ITGI Global Status Report 2003

IT Governance Global Status Report

IT Governance Institute
The IT Governance Institute (ITGI) strives to assist enterprise leaders in their responsibility to make IT
successful in supporting their enterprise's mission and goals. ITGI's goals are to raise awareness and
understanding amongst, and provide guidance and tools to, boards of directors, executive management and
chief information officers (CIOs) such that they are able to ensure within their enterprises that IT meets
and exceeds expectations, and its risks are mitigated.
Information Systems Audit and Control Association
The Information Systems Audit and Control Association (ISACA) is an international professional,
technical and educational organisation dedicated to being a recognised global leader in IT governance,
control and assurance. With members in more than 100 countries, ISACA is uniquely positioned to fulfil
the role of a central harmonising source of IT control practice standards the world over. Its strategic
alliances with other organisations in the financial, accounting, auditing and IT professions ensure an
unparalleled level of integration and commitment by business process owners.
Disclaimer
The IT Governance Institute, Information Systems Audit and Control Association and the authors of
IT Governance Global Status Report have designed this product primarily as an educational resource
for boards of directors, executive management and information technology control professionals. The
IT Governance Institute, Information Systems Audit and Control Association and authors make no claim
that use of this product will assure a successful outcome. This product should not be considered inclusive
of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed
to obtaining the same results. In determining the propriety of any specific procedure or test, the controls
professional should apply his/her own professional judgment to the specific control circumstances
presented by the particular systems or information technology environment.
Disclosure
Copyright 2004 by the IT Governance Institute. Reproduction of selections of this publication for
academic use is permitted and must include full attribution of the material's source. Reproduction or
storage in any form for commercial purpose is not permitted without ITGI's prior written permission.
No other right or permission is granted with respect to this work. All rights reserved.
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: [email protected]
Web sites: www.itgi.org and www.isaca.org
ISBN 1-893209-32-6
IT Governance Global Status Report
Printed in the United States of America


Acknowledgements
The IT Governance Institute wishes to recognise:
The PricewaterhouseCoopers Research Team, for its leadership of the project
Floris Ampe, CISA, CIA, Belgium
Dirk Steuperaert, CISA, Belgium
Pieter Van Den Bulck, Belgium
Jill Hassan, Northern Ireland, UK
Claire Peacocke, Northern Ireland, UK
Geraldine O'Connor, Northern Ireland, UK
Christopher Fox, USA
Ton Dohmen, CISA, RE, The Netherlands
The ITGI Steering Committee, for its guidance on the project
Tony Hayes, Queensland Government, Australia, Co-chair
John W. Lainhart IV, CISA, CISM, IBM Business Consulting Services, USA, Co-chair
Georges Ataya, CISA, CISM, Solvay Business School, Belgium
Reynaldo de la Fuente, CISA, CISM, Datasec, Uruguay
Rupert Dodds, CISA, CISM, CA, FCA, KPMG, New Zealand
Christophe Legrenzi, CISA, Acadys France SA, France
Akira Matsuo, CISA, CPA, ChuoAoyama PricewaterhouseCoopers, Japan
Serge Yablonsky, CISA, CPA, SYC SA, France
Tom Wong, CISA, CIA, CMA, Ernst & Young LLP, Canada
Erik Guldentops, CISA, CISM, Belgium, Advisor
The ITGI Structure Task Force, for its oversight of the project
Everett C. Johnson, CPA, Deloitte & Touche LLP, USA
Georges Ataya, CISA, CISM, Solvay Business School, Belgium
Akira Matsuo, CISA, CPA, ChuoAoyama PricewaterhouseCoopers, Japan
Eddy Schuermans, CISA, PricewaterhouseCoopers LLP, Belgium
Serge Yablonsky, CISA, CPA, SYC SA, France
Tony Hayes, Queensland Government, Australia, ex officio
John W. Lainhart IV, CISA, CISM, IBM Business Consulting Services, USA, ex officio
The 2003-2004 Board of Trustees, for its support of the project
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General's Office, Singapore, Vice President
Ricardo J. Bria, CISA, SAFE Consulting Group, Argentina, Vice President
Everett C. Johnson, CPA, Deloitte & Touche LLP, USA, Vice President
Dean R.E. Kingsley, CISA, CISM, CA, Deloitte Touche Tohmatsu, Australia, Vice President
Eddy Schuermans, CISA, PricewaterhouseCoopers LLP, Belgium, Vice President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Paul A. Williams, FCA, MBCS, Paul Williams Consulting, UK, Past International President
Emil G. D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi, USA, Trustee
Ronald Saull, CSP, The Great-West Life Assurance Company, Canada, Trustee
Erik Guldentops, CISA, CISM, Belgium, Advisor


Table of Contents
1. Executive Overview .......... 5
   How to Read This Report .......... 7
2. Survey Approach and Methodology .......... 9
   2.1 General Approach .......... 9
   2.2 Telephone Survey Approach .......... 9
3. Survey Results .......... 11
   3.1 Introduction .......... 11
   3.2 The Respondents .......... 11
   3.3 Survey Results .......... 14
   3.4 Concept of IT Governance: Funnel Analysis .......... 41
4. The IT Governance Space .......... 49
   4.1 Introduction .......... 49
   4.2 COBIT and Other International Frameworks .......... 49
   4.3 Substitution/Potential Entrants .......... 54
   4.4 COBIT as Keystone IT Framework .......... 55
5. Telephone Survey Sample Description .......... 59
   5.1 Geographic Composition of Sample .......... 59
   5.2 Industry Sector Composition .......... 60
   5.3 Enterprise Size (Number of Employees) Composition .......... 61
   5.4 Profile of Respondents .......... 62
   5.5 IT Profile of Respondents .......... 63
Bibliography .......... 67
Appendix I: Applying COBIT and COSO to Sarbanes-Oxley .......... 69
Appendix II: Questions and Figures .......... 71


1. Executive Overview
In 2003, the IT Governance Institute (ITGI) issued a request for proposal for the purpose of conducting
research into the IT governance environment and marketplace. The motivation for the research was the recent
establishment of the ITGI as a stand-alone entity. Having created the entity, the ITGI Board of Trustees was
eager to learn more about the environment in which the organisation would be working: how IT governance is
perceived, whether the need for it is recognised, how the concept itself is recognised, and which tools or
frameworks are considered leaders in the field.
The ITGI has identified several targeted audiences for its deliverables: chief executive officers (CEOs), chief
information officers (CIOs), chief operating officers (COOs), chief financial officers (CFOs), chief technical
officers (CTOs), board members, IT management and practitioners. However, the research was targeted to
reach members of the C-suite to determine their sense of priority about IT governance and their needs for
tools and services to help assure effective governance.
This high-level objective was translated into the following detailed objectives for the project:
1. Survey and analyse the degree to which the concept of IT governance is recognised, established and
accepted within the boardrooms and especially with the CIO.
2. Research which tools and frameworks would be adopted, in cases where IT governance is accepted, and
determine the sources to which organisations will look for expertise and services in this domain.
PricewaterhouseCoopers Brussels was selected to conduct the research.
A first step was to come to an agreement on a definition of IT governance. Referring to many publications on
this subject, most notably ITGI's own Board Briefing on IT Governance (now in its second edition), a
definition can be summarised very briefly: it is a board or senior management responsibility in relation to IT to
ensure that:
• IT is aligned with the business strategy; in other words, IT delivers the functionality and services in line
  with the organisation's needs, so the organisation can do what it wants to do.
• IT and new technologies enable the organisation to do new things that were never possible before.
• IT-related services and functionality are delivered at the maximum economical value or in the most efficient
  manner; in other words, resources are used responsibly.
• All risks related to IT are known and managed, and IT resources are secured.
Moving onward from this definition, there was consensus that IT governance is valuable, and ITGI has the
right tools to handle it. And although IT governance includes things already known and practised, it was
believed that the combination of the concept of governance, the concept of alignment and the known control
framework is indeed the right solution and unique in its kind.
A sample of more than 7,000 respondents[1] was developed for the research, to achieve the required number of
completed interviews. In defining the sample, attention was paid to a representative distribution according to
geography, size of organisation, industry sector and job function of the respondent. To boost responses
amongst COBIT[2] users, an additional database of COBIT purchasers was used. These respondents were used for
questions relating to COBIT use. To keep the study unbiased, these respondents were not included in the
general sample, unless otherwise mentioned.
The PricewaterhouseCoopers International Survey Unit conducted interviews with 335 CEO-/CIO-level
persons throughout the world. Of those, 276 interviews were conducted from the random sample of companies
and 59 from the COBIT purchasers database. Each interview was conducted in the native language of the
interviewee. Typically, each interview took between 15 and 30 minutes. The interviews were carried out under
the Market Research Society and Marketing Research Association codes of conduct that guarantee complete
anonymity. None of the information obtained in the interviews was attributed to any individual and all
comments were treated in the strictest confidence.
[1] The sample was based on a number of commercial databases of worldwide companies.
[2] Control Objectives for Information and related Technology, published by the IT Governance Institute, now in its third edition.

In addition to the survey, desk research was conducted that examined the ITGI and COBIT in relation to
other organisations in the marketplace.
The major findings and messages from the survey and research project can be summarised in nine points.
1. More than 93 percent of business leaders recognise that IT is important for delivering the
organisation's strategy.
There is worldwide consensus about the importance of IT for delivering the overall strategy of the
organisation, and this is observed across most industries (IT/telecom, financial services, manufacturing
and public sector, average 93 percent). Somewhat paradoxically, general management perceives the
importance of IT for the delivery of overall strategy slightly higher than does IT management.
2. Organisations are suffering from IT operational problems.
Only 7 percent of the respondents experienced no IT problems at all in the previous year. Operational
failures and incidents and an inadequate view on how IT is performing are experienced most often, and
are mentioned by approximately 40 percent of all respondents.
3. CIOs recognise the need for better governance over IT.
A substantial portion of the IT community (75 percent) is aware of the fact that IT has issues that must
be resolved. Surprisingly, an even more substantial part of that community (more than 80 percent)
recognises that IT governance, or some (partial) form thereof, is required to resolve these issues. This is
where the importance of a definition for IT governance comes into play. When asked if they intend to
do or plan IT governance measures, only 40 percent replied in the affirmative. However, when they
were asked more precise and detailed questions about specific practices, many more replied positively.
In other words, they actually do perform the practices the ITGI considers IT governance; they just
do not characterise them by that name.
4. IT governance frameworks are used to align IT strategy and manage IT operational risks.
IT governance solutions/frameworks are used mostly for aligning the IT strategy with the overall
organisation strategy (57 percent) and to manage IT operational risks (53 percent). To that extent,
however, it should be mentioned that solutions in this domain are not yet readily available. When
looking at the IT governance frameworks known or used, there is no clear winner; internal solutions
or specific vendor solutions are most frequently mentioned, followed by ISO9000 and COBIT.
5. Good IT governance helps organisations provide IT value and manage IT risks. COBIT is the
preferred way to implement effective IT governance.
Process models such as COBIT can substantially help in the realisation of effective value and risk
management. One of the questions that challenge CIOs (are IT operations running as smoothly, reliably
and cost-effectively as possible?) can therefore be addressed in large part by a process model like COBIT.
COBIT is perceived to be a valuable framework for IT governance by those who are familiar with it
(89 percent report themselves very or quite satisfied). Compared to many other organisations, ISACA
and ITGI rank highly in perception of experience and implementation ability.
6. Whilst COBIT users may not yet be highly numerous, they are very satisfied.
Approximately 18 percent of the responding organisations are aware of COBIT. From a regional
perspective, COBIT is least known in North America. Looking at size and industry sector, very large
organisations and organisations in the financial industry are especially aware of COBIT. Almost 30
percent of the organisations that are aware of COBIT are using it, resulting in an overall rate
of 5 percent of all organisations using COBIT. Appreciation of most ITGI/ISACA deliverables is very
high (between 73 percent and 91 percent indicate they are very or quite satisfied users). Forty-three
percent of COBIT users find it easy to implement, whereas 25 percent find this task somewhat difficult.


