IT Governance Enablers
David Henriques
Master Student, [email protected]
Ruben Pereira
Professor, [email protected] Instituto Universitario de Lisboa, ISCTE-IUL, Av. das Forças Armadas, 1649-026 Lisboa, Portugal
Rafael Almeida
PhD Student, [email protected]
Miguel Mira da Silva
Professor, [email protected] Instituto Superior Tecnico - Universidade de Lisboa, Av. Rovisco Pais 1, 1049-001 Lisboa, Portugal
Abstract
The pace of information technology evolution calls for governance. Control Objectives for Information and Related Technologies (COBIT) is the main framework for information technology governance (ITG) and defines the concept of IT governance enablers as a critical step for any governance decision or path. This investigation aims to clarify the enablers defined by COBIT to help organizations manage their information technology. Clarity on the meaning of enabler is still lacking in the literature. Enablers are somewhat described in COBIT, but space is left for confusion and contradictions among researchers and practitioners. The research question to be answered by this investigation concerns the definition for each enabler and
how it is dictated by the COBIT framework. Further this study proposes a clarification concerning the definition of ITG enablers as addressed by COBIT and several filtration stages and criteria that were used to select high-quality studies. Given the aim of this research, the authors adopted a systematic literature review (SLR) methodology to analyze and synthesize the knowledge about the enablers from COBIT from the literature. Our findings may be used by future researchers to better define the scope of their definitions of enablers, to help future studies regarding the relationship of enablers with any technology or field, and to help future investigations concerning IT governance and its scope within an organization.
Keywords:
COBIT5; enablers; governance; IT; IT governance; systematic literature review
Citation: Henriques D., Pereira R., Almeida R., Mira da Silva M. (2020) IT Governance Enablers. Foresight and STI Governance, vol. 14, no 1, pp. 48-59. DOI: 10.17323/2500-2597.2020.1.48.59
0 I © 2020 by the authors. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.Org/licenses/by/4.0/).
Introduction
IT governance (ITG) is high on the agenda at many organizations and high-level ITG models are being raised within the organizations [de Haes, van Grembergen, 2008; Hardin-Ramanan et al., 2018].
ITG it is defined an important part of corporate governance, it is involved in leadership and organizational structures to ensure that an organization's IT sustains and extends its strategies and objectives [Joshi et al., 2018]. ITG not only encourages desirable behavior in the use of information technology (IT) and has the capabilities to get the business operations aligned with IT [Kude et al., 2017; Hardin-Ramanan et al., 2018], it also defines the roles and responsibilities within information systems (IS) and related technologies to manage and support an organization's functions [Higgins, Sinclair, 2008]. ITG's purpose is to direct and manage IT initiatives to ensure that organization performance meets the goals established by management [Selig, 2018]. Some of the main objectives of ITG are the alignment of IT objectives with the overall business strategy, measures of IT performance, and competitive advantages provided by IT for the organization [Higgins, Sinclair, 2008].
Many ITG frameworks exist to assist organizations [Bernroider, Ivanov, 2011] and Control Objectives for Information and Related Technologies (COBIT) is one of the most complete and most often used ITG frameworks since it assists organizations in achieving their objectives for governance and the management of an organization's IT [ISACA, 2018]. Plus, the COBIT framework conceptually defines the role of enablers in the ITG field. Enablers are described as anything that can help achieve the objectives of the organization, they support the creation of business value through the use of IT and are an important step in achieving good ITG [ISACA, 2018]. However, little information exists about these enablers in COBIT documentation which confuses professionals. Therefore, this research aims to explore the literature and bring some clarity concerning ITG enablers.
Giving the nature of this research, a systematic literature review (SLR) methodology was employed
to analyze the relevant literature, find gaps, synthesize findings, and use those findings in future research. SLR has great importance in fields where little or no consensus exists about a specific concept and helps one find the necessary information to support the research questions [Tranfield, 2003; Okoli, Schabram, 2010].
To sum up, this research aims to clarify and detail each ITG enabler and how they can be useful to an organization. Therefore, the main contribution of this research is to bring clarification on each ITG enabler and deliver a baseline for future research.
