EVALUATION OF THE STATE-OF-THE-ART IT CONTROL FRAMEWORKS AND MODELS

Academic year: 2021


EVALUATION OF THE STATE-OF-THE-ART IT CONTROL FRAMEWORKS AND MODELS

DEVELOPMENT OF C-LEVEL QUESTIONNAIRE

ANNA ROZHKOVA

E-mail: a.rozhkova@student.rug.nl

Supervisor: Prof. Dr. E. W. Berghout

Co-Assessor: Dr. Y. Eseryel

Submission Date: AUGUST 8, 2014

Word Count: 11,568


ABSTRACT


TABLE OF CONTENTS

ABSTRACT ... 1

LIST OF FIGURES ... 4

1. INTRODUCTION ... 5

2. METHODOLOGY ... 7

3. LITERATURE REVIEW: CORPORATE AND IT GOVERNANCE AND CONTROL ... 10

3.1. CORPORATE GOVERNANCE ... 10

3.1.1. Strategy ... 11

3.1.2. Structures and Systems ... 11

3.2. IT GOVERNANCE ... 13

3.2.1. Structures ... 14

3.2.1.1. Roles and Responsibilities ... 14

3.2.1.2. IT organizational structure ... 15

3.2.1.3. IT committees ... 17

3.2.1.4. Strategic Information Systems Planning ... 18

3.2.2. Strategic Alignment Model ... 19

3.2.3. Maturity models ... 19

3.2.4. IT Governance vs. IT Management ... 20

3.3. CORPORATE CONTROL FRAMEWORKS ... 21

3.3.1. Balanced Scorecard ... 21

3.3.2. Other Management Control Frameworks ... 22

3.4. IT CONTROL FRAMEWORKS ... 22

3.4.1. ITSM Models ... 22

3.4.1.1. CobiT 5 ... 22

3.4.1.2. ITIL ... 26

3.4.1.3. Balance Scorecard for IT ... 27

3.4.1.4. CMMI ... 28

3.4.2. Project Management Models ... 29

3.4.2.1. PMBOK ... 29

3.4.2.2. PRINCE2 ... 30

3.4.3. Enterprise Architecture Management ... 31

3.4.3.1. TOGAF... 31

3.4.3.2. ZEAF ... 31

3.4.3.3. DoDAF ... 32

3.4.4. Security Management Models ... 33

3.4.4.1. ISO/IEC 27000 ... 33

3.4.4.2. ISO 31000 Risk Management ... 33

3.4.4.3. ISO/IEC 38500 Governance ... 34

4. CLASSIFICATION BY CLUSTER ANALYSIS: COMPARING THE TREND OF IT CONTROL FRAMEWORKS ... 35

5. BIBLIOMETRIC ANALYSIS ... 37

6. DISCUSSION ... 41

7. CONCLUSION ... 44

BIBLIOGRAPHY ... 45


LIST OF TABLES

Table 1. Keywords ... 10

Table 2. Tradeoffs and the best of both ... 13

Table 3. IT vs. Corporate Governance ... 15

Table 4. Roles and Responsibilities ... 17

Table 5. IT Strategy vs. IT Steering Committee ... 19

Table 6. IT Governance vs IT Management ... 21

Table 7. Comparison of Control Frameworks ... 23

Table 8. ITIL Phases ... 28

Table 9. PMBOK ... 31

Table 10. Process Overview ... 36

Table 11. Bibliometric Analysis – Journals ... 39

Table 12. Bibliometric Analysis – Authors ... 40

Table 13. Bibliometric Analysis – Organizations ... 41


LIST OF FIGURES

Figure 1. Methodology Outline ... 9

Figure 2. Governance and Management ... 12

Figure 3. Link between corporate governance and IT governance ... 14

Figure 4. Five focus areas of IT Governance ... 15

Figure 5. Elements of IT governance ... 16

Figure 6. IT Governance on One Page ... 18

Figure 7. IT Governance on One Page – Example ... 18

Figure 8. Strategic Alignment Model ... 20

Figure 9. Balanced Scorecard ... 22

Figure 10. CobiT 5 – Five Principles ... 24

Figure 11. CobiT 5 – Components ... 24

Figure 12. CobiT 5 – Processes ... 26

Figure 13. ITIL ... 27

Figure 14. Balanced Scorecard for IT ... 29

Figure 15. Balanced Scorecards Link ... 29

Figure 16. CMMI ... 30

Figure 17. DoDAF ... 33


1. INTRODUCTION

The dependence of organizations on Information and Communication Technologies (ICT) has grown exponentially in the last few decades. Companies rely on the right information, knowledge and communication being in the right place at the right time in order to make the right decisions and successfully perform tasks (Van Grembergen & De Haes, 2008). Information Technology (IT) develops, secures and is part of an increasing number of products and services. IT is considered one of the most valuable assets (Weill & Ross, 2004a), and thus should be planned, designed, governed and managed thoroughly. IT is the primary driver of innovation and growth in some organizations (Selig, 2008; McDavid, 2003), while in others its efficiency determines who survives and who fails (ISACA, 2012a).

Along with the dependence on ICT, investments also grow, bringing higher risks with them. The return on investment is in many cases much lower than predicted, and in most cases unpredictable and hard to control (Cresswell, 2004). Forrester Research (2013) reports that only 39% of IT projects are successful. Thus, IT still too frequently fails to meet business expectations (Weill & Ross, 2004a; Willcocks et al., 2007).

Among the main reasons for the low return on investment and failed IT projects is the so-called Business-IT Gap, caused by miscommunication between business and IT people and misalignment of organizational factors (McDavid, 2003). Companies need to take a comprehensive approach to business and technology together in order to create value in their organizations (Thorp, 2008). This is known as Business-IT alignment. Studies show that the better the alignment, the better the business performance (Van Grembergen & De Haes, 2008).

A clear indicator of the scale and seriousness of the issue is the increasing number of conferences, research, books and developed frameworks and models on the topic. There is agreement that there should be a more comprehensive, thorough and consistent approach which combines business and IT (Thorp, 2008). Nevertheless, there is still confusion about what IT governance is, who is responsible for it, and how to achieve alignment between business and IT. The main goal of this thesis is to provide an overview of the most important and commonly used state-of-the-art corporate and IT governance models and frameworks, and corporate and IT control models and frameworks, which changed substantially after the introduction of regulations such as Sarbanes-Oxley. The unique contribution of this scientific work is that it analyzes, classifies and compares the frameworks and models and addresses the question:

What are the frameworks used to control Information Technology related activities at the board level?

The comparison and analysis of the frameworks will help outline the core issues which boards of directors and executive managers should consider. This thesis presents an extensive literature review of the areas of corporate governance and control, and IT governance and control, which will serve as a foundation for the development of a questionnaire measuring how companies align and control IT activities. An additional unique part of the thesis is the detailed weighted comparison of IT frameworks and models and a cluster analysis which groups the models and shows how similar they are to one another. Such a weighted comparison does not yet exist.


The thesis is structured as follows:

Methodology – presents the methods used;

Literature review – divided into Corporate governance, IT governance, Corporate control and IT control sections – presents some of the most used and important theories, models and frameworks;

Cluster Analysis – presents and discusses a cluster analysis of the outlined IT frameworks;

Bibliometric Analysis – presents findings from the comparison of the areas of IT control and corporate control in science, carried out through bibliometric analysis;

Discussion – discusses the findings of the analyses and reviews and suggests the components for the development of the questionnaire, based on the theory and analysis presented in the previous sections;


2. METHODOLOGY

The approach in this thesis is adopted from the CRISP-DM methodology (IBM Corp, CRISP-DM 1.0, 2010) and follows this process:

- IT Control business understanding

- IT Control Frameworks and Methods data collection and understanding

- IT Control data preparation

- IT Control Frameworks and Methods analysis and modeling

- Frameworks and Methods comparison

- Discussion, evaluation and conclusion

The methodology outline is:

Fig. 1. Methodology outline

A literature review was used for outlining the most valuable and suitable articles and books in the areas of IT and corporate governance and control. One of the most used and accepted databases for conducting a literature review is Web of Science (Gomez-Jaugerui et al., 2014). This database covers practically all global research articles and trends and offers the opportunity to conduct various statistical analyses and comparisons. The main research journals are part of the system and best describe the field of scientific research. For example, the area “Computer Science, Information Systems” contains 132 journals, which in 2012 published 9,910 publications and received 170,090 citations. It can be stated that the most relevant theoretical and practical publications are stored there.

Literature review generally follows three steps: data collection, data analysis and data synthesis (Crossan and Apaydin, 2010). These were the steps conducted in this thesis as well.

Data collection: There are various ways to collect data: by consulting experts to identify relevant articles, by using existing knowledge of the literature, or by specifying keywords to identify suitable publications. In science, it is accepted that the publications with the highest number of citations are the most important ones and contain the most valuable information (Garfield, 1979). This is the reason why they are cited most in the works of other authors. Sometimes publications do not reach a high number of citations because the new information is not yet understood by the members of the scientific community. This is one of the limitations of the method. But these cases are rare and, as a rule, temporary.

In this work, the literature review was conducted based on keywords in the areas of IT control and IT governance. These publications were then ordered by the number of citations, and the most cited were chosen for the scope of analysis. Table 1 presents the researched IT control framework keywords and the corresponding number of citations for each keyword in four database systems: Web of Science, AISeL, Google Scholar and Google in general. Publications can be searched for by specifying keywords in the title, and/or in the abstract, and/or in the dedicated keywords field. There is also the option to search for the keywords in the whole text. For selecting publications for the literature review in this thesis, keywords were searched in all fields except the whole text. A limitation of this method is that the researched problem is not always specified as a keyword.

Table 1. Keywords

Data analysis: Once the relevant publications are identified, the next step is to analyze them. As the goal of this thesis is to comprehensively outline the literature, the analysis follows a descriptive rather than a statistical method.

Data synthesis: The final step of the literature review is the data synthesis, i.e. organizing the theory around specific topics. In this thesis, the most important publications from the theory are presented in section 3, Literature Review, divided into four sections as follows:

- Corporate governance

- IT governance

- Corporate control

- IT control

- 0 = Not addressed

- 1 = A few aspects addressed

- 2 = Some aspects addressed

- 3 = Many aspects addressed

- 4 = Complete coverage

- 5 = Exceeded

ISACA, the organization that develops COBIT, has published comparisons between the processes of the previous version of COBIT, COBIT 4, and four IT models, namely ITIL, PMBOK, TOGAF and ISO/IEC 17799 (ISACA, 2008; ISACA, 2006a; ISACA, 2006b; ISACA, 2007). In addition, the governance section of the newest version of COBIT is based on ISO/IEC 38500. Finally, CobiT 5 Enabling Processes (ISACA, 2012) provides a similar mapping between the processes of CobiT 4 and CobiT 5. Taken together, these publications were the foundation for creating a comparison table between CobiT 5 processes and five IT frameworks (Appendix A). Such a comparison is unique and has not been created before. Unfortunately, such official measures are available only for a limited number of IT control frameworks. Should more official data become available for other models, they could be added to this method for comparison as well.

The information from this comparison table was used to carry out the classification procedure Cluster Analysis. The software used was STATISTICA. The applied procedure was Joining (Tree Clustering) with the following settings: Distance Measure – Euclidean distance; Amalgamation (Linkage) Rule – Single linkage. These settings are the most commonly applied ones (…). This classification allows a more complex interpretation of the differences between the models, taking into account the common structure of the concrete measures. The data, the process of the cluster analysis and the resulting graph are presented in Section 4, Classification by cluster analysis: comparing the trend of IT control frameworks.
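As an added example (not part of the thesis, and not the STATISTICA procedure itself), the following Python script implements the same joining (tree clustering) procedure from scratch: Euclidean distance between the per-process coverage scores of each framework, and single-linkage amalgamation. The score table is constructed for illustration on the 0-5 scale above, with six hypothetical process areas; it does not reproduce the thesis's Appendix A, and the framework names are only labels for the rows.

```python
"""Joining (tree clustering) with Euclidean distance and single linkage,
written from scratch so the procedure can be followed step by step on a
small table of coverage scores. Added example; not the thesis's own data."""
from __future__ import annotations

import math
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed, illustrative scores on the 0-5 coverage scale
# (0 = not addressed ... 5 = exceeded). Rows are frameworks, columns are six
# hypothetical process areas. These numbers are invented for this example
# and are NOT the thesis's Appendix A comparison table.
SCORES: Dict[str, List[int]] = {
    "CobiT 5":       [4, 4, 4, 4, 4, 4],
    "ITIL":          [1, 4, 4, 3, 1, 2],
    "PMBOK":         [0, 1, 1, 4, 0, 0],
    "PRINCE2":       [0, 1, 2, 4, 0, 0],
    "TOGAF":         [3, 1, 0, 1, 0, 5],
    "ISO/IEC 27000": [2, 1, 3, 1, 3, 2],
}

# One merge step: (members of cluster A, members of cluster B, linkage distance)
Merge = Tuple[List[str], List[str], float]


def euclidean(a: List[int], b: List[int]) -> float:
    """Euclidean distance between two score vectors of equal length."""
    if len(a) != len(b):
        raise ValueError("score vectors must cover the same process areas")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def pairwise_distances(scores: Dict[str, List[int]]) -> Dict[FrozenSet[str], float]:
    """Distance for every unordered pair of frameworks."""
    names = list(scores)
    return {
        frozenset((p, q)): euclidean(scores[p], scores[q])
        for i, p in enumerate(names)
        for q in names[i + 1:]
    }


def single_linkage(scores: Dict[str, List[int]]) -> List[Merge]:
    """Agglomerative clustering with the single-linkage rule: the distance
    between two clusters is the smallest distance between any two of their
    members. Returns the merge sequence (the dendrogram, read bottom-up)."""
    dist = pairwise_distances(scores)

    def linkage(c1: FrozenSet[str], c2: FrozenSet[str]) -> float:
        return min(dist[frozenset((p, q))] for p in c1 for q in c2)

    clusters: List[FrozenSet[str]] = [frozenset([n]) for n in scores]
    merges: List[Merge] = []
    while len(clusters) > 1:
        best: Optional[Tuple[float, int, int]] = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = linkage(clusters[i], clusters[j])
                if best is None or d < best[0]:
                    best = (d, i, j)
        d, i, j = best
        a, b = clusters[i], clusters[j]
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [a | b]
        merges.append((sorted(a), sorted(b), round(d, 3)))
    return merges


def clusters_at(scores: Dict[str, List[int]], threshold: float) -> List[List[str]]:
    """Cut the single-linkage tree at a linkage distance. Two frameworks end up
    in the same group exactly when a chain of pairwise distances <= threshold
    connects them, so a union-find over the short edges gives the groups."""
    parent = {n: n for n in scores}

    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for pair, d in pairwise_distances(scores).items():
        if d <= threshold:
            p, q = tuple(pair)
            parent[find(p)] = find(q)
    groups: Dict[str, List[str]] = {}
    for n in scores:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for a, b, d in single_linkage(SCORES):
        print(f"{d:6.3f}  {' + '.join(a)}  <->  {' + '.join(b)}")
    print("groups at linkage 4.5:", clusters_at(SCORES, 4.5))
```

Running the script prints the merge sequence (closest pair first) and the groups obtained by cutting the tree at a chosen linkage distance. Because single linkage joins clusters by their closest members, a cut at distance t yields exactly the groups connected by chains of pairwise distances of at most t, which is what `clusters_at` computes directly; comparing its output with the merge sequence from `single_linkage` is a quick consistency check on the tree.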

3. LITERATURE REVIEW: CORPORATE AND IT GOVERNANCE AND CONTROL

In order to analyze and reach conclusions about IT control at the corporate level, it is important to first look at the theory of corporate governance, IT governance and corporate control. This section presents the relevant theory, outlined in the respective subsections.

3.1. Corporate Governance

OECD (2004) defines corporate governance as

procedures and processes according to which an organization is directed and controlled. The corporate governance structure specifies the distribution of rights and responsibilities among the different participants in the organization – such as the board, managers, shareholders and other stakeholders – and lays down the rules and procedures for decision-making

This definition emphasizes the importance of accountability and control.

Tricker (2008) claims that today governance is more important than management. Governance consists of compliance and performance. Management operates through hierarchies, regardless of their nature. But in these hierarchical organizational charts the governance board is rarely included. Therefore, Tricker proposes a model where he includes the governing and the management bodies (fig. 2).

Fig. 2. Governance and Management

Source: Tricker, 2008

Legend: externals and non-executive directors; executive directors; other managers not on the board (marked by different symbols in the figure).

This figure is supported by Barger (2004), who outlined three levels of control in an organization: owners, governing body and management.

At the highest level, owners possess all the assets and liabilities of an organization. The governing body is responsible for protecting the owners’ investment by strategically directing the organization and leading the management on all aspects. The governing body specifies the policies, procedures and strategy, and approves plans. It consists of a board of directors and is responsible for selecting the management team.

Management is responsible for the day-to-day operations. It is responsible for fulfilling the requests of the governing body, following the set procedures and policies. Management consists of managers and executives.

Corporate governance is well developed. In fact, more than 100 countries have their corporate governance codes (ECGI, 2014).

Strategy, structures and systems are among the most important points regarding corporate governance and are thus presented in the following subsection.

3.1.1. Strategy

There are many models which distinguish types of companies. Treacy and Wiersema (1995) propose a value discipline model which differentiates between three types of strategy, one of which a company should choose to pursue:

Operational excellence – the competitive advantage of these organizations is a reliable and fluent organization of operational processes. Companies which employ this strategy have effective process design and a small number of product variations;

Product leadership – the competitive advantage of these organizations is on product improvement and product innovation. Companies which employ this strategy offer the best products in their class and use new technologies to improve their products;

Customer intimacy – the competitive advantage of these organizations is a focus on customers and providing a unique ‘customized’ service for every customer through understanding customers’ needs.

3.1.2. Structures and Systems

Structures and systems are other important points with regard to governance, as they play an important coordination, communication and control function and define how decisions are made. Organizations define the structures and systems, which in turn define the behavior of the organization’s employees (Cawsey, 2012). There are six dimensions of organizational design:

Differentiation – the degree to which tasks are subdivided into separate jobs or tasks.

Integration – the coordination of the various tasks or jobs into a department or group.

Chain of command – the reporting architecture in a hierarchical organization. It defines how individuals and/or units within an organization report to one another up and down the organizational ladder.

Span of Control – number of subordinates a manager can efficiently and effectively direct.

Formal vs. informal: the degree to which organizational charts exist, are codified, and are followed. The extent to which structures and processes of the organization are set down in writing and expected to be followed.


Table 2. Tradeoffs and the best of both

Source: Peterson, 2004

Structures and systems are impacted by the strategy the company employs, the size of the organization, its technology and the constantly changing environment.

Weill and Ross (2004b) propose a framework (Fig. 3) which shows the relationship between the board (the top of the model) and its responsibilities, and the six core assets of an organization (the lower part of the model). The executive board is responsible for governing how management uses these assets, through structures, processes, procedures, etc. The bottom of the figure presents the mechanisms for governing these assets.

Fig. 3 Link between corporate governance and IT governance


This framework shows that IT should be governed the same way as other assets in an organization, such as finance. ISACA (2009) supports this statement through suggesting that IT governance should be an integral part of the corporate governance. It is the role of the executive board to balance between growth and profitability, striving for effectiveness and complying with regulations (Selig, 2008). To achieve this, there has to be effective IT governance.

3.2. IT Governance

In today’s technological age, ICT governance complements corporate governance. Nevertheless, there are differences between the two areas. The differences are presented in Table 3.

Table 3. IT vs. corporate governance

The IT Governance Institute (ITGI) identifies five focus areas of IT governance (Fig. 4):

Value delivery – aiming at optimizing costs and delivering value from IT;

Strategic alignment – focusing on business-IT alignment;

Risk management – concentrating on safeguarding IT assets, disaster recovery and continuity of operations;

Performance measurement – monitoring IT services and project delivery;

Resource optimization – concerning knowledge and IT infrastructure.

Source: Neto & Neto, 2013


Although there is no one best way to govern IT, it is agreed that the end goal is to create value for all stakeholders, i.e. board members, executive managers, customers, investors, regulators, etc. This is achieved through strategic alignment. The two elements used to achieve the alignment are risk and performance management. Finally, this requires management of resources.

Similar to the definition of ITGI, Van Grembergen & De Haes (2008) created a model of the necessary elements of an IT governance framework. They claim that these required elements are a mixture of structures, processes and relational mechanisms, as outlined in their model (fig. 5).

Fig. 5. Elements of IT governance

Source: Van Grembergen & De Haes, 2008

These components will be presented more in detail.

3.2.1. Structures

3.2.1.1. Roles and Responsibilities


Table 4. Roles and Responsibilities

Source: ITGI, 2006

3.2.1.2. IT organizational structure

An important premise for effective IT governance is the structure and the location of IT decision-making authority.

Weill & Ross (2004b) created the well-known IT Governance on One Page framework. They consider four objectives for evaluating IT governance:

cost effective use of IT,

effective use of IT for asset utilization,

effective use of IT for growth,


The authors extend the common centralized, decentralized and federal structures for decision making presented above and create a matrix which identifies the IT decision influencers (domains) and decision makers (archetypes) in an organization, presenting the authority levels for the core IT areas (fig. 6).

Fig. 6. IT Governance on One Page

Source: Weill & Ross, 2004

The five domains (IT principles, IT architecture, IT infrastructure, Business application needs and IT investment) are the decisions which the governing and management body of an organization needs to make concerning the IT governance.

The six decision makers or input givers are:

- Business Monarchy – consists of executives (CxOs);

- IT Monarchy – IT executives alone;

- Federal – C-level executives together with one other business unit group;

- IT Duopoly – IT executives together with one other business unit group;

- Feudal – business unit leaders, process owners, etc.;

- Anarchy – each individual user.

The groups are ordered by the level of centralization, starting from Business Monarchy being most centralized to Anarchy being most decentralized.


Fig. 7. IT governance on One Page – Example

Source: Weill & Ross, 2004

3.2.1.3. IT committees


Table 5. IT Strategy vs. IT Steering Committees

Source: McFarlan, 2005

ITGI (2006) promotes the ideal IT strategy committee, consisting of a board member as chairman, other board members, non-board independent members and ex officio representation of key executives.

3.2.1.4. Strategic Information Systems Planning

Strategic Information Systems Planning (SISP) is used for achieving business-IT alignment. Earl (1993) listed four components of SISP:

- Aligning IT with business goals

- Exploiting IT for competitive advantage

- Directing efficient and effective management of IT resources

- Developing technology policies and architecture


3.2.2. Strategic Alignment Model

Various authors have tried to compose a strategic alignment model (Henderson & Venkatraman, 1993; Luftman & Brier, 1999; Burn & Szeto, 2000). Henderson and Venkatraman (1993) were among the first to develop a model for business-IT alignment, more than 20 years ago (fig. 8). The model presents two dimensions: strategic fit and functional integration. The upper two blocks have an external dimension and deal with the fit between business and IT strategy, while the bottom two blocks are internal and deal with the fit between organizational infrastructure and processes, and IS infrastructure and processes.

The strategic alignment is achieved when choices between the four domains are balanced. For example, if managers consider only the external perspective, i.e. business and IT strategy, internal difficulties might occur, e.g. wrongly redesigning business processes.

Fig. 8. Strategic Alignment Model

Source: Henderson and Venkatraman, 1993

3.2.3. Maturity models

IT governance is a journey towards higher levels of IT maturity and integration with the business (Selig, 2007). Organizations usually measure the existence of a certain process on a scale from non-existent (0) to optimized (5). Organizations can only consider higher levels once all the conditions of a certain level are achieved. The maturity levels companies should strive to achieve depend on the nature of the companies. For example, a banking company should strive to achieve a higher level of maturity (Van Grembergen and De Haes, 2008) than a manufacturing company.


3.2.4. IT Governance vs. IT Management

Just as with the distinction between corporate governance and corporate management presented above, it is important to note that there is a difference between IT governance and IT management. ISACA as well stresses these differences, which will be further discussed when presenting CobiT 5. Table 9 presents the summarized differences between the two areas:

Table 9. IT Governance vs IT Management


3.3. Corporate Control Frameworks

Management Control Systems are used by managers to achieve goals through a set of formal and informal routines, procedures and processes (Bisbe and Otley, 2004). They also have to help balance short-term and long-term goals (Nixon and Burns, 2005).

3.3.1. Balanced Scorecard

The Balanced Scorecard was created by Kaplan and Norton in 1992. At first it was used as a performance management system, in response to the systems of that time, which were inefficient. The authors found that the focus on traditional financial measures, on the one hand, did not reflect the reality of the economy, in which intangible assets constituted the predominant part of companies’ value, and on the other hand, that such measures capture historical data and do not serve as a basis for decisions addressing the causes of these results. Kaplan and Norton propose a balanced system, in which the financial and customer measures are balanced against leading measures connected to the internal business processes and the ability to innovate through learning and growth (people, education, innovation, and technology). The four components of the model are financial, customer, internal processes, and learning and growth (Fig. 9).

Fig. 9. Balanced Scorecard

Source: Kaplan & Norton, 1992

The balanced scorecard is composed of a four-layer structure for each of the four perspectives: mission, objectives, measures and initiatives.


3.3.2. Other Management Control Frameworks

The variety of available control systems was the premise for O’Grady et al. (2010) to evaluate three of the most used control frameworks: Ferreira and Otley’s (2006) performance management and control framework, Simons’ (2000) levers of control and Beer’s (1994) viable system model. They compared the components of the frameworks in a table (Table 10).

Table 10. Comparison of Control Frameworks

Source: O’Grady, 2010

3.4. IT Control Frameworks

Most of the widely accepted frameworks and models for IT governance fail to address the entire lifecycle of IT governance, and do not provide “how to” processes and checklists, or methods and guidance for improving the IT governance process. Some of the methods provide a structure that is either too flexible or too rigid (Selig, 2008). Before CobiT 5, there was no single universal framework covering the overall enterprise needs; instead, each framework was used to serve specific needs (Kadam, 2012).

This section presents an overview of the main IT control frameworks used in organizations. They can be characterized in several main groups of methods:

- IT Service Management (ITSM) models

- Project Management models

- Enterprise Architecture Management models

- Security Management models

- Motivation models

The most commonly used examples of these groups will be discussed from the perspective of the problem of IT control outlined above. At the end, a generalized comparison will be presented.

3.4.1. ITSM Models

3.4.1.1. CobiT 5


Although ISACA (2012a) defines CobiT 5 as “the only business framework for GEIT”, it does not aim at being an alternative framework, but unites other detailed ISACA frameworks, such as Val IT, Risk IT, the Business Model for Information Security (BMIS) and the IT Assurance Framework (ITAF) (ISACA, 2012a), and adopts other frameworks and standards, discussed further in the thesis.

CobiT 5 is based on five principles and seven enablers. The five principles are shown in fig. 10. The main objective of CobiT, the first principle, is to satisfy the needs of the various stakeholders (IT and non-IT business functions) by creating value through IT in congruence with the strategies and objectives of the organization, using the least resources and exposing the organization to minimum risk (ISACA, 2012a). CobiT 5 considers internal and external factors for creating value. For the internal factors, it focuses on enterprise-wide activities and responsibilities by addressing the processes, structure, principles and policies, culture, skills, and service capabilities of the organization. Externally, it asks the business to assess its market, industry, geopolitical situation, etc.

Fig. 10. Five Principles of CobiT 5

Source: ISACA, 2012

The second principle, Covering the Enterprise End-to-end, indicates that just as the board and the executive managers are responsible for governing finance, they should govern IT in the same way. Additionally, CobiT 5 addresses all relevant internal and external business processes and IT services. The end-to-end approach is achieved through the components outlined in Fig. 11.

Fig. 11. CobiT 5 Components


CobiT defines four role groups:

- owners and stakeholders,

- governing body,

- management,

- operations and execution.

This is similar to Barger’s (2004) division of corporate governance roles presented above.

ISACA claims that CobiT 5 integrates all existing frameworks which are needed for governing enterprise IT, which is the third principle of CobiT 5.

To enable a holistic approach (the fourth principle), CobiT 5 outlines seven groups of enablers (Fig. 12):

- principles, policies and frameworks;

- processes;

- organizational structures;

- culture, ethics and behavior;

- information;

- services, infrastructure and applications;

- people, skills and competencies.

These enablers need to be interconnected. Each enabler has four dimensions: shareholders, goals, life cycle and good practices. Setting targets and metrics helps monitor the activities.

The fifth principle, separating governance from management, refers to the division between governance and management, outlined in corporate governance section. CobiT defines governance as:

... all the means and mechanisms that enable multiple stakeholders in an enterprise to have an organized say in evaluating conditions and options; setting direction; and monitoring compliance, performance and progress against plans, to satisfy specific enterprise objective…

The management is defined as

… the judicious use of means (resources, people, processes, practices et al) to achieve an identified end… Management is about planning, building, organizing and controlling operational activities to align with the direction set by the governance body.


Fig. 13. CobiT 5 Processes

Source: ISACA, 2012

These processes are based on the balanced scorecard, i.e. they consider more than just the financial metrics, but include metrics for customer, internal processes and learning and growth metrics. The 32 management processes are linked to IT-related goals, clearly defined goals and metrics, the RACI chart, management practices, input/output and activities.

These 37 processes, together with their 220?! subprocesses, were the foundation for the development of a cluster analysis of CobiT 5 and five IT models (Appendix A).

Additionally, CobiT includes a maturity model, which helps companies describe current and future states. The first level (0) suggests that a company lacks any IT governance process. The second level (1) suggests that the organization has recognized the importance of having IT governance. The final level suggests that all IT and business processes are completely aligned. According to a survey from Guldentops (2003), the average maturity level for the processes is only 2.0.

Each company selects the set of processes it employs. Generally, the bigger the company, the more processes it uses.

CobiT 5 also provides guidance for its implementation. It builds on Kotter's (1996) eight-step change model and suggests seven phases (fig. 14):

 Initiate program

 Define problems and opportunities

 Define road map

 Plan program

 Execute plan

 Realize benefits

 Review effectiveness

CobiT is an excellent framework to identify what needs to be governed. ITIL is used to provide the how for service management (ISACA, 2012).

3.4.1.2. ITIL

The Global Status Report CGEIT (2012) found that the most used model is the IT Infrastructure Library (ITIL). It is a framework of principles and practices for managing IT services, built around three key areas:

 Services – IT services and applications that support business processes

 Processes – used to control IT services; there are 26 processes

 Functions – organizational units within the IT department; there are four functions:

o Service desk

o Technical management

o Application management

o IT operations management, which comprises IT operations control and facilities management

ITIL comprises and is structured around the lifecycle of IT services (Fig. 15):

 Service strategy

 Service design

 Service Transition

 Service Operation

 Continual Service Improvement

Table 28 (ISACA, 2012) provides a detailed overview of the five phases.


ITIL contains main concepts, which are used for planning, integration and realization of IT services.

Fig. 15. ITIL Lifecycle


Table 28, ITIL phases

Source: ISACA, 2012

The service design part gives recommendations and principles for designing new services, as well as the changes to existing services needed to realize improvements, in order to ensure and increase value for customers.

Service transition aims to methodically support the transition of services from design into operation and therefore focuses on managing the transition processes and their risks. Service operation focuses on achieving maximum effectiveness and efficiency in delivering and supporting the services.

Continual service improvement aims to manage changes and improve organizational capabilities in support of designing, transitioning and delivering IT services. This is achieved through quality management methods.

There is a clear causal relationship between CobiT and ITIL: where the IT processes fail to support the IT goals, the result is insufficient IT support for the business (Van Grembergen and De Haes, 2008).

3.4.1.3. Balance Scorecard for IT


Van Grembergen and De Haes (2005) suggested a performance management system consisting of four perspectives that are linked by cause-and-effect relationships. Their version starts with the Corporate Contribution perspective, as the ultimate goal of IT governance is the alignment between IT and the business. The Stakeholder perspective presents the users' evaluation of IT. The Operational Excellence perspective presents the IT structures and processes for the development and delivery of applications. The Future Orientation perspective presents the human and technology assets needed to deliver the services. The last three perspectives have a cause-and-effect relationship and drive the Corporate Contribution.

Fig. 29. Balanced Scorecard for IT

Source: Van Grembergen & De Haes, 2005

The Balanced Scorecard for IT links to the business primarily through the Corporate Contribution perspective. As with the Balanced Scorecard, the ultimate goal of the IT scorecard is better financial results; the difference is that the Balanced Scorecard for IT focuses entirely on IT governance processes.

This management system is useful for managers because it identifies the areas to focus on. When managers identify problems with, e.g., risk management (corporate contribution), other tools such as CobiT or ITIL can be employed to tackle the problem (Van Grembergen and De Haes, 2008).

3.4.1.4. CMMI


Fig. 17. CMMI

Source: CMMi, 2000

Each process area is measured on six capability levels (continuous representation of CMMI v1.2 and earlier; v1.3 reduced these to four):

 Level 0, Incomplete process – the process is not performed or is only partially performed

 Level 1, Performed process – the specific goals of the process area are satisfied

 Level 2, Managed process – a performed process with the basic infrastructure to plan, monitor and control it; corresponds to maturity level 2

 Level 3, Defined process – a managed process tailored from the organization's standard processes, which contributes work products, measurements and other process information to the organization; corresponds to maturity level 3

 Level 4, Quantitatively managed process – a defined process controlled with statistical and other quantitative techniques; corresponds to maturity level 4

 Level 5, Optimizing process – a quantitatively managed process that is continually improved; corresponds to maturity level 5

There are three main areas of interest according to CMMI:

1. Product and service development – CMMI for Development (CMMI-DEV)

2. Service establishment and management – CMMI for Services (CMMI-SVC)

3. Product and service acquisition – CMMI for Acquisition (CMMI-ACQ)

CMMI models offer guidance for establishing or improving processes that meet an organization's business targets. A CMMI model may also be used as the basis for appraising the process maturity of the organization.

3.4.2. Project Management Models

3.4.2.1. PMBOK


Table 13. PMBOK knowledge areas and the processes they contribute to each project management process group (Initiating, Planning, Executing, Monitoring and Controlling, Closing)

 Project Integration Management: Develop Project Charter (Initiating); Develop Project Management Plan (Planning); Direct and Manage Project Execution (Executing); Monitor and Control Project Work, Perform Integrated Change Control (Monitoring and Controlling); Close Project or Phase (Closing)

 Project Scope Management: Collect Requirements, Define Scope, Create WBS (Planning); Verify Scope, Control Scope (Monitoring and Controlling)

 Project Time Management: Define Activities, Sequence Activities, Estimate Activity Resources, Estimate Activity Durations, Develop Schedule (Planning); Control Schedule (Monitoring and Controlling)

 Project Quality Management: Plan Quality (Planning); Perform Quality Assurance (Executing); Perform Quality Control (Monitoring and Controlling)

 Project Human Resource Management: Develop Human Resource Plan (Planning); Acquire Project Team, Develop Project Team, Manage Project Team (Executing)

 Project Communications Management: Identify Stakeholders (Initiating); Plan Communications (Planning); Distribute Information, Manage Stakeholder Expectations (Executing); Report Performance (Monitoring and Controlling)

 Project Risk Management: Plan Risk Management, Identify Risks, Perform Qualitative Risk Analysis, Perform Quantitative Risk Analysis, Plan Risk Responses (Planning); Monitor and Control Risks (Monitoring and Controlling)

 Project Procurement Management: Plan Procurements (Planning); Conduct Procurements (Executing); Administer Procurements (Monitoring and Controlling); Close Procurements (Closing)

Source: PMBOK, 2012

For each knowledge area there are corresponding processes, each belonging to one of the five process groups. The process names in the table are those of the PMBOK Guide 4th edition, which has 42 processes in nine knowledge areas (Project Cost Management, with Estimate Costs, Determine Budget and Control Costs, is not reproduced in the table above). The 5th edition (2013) adds Project Stakeholder Management and brings the total to 47 processes.

3.4.2.2. PRINCE2


Prince2 describes procedures for coordinating the activities of a project in seven processes:

 Starting up a project;

 Initiating a project;

 Directing a project;

 Controlling a stage;

 Managing stage boundaries;

 Managing product delivery;

 Closing a project;

This method also makes it possible to manage resources effectively. The model follows seven core principles:

 Continued business justification

 Manage by exception

 Learn from experience

 Defined roles and responsibilities

 Manage by stages

 Focus on products

 Tailoring

It is widely adopted by organizations in Europe for managing their projects (Harmer, 2014).

3.4.3. Enterprise Architecture Management

3.4.3.1. TOGAF

The Open Group Architecture Framework (TOGAF) is probably the most widely accepted enterprise architecture framework at the moment (Zachman, 2008). It is open to various taxonomies and notations while providing a detailed Architecture Development Method (ADM). The ADM consists of eight phases (A to H) plus a Preliminary phase for organizations that institutionalize an architecture approach for the first time. In addition to the ADM, TOGAF provides the Enterprise Continuum, the Architecture Repository, guidelines for developing an architecture governance capability, and two reference models: the Technical Reference Model and the Integrated Information Infrastructure Reference Model. One of the biggest achievements of TOGAF is its well-defined and widely adopted set of architecture domains:

 Business architecture – defines the business strategy, governance, organization and key business processes

 Information systems architecture, consisting of:

 Data architecture – describes the structure of the organization's logical and physical data assets and the resources for managing them

 Application architecture – specifies the application systems, their relationships and the way they support and automate the business processes

 Technology architecture – includes the IT infrastructure, middleware, networks, communications, standards, etc.

3.4.3.2. ZEAF


In essence, the framework is a taxonomy that forms a matrix of 36 cells. The columns are formed from the classification of the main questions:

 What – the inventory column (earlier known as the data column)

 How – the function (process) column

 Where – the network (distribution) column

 Who – the people (responsibility) column

 When – the time column

 Why – the motivation column

The rows present, on the one hand, the transformation levels and, on the other, the perspectives and interests of the following groups:

 Scope (Contextual) – the perspective of strategists as theorists, known as the planner's perspective

 Enterprise model (Conceptual) – the perspective of executives as owners

 System model (Logical) – the perspective of architects as designers

 Technology model (Physical) – the perspective of engineers as builders

 Detailed representation (Out-of-context) – the perspective of technicians as programmers

 Functioning enterprise – the perspective of employees as users

To a large extent, rows 2, 3 and 4 are the traditional conceptual, logical and physical modeling levels, whose use was consolidated by the OMG in 2001 when it introduced MDA (OMG, 2003). Row 5 is analogous to the Solution Architecture of TOGAF, and row 6 concerns the actual operation of the architecture elements.

Of special interest for this thesis is the last column, motivation. At the contextual level, goals and strategies are stated without a method for measuring them and without being bound to a specific period. Although Zachman calls them goals, they are closer to the governing statements of an organizational vision.

The cells in column six follow the transformation mechanism that is central to the taxonomy, applied to motivation: identification -> definition -> representation -> specification -> configuration -> instantiation.

3.4.3.3. DoDAF

The US Department of Defense created an architecture framework that is used by many military organizations and also in the private, public and voluntary sectors. Its second version is organized into eight viewpoints (All, Capability, Data and Information, Operational, Project, Services, Standards and Systems) containing 52 models in total. The DoDAF meta-model (DM2) is divided into three levels, conceptual, logical and physical (Fig. 17), following the established routines and standards for information modeling (DoD, 2009).

Fig. 17, DoDAF


DoDAF defines 12 core data concepts, which help executives and managers at all levels understand the data underlying an architectural description (DoDAF V.2.02, 2011). The concepts are:

 Activity

 Resource

 Capability

 Condition

 Desired Effect

 Measure

 Measure Type

 Location

 Guidance

 Project

 Vision

 Skill

Three of these concepts deserve specific mention: capability, desired effect and measure. A capability links specific resources (people, processes, technology, knowledge) with a desired effect. Most elements of the meta-model are linked, directly or indirectly, with a measure. One of the main distinctive features of DoDAF is the introduction of measure as a core object and its linkage to the rest of the meta-model (White, 2011).

3.4.4. Security Management Models

3.4.4.1. ISO/IEC 27000

ISO/IEC 27000 is a family of international information security standards. It consists of various standards, of which two, ISO/IEC 27001 and ISO/IEC 27002, are the core ones.

ISO/IEC 27001 is essentially the successor of the BS 7799-2 standard. It specifies the requirements for establishing, operating, monitoring and improving an Information Security Management System (ISMS), whose design is influenced by the needs, goals, security requirements, size, structure and processes of the organization. The 2013 revision emphasizes the measurement and evaluation of the ISMS's performance and adds guidance on outsourcing and on the organizational context of information security (ISO 27001 update, 2013).

ISO/IEC 27002 is intended to be used together with ISO/IEC 27001 and is the successor of ISO/IEC 17799. Its 2013 edition contains 114 controls in 14 clauses, and sector-specific adaptations exist (e.g. for the health sector, manufacturing, etc.). The controls serve the three properties an ISMS must protect when it is implemented and maintained: confidentiality, integrity and availability.

3.4.4.2. ISO 31000 Risk Management

ISO 31000 is a generic risk management standard that is equally applicable to IT-related risks; it helps align IT risks with business risks and describes how to treat, manage and monitor them. It applies to all industries and all types of organization.

The standard defines risk as the "effect of uncertainty on objectives". It lists risk treatment options such as:

 Avoiding the risk by terminating the activity that gives rise to it

 Removing the source of the risk

 Changing the likelihood or the consequences

 Sharing the risk with another party

 Retaining the risk by informed decision


3.4.4.3. ISO/IEC 38500 Governance

ISO/IEC 38500 is a standard for effective governance of IT that proposes three activities for board members and senior executives:

 Evaluate

 Direct

 Monitor

These activities were adopted for the processes related to the governance practices of CobiT 5 (Harmer, 2014).


4. CLASSIFICATION BY CLUSTER ANALYSIS: COMPARING THE

TREND OF IT CONTROL FRAMEWORKS

As can be seen, the outlined IT control frameworks cover different aspects and are applicable to specific cases. Overall, these models can be differentiated by their processes, which reflect their depth and scope, area of application and effectiveness. It is therefore interesting to measure the differences between the models; this gives a more common orientation on their capabilities and helps managers choose suitable models for their specific needs.

CobiT 5 was developed on the basis of more than 80 frameworks and models (Harmer, 2014), and it is the only framework that addresses the areas of governance and management separately. It can be considered the most complete framework for governing enterprise IT and is therefore taken as the basis of comparison: its processes are mapped against the other models and frameworks outlined and analyzed above. Appendix A presents this detailed comparison.

Table 15 summarizes, for every model, how many processes received each coverage grade. It is immediately visible that CobiT 5 differs from the other models: the others are limited in both the degree and the number of processes they cover, which is a result of their specialization, whereas CobiT 5 aims to be universal and to cover all processes in an organization.

Table 15. Process Overview

Such a count-based comparison, however, raises many questions that are hard to answer, while here the structural differences between the models are of interest. A cluster analysis presents the overall picture more effectively: the resulting classification allows a richer interpretation of the models, taking into account the common structure of the individual measures. The cluster analysis follows a four-step process:

 Data understanding

 Data preparation

 Model and analysis

 Visualization of the results

Therefore, the outlined groups (classes) of models should present more common trends. Fig. 18 presents the final outcome of the analysis.


Fig. 18. Cluster Analysis

This classification suggests the following common trends:

 Tendency for universality – demonstrated by CobiT 5 through its sharp separation from all other models. CobiT 5 covers all outlined areas, i.e. governance, project management, architecture, security, etc. The other methods concentrate on specific areas only and therefore resemble CobiT 5 only to some extent.

 Coverage of various processes from both the governance and the management area – the tendency demonstrated by ITIL, which is the model most similar to CobiT 5. It exceeds CobiT 5's coverage in certain processes and is represented in many areas, although to a much narrower extent.

 Concentration on governance – demonstrated by ISO/IEC 38500 and, to some extent, by TOGAF. ISO/IEC 38500 is fully covered by the governance domain of CobiT 5, while TOGAF, although an architecture model, also has certain aspects in the governance processes of CobiT 5.

 Concentration on management – demonstrated by PMBOK and ISO/IEC 17799.

Concerning the last two tendencies, TOGAF has a limited scope but full or almost full coverage in processes such as Ensure Resource Optimization, Manage the IT Management Framework and, of course, Manage Enterprise Architecture. ISO/IEC 38500 is a similar case: it is the foundation of all five governance processes of CobiT 5, i.e. 15 subprocesses, and has no coverage in any other process.

PMBOK is most strongly covered in Manage Programs and Projects (BAI01), where its coverage reaches the highest grade of 4 (completely covered). PMBOK also has lower but non-zero coverage of other processes, which brings it closer to CobiT 5. ISO/IEC 17799 received more grades of 4 than PMBOK, but it covers fewer of the remaining processes.

[Fig. 18 residue: tree diagram for 6 variables, single linkage, Euclidean distances; vertical axis (Dlink/Dmax)*100 with ticks from 40 to 110]
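The four-step cluster analysis above, worked through as an added example (this is not code from the thesis). It implements the method the tree diagram is based on: Euclidean distances between the models' coverage-grade vectors, agglomerative clustering with single linkage, and merge heights rescaled to (Dlink/Dmax)*100 as on the diagram's axis. The six model names are the thesis's, but the eight-process grade vectors are constructed for illustration only; the thesis's real grades over all CobiT 5 subprocesses are in its Appendix A.

```python
"""Single-linkage hierarchical clustering of IT control frameworks by their
CobiT 5 process-coverage grades (added worked example, not the thesis's code)."""
import math
from itertools import combinations

# Constructed example data: coverage grade (0 = not covered ... 5 = fully covered)
# of eight hypothetical CobiT 5 processes by six frameworks. The numbers are
# invented for illustration only; the thesis's actual grades are in its Appendix A.
COVERAGE = {
    "CobiT 5":       [5, 5, 5, 5, 5, 5, 5, 5],  # the reference model covers everything
    "ITIL":          [4, 5, 5, 3, 2, 0, 0, 1],  # broad service-management coverage
    "PMBOK":         [0, 0, 0, 5, 1, 0, 0, 0],  # one project-management process
    "TOGAF":         [3, 0, 0, 0, 0, 5, 0, 0],  # architecture plus some governance
    "ISO/IEC 38500": [0, 0, 0, 0, 0, 0, 0, 5],  # governance only
    "ISO/IEC 17799": [0, 0, 2, 0, 0, 0, 5, 0],  # security management only
}


def euclidean(a, b):
    """Euclidean distance between two coverage vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def single_linkage(vectors):
    """Agglomerative clustering with single linkage.

    Returns the merge history as a list of (cluster_a, cluster_b, link_distance),
    where link_distance is the smallest pairwise distance between the two clusters
    (the single-linkage criterion). Clusters are frozensets of model names.
    """
    names = list(vectors)
    dist = {frozenset(p): euclidean(vectors[p[0]], vectors[p[1]])
            for p in combinations(names, 2)}
    clusters = [frozenset([n]) for n in names]
    merges = []
    while len(clusters) > 1:
        best = None
        for ca, cb in combinations(clusters, 2):
            # nearest-neighbour distance between the two clusters
            link = min(dist[frozenset((p, q))] for p in ca for q in cb)
            if best is None or link < best[2]:
                best = (ca, cb, link)
        ca, cb, link = best
        clusters = [c for c in clusters if c not in (ca, cb)] + [ca | cb]
        merges.append((ca, cb, link))
    return merges


def normalised_linkage(merges):
    """Rescale each merge height to (Dlink / Dmax) * 100, the dendrogram axis used
    in the thesis's tree diagram; Dmax is the height of the final merge."""
    dmax = max(link for _, _, link in merges)
    return [(sorted(a), sorted(b), round(100 * link / dmax, 1)) for a, b, link in merges]


def partition(vectors, k):
    """Cut the dendrogram so that k clusters remain."""
    clusters = [frozenset([n]) for n in vectors]
    for ca, cb, _ in single_linkage(vectors):
        if len(clusters) <= k:
            break
        clusters = [c for c in clusters if c not in (ca, cb)] + [ca | cb]
    return clusters


if __name__ == "__main__":
    for a, b, height in normalised_linkage(single_linkage(COVERAGE)):
        print(f"{height:6.1f}  {' + '.join(a)}  <->  {' + '.join(b)}")
    print("three clusters:", [sorted(c) for c in partition(COVERAGE, 3)])
```

Single linkage joins the two clusters whose closest members are closest, so the narrow models (each scoring high on one or two processes and zero elsewhere) are grouped together first, ITIL joins that group next, and the reference model, which scores 5 everywhere, is joined last at Dmax. Cutting the tree at three clusters reproduces the split the text describes: CobiT 5 alone, ITIL alone, and the specialist models together. The grades are all on the same 0 to 5 scale, so no standardisation is applied; with the real data one should check whether plain Euclidean distance over subprocesses is wanted, because processes with many subprocesses then weigh more than those with few.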


5. BIBLIOMETRIC ANALYSIS

A bibliometric analysis was conducted to compare the research trends of IT control frameworks and corporate control frameworks. To what extent is one scientific trend related to another? To what extent do the interests of research communities and their researchers overlap? How can results obtained in one field be used in another? Bibliometric analysis can help answer these and many other questions.

The analysis was also used to define the relationship between the fields of corporate control and IT control. The assumption was that the two areas should be related through their publications, because IT control is a subset of corporate control and is used within it; publications in the two areas should therefore share origins and authors.

Web of Science is a suitable and widely accepted database for this purpose, and its relevant section was used for the analysis of the two areas.

To test this hypothesis and establish the actual state of research on the problem, the two fields were analyzed: one related to IT control and the other to corporate control. Publications were assigned to an area on the basis of keywords. The IT control keywords were: CobiT, ITIL, Prince2, PMBOK, TOGAF and ISO/IEC. The corporate control keywords were: viable system model, levers of control, framework for management control and balanced scorecard.

Relying on keywords alone has its limitations: only publications containing these keywords were considered, so relevant publications that do not mention them are omitted.


Table 11. Journals


Table 12. Authors


Table 13. Organizations


6. DISCUSSION

As stated earlier, the aim of this thesis is to set a basis for the development of a questionnaire with which IT control in organizations can be measured in practice and which can serve as an instrument for its improvement. The bibliometric analysis indicated that the areas of IT control and corporate control do not coincide in the scientific literature; an empirical study will check whether the same holds in practice. The questionnaire builds on the outlined theories and on the weighted comparison analysis, focusing on the processes that occur most frequently across the models, on the assumption that these are the processes their developers considered most important.

The board and the responsible executives of an organization should adopt a framework for the governance of enterprise IT as an integral part of corporate governance. This framework should be aligned with the business needs and with the organization's policies, strategies, structures, processes, plans and other business approaches. When organizations decide to implement IT control, either with their own resources or by hiring external professionals, they should evaluate and select the most suitable framework. The frameworks described and analyzed in the previous chapters are wide-ranging, so a clear comparison between them is needed to help managers select a framework.

The classification of the models by cluster analysis provides objective information for suggesting four trends:

 Tendency for universality

 Tendency for covering various processes from the areas of governance and management

 Concentration on governance

 Concentration on management

The detailed scores behind the cluster analysis are given in Appendix A, where every subprocess of CobiT 5 receives a grade from 0 to 5 indicating whether and to what extent it is covered by each of the other frameworks or models. Based on the analyses in Sections 4 and 5, a list of common characteristics of IT control frameworks is summarized in Table 14, which compares all outlined IT control methods and gives an overview for choosing a preferred method. Several conclusions can be drawn from this table.

ITIL is the most evenly spread over all processes of CobiT 5, having full coverage in processes such as Manage Strategy, Manage Budget and Costs, Manage Service Agreements, Manage Suppliers, Manage Quality, Manage Availability and Capacity, Manage Changes, Manage Change Acceptance and Transitioning, Manage Configuration, Manage Service Requests and Incidents, Manage Problems, and Manage Continuity. Therefore, it could be stated that ITIL, as the most preferred IT control framework

(43)
(44)

full coverage are Manage Programs and Projects. PMBOK provides a body of knowledge for adopting project management in organizations. The difference between PMBOK and Prince2 is that Prince2 is a process-based project management method. Thus, PMBOK is more suitable as knowledge guidance, while Prince2 should be used for the actual management of projects.

ISO 31000 is a globally recognized standard for managing risk in an organization and should be adopted to provide a structured approach to enterprise risk management; all types of organizations need to be able to evaluate their risks and find ways to treat them. ISO/IEC 38500 is fully adopted by CobiT 5 and provides an excellent standard for governance. ISO/IEC 27000 is the family of standards for information security management systems; it has sector-specific adaptations, and every enterprise will benefit from implementing it.

TOGAF is a complete standard for enterprise architecture that is used by many organizations in various industries worldwide. It overlaps with CobiT 5 in processes such as Ensure Resource Optimization, Manage the IT Management Framework and, of course, Manage Enterprise Architecture. DoDAF is very similar to TOGAF but is more focused on providing taxonomies (its viewpoints and meta-model) that help keep track of architecture elements and their measures. Adopting both methods would add considerable value when implementing IT architecture.

Nevertheless, CobiT 5 remains primarily an assessment tool that covers all parts of governing enterprise IT; as ISACA itself suggests, it should be used together with the other frameworks and methods, which provide more implementation guidance.

The development of the questionnaire should follow the theories of corporate and IT governance and control presented in Section 3. Following the CDC (2014) evaluation framework, the following questions should be addressed as part of the future evaluation of IT control in organizations, so that the value of the project can be determined and conclusions about value can be drawn:

 What functionality will be evaluated? (i.e. what is “IT control frameworks and methods” and in what context does it exist?)

 What aspects of the IT control frameworks and methods will be considered when evaluating performance?


7. CONCLUSION

This thesis used several scientific methods for analyzing and comparing models and frameworks of corporate and IT governance, and corporate and IT control. The bibliometric analysis suggested that these areas do not coincide in science. An extensive comparison of six IT control models was conducted. These models were representatives of four groups of IT control types of models:

IT Service Management (ITSM) models – CobiT 5 and ITIL

Project management models - PMBOK

Enterprise Architecture Management - TOGAF

Security Management Models – ISO/IEC 38500 and ISO/IEC 17799

The results from this comparison served for executing a classification by cluster analysis. This method groups frameworks according to their similarity and suggests specific trends for them.

The biggest limitation is the lack of data to compare a wider range of models. The data used for the comparison table were taken from mappings officially published by ISACA and are therefore regarded as reliable. No similar comparison has been done before. In addition, a table comparing all IT control frameworks on specific criteria was created to give an overview of the methods. A bibliometric analysis was used to compare how common the areas of corporate and IT control are in terms of formalized indicators, i.e. the publications' journals, authors and organizations. One limitation of this analysis is that publications may have been omitted because their authors did not specify the keywords. Nevertheless, Web of Science provides reliable information that fits the needs of this analysis.

The weighted comparison between the frameworks is first of a kind and provides important points for governing IT in organizations. Future research should try to combine and expand this comparison by adding more IT models. It would be useful to take into account more models and draw more specific conclusions.


BIBLIOGRAPHY

Aldenderfer, M., & Blashfield, R. (1984). Cluster Analysis. Sage.

Barger, T. (2004). International Corporate Governance Meeting.

Beer, S. (1994). The Heart of Enterprise. NY: John Wiley & Sons.

Bisbe, J., & Otley, D. (2004). The effects of the interactive use of management control systems on product innovation. Accounting, Organizations and Society, 709-737.

Burn, J., & Szeto, C. (2000). A comparison of the views of business and IT management on success factors for strategic alignment. Information & Management, 197-216.

Cawsey, T., Deszca, G., & Ingols, C. (2012). Organizational Change: An Action-Oriented Toolkit. SAGE Publications.

Centers for Disease Control and Prevention. (2014). Program Performance and Evaluation Office. Retrieved from http://www.cdc.gov/eval/framework/index.htm

Cresswell, A. M. (2004). Return on Investment in IT: A Guide for Managers.

CRISP-DM 1.0. (2010). Step-by-step data mining guide. IBM Corporation.

Crossan, M., & Apaydin, M. (2010). A Multi-Dimensional Framework of Organizational Innovation: A Systematic Review of the Literature. Journal of Management Studies.

Department of Defense. (2009). DoDAF 2.

Department of Defense. (2011). DoDAF V.2.02.

Earl, J. (1993). Experiences in Strategic Information Systems Planning. MIS Quarterly.

ECGI. (2014). European Corporate Governance Institute. Retrieved from http://www.ecgi.org/codes/all_codes.php

Ferreira, A., & Otley, D. (2006). The design and use of management control systems: an extended framework for analysis. Management Accounting Section.

Forrester, R. (2013). Integrated Thinking: The Answer To Enterprise IT's Perpetual. Forrester.

Garfield, E. (1979). The epidemiology of knowledge and the spread of scientific information. Current Contents, 5-10.

Gomez-Jauregui, V., Gomez-Jauregui, C., Manchado, C., & Otero, C. (2014). Information management and improvement of citation indices. International Journal of Information Management, 257-271.

Henderson, J., & Venkatraman, N. (1993). Strategic alignment: leveraging information technology for transforming organizations. IBM Systems Journal.

Hoving, W., & Van Bon, J. (2012). The ISM Method: Past, Present and Future of IT Service Management. The Stationery Office.

ISACA. (2005). IT alignment - who is in charge?

ISACA. (2006). Mapping of ISO/IEC 17799:2005 with CobiT 4.0. ITGI.

ISACA. (2006). Mapping of PMBOK with CobiT 4.0. ITGI.

ISACA. (2007). Mapping of ITIL V3 with CobiT 4.1. ISACA.

ISACA. (2007). Mapping of TOGAF 8.1 with CobiT 4.1. ITGI.

ISACA. (2008). Aligning CobiT 4.1, ITIL V3 and ISO/IEC 27002 for Business Benefit.

ISACA. (2011). CobiT 5: The Framework.

ISACA. (2011). Global Status Report on the Governance of Enterprise IT (GEIT).

ISACA. (2012). CobiT 5: Enabling Processes. ITGI.

ISACA. (2012). CobiT 5: Implementation Guide. ISACA.

ISACA. (2012). COBIT 5: The Framework.

ISACA. (2012). ISACA CGEIT Glossary.

ISO 27001 update is around the corner. (2013, May 14). British Assessment. Retrieved from http://www.british-assessment.co.uk/news/iso-27001-update-is-around-the-corner

ITGI. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management.

ITGI. (2006). IT Control Objectives for Sarbanes-Oxley.

Kadam, A. (2012). Why do we need the CobiT 5 business framework? CSI Communications, 25-27.

Kaplan, R., & Norton, D. (1992). The Balanced Scorecard - Measures That Drive Performance. Harvard Business Review.

Kaplan, R., & Norton, D. (2001). On Balance. Harvard Business Review.

Kaplan, R., & Norton, D. (2004). Strategy Maps: Converting Intangible Assets into Tangible Outcomes. Harvard Business School Press.

Kotter, J. (1996). Leading Change. Harvard Business Press.