7. There is little separation amongst those perceived as top providers of expertise and implementation ability.
Large IT consultancy firms and ISACA (COBIT) received the highest ranking in regard to their expertise in
IT governance (3.8 out of 5), but Gartner, the Big 4 accounting firms, local professional organisations and
ITGI are only a few tenths of a point behind. In rating implementation ability (as opposed to expertise), the
respondents placed large IT and consultancy firms at the top of the heap (3.7 out of 5), but ISACA (COBIT),
the Big 4 accounting firms, and local professional organisations were clustered close behind. In summary,
there are no clear winners (yet) in the IT governance area. In fact, an amazing one-quarter of respondents do
not know of any IT governance provider to assist them.

How to Read This Report


The report contains a number of sections:
• Section 2 explains the methodology used to conduct the survey.
• Section 3 contains the survey results.
• Section 4 examines COBIT and other international IT governance frameworks, standards and sets of
  best practice.
• Section 5 contains further demographic and other survey information.
• Section 6 lists references used in preparing the report.
• Appendix I touches upon IT governance and the US Sarbanes-Oxley legislation.
• Appendix II lists the questions and figures, by number, for easy reference.


2. Survey Approach and Methodology


2.1 General Approach
Starting from the overall IT community, and especially the decision makers with regard to IT (CEO, CIO),
the approach began with a step-by-step analysis through numerous questions:
• Which part of the IT community is aware that there is a problem in correctly governing IT?
• Which part of this group recognises the concept of IT governance as a potential solution to this problem?
• Which part of this group is aware of the practical solutions to this problem, and the fact that the adoption of
  COBIT may offer a solution to IT governance problems?
• Which part of this group actually adopts and implements COBIT?
This approach is illustrated in figure 1.

Figure 1: IT Governance Funnel Analysis
[Funnel diagram, from the whole community of IT users and providers down to COBIT adopters:]
• Awareness (A%): part of the IT community that is aware that IT has problems that require better governance
• Recognition (B%): part of the aware IT community that recognises the concept of IT governance as a solution
• Solution (C%): part of the IT community that knows that COBIT is a potential solution, amongst others, for their IT governance
• COBIT (D%): part of the IT community that adopts COBIT as the solution for their IT governance
At each stage: analyse, understand and remedy the reasons for drop-out.

2.2 Telephone Survey Approach


The PricewaterhouseCoopers International Survey Unit conducted interviews with 335 CEO-/CIO-level
persons throughout the world. Each interview was conducted in the native language of the interviewee.
Typically, each interview took between 15 and 30 minutes. The interviews were carried out under the Market
Research Society and Marketing Research Association codes of conduct that guarantee complete anonymity.
None of the information obtained in the interviews has been attributed to any individual and all comments
have been treated in the strictest confidence.
2.2.1 Sample Selection
A sample of more than 7,000 respondents was developed for this research, to achieve the required number of
completed interviews. In defining the sample, attention was paid to:
• A relevant geographic spread amongst Europe, North America, South America and Asia-Pacific
• Representative distribution amongst large, small and medium organisations; industry sectors; and job
  functions of the respondents (strategic or operational level)

To boost responses amongst COBIT users, an additional database of COBIT purchasers was used. These
respondents were used for questions relating to COBIT use. To keep the study unbiased, these respondents
were not included in the general sample, unless otherwise mentioned. The study and the report were not
intended to focus on COBIT, even though many consider COBIT to be the flagship product of the ITGI.
The survey questionnaire and the research were kept solution-neutral up to the last stage. It was only at
this stage that specific questions were asked and information gathered concerning COBIT.


3. Survey Results
3.1 Introduction
This section of the report contains the detailed responses to questions asked in the survey. For each question,
the following information is included:
• The overall results, i.e., results of the whole sample without any geographical, industry or any other split
• Description of the sample upon which the results are based
• Comment on the results, if applicable or relevant
• A further breakdown of the results by region, industry sector, organisation size or respondent profile. This
  information is included only if and when significant, i.e., if there are meaningful differences amongst
  different categories and/or if the sample size is meaningful.

3.2 The Respondents


This report is based on 335 interviews completed across a range of business sectors. Of the 335, 276
interviews were conducted from the random sample of companies and 59 from the COBIT purchasers database.
Figures 2, 3, 4, 5 and 6 display demographic characteristics of the responding group.

Figure 2: Geographic Distribution, Random Sample
[Bar chart: achieved interviews versus objective, for North America, Europe, South America and Asia-Pacific]

The following countries were included in the survey:
• North America: US, Canada and Mexico
• Europe: France, UK, Germany, Sweden, Italy, Belgium, The Netherlands and Spain
• South America: Brazil, Argentina, Chile, Peru and Colombia
• Asia-Pacific: Japan, Hong Kong, Indonesia, Australia and Singapore
Response rates of the random sample outside North America were higher than the response rates within the
US and Canada. Particularly high response rates were received in Japan, France and Italy.


Figure 3 shows the spread of the booster sample: the COBIT users who were surveyed separately to get a
larger sample for specific COBIT-related questions.

Figure 3: Geographic Distribution, COBIT Booster Sample
[Bar chart: North America 31, Europe 16, South America 12, Asia-Pacific 0]

In the random sample, a distinction was made between large (>500 employees) and small organisations
(<500 employees). Small organisations made up 38 percent of the sample, and large organisations
constituted 62 percent.

Figure 4 depicts the distribution of job function amongst the respondents.

Figure 4: Respondents' Job Functions, Random Sample
[Pie chart: IT Management 64%, General Management 22%, Unknown 12%, Audit 2%]


Noteworthy in this respect is that the original sample (see figure 5) was designed to contain a majority split of
CEOs (general management, 80 percent) as compared to IT management (20 percent). However, a
significant number of the surveyed general managers delegated the survey to the IT manager, because they felt
they were not in a position to adequately answer the survey.

Figure 5: Original Job Functions, Random Sample
[Pie chart: General Management 80%, IT Management 20%]

Observation 1: More than two-thirds of the contacted CEOs/general managers declined to answer the
survey and referred to the CIO (or another IT manager) because they did not feel comfortable or in a position
to answer on the subject of IT governance.
The distribution amongst industry sectors represented by the respondents is shown in figure 6.

Figure 6: Industry Sectors, Random Sample
[Pie chart: Manufacturing 35%, Government/Public Sector 21%, IT/Telecom 17%, Financial Services 10%, Other/Unknown 10%, Retail 7%]

3.3 Survey Results


3.3.1 Thinking about your overall strategy/vision, how important do you consider IT to be to
the delivery of this strategy/vision?

Figure 7: Importance of IT for Overall Strategy Delivery
[Bar chart of responses: Very important, Quite important, Not sure, Not very important, Not important at all]
(Based on the random sample of 276 responses)

Observation 2: There is worldwide consensus about the importance of IT for delivering the overall
strategy of the organisation. This is observed across most industries (IT/telecom, financial services,
manufacturing and public sector, average 93 percent). The retail sector considers IT somewhat less
important for the delivery of its overall strategy (81 percent).
Figures 8, 9 and 10 show further breakdown of these results.

Figure 8: Importance of IT for Overall Strategy Delivery, by Geographic Area
[Stacked bar chart: Very important / Quite important / Not sure / Not very important / Not important, for Europe, North America, South America and Asia-Pacific]
(Based on the random sample of 276 responses)


Figure 9: Importance of IT for Overall Strategy Delivery, by Industry Sector
[Stacked bar chart: Very important / Quite important / Not sure / Not very important / Not important, for IT/Telecom, Financial Services, Manufacturing, Retail and Public Sector]
(Based on the random sample of 276 responses)

Figure 10: Importance of IT for Overall Strategy Delivery, by Job Function
[Stacked bar chart: Very important / Quite important / Not sure / Not very important / Not important, for General Management and IT Management]
(Based on 236 responses of the random sample where profile was known)

Observation 3: Somewhat paradoxically, general management perceives the importance of IT for the
delivery of the overall strategy slightly higher than does IT management.


3.3.2 Do you see IT mainly as a means for gaining competitive advantage (i.e., a strategic tool),
or do you see it more as a commodity that needs to be managed in the most efficient
manner?

Figure 11: IT Strategic or Commodity
[Bar chart: Both 46%, Strategic 25%, Commodity 25%, Do not know 4%]
(Based on the random sample of 276 responses)

Observation 4: One-quarter of the respondents see IT as purely strategic (gaining competitive
advantage). One-quarter view it as purely a commodity (manage efficiently).[3]

Figures 12, 13 and 14 show further breakdown of these results.

Figure 12: IT Strategic or Commodity, by Geographic Area
[Bar chart: Strategic / Both / Commodity / Do not know, for North America, Europe, South America and Asia-Pacific]
(Based on the random sample of 276 responses)

Observation 5: There is a tendency to look upon IT more as a commodity in Europe and Asia-Pacific
as compared to the Americas.

[3] One could have expected that the number of organisations that regard IT as purely a strategic issue would have been close
to 0 percent, because normally there are always operational aspects to IT that need to be managed in the most optimal
way (commodity).

Figure 13: IT Strategic or Commodity, by Industry Sector
[Bar chart: Strategic / Both / Commodity, for IT/Telecom, Financial Services, Manufacturing, Retail and Public Sector]
(Based on 249 responses out of the random sample of 276 responses where industry was known. Does not include "do not know" responses.)

Observation 6: Not surprisingly, the IT and telecom industries regard IT as more strategic than do other
industries. Retail, and especially the public sector, look upon IT as managing a commodity.

Figure 14: IT Strategic or Commodity, by Job Function
[Bar chart: Strategic / Both / Commodity / Do not know, for General Management and IT Management]
(Based on 236 responses out of the random sample of 276 responses where respondent profile was known)


3.3.3 How frequently is IT included on your organisation's board agenda?

Figure 15: Frequency of IT on Board's Agenda
[Bar chart of responses: Always, Regularly, Sometimes (depends on projects), Never]
(Based on the random sample of 276 respondents)

Observation 7: Half of the organisations have IT at least regularly on the board's agenda. Of those
who see IT as a commodity (25 percent of respondents), 70 percent do not discuss IT at the board level
at all.
Figures 16 and 17 show further breakdown of these results.

Figure 16: Frequency of IT on Board's Agenda, by Geographic Area
[Stacked bar chart: Always / Regularly / Sometimes (depends on projects) / Never, for Europe, North America, South America and Asia-Pacific]
(Based on 276 responses from the random sample)

Observation 8: In general, IT does not figure on Asia-Pacific boards as often as in the rest of the world,
although respondents in that area consider IT no less important.