The following document is organized as follows, "Introduction", "Research Method", "Results", "Discussion and Insights," and "Conclusions".
Research Method
This research applied an SLR approach to identify and synthetize the literature published about ITG enablers. The SLR aims to identify, evaluate, and interpret all information about research relevant to a specific topic, where the individual studies in a SLR are called primary studies [Kitchenham, 2004]. This is performed in the following distinct stages which were revised following recommendations made by the author [Kitchenham, 2004] namely that the SLR include: the identification of the need for a review, the identification of the research, the selection of primary studies, an assessment of study quality, data extraction, and data synthesis. On this basis we created research stages to help us to deliver the most high-quality study by performing the selection according to our inclusion and exclusion criteria, filtration stages, and finally with an assessment of quality as illustrated by Figure 1.
Stage 1: Inclusion and Exclusion Criteria
The inclusion and exclusion criteria for this review were guided by the following research questions to filter the articles chosen during the search:
RQ1: Was the article published in a journal with a classification of Q1 or Q2?
RQ2: Was the article published in conference proceedings with a classification of A or B?
Figure 1. Research Stages
Stage 1 Inclusion and exclusion criteria
►
Stage 2
Selection of data
►
Source: authors
These questions were used to guide our study to synthetize the material found in the journals and conferences via the internet, with the purpose of obtaining the correct information about ITG en-ablers. This review included only articles published in English published between 1999 and 2018. This window provided sufficient coverage to find an appropriate amount of literature on the topic at hand related to the terms that stand out as ITG enablers. The articles that did not provide information for addressing the identified research question(s) were excluded from this review.
Stage 2: Selection of Data Sources
This review included the following well-known four databases for searching the articles and the proceedings included in this review:
• Google Scholar (http://scholar.google.com)
• Elsevier Science Direct (www.sciencedirect.com)
• IEEE Xplore (https://ieeexplore.ieee.org)
• Taylor & Francis Online (https://www.tandfon-line.com)
The selected data sources provided sufficient literature coverage for the review. The search for this review began on July 12, 2018. Data sources were systematically searched using the carefully selected search terms or keywords (see Table 1). For instance, the term IT governance was included along with enablers, as they were found to be complementary to one another. The search was separated by categories ("IT Governance", "IT Governance Enablers", "COBIT Enablers"). Inside these categories several keywords were included and combined using the Boolean term "AND", for example, "IT governance AND principles".
Stage 3: Search Strategy
During the research process a filtration process was used to find the 28 articles selected for this review. In Table 2 below, the filtration stages are described along with the various filters that were used. The first filtration stage filters the search terms described in Table 1 using "" in the academic databases mentioned above. The second filtration stage refines the search using keywords in the title of the articles. The third filtration stage checks the search terms in the abstracts from the search. In the final stage, the relevant articles for the review were chosen by checking the articles that correspond to the aforementioned research questions.
Table 3 shows the filtration stages for each term used to select the relevant articles for the review. Some of the search terms already yielded few results in the first filtration making it difficult to further refine the search, yielding zero results in the following stages, so those search terms were used
for articles found in the first and second stages. One of the motivations of this research was to filter the search as much as possible, because the objective was to find only studies that provided useful information about ITG enablers. This is why during the third filtration stage in Table 3 there are some terms without any result, but in these cases, results were selected from the second filtration stage and then immediately went through the final stage where we obtained valuable information.
Quality Assessment
For the quality assessment, several questions were employed to ensure the relevance and quality of the selected articles. The assessment criteria were developed (Table 4) and applied to ensure the quality, relevance, and credibility of the articles included in this review. The first quality criteria question was used to select studies that were related to ITG so as not to use articles outside the scope of this investigation. The second quality criteria question was used to understand whether or not the article was chosen due to at least one of the ITG enablers being described. The third quality criteria question was applied to verify whether the study itself brings more value into our investigation with regard to useful information about at least one of the ITG enablers to guarantee more accuracy.
Table 5 shows which articles are aligned with the quality criteria questions applied in this literature review. This table shows that all articles were more concentrated on building concepts concerning each IT governance enabler and also shows that some articles are not necessarily related to ITG or to the information technology sector.
Results
This section presents the main findings elicited from the studies selected and reviewed through the SLR.
