct and Monitor) and MEA (Manage, Evaluate and Assess) with the Evaluation phase, and BAI (Build, Acquire and Implement) with the Realization phase. But when the processes are viewed on a more detailed level, only half of the subjects of the full-lifecycle approach can be linked to the detailed process descriptions of the individual COBIT 5 processes. Moreover, the subjects are linked to various processes across the whole framework and usually not to the expected main process. Appendix 4 provides an overview of the comparison of the two frameworks. In this comparison the full lifecycle is viewed from the perspective of COBIT 5; this is an important detail, as COBIT 5 is much more detailed and in the end this thesis focuses on the development of questions for COBIT 5. Table 8 provides a summary of the results of the comparison of appendix 4. In the table the first column indicates the COBIT 5 process; the notation ‘00:’ indicates the sub-process, followed by the activities within that sub-process that correspond with the phase of the full-lifecycle approach. In total COBIT 5 has five domains, thirty-seven processes, 196 sub-processes and more than 800 activities.

Table 8: Summary of the comparison in appendix 4 (COBIT 5 process | sub-process: activities)

APO08 | 02: 01
APO09 | 01: 01; 03: 01-05; 04: 01:05
APO10, APO11, APO12, APO13 | -
BAI01 | 06: 04; 10: 03/04/06; 02: 06; 06: 04; 13: 01/02
BAI02, BAI03, BAI04, BAI05, BAI06 | -
BAI07 | 01: 05
BAI08, BAI09, BAI10, BAI11, BAI12, BAI13, BAI14 | -
DSS01, DSS02 | -
DSS03 | 01: 01/02/06; 01: 01/02/06
DSS04, DSS05, DSS06 | -
MEA01 | 01: 01/06
MEA02, MEA03 | -


5.2. Development

In this step the comparison of the previous paragraph is used to develop new questions that measure compliance with COBIT 5. As discussed in the method section, the first round of question development is based on the comparison of the full-lifecycle approach and COBIT 5. Based on the comparison and the individual process descriptions and goals of the individual COBIT 5 processes, the questions of the full-lifecycle approach are redesigned into questions that measure COBIT 5. The questions of the first development round can be found in the fifth column of appendix 4, of which table 9 is an example.

Process: EDM01
Full-lifecycle question: 1.1 Senior management is involved and determines how new IT investment proposals are to be investigated.
Arguments: EDM01.01.06/08 and EDM01.02.01 require the articulation of principles to guide the design of governance and IT decision making; these principles are set forward by senior management.
Concept question(s): Q1. Senior management sets principles to guide the design of governance and IT decision making.

Table 9: Example of question development


Process: EDM01 Ensure Governance Framework Setting and Maintenance

Process description: Analyze and articulate the requirements for the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals and objectives.

Process purpose statement: Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise’s strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met.

Process goals:
1. Strategic decision-making model for IT is effective and aligned with the enterprise’s internal and external environment and stakeholder requirements.
2. The governance system for IT is embedded in the enterprise.
3. Assurance is obtained that the governance system for IT is operating effectively.

Primary IT goals:
01 Alignment of IT and business strategy
03 Commitment of executives for making IT-related decisions
07 Delivery of IT services in line with business requirements

Questions:
1.1 Senior management sets principles to guide the design of governance and IT decision making
1.2 Governance of IT mechanisms is periodically checked to see whether they are established according to agreed-on standards and whether it is necessary to discard or improve them
1.3 External developments with respect to competition, customers, changes in society, government regulations and advice from external parties are analyzed, and their needs are aligned with governance and enterprise IT
1.4 Requirements for governance of enterprise IT are analyzed and articulated, and supported by clear, effective and enabling structures, principles and practices to achieve enterprise objectives
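To make the structure of such a question set concrete, the following Python sketch is an added example (it is not the thesis's quick scan and not ISACA code): it holds the yes/no propositions per COBIT 5 process, checks the design criteria from chapter 4 (two to four propositions per process, every supporting reference belonging to that same process) and tallies the answers per process and per domain. The domain/process counts are the published COBIT 5 structure (5 + 13 + 10 + 6 + 3 = 37 processes); the four EDM01 propositions and the references EDM01.01.06/08 and EDM01.02.01 come from the tables above, while the APO01 propositions, the answers and all function names are constructed assumptions.

```python
"""Added example (not the thesis's tool, not ISACA code): data model, reference
check and scorer for a COBIT 5 yes/no quick scan.

Assumptions: domain/process counts are the published COBIT 5 structure; the EDM01
propositions come from the table above, APO01 ones and all answers are constructed."""
import re
from dataclasses import dataclass, field

# Number of processes per COBIT 5 domain (published framework structure, 37 in total).
DOMAIN_PROCESS_COUNT = {"EDM": 5, "APO": 13, "BAI": 10, "DSS": 6, "MEA": 3}

# Matches EDM01 (process), EDM01.01 (management practice) and EDM01.01.06 (activity).
REF_RE = re.compile(r"^(EDM|APO|BAI|DSS|MEA)(\d{2})(?:\.(\d{2})(?:\.(\d{2}))?)?$")


def parse_reference(ref):
    """Split a COBIT 5 reference into domain/process/practice/activity and
    reject unknown domains or process numbers the domain does not have."""
    m = REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"malformed COBIT 5 reference: {ref!r}")
    domain, process, practice, activity = m.groups()
    process = int(process)
    if not 1 <= process <= DOMAIN_PROCESS_COUNT[domain]:
        raise ValueError(f"{domain} has no process {process:02d}")
    return {"domain": domain, "process": process,
            "practice": int(practice) if practice else None,
            "activity": int(activity) if activity else None}


@dataclass
class Proposition:
    pid: str                                  # question number in the scan, e.g. "1.1"
    text: str                                 # short statement answerable with yes/no
    refs: list = field(default_factory=list)  # supporting practice/activity references


@dataclass
class ProcessScan:
    process: str        # COBIT 5 process the propositions belong to, e.g. "EDM01"
    propositions: list


def validate(scans):
    """Check the thesis's design criteria: two to four propositions per process,
    and every cited reference must parse and belong to that same process."""
    issues = []
    for scan in scans:
        head = parse_reference(scan.process)
        if not 2 <= len(scan.propositions) <= 4:
            issues.append(f"{scan.process}: {len(scan.propositions)} propositions, expected 2-4")
        for p in scan.propositions:
            for r in p.refs:
                try:
                    parsed = parse_reference(r)
                except ValueError as exc:
                    issues.append(f"{scan.process} {p.pid}: {exc}")
                    continue
                if (parsed["domain"], parsed["process"]) != (head["domain"], head["process"]):
                    issues.append(f"{scan.process} {p.pid}: {r} belongs to another process")
    return issues


def score(scans, answers):
    """Count 'yes' answers per process and per domain; answers maps (process, pid)
    to a bool. A missing answer counts as 'no' and is reported, so a skipped
    question cannot inflate the result. The (yes, total) pairs are a coverage
    figure, not an ISO/IEC 15504 capability level."""
    per_process, per_domain, missing = {}, {}, []
    for scan in scans:
        domain = parse_reference(scan.process)["domain"]
        yes = 0
        for p in scan.propositions:
            key = (scan.process, p.pid)
            if key not in answers:
                missing.append(key)
            elif answers[key]:
                yes += 1
        total = len(scan.propositions)
        per_process[scan.process] = (yes, total)
        dy, dt = per_domain.get(domain, (0, 0))
        per_domain[domain] = (dy + yes, dt + total)
    return {"process": per_process, "domain": per_domain, "missing": missing}


# Sample scan: EDM01 propositions from the table above (references from table 9);
# the APO01 propositions are constructed placeholders.
SCAN = [
    ProcessScan("EDM01", [
        Proposition("1.1", "Senior management sets principles to guide the design of "
                           "governance and IT decision making",
                    ["EDM01.01.06", "EDM01.01.08", "EDM01.02.01"]),
        Proposition("1.2", "Governance of IT mechanisms is periodically checked against "
                           "agreed-on standards"),
        Proposition("1.3", "External developments are analyzed and aligned with governance "
                           "and enterprise IT"),
        Proposition("1.4", "Requirements for governance of enterprise IT are analyzed, "
                           "articulated and supported by enabling structures"),
    ]),
    ProcessScan("APO01", [
        Proposition("2.1", "Constructed: an IT management framework is defined and communicated"),
        Proposition("2.2", "Constructed: roles and responsibilities for IT are documented"),
    ]),
]

# Constructed answers; ("APO01", "2.2") is deliberately left unanswered.
ANSWERS = {("EDM01", "1.1"): True, ("EDM01", "1.2"): False, ("EDM01", "1.3"): True,
           ("EDM01", "1.4"): True, ("APO01", "2.1"): True}

if __name__ == "__main__":
    print("design issues:", validate(SCAN))
    print("scores:", score(SCAN, ANSWERS))
```

The tally is deliberately kept as (yes, total) counts per process and per domain rather than mapped onto the 0-5 ISO/IEC 15504 capability scale the framework uses: yes/no answers to a handful of propositions can indicate which processes deserve a closer look, not justify a capability rating. Counting an unanswered question as ‘no’ and listing it under missing keeps a skipped item from quietly raising the result.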

6. Discussion, conclusion and limitations

In this last chapter the conclusions are presented first by answering the sub- and main research questions of this thesis. Thereafter, the road ahead, along with the recommendation and limitation will be discussed.

6.1. Discussion and conclusion

With the use of the different sub-questions this thesis has focused on the development of a quick scan that can measure the strengths and weaknesses of IT control with the use of COBIT 5. However, in this final section of the thesis the researcher has to conclude that he was only able to take the first step in the development of this tool. The complexity of the task at hand, combined with the inexperience of the researcher and the dependency on experts, has led to a segregation of the development process. This thesis has focused on the first phase of the development process, which Van Aken, et al. (2007) call learning-before-doing. In this phase a large theoretical foundation is built to identify problems and prepare for the next phase, in which learning-by-doing takes over (van Aken, et al., 2007).

In the beginning of this thesis the focus lay on the justification of the choice for COBIT 5 and the necessity of a tool that can help organizations in their GEIT. With trillions of dollars wasted annually on failing (IT) projects, the increasing dependency on IT and an ever-changing environment, organizations need to be in control in order to stay ahead (Krigsman, 2012; ITGI, 2003). Chapters 2 and 3 provide evidence that COBIT 5 is better at controlling enterprise IT than any of the other frameworks, because it views IT not as a singular object, but as an interdependent service that enables other sources of competitive advantage to create maximum value. Herein the goal cascade plays a crucial role, as it translates specific business drivers and stakeholders’ needs into ready-to-use and customized IT-related enabler goals (ISACA, 2011). Research from e.g. De Haes, et al. (2013) and Debreceny & Gray (2013) provides evidence that organizations are increasingly recognizing the value of COBIT 5, as it is the only framework that combines both the management and governance aspects of IT in one framework.

This strength is also the origin of the main problem organizations face when using COBIT 5: complexity. De Haes, et al. (2013) call this the need for COBIT 5 as an artifact⁸. With the development of this artifact, which can help organizations in measuring their IT control in terms of COBIT 5, this thesis is trying to solve this problem. Before this research organizations depended either on a COBIT 5 expert to measure the level of capability, or had to do a complex and time-consuming self-assessment of COBIT 5. Both required the use of scarce resources such as time, expertise and money. This thesis takes the first step in the development of a quick scan that helps organizations to measure their IT control with the use of clear and practice-oriented questions. These questions have a direct link with the individual processes of COBIT 5, which enables the board and/or management to take direct action or provides them with the opportunity to investigate specific areas of the framework without having to waste resources on a full audit.

8 Artifact: object made by human beings, with a view to subsequent use (TheFreeDictionary 23-6-2014,

As said before, this thesis merely provides the first step in the development process; therefore critical notes have to be placed with the actual feasibility of the quick scan. In the method section it is explained that there is still a long way to go. First, with the help of experts the real quick scan has to be developed. In this phase experts choose the most relevant questions from the proposed questions in appendix 5. With the use of feedback from the expert panel, further research should focus on the redesign of the questions and the actual development of the quick scan. This phase is both critical and difficult, as the complexity of the task requires experts, who are scarce. Without experts the quick scan will lack the credibility and probably the quality to create business value.

If this second step of the development process has been successful, a final and third step is necessary to validate the usage and accuracy of the quick scan. This final round will be a quantitative analysis in which the quick scan is tested in practice across different industries, with special attention for organizational characteristics and risk tolerance in the various industries.

Because of the complexity of COBIT 5, and the potential value of a quick scan for the business environment, the last two phases of the development process should be handled with care. In further research the method of analysis will be critical, along with timing and access to experts. Especially with regard to the method of the second step, the researcher has to be both creative and critical, as attempts to include this step in this research were met with critical remarks about the method (telephonic, structured interview) by experts, which was one of the causes this research was unable to generate results.

6.2. Limitations

problem-solving research and therefore propose that future research re-assess the step of question development before acquiring expert feedback.

Bibliography

Aagther, C. (2003, September 1). Who does what to whom? Closing the gap of Section 404. p. 6.

Abell, D. (1993). Managing With Dual Strategies. New York: The Free Press.

Abernethy, A., & Chua, W. (1996). A Field Study of Control System "Redesign": The Impact of Institutional Processes on Strategic Choice. Contemporary Accounting Research, 13(2), 569-606.

Ahern, D., Clouse, A., & Turner, R. (2008). CMMI Distilled: A Practical Introduction to Integrated Process Improvement (3rd ed.). Boston: Addison-Wesley.

Alemanni, M., & Alessia, G. (2008). Key performance indicators for PLM benefits evaluation: The Alcatel Alenia Space case study. Computers in Industry, 59(8), 833-841.

Ali, S., & Green, P. (2012). Effective Information Technology (IT) governance mechanisms: an IT outsourcing perspective. Information Systems Frontiers, 14(2), 179-193.

Alvesson, M., & Karreman, D. (2004). Interfaces of control. Technocratic and socio-ideological control in a global management consultancy firm. Accounting, Organizations and Society, 29, 423-444.

Anisjngaraju, A. (2013, October). What Does COBIT 5 Mean for Your Business. COBIT Focus, 4, pp. 1-2.

Avila, P. (2012). Assessment of IT Governance. Groningen.

Benlian, A., & Hess, T. (2011). Opportunities and risks of software-as-a-service: Findings from a survey of IT executives. Decision Support Systems, 52, 232-246.

Berghout, E., & Nijland, M. (2002). Full life-cycle management and the IT Management Paradox. In D. Remenyi, & A. Brown (Eds.), Make or break issues in IT management (pp. 77-107). Oxford: Butterworth-Heinemann.

Berghout, E., Nijland, M., & Powell, P. (2011). Management of lifecycle costs and benefits: Lessons from information systems. Computers in Industry, 62, 755-764.

Berry, E., & Beckmann, E. (2004, June 8). Systematic Literature Reviewing. Retrieved from University of Leeds: http://www.comp.leeds.ac.uk/

Binberg, J., Turoplec, L., & Young, M. (1983). The Organizational Context of Accounting. Accounting, Organizations and Society, 111-129.

Birnberg, J., & Snodgrass, C. (1988). Culture and control: a field study. Accounting Organizations and

Referenties

GERELATEERDE DOCUMENTEN

Agentschap Onroerend Erfgoed Vondstmelding in de Verdronken Weide in Ieper.. (Ieper,

According to Webb (2006) “IT governance is the strategic alignment of IT with the business such that maximum business value is achieved through the development and

This research explains on the role of group dynamics in IT and business alignment and the particular focus is on the influences of team roles in the alignment process of

At the moment, a major change program is taking place within UtilServ. Under the leadership of a new CEO the organization tries to change both its structure and its culture.

The new Finnish workplace development programme (TYKES-FWDP) as an approach to innovation. Collaboration, innovation, and value creation in a global telecom. Applying

The first is to facilitate with the transformation from unplanned to planned maintenance and the second is to continuously improve and optimise maintenance in

a) Based upon studies revealing increased anxiety expression in parents with anxiety during SR contexts, we predicted that higher levels of parent anxiety symptoms would be

Het reisgedrag van de studenten wordt beïnvloedt door veranderingen binnen verschillende disciplines; ten eerste vanuit politieke een politieke discipline, waar politieke