Figure 17: Frequency of IT on Board's Agenda, by Industry Sector
[Stacked bar chart: Always / Regularly / Sometimes (depends on projects) / Never, for Financial, Manufacturing, Retail, IT/Telecom and Public Sector]
(Based on 249 respondents of the random sample of 276)

Observation 9: IT does not figure at a high level on board agendas in retail and the public sector. The IT/telecom
and financial industries always or regularly discuss IT at the board level (in 70 percent of the cases).
3.3.4 Which of the following problems have you experienced with IT in the last 12 months?

Figure 18: IT Problems in Last 12 Months
• Inadequate view on how well IT is performing: 41%
• Operational failures of IT: 40%
• IT staffing problems: 38%
• Number of problems and incidents: 38%
• High cost of IT with low return on investment: 35%
• Lack of knowledge of critical systems: 35%
• Manageability of data: 34%
• Disconnect between IT strategy and business strategy: 28%
• Unmanaged dependencies on entities beyond direct control: 27%
• Number of errors introduced by critical systems: 24%
• None: 7%
• Other: 5%
(Based on the random sample of 276 responses)

Observation 10: Only 7 percent of respondents experienced none of the listed IT problems at all in the
previous year. Operational failures and incidents and an inadequate view on how IT is performing are
experienced most often and are mentioned by approximately 40 percent of all respondents.


Observation 11: For the next 12 months, respondents expect operational failures and low ROI to remain high on the list of problems to be addressed (figure 19).
Observation 12: When the priorities assigned to addressing the problems were compared with how often each problem was actually reported, gaps appeared. Unmanaged dependencies, errors in critical systems and low ROI received relatively high priority scores compared with how often they were reported, indicating that they carry extra weight in the prioritisation. Conversely, inadequate view on how IT is performing, IT staffing and manageability of data are rated relatively low in priority compared with how often they are reported as actual problems.
3.3.5 How important do you feel it will be to address this problem in the next 12 months?

Figure 19: Importance of Addressing IT Problems
(Average score; 1 = not at all important, 5 = very important)

Operational failures of IT: 4.16
High cost of IT with low return on investment: 4.07
Unmanaged dependencies on entities beyond direct control: 3.95
IT staffing problems: 3.95
Number of errors introduced by critical systems: 3.93
Number of problems and incidents: 3.91
Lack of knowledge of critical systems: 3.84
Manageability of data: 3.83
Disconnect between IT strategy and business strategy: 3.79
Inadequate view on how well IT is performing: 3.68

(Based on a varying number of responses per question out of the random sample of 276 responses.
The question about importance was asked only of those who experienced the problem.)

The answers to questions 3.3.4 and 3.3.5 were combined to see whether priorities for IT correspond with
the reported encountered problems. By doing so, the following could be observed:
- View on how IT is performing is encountered frequently but is low on the priority list.
- Unmanaged dependencies and number of errors introduced by critical systems do not cause too many problems but are higher on the priority list.


Figure 20 shows the same relationship, but the data are processed so that over- and underprioritisation are
more easily noted.

Figure 20: IT Priorities vs. IT Problems
(Positive values indicate a problem that is prioritised more highly than its reported frequency would suggest; negative values indicate the reverse)

Number of errors introduced by critical systems: +41%
Unmanaged dependencies on entities beyond direct control: +28%
Disconnect between IT strategy and business strategy: +20%
High cost of IT with low return on investment: +1%
Manageability of data: -2%
Lack of knowledge of critical systems: -4%
Operational failures of IT: -10%
Number of problems and incidents: -11%
IT staffing problems: -11%
Inadequate view on how well IT is performing: -22%

Observation 13: The number of errors introduced by critical systems is not experienced by that many organisations, yet it is considered the highest priority for resolution.


3.3.6 What organisations are you aware of that provide or implement solutions to these
IT problems (in terms of frameworks and generic governance models)?

Figure 21: Recognised IT Governance Providers
(Share of respondents naming each provider; unprompted, multiple answers possible)

ITGI: 8%
ISACA (COBIT): 8%
Gartner: 16%
Big 4 accounting firms: 26%
Large IT and consultancy firms: 40%
McKinsey: 13%
Boston: 7%
International professional organisations (AICPA, CICA, et al): 3%
Government agencies/universities: 3%
Smaller IT consultancies: 9%
Local professional organisations and Other: 19% and 7% (the extracted chart does not preserve which value belongs to which category)
Not aware of any: 25%

(Based on the random sample of 276 respondents)

Observation 14: Proprietary solutions of IT and consultancy providers (whether based on public standards or not) are recognised as IT governance solutions by 40 percent of the respondents. The larger, well-known strategy consultancies, McKinsey and Boston Consulting Group, are recognised by 13 percent and 7 percent, respectively.


Figures 22, 23 and 24 show further breakdown of these results.

Figure 22: Recognised IT Governance Providers, by Geographic Area
(Chart: share of respondents in North America, Europe, South America and Asia-Pacific naming ITGI, ISACA (COBIT), Gartner, the Big 4 accounting firms, large IT and consultancy firms, McKinsey and Boston. Based on the random sample of 276 respondents.)

Observation 15: Recognition of ISACA and ITGI is nearly twice as high in Europe as on average (14 percent compared with 8 percent). The same applies to Gartner, McKinsey, Boston and the Big 4 accounting firms. In South America and Europe, the large IT consultancies have the highest recognition, well over 50 percent.
Respondents who indicated they were aware of IT governance solution providers were asked to name the
organisations with which they were familiar. The interviewer did not prompt the respondent nor provide them
a list from which to choose.


Figures 23 and 24 show the average number of known organisations per respondent, and the percentage
of respondents who were not aware of any IT governance solution providers.

Figure 23: Average Number of Recognised IT Governance Providers, by Geographic Area

North America: 1.2
Europe: 2.4
South America: 1.8
Asia-Pacific: 0.7

Observation 16: In South America and especially Europe, respondents recognise about twice as many IT governance service providers as respondents in North America and Asia-Pacific.

Figure 24: Respondents Not Knowing Any IT Governance Providers, by Geographic Area

North America: 23%
Europe: 13%
South America: 8%
Asia-Pacific: 54%

Observation 17: In Asia-Pacific, more than half of the respondents are not aware of any IT governance service provider. North America also scores highly, with 23 percent, whereas in Europe and South America only a small proportion of the respondents do not know any provider.


3.3.7 How would you rate ... with regard to its expertise in IT governance solutions/frameworks?
For this question, and question 3.3.8 as well, only the original answering possibilities, as offered in the
questionnaire, were maintained. The other categories mentioned in figure 21 are either too small a sample or
are too diverse in their composition to include in these results.

Figure 25: Expertise of IT Governance Providers
(Average rating; 1 = very poor, 2 = poor, 3 = average, 4 = good, 5 = very good)

ITGI: 3.5
ISACA (COBIT): 3.8
Gartner: 3.6
Big 4 accounting firms: 3.6
Large IT and consultancy firms: 3.8
McKinsey: 3.0
Boston: 3.3
Local professional organisations: 3.6

(Based on the respondents with knowledge of IT governance solution providers)

Observation 18: Large IT consultancy firms, along with ISACA, are considered to have the greatest expertise in IT governance, whereas the strategy consultants (Boston, McKinsey) score lowest. Gartner and the Big 4 accounting firms score in the middle.


3.3.8 How would you rate ... with regard to its ability to implement IT governance solutions/frameworks?

Figure 26: Implementation Ability of IT Governance Providers
(Average rating; 1 = very poor, 2 = poor, 3 = average, 4 = good, 5 = very good)

ITGI (*): 3.2
ISACA (COBIT) (*): 3.5
Gartner: 3.3
Big 4 accounting firms: 3.5
Large IT and consultancy firms: 3.7
McKinsey: 3.2
Boston (*): 3.0
Local professional organisations: 3.5

An (*) indicates a small answer base, i.e., fewer than 30 answers.
(Based on respondents with knowledge of IT governance solution providers.
Responses vary between 19 and 86 answers depending on knowledge of a particular solution.)

Observation 19: When asked about implementation ability, respondents rate the large IT and consultancy practices as the most effective.


It is possible, by taking into account the results of questions 3.3.7 and 3.3.8 and also the variance on the
answers, to position the different solution providers relative to each other, as illustrated in figure 27.

Figure 27: Relative Positioning of Expertise/Implementation Ability of IT Governance Providers
(Scatter chart: perceived expertise on the vertical axis, perceived implementation ability on the horizontal axis. Plotted providers: ISACA (COBIT), IT consultancy, Big 4, Gartner, local professional organisations, ITGI, McKinsey, BCG.)

Figure 27 should be put into the proper perspective, in the sense that the graph is a zoomed-in image of a
larger space. In reality, all market players are relatively close to the middle, and the graph shows how they
relate relative to each other.


3.3.9 Have you implemented, are you in the process of implementing or are you considering
implementing an IT governance solution/framework?

Figure 28: IT Governance Implementation Status

Have already implemented: 25%
In the process of implementing: 15%
Considering implementing: 18%
Not considering implementing: 42%

(Based on the random sample of 276 respondents)

Observation 20: Overall, a fairly large percentage of the respondents (42 percent) are not considering implementing an IT governance solution/framework. At the other end of the spectrum, an almost equal percentage (40 percent) will have implemented one when all current implementations are finished successfully, creating an equilibrium between the respondents choosing to implement an IT governance solution/framework and those choosing not to do so.
Figures 29 and 30 provide further breakdown of these results.

Figure 29: IT Governance Implementation Status, by Geographic Area
(Chart: share of respondents in Europe, North America, South America and Asia-Pacific who have already implemented, are in the process of implementing, are considering implementing or are not considering implementing an IT governance solution/framework. Based on 276 respondents of the random sample.)

Observation 21: There is a significantly lower percentage of implementations in Asia-Pacific than in the rest of the world. In South America, too, the percentage of implementations is lower than in Europe and North America; however, a substantial 28 percent of South American companies are in the process of implementation, which is high compared with the rest of the world. When these implementations are finished successfully, South America will have caught up with Europe and North America, leaving Asia-Pacific as the only region with a low percentage of implementations.

Figure 30: IT Governance Implementation Status, by Organisation Size
(Chart: share of large and small organisations that have already implemented, are in the process of implementing, are considering implementing or are not considering implementing an IT governance solution/framework. Based on 272 respondents of the random sample where the size of the organisation was known.)

Observation 22: Larger organisations are more inclined than smaller organisations to implement an IT governance solution/framework.


3.3.10 Have you implemented, are you in the process of implementing or are you considering
implementing other measures to improve?

Figure 31: Implementation Status of Partial IT Governance Solutions
(Chart: for each of the measures alignment between IT strategy and overall strategy, IT resource management, IT value delivery, IT risk management, actual performance measurement of IT and active management of ROI of IT, the share of respondents who have implemented it, are implementing it now, are considering implementation or are not considering implementation.)

This question was asked of only those respondents who reported (in question 3.3.9) that their organisation
was not considering implementing IT governance. The purpose of the question was to determine whether
selected, partial IT governance-related measures were considered for implementation.
In question 3.3.9, approximately 40 percent of respondents (115 individuals) indicated that their
organisation is not considering implementing an IT governance solution. Amongst that 115, only 46
(40 percent) are not doing any of the above, which means that 60 percent of the organisations claiming
not to do or plan IT governance are in fact doing something that could be categorised as such.
Observation 23: By inquiring into the partial IT governance activities of the organisations claiming not to implement IT governance, it is possible to reduce the total share of organisations claiming not to implement IT governance from 42 percent (question 3.3.9) to approximately 17 percent. In other words, 83 percent of the organisations surveyed have implemented, are implementing or are considering implementing some form of IT governance, whether they characterise it as such or not.