Table 6 presents the journal and conference each selected article belongs to as well as the respective classification. To increase the scientific rigor of our research study, only journals Q1 and Q2 (according the Scimago classification) were considered. Following the same logic, only conferences A and B (according to the Excellence in Research in Australia (ERA) criteria) were considered in this research.
This section presents the main findings elicited from the selected and reviewed studies through SLR.
Figure 2 shows the distribution of the 28 articles selected for the study according to the selection criteria, by year. The conclusions drawn from this distribution include the fact that in 2007, ITG en-ablers started to hold more interest for the scientific community.
Table 1. Search Terms
Search Category Keywords
IT Governance IT governance definition
IT Governance Enablers IT governance principles, IT governance culture, IT governance ethics, IT governance information, IT governance people, Governance organizational structures, IT governance skills, IT governance competencies, IT governance applications, IT people
COBIT Enablers COBIT processes, COBIT principles, COBIT frameworks.
Source: authors.
Table 7 provides more information about the selected articles. As one can see, there is a considerable number of Q1 journals in the final set, which is a promising indicator. Also, the sum of citations received by the articles for each classification is included. To classify the journals, the authors used the Scimago Journal & Country Rank (www.scima-gojr.com) website. For the conferences, the authors used the ERA rank (www.conferenceranks.com).
Table 8 presents the selected articles allocated to each ITG enabler following the concept-centric approach proposed by [Watson, Webster, 2002]. Therefore, in this study we did not have an author-centric approach based on the point of view of researcher. It is interesting to find that the enabler "Information" is the least studied subject in the literature even though it currently considered one of the most (if not the most) important asset for organizations. On the other hand, "Principles, Policies, and Frameworks" are the more explored enablers among the selected articles.
Table 3. Filtration Stages for Each Search Term
Search Term Filtration Stages
1st 2nd 3rd Final
IT governance 33900 3230 342 2
IT governance behavior 7 4 1 1
IT governance enablers 17 2 0 1
IT governance principles 309 7 4 2
IT governance definition 180 6 1 1
IT governance culture 45 7 0 2
IT governance ethics 6 21 0 2
IT governance information 9 25 5 2
IT governance people 35 0 0 2
Governance organizational structures 125 0 0 2
IT governance skills 14 0 0 1
IT governance competencies 16 0 0 2
IT governance applications 13 0 0 2
COBIT processes 556 17 4 2
COBIT principles 82 2 0 2
COBIT frameworks 232 8 1 1
COBIT enablers 20 2 2 1
Total 35566 3331 360 28
Source: authors.
Discussion and Insights
After analyzing the selected articles and given the research objective of this study, it is important to detail what has been done and argued among the scientific community regarding each ITG enabler. Therefore, the following section presents a deeper description of each ITG enabler in the eyes of the scientific community.
Principles, Policies, and Frameworks
Principles are the channel to translate a desired behavior into practical guidance for day-to-day management [Garsoux, 2013] and they serve as the platform for developing governance monitoring and evaluation instruments [Weill, Ross, 2005]. Principles for [Spremic, 2009] and [Bin-Abbas, Bakry, 2014] consist of the high-level decisions
Table 2. Filtration Stages
Filtration Stages Description Assessment criteria Count
1st Filtration Identification of relevant studies from the selected databases Search Category and keywords using the filter "" 35559
2nd Filtration Exclude studies based on titles Title = Search terms Yes = Accepted No = Rejected 3327
3rd Filtration Exclude studies based on abstracts Keywords inside the abstract Yes= Accepted No = Rejected 359
Final Filtration Obtain selected relevant articles Address the research questions. Yes = Accepted No = Rejected 28
Source: authors.
Table 4. Quality Criteria
Criteria Definition
QC1 Is the context of the article related to IT governance?
QC2 Is the description of the article related to the context of the research?
QC3 Do the findings found in the articles bring value to the formulation of concepts?
I Source: authors.