3.3.11 If you have implemented, are in the process of implementing or are considering
implementing an IT governance solution, what solutions/frameworks did/do you use or are
you considering using?

Figure 32: Selected IT Governance Frameworks
(Share of respondents using or considering each framework; multiple answers possible)

COBIT: 11%
BS7799/ISO7799: 6%
ISO9000: 11%
ITIL: 6%
SysTrust: 2%
Balanced scorecard: 6%
SEI maturity model: 6%
Local solutions: 16%
International solutions/large IT vendor solutions: 15%
Internal solution: 16%
Gartner TCO: 1%
COSO: 1%
Other and Do not know: 28% and 9% (the extracted chart does not preserve which value belongs to which category)

(Based on the 159 respondents of the random sample who have implemented,
are in the process of implementing or are considering implementing an IT governance solution)

Observation 24: A large percentage (30 percent) of the companies who have implemented, are in the process of implementing or are considering implementing an IT governance solution have no apparent framework or solution in place. The other organisations are using a variety of frameworks.


3.3.12 Which of the following areas do you hope to address using your selected IT governance
framework(s)?

Figure 33: Use of Selected IT Governance Frameworks
(Share of respondents hoping to address each area)

Alignment of IT with enterprise strategy: 60%
Delivery of business value through IT: 52%
Management of risk in relation to IT investment, management of risk in relation to IT operations, management of IT resources against objectives, management of performance of IT infrastructure: 47%, 56%, 50% and 51% (the extracted chart does not preserve which value belongs to which area)
Others: 18%

(Based on the responses of 131 respondents who have implemented, are in the process of or are considering implementing an IT governance solution)

3.3.13 At what stage of IT governance implementation are you?

Figure 34: Stage of IT Governance Implementation

Implementation is planned: 22%
Possible implementation and No implementation planned: 35% and 43% (the extracted chart does not preserve which value belongs to which category)

(Based on the responses of 49 respondents who are considering implementing an IT governance solution)


Observation 25: Nearly one-quarter of the respondents considering the implementation of an IT governance solution/framework have already planned the implementation. If this percentage is added to the percentage of respondents who have implemented or are in the process of implementing an IT governance solution/framework (question 3.3.9), the indication is that in the near future 45 percent of respondents will have implemented an IT governance solution/framework.
3.3.14 If you are not considering implementation of an IT governance solution, why not?

Figure 35: Reasons for Not Implementing IT Governance
(Share of respondents giving each reason; multiple answers possible)

No IT problems: 11%
Formal solutions are not solutions to my problems: 17%
IT governance does not work: 2%
Too difficult to implement: 7%
Lack of required skills: 20%
Too expensive: 28%
Have own solution: 3%
Lack of information: 3%
Company too small: 11%
Premature: 3%
Other: 18%

(Based on the responses of the 46 respondents who are not considering any IT governance solutions)

Observation 26: The most common reason for not implementing an IT governance solution/framework is the perceived high cost (mentioned by 28 percent of the respondents). Beyond this, companies often do not have the required skills or feel that their problems will not be solved by implementing an IT governance framework.


3.3.15 Are you personally aware of the existence and contents of COBIT?
3.3.16 Is your organisation aware of the existence and contents of COBIT?

Figure 36: Awareness of COBIT

Personally aware: Yes 18%, No 82%
Organisation is aware: Yes 16%, No 84%

(Based on 276 responses from the random sample)

Observation 27: Personal awareness of the existence and contents of COBIT is 18 percent, whilst awareness amongst organisations is slightly lower (16 percent).
Figures 37, 38 and 39 provide further breakdown of these results.

Figure 37: Awareness of COBIT, by Geographic Area
(Chart: personal awareness and organisational awareness of COBIT for Europe, North America, South America and Asia-Pacific. Based on 276 respondents from the random sample.)

Observation 28: Personal awareness of COBIT is significantly lower in North America (12 percent) than in Europe and South America (23 and 22 percent, respectively).


Figure 38: Awareness of COBIT, by Organisation Size

Large organisations: personally aware 25%, organisation is aware 22%
Small organisations: personally aware 9%, organisation is aware 6%

(Based on 272 respondents from the random sample)

Observation 29: Awareness of COBIT is significantly higher (about three times) in large organisations than in small organisations.

Figure 39: Awareness of COBIT, by Industry Sector
(Chart: personal awareness and organisational awareness of COBIT for the IT/telecom, financial services, manufacturing, retail and public sectors; financial services is the highest, at 45 percent personal and 41 percent organisational awareness. Based on 249 responses from the random sample.)

Observation 30: Awareness of COBIT is significantly higher (about two times the average) in the financial services industry and relatively low in the IT/telecom sector, given the importance of IT in that sector.


3.3.17 If your organisation is aware of COBIT, does the organisation currently use COBIT?

Figure 40: Use of COBIT Amongst Organisations Aware of COBIT

Random sample: Yes 29%, No 71%
COBIT purchaser sample: Yes approximately 71%, No approximately 29%

(Based on the responses of the 55 individuals from the main survey sample who indicated that their organisation is aware of COBIT)

Observation 31: Twenty-nine percent of the organisations from the random sample that are aware of COBIT are actually using it, whilst 71 percent of COBIT purchasers are using it.
3.3.18 If your organisation is using COBIT, which parts of COBIT does the organisation use?

Figure 41: Use of Portions of COBIT
(Chart: for each of the components Executive Summary, Control Objectives and Framework, IT Governance Framework, Audit Guidelines, Management Guidelines and Board Briefing on IT Governance, the share of COBIT users answering Yes, No or Do not know; Control Objectives and Audit Guidelines score highest, at 73 percent each.)

(Based on 56 responses: those from the main sample who use COBIT, plus the COBIT purchasers sample)

Observation 32: The most-used COBIT products/services are those that have been available longest, i.e., Control Objectives and Audit Guidelines.

Observation 33: There is a gap between the relatively high number of users of the IT Governance Framework and the Management Guidelines (almost 60 percent) and the fact that only around 40-45 percent of organisations use COBIT for those purposes (the latter statistic is not reflected in this published report).
3.3.19 If you or your organisation uses COBIT, how satisfied are you with the parts you or your
organisation uses?

Figure 42: Degree of Satisfaction with COBIT
(Chart: for each of the components Board Briefing on IT Governance (*), Management Guidelines, Audit Guidelines, IT Governance Framework, Control Objectives and Executive Summary and Framework, the share of users answering Not satisfied at all, Not very satisfied, Not sure, Quite satisfied or Very satisfied.)

An (*) indicates a small answer base, i.e., fewer than 30 answers.
(Based on answers from those who have used each component. The number of responses varied between 18 and 41.)

Observation 34: In general, between 75 percent and 91 percent of COBIT users are satisfied with the products they are using. Dissatisfaction ratios are very low and, in all cases, below 10 percent.


3.3.20 If you or your organisation uses COBIT, how difficult is it to implement the COBIT
framework?

Figure 43: Difficulty in Implementing COBIT

Very easy: 9%
Quite easy: 34%
Neither difficult nor easy: 32%
Quite difficult: 18%
Very difficult: 7%

(Based on 54 responses: those from the main sample who use COBIT, plus the COBIT purchasers sample)

Observation 35: The largest group of COBIT users (43 percent) find it easy to implement COBIT. Only 25 percent find it difficult, and approximately one-third find it neither difficult nor easy.
3.3.21 What enhancements do you feel could be made to the COBIT framework to improve
implementation?
This question was asked only of those respondents who use COBIT, and who find implementation of the
COBIT framework difficult. The responses are represented as a bulleted list.
- More alignment between COBIT and other international standards
- Even though COBIT's development has an international basis, its text is in English only; publication in other major languages would render it easier and more beneficial.
- A policies and procedures handbook with guidelines for large, small and medium-sized companies; a model that could be adopted for change management
- Simpler language or simpler approach
- More training
- More background literature
- More applicability to real situations


3.3.22 If you or your organisation uses COBIT, how satisfied are you with the COBIT framework
with regard to IT governance?

Figure 44: Satisfaction With COBIT as IT Governance Model

Very satisfied: 27%
Quite satisfied: 52%
Not sure: 16%
Not very satisfied: 4%
Not satisfied at all: 2%

(Based on 56 responses: those from the main sample who use COBIT, plus the COBIT purchasers sample)

Observation 36: COBIT generates a very high degree of satisfaction as an IT governance framework (79 percent are quite or very satisfied).
3.3.23 If neither you nor your organisation uses COBIT, are you aware of COBIT as an IT governance solution/framework?

Figure 45: Awareness of COBIT as IT Governance Solution/Framework

Yes: 56%
No: 44%

(Based on the responses of the 39 individuals who are aware of COBIT but are not using COBIT)

Observation 37: Just slightly more than half of those who are aware of COBIT but are not using it recognise it as an IT governance solution.

3.3.24 Are there other issues related to IT governance of which you would like to make us aware?
Sixty percent of the respondents did not report any additional issues with regard to IT governance or this
survey. Amongst the other 40 percent, the following issues were reported:
Frequently mentioned comments:
- Security awareness and business controls should be addressed.
- There needs to be more information getting out via populist sources, e.g., PC magazines or the press, to raise awareness of IT governance as an issue. Specialist publications are good, but they are reaching only those already in the field. They are not generating more awareness on a broader scale. There were also other comments about communication in general.
- The increasing cost of staying current is an issue for local government, in terms of the technical side of things. The cost of IT in general is an issue.
- More training and education are required; more information is needed.
- Increased awareness of IT governance and its meaning and contents is required.
- To be accepted, ROI in IT governance itself is required.
- It is difficult to sell IT governance to the business. A related comment referred to the need to make the link between IT governance and business value more clear.
- Government IT governance is very different from company IT governance.
Selected other comments:
- In the past, the board viewed IT as a necessary evil, but the board is slowly becoming aware of IT's potential impact.
- What is the capacity of the board to understand the importance and usefulness of IT governance?
- What is the difference between IT governance and other solutions?
3.3.25 Amongst those enterprises that are not considering the implementation of an IT
governance solution (question 3.3.9), how many are familiar with COBIT
(questions 3.3.15 and 3.3.16)?

Figure 46: Familiarity With COBIT Amongst IT Governance Nonimplementers

Personally aware of COBIT: overall sample 18%; those who have not implemented and are not considering implementing an IT governance solution 10%
Organisation is aware of COBIT: overall sample 16%; those who have not implemented and are not considering implementing an IT governance solution 6%

Observation 38: Awareness of COBIT amongst individuals or organisations that have neither implemented nor are considering implementing any IT governance solution is about half the average level of awareness.


3.4 Concept of IT Governance: Funnel Analysis


Based on the results of the survey, a funnel analysis was created that is slightly modified from the generic model in figure 1. The difference is one additional step, Step 4: the group that knows ISACA/ITGI/COBIT as potential IT governance suppliers/framework. See figure 47.
The funnel analysis shows that the majority of IT users are aware of many problems relating to the use of IT
and the need to do something about them. An even larger part of the IT users community group recognises IT
governance as a solution to these problems or as something they should do.
Of the group that does not recognise IT governance as a solution, about 60 percent are taking a number of
actions that in fact could be classified as IT governance. Almost all organisations recognising the concept of IT
governance know at least one potential solution or framework to use.
Amongst those who know at least one IT governance solution, about 16 percent are aware of ISACA/ITGI/COBIT as solution providers/framework, and from this group about 40 percent are actually using COBIT. This number represents some 5 percent of the overall IT community.[4]
Note: This report does not reflect all of the questions asked in the survey. Some of the statistics used in the
funnel analysis may originate from questions not included in this published report.

Figure 47: High-level Result of Funnel Analysis

Step 0: IT community: 100%
Step 1: Awareness that IT has problems that require better governance: 76%
Step 2: Recognition that the concept of IT governance is a solution: 83%
Step 3: Group that is aware of potential IT governance suppliers: 75%
Step 4: Group that knows ITGI/ISACA as potential IT governance suppliers and/or is aware of COBIT: 12%
Step 5: Group that actually uses COBIT: 5%

When devising the questionnaire, it was decided not to create a one-to-one translation of the funnel into direct
questions. The main reason for that was the desire to treat carefully those respondents who were not
necessarily familiar with the phrase IT governance but who were still doing a number of appropriate
activities. Hence, the questionnaire was elaborated quite comprehensively.
The drawback of this approach is that, to put numbers on the funnel analysis and the drop-out rates in
particular, the results of several questions needed to be combined and interpreted. The detailed steps of the
analysis and the justification of the numbers follow.
[4] IT community consists of all IT users and stakeholders, represented in this survey by the people responsible for IT (CEOs and CIOs, in most instances).


3.4.1 Step 1. Awareness

Figure 48: Step 1. Awareness
(Funnel, all industries; the change from the previous step is given in parentheses)

IT Community (community of IT users): 100%
Awareness (part of the IT community that is aware that IT has problems that require better governance): 76% (-24%)
Recognition (part of the aware IT community that recognises the concept of IT governance as a solution): 83% (+10%)
Solution, general (group that is aware of potential IT governance solutions/providers): 75% (-9%)
Solution, ISACA/ITGI/COBIT (group that is aware of ISACA/ITGI/COBIT as potential IT governance providers/solution): 12% (-85%)
COBIT users (group that adopts COBIT as the solution for its IT governance problems): 5% (-57%)

Justification
- Only 7 percent of the respondents reported no problems with IT during the last 12 months; hence, 93 percent did experience problems. (Question 3.3.4)
- When asked how they would prioritise resolution of the problems experienced, the result was an average score of 3.9 out of 5 (1 = not at all important; 5 = very important), with a minimum score of 3.7 and a maximum of 4.2. The researchers interpreted this as the proportion that found that the problems required better governance.
- The two results combined (multiplication of results) gave a score of approximately 76 percent of the IT community that had problems and found that these problems required more attention to be solved.
- These results also correspond with the results of other related questions:
  - Ninety-one percent of the respondents find IT important.
  - At least 70 percent of the respondents find IT of strategic importance, and 96 percent find IT of strategic or tactical importance.
  - There is general recognition that IT investments help achieve important goals for the organisation (average score of 4 out of 5).
Conclusion
A substantial part (76 percent) of the IT community is aware that IT has issues that require resolution.

3.4.2 Step 2. Recognition

Figure 49: Step 2. Recognition
(The same funnel as figure 48, with the Recognition step highlighted: IT Community 100%, Awareness 76%, Recognition 83%, Solution general 75%, Solution ISACA/ITGI/COBIT 12%, COBIT users 5%.)

Justification
- In question 3.3.9, 42 percent of the respondents reported no intention to implement IT governance.
- Of that 42 percent, based on the results of question 3.3.10, it is possible to conclude that approximately 60 percent of those organisations claiming not to do or plan any IT governance solutions are implementing at least some partial IT governance measures, even if they are not labelled as such.
- Combining these two results, the overall number of respondents that recognise the IT governance concept (by the term or by their actions) is relatively high: 83 percent.
- In addition, respondents reported that IT governance measures are found or expected to be effective in addressing the problems experienced (score of 3.9 out of 5).
Conclusion
Surprisingly, an even more substantial part (more than 80 percent) of the IT community recognises that IT
governance, or some (partial) form thereof, is required to resolve the issues they face.


3.4.3 Step 3. Knowledge of Solutions

Figure 50: Step 3. Knowledge of Solutions
(The same funnel as figure 48, with the Solution, general step highlighted: IT Community 100%, Awareness 76%, Recognition 83%, Solution general 75%, Solution ISACA/ITGI/COBIT 12%, COBIT users 5%.)

Justification
In response to question 3.3.6, 25 percent of the respondents reported that they were unaware of any IT
governance solution provider; hence, 75 percent know at least one provider or solution.
Conclusion
More than 90 percent (75 percent divided by 83 percent) of those in the IT community that recognise IT
governance as a solution claim to know a solution/framework and/or a provider of that solution.


3.4.4 Step 4. Knowledge of ISACA/ITGI/COBIT

Figure 51: Step 4. Knowledge of ISACA/ITGI/COBIT
(All industries, IT community)
Community of IT users: 100% (change to next step: -24%)
Awareness (part of IT community that is aware that IT has problems that require better governance): 76% (change to next step: +10%)
Recognition (part of aware IT community that recognises the concept of IT governance as a solution): 83% (change to next step: -9%)
Solution, general (group that is aware of potential IT governance solutions/providers): 75% (change to next step: -85%)
Solution, ISACA/ITGI/COBIT (group that is aware of ISACA/ITGI/COBIT as potential IT governance providers/solution): 12% (change to next step: -57%)
COBIT users (group that adopts COBIT as the solution for its IT governance problems): 5%

Justification
In question 3.3.6, 8 percent of the respondents reported that they knew either ITGI or ISACA (COBIT) as an
IT governance solution provider.
The responses to question 3.3.11 reveal that 11 percent of the respondents are using (or plan to use) the
COBIT framework as (part of) their IT governance solution.
The results of both answers combined yield approximately 12 percent of the IT community that is aware
of COBIT as a potential IT governance solution.
Conclusion
As can be seen in figure 51, this step in the funnel is the most significant drop-out point, i.e., the majority of
the IT community is aware of problems and recognises the concept of IT governance, but 85 percent of them
do not recognise ITGI/ISACA and their solution as approaches to resolve their IT governance issue(s).


3.4.5 Step 5. Usage of COBIT

Figure 52: Step 5. Usage of COBIT
(All industries, IT community)
Community of IT users: 100% (change to next step: -24%)
Awareness (part of IT community that is aware that IT has problems that require better governance): 76% (change to next step: +10%)
Recognition (part of aware IT community that recognises the concept of IT governance as a solution): 83% (change to next step: -9%)
Solution, general (group that is aware of potential IT governance solutions/providers): 75% (change to next step: -85%)
Solution, ISACA/ITGI/COBIT (group that is aware of ISACA/ITGI/COBIT as potential IT governance providers/solution): 12% (change to next step: -57%)
COBIT users (group that adopts COBIT as the solution for its IT governance problems): 5%

Justification
The results of question 3.3.17 provide the ratio of COBIT users amongst those who know of it,
i.e., 29 percent.
It is furthermore worth noting that:
- The degree of satisfaction with COBIT and the COBIT suite of products is very high amongst their
users (question 3.3.19), i.e., an average score of 4.1 out of 5.
- COBIT is found to be relatively easy to implement (question 3.3.20). Only 25 percent of the users
found it difficult.
Conclusion
A little less than half of those in the IT community who know about COBIT use it. However, they do
not necessarily use it for IT governance.


3.4.6 Conclusions of Funnel Analysis


From the preceding analysis, two major conclusions could be that:
- The IT community is reasonably well aware that there is an issue with IT, that it is important to resolve it
with some priority, and that the concept of IT governance (or parts thereof) is established and accepted as a
valid solution.
- Relative to the ITGI, its offerings in this area are not as well known as others, and focus should be placed on
expanding brand recognition. This would be especially useful, taking into account:
  - The relatively high proportion of actual COBIT users amongst those who know it
  - The high degree of satisfaction of those who use COBIT
  - The relative ease of implementation


4. The IT Governance Space


4.1 Introduction
As part of the research for the IT Governance Global Status Report, some limited research was performed to
describe the current IT governance space and the major players in it. This section reflects the primary results
from this part of the study.

4.2 COBIT and Other International Frameworks


4.2.1 The Governance Space
When COSO, the landmark corporate governance framework, was originally issued, there were very few other
IT management and control frameworks. In subsequent years, several frameworks were published and then
evolved over time.
COBIT was originally viewed as an IT audit tool. Other standards, such as BS7799,[5] addressed specific
aspects of IT control, e.g., security, and other best practice guidelines, such as IT Infrastructure Library (ITIL),
appeared. However, none of these standards was designed to be part of an integrated approach to IT
management and control or IT governance, simply because that concept was virtually unknown at that time.
The following sections describe COBIT and other major international frameworks touching on aspects of IT
governance.
4.2.2 Control Objectives for Information and related Technology (COBIT)
COBIT is described by its publisher, the IT Governance Institute, and the institute's affiliated Information
Systems Audit and Control Association (ISACA) as the framework for IT governance and control. COBIT
began to receive greatly increased international attention in 2000, when the Management Guidelines
component was published and COBIT was offered as an open standard. This development can be clearly seen
by way of various discussion groups on the Internet covering related topics.[6]
COBIT is based on the conviction that organisations must satisfy the quality, fiduciary and security
requirements for their information, as they do for all assets. Management must also optimise the use of
available resources, including data, application systems, technology, facilities and people. To discharge these
responsibilities and to achieve their objectives, management must understand the status of their own IT
systems and decide what security and control they should provide.
The COBIT framework helps meet the multiple needs of management by bridging the gaps amongst business
risks, control needs and technical issues. It provides good practices across a domain and process framework
and presents activities in a manageable and logical structure. COBIT's good practices reflect consensus of the
experts, help optimise information investments and provide a measure to judge against if things do go wrong.
COBIT starts from the premise that IT needs to deliver the information the enterprise needs to achieve its
objectives. In addition to promoting process focus and process ownership, COBIT looks at fiduciary, quality
and security needs of enterprises and provides seven information criteria that can be used to define generically
what the business requires from IT: effectiveness, efficiency, availability, integrity, confidentiality, reliability
and compliance.
COBIT further divides IT into 34 processes belonging to four domains (Plan and Organise, Acquire and
Implement, Deliver and Support, and Monitor and Evaluate). For each of these processes, a high-level control
objective is defined:
- Identifying which information criteria are most important in that IT process
- Listing which resources will usually be leveraged
- Providing considerations on what is important for controlling that IT process
[5] Now also known as ISO17799
[6] For example, the ITIL-L mailing list