Figure 2. Histogram of the Articles Selected by Year
5
4
3
2
1
o' W <n' m' m' ^-o' W co' o^' o' W <n' en m' ^-o' W co'
ooooooooooooooooooo 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
as o" ^ <N ro in cd oC o" ^ <N ro in
'''''''''''''''''''
^<(N(N(N(N(N(N(N(N(N(N(N(N(N(N(N(N(N(N
Source: authors
1 1
1 III 1
II III 1111111111
about the strategic role of IT in the business. ITG principles must emphasize the sharing and reuse of processes, systems, technologies, and data [Spremic, 2009]. Fink and Ploder [Fink, Ploder, 2008] say that principles may aim to provide an alignment between IT and business objectives. The application of principles demonstrates that governance and management are two separate subjects while ITG principles are based on common sense and goals [Othman et al., 2014].
For Weill and Ross [Weill, Ross, 2005], the principles are normative statements that claim how governance or steering should happen and in which direction. When they refer to direction, they have in mind how governance actors should exercise their powers in meeting objectives. Another researcher [Spremic, 2009] says that principles are associated with six basic issues: "responsibility, strategy, acquisition, performance, conformance, and human behavior" and five main principles ex-
ist in ITG: "continuous development, integration of key requirements, simplification, knowledge management, and assessment measures".
A governance framework is designed to suit an organization's goal or mission, size, context, people, and traditions and therefore must emphasize the evaluation of needs, directing decision-making and monitoring performance-based organization business objectives [Othman et al., 2014]. A good ITG framework helps manage IT controls [Kerr, Murthy, 2013], IT resources, and IT processes to achieve business-IT alignment [Higgins, Sinclair, 2008]. This framework must therefore be motivated by the content and context in which it is employed [Othman et al., 2014]. Frameworks should be used as a guide for the formation of domains, objectives, processes, information resources, and decision-making rights [Bernroider, Ivanov, 2011].
According to [Bernroider, Ivanov, 2011], an ITG framework is driven by IT objectives which play an
Table 5. References Аccording the Quality Criteria
Question Article
QC 1 [Garsoux, 2013; ISACA, 2013; De Haes, Van Grembergen, 2008; Kude et al., 2017; Higgins, Sinclair, 2008; Othman et al., 2014; Bernroider, Ivanov, 2011; Kerr, Murthy, 2013; Prasad et al., 2012; Bowen et al., 2007; Spremic, 2009; Bernroider, 2008; Tsoukas, Vladimirou, 2001; Heier et al., 2007; Tallon et al., 2013; Lockwood et al., 2010; Bin-Abbas, Bakry, 2014; Simonsson et al., 2010; Wu et al., 2015; Beyer, Nin, 1999; Heier et al., 2008; Simonsson, Ekstedt, 2006; Huygh et al., 2018; de Haes, van Grembergen, 2008; Fink, Ploder, 2008]
QC 2 [Garsoux, 2013; ISACA, 2013; de Haes, van Grembergen, 2008; Kude et al., 2017; Higgins, Sinclair, 2008; Bernroider, Ivanov, 2011; Kerr, Murthy, 2013; Prasad et al., 2012; Bowen et al., 2007; Spremic, 2009; Bernroider, 2008; Tsoukas, Vladimirou, 2001; Heier et al., 2007; Tallon et al., 2013; Lockwood et al., 2010; Bin-Abbas, Bakry, 2014; Simonsson et al., 2010; Beyer, Nin, 1999; Heier et al., 2008; Simon et al., 2007; Simonsson, Ekstedt, 2006; Huygh et al., 2018; de Haes, van Grembergen, 2008; Fink, Ploder, 2008]
QC 3 [Garsoux, 2013; ISACA, 2013; Cram et al., 2016; de Haes, van Grembergen, 2008; Kude et al., 2017; Higgins, Sinclair, 2008; Othman et al., 2014; Bernroider, Ivanov, 2011; Kerr, Murthy, 2013; Prasad et al., 2012; Bowen et al., 2007; Weill, Ross, 2005; Spremic, 2009; Bernroider, 2008; Tsoukas, Vladimirou, 2001; Heier et al., 2007; Huang et al., 2010; Tallon et al., 2013; Lockwood et al., 2010; Bin-Abbas, Bakry, 2014; Simonsson et al., 2010; Wu et al., 2015; Ali, Green, 2012; Beyer, Nin, 1999; Heier et al., 2008; Simon et al., 2007; Queiroz et al., 2018; Simonsson, Ekstedt, 2006; Huygh et al., 2018; de Haes, van Grembergen, 2008; Fink, Ploder, 2008]
Source: authors.