The more detailed elements of COBIT provide some 300 detailed control objectives for management and
IT practitioners who are looking for best practices in control implementation, and extensive audit
guidelines building on these objectives. The latter are geared toward those needing to evaluate and audit
the degree of control and governance over IT processes.
The COBIT components include:
- Executive Summary: Provides a thorough awareness and understanding of COBIT's key concepts and
principles. Also included is a synopsis of the framework, which provides a more detailed understanding
of these concepts and principles, whilst identifying COBIT's four domains and 34 IT processes.
- Framework: Covers the basic structure of COBIT and explains how each of its components leads to
control over IT
- Control Objectives: Includes statements of desired results or purposes to be achieved by implementing
the 318 specific, detailed control objectives throughout the 34 IT processes
- Audit Guidelines: Outlines and suggests activities to be performed corresponding to each of the 34
high-level IT control objectives, whilst substantiating the risk of control objectives not being met
- Implementation Tool Set: Contains management awareness and IT control diagnostics, implementation
guide, FAQs, case studies from organisations using COBIT, and slide presentations that can be used to
introduce COBIT into organisations
- Management Guidelines: Provides guidelines that are action-oriented and generic and offers
management direction for getting the enterprise's information and related processes under control,
monitoring achievement of organisational goals, monitoring and improving performance within each IT
process, and benchmarking organisational achievement
The depth and comprehensive nature of the audit guidance provided in COBIT may be responsible for the
perception amongst many organisations that COBIT is an IT auditor's tool. This implies that business and
IT management may see COBIT as a threat rather than an opportunity.
4.2.3 Capability Maturity Model (CMM)
CMMs help organisations mature their people, process and technology assets to improve long-term
business performance. The US-based Software Engineering Institute (SEI) developed CMMs for software,
people and software acquisition, and assisted in the development of CMMs for systems engineering and
integrated product development.
The Capability Maturity Model for Software (CMMS or SW-CMM) is a model for judging the maturity
of the software processes of an organisation and for identifying the key practices that are required to
increase the maturity of these processes. SW-CMM has become a de facto standard for assessing and
improving software processes. Through SW-CMM, the SEI and community have put in place a means for
modelling, defining and measuring the maturity of the processes used by software professionals.
The purpose of Capability Maturity Model Integration (CMM Integration(SM)) is to provide guidance for
improving an organisation's processes and its ability to manage the development, acquisition and
maintenance of products and services. CMM Integration places practices into a structure that helps an
organisation assess its organisational maturity and process area capability, establish priorities for
improvement, and guide the implementation of these improvements.
The latest development in this initiative is the CMMI Product Suite, resulting from SEI's decision to focus
on developing an integrated framework for maturity models and associated products. The CMMI project
was formed to improve the usability of CMM technology for a set of disciplines beyond software
engineering. It called for use of common terminology, common components and common rules for
constructing CMMI models. These models would be available in a form that would reduce the amount of
training necessary and reduce the process improvement effort required by users improving processes in
multiple disciplines, thus resulting in a savings of time, effort and cost to the organisation pursuing
enterprisewide process improvement.

As the CMMI concept developed, it became clear that the initial scope of the CMMI project should be
restricted to a few of the disciplines most needed by government and industry, until the concept was proven.
The selection of software engineering, systems engineering and integrated product development CMMs was
made by industry and government participants for the initial proof-of-concept phase. However, the CMMI
Product Suite was designed to accommodate expansion of its discipline coverage and product and project life
cycle coverage. The first such expansion was the inclusion of supplier sourcing in the March 2002 release of
Version 1.1.
Expansion decisions will be made based on the success of the initial release, user community needs and
support, and the availability of funding and participants to support development activities.
The CMMI models cover the same life cycles as the source models: Software CMM, EIA/IS 731 (the Systems
Engineering Capability Model) and Integrated Product Development CMM.
4.2.4 IT Infrastructure Library (ITIL)[7]
ITIL is an established approach to IT service management virtually worldwide, though adoption levels differ
regionally. ITIL provides a cohesive set of best practices, drawn from the public and private sectors
internationally. It is supported by a comprehensive qualification scheme, accredited training organisations, and
implementation and assessment tools. The best practice processes promoted in ITIL support and are supported
by the British Standards Institution's Standard for IT Service Management (BS 15000).
There are seven core ITIL titles, of which Service Support and Service Delivery can be considered the most
important for implementing IT service management:
- Service Support: Consists of disciplines that enable IT services to be provided. Issues covered include
service desk, incident management, problem management, configuration management, change management
and release management.
- Service Delivery: Covers the management of the IT services themselves. Issues covered include capacity
management, financial management for IT services, availability management, service level management and
IT service continuity management.
- Planning to Implement Service Management: Answers the question "Where do I start with ITIL?"
- Application Management: Provides an outline of the application management life cycle and is a guide for
business users, developers and service managers on how applications can be managed from a service
management perspective
- ICT Infrastructure Management: Is concerned with the processes, organisation and tools needed to provide
a stable IT and communications infrastructure, and is the foundation for ITIL service management processes
- Security Management: Looks at security from the service provider standpoint, identifying how security
management relates to the IT security officer and how it provides the level of security necessary for the
provision of the total service to the organisation
- Software Asset Management: Developed to assist with understanding software asset management (SAM)
and explain what is required to perform it effectively and efficiently in accordance with industry best practice
- The Business Perspective (due third quarter 2004): Is concerned with helping business managers understand
IT service provision
Professional qualifications based on ITIL are offered by the Information Systems Examination Board (ISEB),
a wholly owned subsidiary of the British Computer Society, and others, including accredited trainers. ITIL
accreditation demonstrates that an individual has met standards in service management as set by an
examination certification board consisting of representatives from Office of Government Commerce (OGC), IT
Service Management Forum (itSMF) and the examination institutes.[8]

[7] ITIL was originally developed by CCTA, now called Office of Government Commerce (OGC) in the UK, as a best practice for IT service management.
[8] The qualifications are: Foundation Certificate (basic knowledge about the framework), Practitioner's Certificate (for those responsible for designing specific processes within the IT service management discipline) and Manager's Certificate.

4.2.5 BS15000
BS15000 is the first standard specifically aimed at IT service management. BS15000 is increasingly seen
as the quality standard for IT service management and many companies are striving to adopt BS15000 not
only for their own benefit, but also to help qualify and choose suppliers and partner organisations. It
describes an integrated set of management processes for the effective delivery of services to the business
and its customers. It consists of two parts:
- BS15000-1 is the formal specification and defines the requirements for an organisation to deliver
managed services of an acceptable quality for its customers.[9]
- BS15000-2 is the code of practice and describes the best practices for service management processes
within the scope of BS15000-1. The code of practice is of particular use to organisations preparing to
be audited against BS15000-1 or planning service improvements.
In March 2002, Gartner published a paper titled The Effects of the British Standard for IT Service
Management.[10] Gartner believed BS15000 to be a major step towards IT service delivery becoming
mature and stable with a level of cross-enterprise consistency. The paper identified many benefits to
industry, end-user enterprises and external service providers. Gartner predicts that BS15000 will move
into an International Organisation for Standardisation (ISO) standard by 2006. The final Gartner
recommendations are: Enterprises should adopt ITIL service management as a discipline. All
improvements should be based on ITIL and BS15000 so that future certification is possible.
ItSMF created and now manages the BS15000-1:2002 IT Service Management Certification Scheme that
provides independent verification against BS15000. Operation of the scheme is closely monitored by
itSMF to ensure consistency of implementation. Any organisation wishing to be formally certified against
the scheme needs to be assessed by an itSMF registered certification body.
4.2.6 Project Management Institute (PMI)
Whilst project management may not be in exactly the same space as the ITGI and COBIT, it is often
viewed as an integral part of IT.
PMI provides global leadership in the development of standards for the practice of the project
management profession throughout the world. PMI's leading standards document, A Guide to the Project
Management Body of Knowledge (PMBOK Guide), is a globally recognised standard for managing
projects in today's marketplace. The PMBOK Guide is approved as an American National Standard
(ANS) by the American National Standards Institute (ANSI).
There are no signs to date that PMI is considering expanding its offering into other parts of the IT
governance market.
4.2.7 PRINCE2
Since its introduction, PRINCE has become widely used in both the public and private sectors and is now
the UK's de facto standard for project management. Although PRINCE was originally developed for the
needs of IT projects, the method has also been used on many non-IT projects.
The latest version of the method, PRINCE2, is designed to incorporate the requirements of existing users
and enhance the method toward a generic, best practice approach for the management of all types of
projects. PRINCE was designed as the sibling of ITIL.

[9] It includes requirements for a management system, planning and implementing service management, planning and implementing new or changed services, service delivery process, relationship processes, resolution processes, control processes and release processes.
[10] Gartner reference SPA-13-3434

PRINCE2 is a process-based approach for project management, providing an easily tailored and scalable
method for the management of all types of projects. Each process is defined with its key inputs and outputs
together with the specific objectives to be achieved and activities to be carried out.
There are currently no signs that OGC is considering expanding PRINCE2 into other parts of the IT
governance market.
4.2.8 Six Sigma
Six Sigma is a disciplined, data-driven approach and methodology for eliminating defects (driving toward six
standard deviations between the mean and the nearest specification limit) in any process, from manufacturing
to transactional and from product to service.
The statistical representation of Six Sigma describes quantitatively how a process is performing. To achieve
Six Sigma, a process must not produce more than 3.4 defects per million opportunities. A Six Sigma defect is
defined as anything outside of customer specifications. A Six Sigma opportunity is the total quantity of
chances for a defect.
The fundamental objective of the Six Sigma methodology is the implementation of a measurement-based
strategy that focuses on process improvement and variation reduction through the application of Six Sigma
improvement projects. This is accomplished through the use of two Six Sigma submethodologies:
- The Six Sigma DMAIC process (define, measure, analyse, improve, control) is an improvement system for
existing processes falling below specification. It targets incremental improvement.
- The Six Sigma DMADV process (define, measure, analyse, design, verify) is an improvement system used
to develop new processes or products at Six Sigma quality levels. It can also be employed if a current
process requires more than just incremental improvement.
Both Six Sigma processes are executed by so-called Six Sigma Green Belts and Six Sigma Black Belts, and
are overseen by Six Sigma Master Black Belts. Green Belts are project leaders who receive two weeks of
training on the Six Sigma road map and essential elements of statistical methodologies supporting Six Sigma
projects, whilst Black Belts receive four weeks of training.[11]
Many frameworks exist for implementing the Six Sigma methodology. Six Sigma consultants all over the
world have developed proprietary methodologies for implementing Six Sigma quality, based on similar
change management philosophies and applications of tools. This is remarkable, as Six Sigma has a strong
quantitative origin.
4.2.9 BS7799/ISO17799
BS7799/ISO17799 is a standard that sets out the requirements for an information security management system
(ISMS). It helps identify, manage and minimise the range of threats to which information is regularly
subjected. Annex A of BS7799 identifies 10 controls:
1. Security policy: Provides management direction and support for information security
2. Organisation of assets and resources: Helps manage information security within the organisation
3. Asset classification and control: Helps identify assets and appropriately protect them
4. Personnel security: Reduces the risks of human error, theft, fraud or misuse of facilities
5. Physical and environmental security: Prevents unauthorised access, damage and interference to business
premises and information
6. Communications and operations management: Ensures the correct and secure operation of information
processing facilities
7. Access control: Controls access to information
[11] According to the Six Sigma Academy, Black Belts save companies approximately US $230,000 per project and can complete four to six projects per year. General Electric, one of the most successful companies implementing Six Sigma, has estimated benefits on the order of US $10 billion during the first five years of implementation.