Table 6. Selection of Journals and Conferences
Journal & Conference References Classification
Information Systems [Cram et al., 2016; Kude et al., 2017] Ql
The Journal of Corporate Accounting & Finance [Higgins, Sinclair, 2008] Ql
International Journal of Disaster Risk Reduction [Othman et al., 2014] Ql
International Journal of Project Management [Bernroider, Ivanov, 2011] Ql
Information and Management [Kerr, Murthy, 2013; Ali, Green, 2012] Ql
European Journal of Information Systems [Prasad et al., 2012] Ql
Journal of Management Information Systems [Bowen et al., 2007] Ql
Society and Natural Resources [Weill, Ross, 2005] Ql
Computers in Human Behavior [Spremic, 2009] Ql
Information Systems Management [Bernroider, 2008; Simon et al., 2007] Q2
MIS Quaterly [Tsoukas, Vladimirou, 2001] Ql
Information Systems Frontiers [Heier et al., 2007] Ql
Journal of Management Inquiry [Huang et al., 2010] Ql
International Journal of Accounting Information Systems [Tallon et al., 2013; Lockwood et al., 2010] Q2
MIT Sloan Management Review [Bin-Abbas, Bakry, 2014] Ql
Corporate Governance [Simonsson et al., 2010] Ql
Journal of Management Studies [Wu et al., 2015] Ql
Hawaii International Conference on System Sciences [de Haes, van Grembergen, 2008; Beyer, Nin, 1999; Heier et al., 2008; Huygh et al., 2018; Fink, Ploder, 2008] A
Strategic Information Systems [Queiroz et al., 2018] Ql
Portland International Center for Management of Engineering and Technology Conference [Simonsson, Ekstedt, 2006] A
Communications of the Association for Information Systems [de Haes, van Grembergen, 2008] Q2
Source: authors.
Table 7. Reference Classification and Citations
References Citations Classification Count
[Ali, Green, 2012; Bernroider, Ivanov, 2011; Bin-Abbas, Bakry, 2014; Bowen et al., 2007; Cram et al., 2016; Heier et al., 2007; Huang et al., 2010; Kerr, Murthy, 2013; Kude et al., 2017; Higgins, Sinclair, 2008; Othman et al., 2014; Prasad et al., 2012; Queiroz et al., 2018; Spremic, 2009; Simonsson et al., 2010; Tsoukas, Vladimirou, 2001; Weill, Ross, 2005; Wu et al., 2015] 3507 Ql 18
[Bernroider, 2008; Lockwood et al., 2010; Tallon et al., 2013; Simon et al., 2007] 51б Q2 4
[Beyer, Nin, 1999; de Haes, van Grembergen, 2008; Fink, Ploder, 2008; Heier et al., 2008; Huygh et al., 2018; Simonsson, Ekstedt, 2006] 222 A б
None 0 B 0
Source: authors.
Table 8. References Selected for Each ITG Enabler
IT Governance Enablers References Total
Principles, Policies, and Frameworks [Bernroider, Ivanov, 2011; Bin-Abbas, Bakry, 2014; Bowen et al., 2007; Fink, Ploder, 2008; Garsoux, 2013; Kerr, Murthy, 2013; Kude et al., 2017; Lockwood et al., 2010; Higgins, Sinclair, 2008; Othman et al., 2014; Prasad et al., 2012; Spremic, 2009; Simonsson et al., 2010; Weill, Ross, 2005] 14
Processes [Bernroider, 2008; Cram et al., 2016; Garsoux, 2013; Kude et al., 2017; Higgins, Sinclair, 2008; Spremic, 2009; Tallon et al., 2013; Tsoukas, Vladimirou, 2001] 8
Culture, Ethics, and Behavior [Garsoux, 2013; Heier et al., 2007; Huang et al., 2010; ISACA, 2013; Higgins, Sinclair, 2008; Othman et al., 2014; Tallon et al., 2013; Tsoukas, Vladimirou, 2001] 8
Services, Infrastructure, and Applications [Beyer, Nin, 1999; Bin-Abbas, Bakry, 2014; Garsoux, 2013; Heier et al., 2008; ISACA, 2013; Simonsson et al., 2010; Wu et al., 2015] 7
People, Skills, and Competencies [Garsoux, 2013; Huygh et al., 2018; ISACA, 2013; Kude et al., 2017; Queiroz et al., 2018; Simon et al., 2007; Simonsson, Ekstedt, 2006] 7
Organizational Structures [de Haes, van Grembergen, 2008; Garsoux, 2013; Higgins, Sinclair, 2008; Tallon et al., 2013; Tsoukas, Vladimirou, 2001] 5
Information [Ali, Green, 2012; Garsoux, 2013; ISACA, 2013; Higgins, Sinclair, 2008] 4
Source: authors.
important role for the success of an IT project, but if an organization adopts frameworks without investing a substantial amount of time and resources to verify the validity of the constructs and dimensions, they may decrease the rate of success for the project. In the end, frameworks provide structures and metrics to measure the performance and control of the systems and provide information about the effectiveness and efficiency of management processes [Bernroider, Ivanov, 2011]. A framework should offer templates that can guide the people in designing ITG structures and processes, and they must rely upon industry practices and should not aim to explain antecedents or the implication of ITG [Kude et al., 2017]. Finally, policies in ITG provide direction, stability, control, flexibility, and business alignment [Lockwood et al., 2010].
Policy documents how information from the post-implementation review is passed on to decision makers while their feedback is essential for improving the business processes [Lockwood et al., 2010]. For [Prasad et al., 2012], policies must be put into place to guide the decision processes, while for [Bowen et al., 2007] policies are viewed as a means to produce mutually agreeable outcomes. Lockwood et al. [Lockwood et al., 2010] see policies as being used to implement specific applications and monitor the outcomes, since they provide a connection between corporate and business unit governance. According to [Simonsson et al., 2010], policies also provide a method to calculate the IT risk level, which must be defined to help high-level staff approve it.
Processes
Processes are defined as a collection of practices influenced by the organization's policies and procedures where inputs are taken, manipulated, and outputs produced [Cram et al., 2016] to achieve objectives [Garsoux, 2013] aimed at directing and controling an organization and helping it achieve its goals by adding value while balancing risks for IT and its processes [Higgins, Sinclair, 2008].
Another study [Kude et al., 2017] considers processes the "formalization and institutionalization of strategic IT decision-making or monitoring procedures", since processes clarify accountability, decision rights, and decision procedures to encourage desirable behaviors in the use of IT. Yet, Higgins and Sinclair [Higgins, Sinclair, 2008] argue that processes must be consistent across applications, so they can be reused and should employ technologies that can meet growth demands.
The COBIT framework is a continuous development process and it associates its governance directions with the basic needs and management requirements [Spremic, 2009]. Bernroider [Bernroider,
2008] points out that a process contains a few ITG maturity indicators, such as activities, documents, metrics, and support for role and responsibility assignment. Processes are referred to as formal processes of strategic decision making, planning, and monitoring to ensure that IT policies are consistent with business needs [Tsoukas, Vladimirou, 2001]. Processes are factors that can help determine an organization's distinctive competence and dynamic capabilities as well as the internal process coordination that may contribute to firm-level business value [Tallon et al., Ramirez, Short, 2013].
Organizational Structures
Organizational structures are the key decision-making entities at an organization [Garsoux, 2013] that contribute to a standout performance through IT-related capabilities improving the effectiveness and efficiency of the internal business processes [Tsoukas, Vladimirou, 2001]. The implementation of these structures enables business and IT people to execute their responsibilities regarding the business-IT alignment and produce desirable behaviors that support the organization's strategy and objectives [Tsoukas, Vladimirou, 2001; de Haes, van Grembergen, 2005].