8. Systems development and maintenance: Ensures that security is built into information systems
9. Business continuity management: Counteracts interruptions to business activities and protects critical
business processes from the effects of major failures or disasters
10. Compliance: Avoids breaches of any criminal and civil law; statutory, regulatory or contractual
obligations; and any security requirement
An organisation using BS7799 as the basis for its ISMS can become registered by British Standards
Institute (BSI), thus demonstrating to stakeholders that the ISMS meets the requirements of the standard.
4.2.10 Balanced Scorecard
Fortune magazine estimates that fewer than 10 percent of strategies formulated are effectively executed.
The (IT) balanced scorecard (BSC) is a framework to help organisations rapidly implement strategy by
translating the vision and strategy into a set of operational objectives that can drive behaviour and,
therefore, performance.
Strategy-driven performance measures provide the essential feedback mechanism required to dynamically
adjust and refine the organisation's strategy over time. The BSC concept is built upon the premise that
what is measured is what motivates organisational stakeholders to act. Ultimately, all of the organisation's
activities, resources and initiatives should be aligned to the strategy. The BSC achieves this goal by
explicitly defining the cause-and-effect relationships amongst objectives, measures and initiatives across
each of four perspectives (customer, financial, internal and learning/growth) and down through all levels
of the organisation.
The BSC was not developed to support IT. However, IT professionals have been active in
adapting/building this idea into IT balanced scorecards, with isolated success. It is not a strong player in
the IT alignment portion of the IT governance market, not because of its inherent weakness, but because it
is not marketed in a significant way.
The inability of many organisations to effectively formulate strategies (let alone IT strategies) by
definition renders the IT balanced scorecard useless as a strategy implementation tool.

4.3 Substitution/Potential Entrants


The IT governance framework (and COBIT) most likely will not be challenged by only one single
framework, standard or set of best practices. The IT governance framework and COBIT are the only (by
definition perhaps[12]) frameworks covering all aspects of IT governance. Other frameworks cover aspects
of IT governance in greater detail, so the question arises: why should an organisation use COBIT when it
already uses ITIL, PRINCE2, balanced scorecards, CMM, etc.?
ITIL is probably the closest substitute for COBIT. But the fact that COBIT and ITIL are getting closer does
not mean that they are able to substitute for each other now or in the near future. There remain too many
differences in terms of coverage and level of detail. ITIL's focus on improving operational and tactical
delivery and support processes by providing practical best practices cannot be compared to COBIT's unique
comprehensiveness and focus on controls. Although COBIT is evolving toward ITIL's level of detail, the
control practice statements are no substitute for ITIL's descriptions of activities. One could summarise that
COBIT focuses on what and ITIL focuses on how.[13] Also, substitution is very unrealistic as a result of the
mature market that has already been created around ITIL. Note, however, that regional differences may exist,
e.g., ITIL may be more widely implemented in Europe than in other regions.
[12] See section 4.4, COBIT as Keystone IT Framework.
[13] Gartner reference TG16-1849

Looking at the fundamental building blocks of IT governance, IT governance frameworks need to address at
least one or more of the following areas:
- Strategic alignment
- Performance measurement
- Value delivery
- Resource management
- Risk management
Figure 53 illustrates, for all the frameworks discussed, the extent to which they cover these IT governance
components.

Figure 53: Frameworks Mapped Against IT Governance Components
(Overview: a matrix of the frameworks COBIT, ITIL, CMM, BS7799/ISO17799, PRINCE2, PMBOK and (IT) BSC against the components strategic alignment, performance measurement, value delivery, resource management and risk management. The legend distinguishes coverage (full coverage, some aspects, no coverage) and level of detail (detailed, high-level); the individual cell symbols are not recoverable from the extracted text.)

4.4 COBIT as Keystone IT Framework


As a first step to determining whether COBIT could become a keystone IT framework, four generally
accepted IT frameworks were selected and analysed to determine if they could be reconciled to COBIT. The
preliminary reconciliation is shown in figure 54.


Figure 54: COBIT's Relationship to IT Frameworks
(International IT frameworks ISO 9000:2000, SW-CMM, ITIL/BS15000 and ISO17799 mapped against the COBIT control objectives; the per-framework mapping cells are not recoverable from the extracted text.)

COBIT control objectives by domain:

Plan and Organise
- Define a strategic IT plan
- Define the information architecture
- Determine technological direction
- Define the IT organisation and relationships
- Manage the IT investment
- Communicate management aims and direction
- Manage human resources
- Ensure compliance with external requirements
- Assess risks
- Manage projects
- Manage quality

Acquire and Implement
- Identify automated solutions
- Acquire and maintain application software
- Acquire and maintain technology infrastructure
- Develop and maintain procedures
- Install and accredit systems
- Manage changes

Deliver and Support
- Define and manage service levels
- Manage third-party services
- Manage performance and capacity
- Ensure continuous service
- Ensure systems security
- Identify and allocate costs
- Educate and train users
- Assist and advise customers
- Manage the configuration
- Manage problems and incidents
- Manage data
- Manage facilities
- Manage operations

Monitor and Evaluate
- Monitor the processes
- Assess internal control adequacy
- Obtain independent assurance
- Provide for independent audit

All of the IT frameworks selected can be reconciled to COBIT's high-level control objectives. The extent of
integration at the detailed control level varies significantly. For example, ISO17799 has much more depth than
COBIT for the "Ensure systems security" objective, ITIL significantly less so and ISO9000 only briefly touches
on security.
As figure 54 shows, most components of other frameworks map in most instances to COBIT processes. Since
COBIT is the integrating framework, it is not necessary for COBIT to reach the same level of detail as the other
frameworks, but it is required to:
- Ensure that at a high level all components of other frameworks can be mapped against COBIT components
(not necessarily IT processes only)
- Maintain this mapping as other frameworks evolve over time
- Leverage the elements that make COBIT unique, i.e., the elements that are in no other frameworks and that
help position COBIT as the unifying framework
- Provide a migration path for those that have implemented other frameworks already
An additional reason why COBIT is so suitable as an umbrella model is the fact that it maps quite well to the
general corporate governance model, COSO, and thus it can help many organisations meet the regulatory
requirements they currently face.


5. Telephone Survey Sample Description


This section contains a more complete description of the sample surveyed. Some data contained in this section
are also included in the survey results section of the report.

5.1 Geographic Composition of Sample


Figure 55: Geographic Composition of Random Sample
(Bar chart per region, North America, Europe, South America and Asia-Pacific, showing interviews achieved against the initially targeted number of interviews. Bar values as extracted, without reliable assignment to regions: 104, 69, 60, 67, 60, 36, 60, 30.)

The response rates in North America, especially US and Canada, were substantially lower than in other
regions. Hence, it required many more contacts to achieve the required number of interviews.

Figure 56: Geographic Composition of COBIT Purchaser Sample
(Bar chart for North America, Europe, South America and Asia-Pacific. Bar values as extracted: 31, 16, 12, 0.)

When taking into account all responses received, the geographic spread is shown in figure 57.

Figure 57: Geographic Composition of Overall Sample
Europe: 34%
North America: 30%
Asia-Pacific: 25%
South America: 11%

5.2 Industry Sector Composition


Figure 58: Industry Sector Composition of Overall Sample
Manufacturing               35%
Government/Public Sector    21%
IT/Telecom                  17%
Financial Services          10%
Other/Unknown               10%
Retail                       7%

5.3 Enterprise Size (Number of Employees) Composition


Figure 59: Enterprise Size (Number of Employees) Composition of Overall Sample
Fewer than 100          15%
101-200                  7%
201-300                  6%
301-400                  5%
401-500                  5%
501-600                  4%
601-700                  3%
701-800                  3%
801-900                  0%
901-1000                 3%
More than 1,000         47%
Do not know/refused      1%

Large organisations were characterised as more than 500 employees and small organisations were characterised
as fewer than 500 employees. The split between the two is shown in figure 60.

Figure 60: Distribution Between Large and Small Organisations in Overall Sample
Large    61%
Small    39%

5.4 Profile of Respondents


Figures 61 and 62 show the composition of the profiles of:
• The individuals contacted
• The actual respondents, which were not necessarily the people contacted (e.g., in case of referral from
  the CEO to the CIO)

Figure 61: Profile of Individuals Contacted
General Management    80%
IT Management         20%

Figure 62: Profile of Respondents
IT Management         64%
General Management    22%
Unknown               12%
Audit                  2%

5.5 IT Profile of Respondents


5.5.1 IT Budget (Overall)

Figure 63: IT Budget of Random Sample Respondents
Less than US $1 million     28%
US $1-10 million            25%
US $11-20 million            4%
US $21-30 million            2%
US $31-40 million            1%
US $41-50 million            1%
More than US $50 million     5%
Do not know                 20%
Refused                     15%

5.5.2 IT Budget Evolution

Figure 64: IT Budget Evolution in Last Three Years
Increased      47%
Stayed same    24%
Decreased      26%
Do not know     3%
Refused         1%
Observation 39: IT budgets have increased during the last three years at nearly half of all organisations,
whilst they have decreased in only about one-quarter.

Figure 65: IT Budget Evolution in Last Three Years, by Industry Sector
[Bar chart: percentage of respondents whose IT budget increased, stayed the same or decreased, for each of
Financial Services, Manufacturing, IT/Telecom, Retail and Public Sector]

Observation 40: IT budgets have increased more in the public sector, retail and manufacturing (on
average, 53 percent) than they have in IT/telecom and financial services (on average, 36 percent) during
the last three years. IT/telecom and financial services budgets have decreased in that same period (on
average, 38 percent).


5.5.2.1 IT Budget Evolution: Level of Decrease

Figure 66: IT Budget Evolution in Last Three Years (Those That Decreased), Amount of Decrease
Less than 10%          22%
11-20%                 31%
21-30%                 24%
31-40%                  3%
41-50%                  5%
More than 50%           3%
Do not know/refused    12%

5.5.2.2 IT Budget Evolution: Level of Increase

Figure 67: IT Budget Evolution in Last Three Years (Those That Increased), Amount of Increase
Less than 10%          22%
11-20%                 36%
21-30%                 16%
31-40%                  6%
41-50%                  3%
More than 50%          10%
Do not know/refused     6%

6. Bibliography
The following sources (articles, standards, books and surveys) were consulted during the research project.
Applegate, Lynda M.; Robert D. Austin; F. Warren McFarlan; Corporate Information Strategy and Management, 6th Edition
Board Briefing on IT Governance, 2nd Edition, IT Governance Institute, Rolling Meadows, Illinois, USA, October 2003
Carr, Nicholas G.; IT Doesn't Matter, Harvard Business Review, May 2003
COBIT 3rd Edition, IT Governance Institute, Rolling Meadows, Illinois, USA, July 2000
Committee of Sponsoring Organisations of the Treadway Commission (COSO), www.coso.org
Common Criteria and Methodology for Information Technology Security Evaluation, CSE (Canada), SCSSI (France), BSII (Germany), NLNCSA (Netherlands), CESG (UK), NIST (USA) and NSA (USA), 1999
Evans, Philip; Thomas Wurster; Strategy and the New Economics, Harvard Business Review, September-October 1997
Exposure Draft: Enterprise Risk Management Framework, Committee of Sponsoring Organisations of the Treadway Commission (COSO), USA, July 2003
Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release Nos. 33-8238; 34-47986; IC-26068; File Nos. S7-40-02; S7-06-03, US Securities and Exchange Commission, USA, June 2003, www.sec.gov/rules/final/33-8238.htm
Hegarty, John; Five Things IT Needs to Know About Sarbanes-Oxley Compliance, AMR Research, Alert Highlight, April 2003
IT Governance Framework Quadrants, Canada Interior Health Authority, 2002
McFarlan, F. Warren; Perspectives, PricewaterhouseCoopers Technology Forecast 2002-2003, Volume 1, 2002
Mingay, S.; S. Bittinger; Combine COBIT and ITIL for Powerful IT Governance, Gartner, Ref. TG16-1849, June 2002
Mintzberg, Henry; The Rise and Fall of Strategic Planning, Harvard Business Review, 1994
Porter, Michael E.; Competitive Strategy: Techniques for Analyzing Industries and Competitors, 1998
Porter, Michael E.; How Competitive Forces Shape Strategies, Harvard Business Review, March 1979
Porter, Michael E.; What Is Strategy?, Harvard Business Review, 1996
Spafford, George; The Benefits of Standard IT Governance Frameworks, itmanagement.earthweb.com, April 2003
Strassman, Paul; IT Value Chain Management: Maximizing the ROI from IT Investments, 2003
The Effects of the British Standard for IT Service Management, Gartner, Ref. SPA13-3434, March 2002
What YOU Have to Say, The State of the CIO, April 2003
Various authors; Does IT Matter? An HBR Debate, Harvard Business Review, June 2003
Appendix I: Applying COBIT and COSO to Sarbanes-Oxley
Until recently, assertions on control by an organisation were mostly voluntary and based on a wide variety
of internal control frameworks.[14] However, IT and compliance will have to work together from now on,
thanks to increased regulation.
With the passing of the US Sarbanes-Oxley Act, heavily based on COSO, and subsequent interpretations
and discussions of the Act by the US Public Company Accounting Oversight Board (PCAOB), there is
some support for suggesting that COSO Internal Control: Integrated Framework is the de facto
international control framework for financial reporting. Notwithstanding the results of this survey of US
companies, the implementation of IT corporate governance for US Securities and Exchange Commission
(SEC) registrants is becoming mandatory. The impact is global.
COSO does not adequately address IT control requirements within the framework. Sarbanes-Oxley
provides an opportunity to position COBIT as the keystone framework for IT management and control.
Figure 68 presents a detailed mapping of COSO and COBIT. However, whilst intellectually stimulating, it
could be argued that the existing mapping is too complex to have a clear impact on executives and boards.
A more directed mapping should be linear and, wherever possible, one-dimensional. COSO compliance
means that the mapping between an IT governance tool/framework and COSO must be simple:
• The role of the IT governance framework should be clear. It should be the keystone to other frameworks
  in achieving COSO compliance, supplementing other frameworks only where there are gaps.
• It should have a standard level of detail. A balance should be achieved between identifying clear control
  objectives and having too much detail.
• It should be clear enough to implement.
• It should be reconcilable with other recognised control frameworks and should not seek to replace them.
  Investments in other frameworks should be able to be used in assessing compliance with the keystone
  framework and with the COSO framework.
Whilst IT executives are required to state that they have implemented a control framework that is
compatible with COSO, there is no guidance on what framework they should use. The ITGI recognised
this problem and, to address it, in April 2004 issued a paper titled IT Control Objectives for Sarbanes-Oxley:
The Importance of IT in the Design, Implementation and Sustainability of Internal Control Over
Disclosure and Financial Reporting. The publication constitutes the first practical guidance on how to
deal with the new regulatory requirements, and section 404 in particular.
In the paper, the ITGI defined a set of IT control objectives to be considered for financial reporting. The
control objectives were based on the guidance provided in COBIT, although they were not presented
exactly as they are in COBIT. The end result is a series of IT controls, designed specifically for COSO and
Sarbanes-Oxley compliance.
Figure 68 shows the relationship between the COSO financial reporting objective and COBIT. COBIT is a
comprehensive framework for managing risk and control of information technology. In developing the
mapping, the approach started with reviewing the detailed COBIT control objectives, reconciling the
objectives to COSO, determining if the objectives relate to financial reporting objectives, extracting the IT
general control objectives, and rewriting objectives, as appropriate, so they focus on financial reporting
objectives, the requirement of Sarbanes-Oxley. The resulting general control objectives framework has
four domains, 27 IT processes and 136 detailed control objectives.

[14] Various regulatory bodies, such as the Bank for International Settlements and the Organisation for Economic Co-operation and
Development, have issued reports on corporate governance since the early 1990s. Cadbury in the UK and CoCo in Canada are
other examples. Each of these reports makes recommendations on good practice for effective governance for boards and executive
management. Stakeholder value, transparency of risk and internal control are common themes emphasised by all.
Figure 68: COBIT's Relationship to COSO
[Matrix: rows are the COBIT control objectives listed below; columns are the COSO components
Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.
The cell markings showing which COSO component each objective supports are not reproduced here.]

COBIT Control Objectives, by domain:

Plan and Organise
• Define a strategic IT plan
• Define the information architecture
• Determine technological direction
• Define the IT organisation and relationships
• Manage the IT investment
• Communicate management aims and direction
• Manage human resources
• Ensure compliance with external requirements
• Assess risks
• Manage projects
• Manage quality

Acquire and Implement
• Identify automated solutions
• Acquire and maintain application software
• Acquire and maintain technology infrastructure
• Develop and maintain procedures
• Install and accredit systems
• Manage changes

Deliver and Support
• Define and manage service levels
• Manage third-party services
• Manage performance and capacity
• Ensure continuous service
• Ensure systems security
• Identify and allocate costs
• Educate and train users
• Assist and advise customers
• Manage the configuration
• Manage problems and incidents
• Manage data
• Manage facilities
• Manage operations

Monitor and Evaluate
• Monitor the processes
• Assess internal control adequacy
• Obtain independent assurance
• Provide for independent audit

Appendix II: Questions and Figures

Questions (Excluding Demographic Questions)
3.3.1 Thinking about your overall strategy/vision, how important do you consider IT to be to the delivery
of this strategy/vision?
3.3.2 Do you see IT mainly as a means for gaining competitive advantage (i.e., a strategic tool), or do
you see it more as a commodity that needs to be managed in the most efficient manner?
3.3.3 How frequently is IT included on your organisations board agenda?
3.3.4 Which of the following problems have you experienced with IT in the last 12 months?
3.3.5 How important do you feel it will be to address this problem in the next 12 months?
3.3.6 What organisations are you aware of that provide or implement solutions to these IT problems (in
terms of frameworks and generic governance models)?
3.3.7 How would you rate ____ with regard to its expertise in IT governance solutions/frameworks?
3.3.8 How would you rate ____ with regard to its ability to implement IT governance solutions/frameworks?
3.3.9 Have you implemented, are you in the process of implementing or are you considering
implementing an IT governance solution/framework?
3.3.10 Have you implemented, are you in the process of implementing or are you considering
implementing other measures in order to improve?
3.3.11 If you have implemented, are in the process of implementing or are considering implementing an
IT governance solution, what solutions/frameworks did/do you use or are you considering using?
3.3.12 Which of the following areas do you hope to address using your selected IT governance
framework(s)?
3.3.13 At what stage of IT governance implementation are you?
3.3.14 If you are not considering implementation of an IT governance solution, why not?
3.3.15 Are you personally aware of the existence and contents of COBIT?
3.3.16 Is your organisation aware of the existence and contents of COBIT?
3.3.17 If your organisation is aware of COBIT, does the organisation currently use COBIT?
3.3.18 If your organisation is using COBIT, which parts of COBIT does the organisation use?
3.3.19 If you or your organisation uses COBIT, how satisfied are you with the parts you or your
organisation uses?
3.3.20 If you or your organisation uses COBIT, how difficult is it to implement the COBIT framework?
3.3.21 What enhancements do you feel could be made to the COBIT framework to improve
implementation?
3.3.22 If you or your organisation uses COBIT, how satisfied are you with the COBIT framework with
regard to IT governance?
3.3.23 If neither you nor your organisation uses COBIT, are you aware of COBIT as an IT governance
solution/framework?
3.3.24 Are there other issues related to IT governance of which you would like to make us aware?
3.3.25 Amongst those enterprises that are not considering the implementation of an IT governance
solution (question 3.3.9), how many are familiar with COBIT (questions 3.3.15 and 3.3.16)?

Figures
1 IT Governance Funnel Analysis
2 Geographic Distribution Random Sample
3 Geographic Distribution COBIT Booster Sample
4 Respondents' Job Functions Random Sample
5 Original Job Functions Random Sample
6 Industry Sectors Random Sample
7 Importance of IT for Overall Strategy Delivery
8 Importance of IT for Overall Strategy Delivery, by Geographic Area
9 Importance of IT for Overall Strategy Delivery, by Industry Sector
10 Importance of IT for Overall Strategy Delivery, by Job Function
11 IT Strategic or Commodity
12 IT Strategic or Commodity, by Geographic Area
13 IT Strategic or Commodity, by Industry Sector
14 IT Strategic or Commodity, by Job Function
15 Frequency of IT on Board's Agenda
16 Frequency of IT on Board's Agenda, by Geographic Area
17 Frequency of IT on Board's Agenda, by Industry Sector
18 IT Problems in Last 12 Months
19 Importance of Addressing IT Problems
20 IT Priorities vs. IT Problems
21 Recognised IT Governance Providers
22 Recognised IT Governance Providers, by Geographic Area
23 Average Number Recognised IT Governance Providers, by Geographic Area
24 Respondents Not Knowing Any IT Governance Providers, by Geographic Area
25 Expertise of IT Governance Providers
26 Implementation Ability of IT Governance Providers
27 Relative Positioning of Expertise/Implementation Ability of IT Governance Providers
28 IT Governance Implementation Status
29 IT Governance Implementation Status, by Geographic Area
30 IT Governance Implementation Status, by Organisation Size
31 Implementation Status of Partial IT Governance Solutions
32 Selected IT Governance Frameworks
33 Use of Selected IT Governance Frameworks
34 Stage of IT Governance Implementation
35 Reasons for Not Implementing IT Governance
36 Awareness of COBIT
37 Awareness of COBIT, by Geographic Area
38 Awareness of COBIT, by Organisation Size
39 Awareness of COBIT, by Industry Sector
40 Use of COBIT Amongst Organisations Aware of COBIT
41 Use of Portions of COBIT
42 Degree of Satisfaction with COBIT
43 Difficulty in Implementing COBIT
44 Satisfaction With COBIT as IT Governance Model
45 Awareness of COBIT as IT Governance Solution/Framework
46 Familiarity With COBIT Amongst IT Governance Nonimplementers
47 High-level Result of Funnel Analysis
48 Step 1. Awareness
49 Step 2. Recognition
50 Step 3. Knowledge of Solutions
51 Step 4. Knowledge of ISACA/ITGI/COBIT
52 Step 5. Usage of COBIT
53 Frameworks Mapped Against IT Governance Components
54 COBIT's Relationship to IT Frameworks
55 Geographic Composition of Random Sample
56 Geographic Composition of COBIT Purchaser Sample
57 Geographic Composition of Overall Sample
58 Industry Sector Composition of Overall Sample
59 Enterprise Size (Number of Employees) Composition of Overall Sample
60 Distribution Between Large and Small Organisations in Overall Sample
61 Profile of Individuals Contacted
62 Profile of Respondents
63 IT Budget of Random Sample Respondents
64 IT Budget Evolution in Last Three Years
65 IT Budget Evolution in Last Three Years, by Industry Sector
66 IT Budget Evolution in Last Three Years (Those That Decreased), Amount of Decrease
67 IT Budget Evolution in Last Three Years (Those That Increased), Amount of Increase
68 COBIT's Relationship to COSO