ITG organizational structures provide a better platform for understanding and the effective use of the acquired IT resources, in addition they define the roles, responsibilities, and a set of IT-business committees such as IT steering committees and business strategy committees [Huang et al., 2010; Tsoukas, Vladimirou, 2001]. Organizational structures also contain formal structures and mechanisms to find and enable contacts between business and IT management functions [de Haes, van Grembergen, 2008]. Another study [Higgins, Sinclair, 2008] states that the organizational structures are forms of IT methods of governance to ensure that information flows well and establishes control objectives to promote business-IT strategy alignment. Such a statement is reinforced by [Tallon et al., 2013].
Culture, Ethics, and Behavior
The culture of individuals and organizations is very often underestimated as a success factor in governance and management activities [Garsoux, 2013]. It holds great preponderance in the individual dimensions of ITG mechanisms [Tsoukas, Vladimirou, 2001] and should support the transparency concerning risk and risk awareness [ISACA, 2013]. Culture can shape ITG decisions in the form of IT function [Bowen et al., 2007]. According to [Bowen et al., 2007], the level of IT knowledge found in a culture has great significance during the exchange of IT visions or ideas, it is influential in making key decision and promoting IT use at an organization.
Having a culture that is transparent and participative is an important focal point in an organization [ISACA, 2013]. Bowen, Cheung and Rohde [Bowen et al., 2007] also recommend that an IT culture should promote the strategic use of information to bring about the adoption of ITG at an organization. According to Huang et al. [Huang et al., 2010] managers should not consciously shape cultures, but rather must instill a culture of ethics focusing on goals and values.
The acceptance of governance by managers and workers will enable the identification of threats and reduce risk, which can be a critical success factor for the organization thus making the adoption of a risk culture an asset [Higgins, Sinclair, 2008]. Ethics refers to the concepts of "all the beliefs, values, rituals, and behavior patterns that people in an organization share" [Heier et al., 2007]. An organization that has a sustained pattern of ethical behavior engenders trust among employees and customers, which in turn leads to commitment, innovation, and business success in the long term [Huang et al., 2010].
Organizations should promote ethical practices and managers must have ethical convictions and behave ethically [Huang et al., 2010]. ITG tends to promote ethics or a culture of compliance within an organization to achieve a high level of governance effectiveness [Heier et al., 2007]. That top management has a sense of leadership when promoting ethical awareness to achieve compliance requirements inside the organization is essential [Heier et al., 2007]. The behavior may enhance the business-IT strategic alignment at an organization [Tsoukas, Vladimirou, 2001].
According to [Bowen et al., 2007], behavior can inhibit or undermine the adoption of ITG practices as organizations may first need to educate their employees. Behavior is an important component for improving the relationship between IT and business and it promotes and executes continuous improvement in business and IT activities [ISACA, 2013]. For [Tallon et al., 2013] behavior relates to the form of leadership that ensures that organization's IT sustains and extends its strategies and objectives. In that sense, ITG has the goal of encouraging a desirable use of IT within an organization [Kude et al., 2017].
Information
Information is a key resource for all organizations [Garsoux, 2013]. According to [Ali, Green, 2012] information is a flow of messages and is a context-based arrangement of items whereby relations between them are shown (e.g. the subject index of a book). Information is created, used, retained, disclosed, and destroyed, but it is pervasive through-
out any organization [Garsoux, 2013] (e.g.: deals with all information produced and used and information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the organization itself).
In the ITG field, information items are essential for improving the relationship between IT and business, for example: documented requirements, documented change requests, business expectations, satisfaction analysis, and information strategy [ISACA, 2013]. The authors [Higgins, Sinclair, 2008] state that in COBIT, extending information is a necessary step for investments in IT assets and procedures and should be used to evaluate the benefits of these assets. Further, they say that information should hold predictive or feedback value regarding the organization's goals. Information contributes to achieving overall organization objectives using the information at every level of the organization for instance, at operational, management, and governance levels [ISACA, 2013].
Services, Infrastructures, and Applications
Services include the infrastructure, technology and applications that provide the organization with IT processing [Garsoux, 2013]. According to [ISACA,
2013] services are relevant in overcoming the mismatch between IT and business. The organizations for [Simonsson et al., 2010] must actively identify the services where the customers need something and focus on planning and delivering those services to meet availability, performance, and security requirements.
IT infrastructure consists of hardware, software, databases, networks, and the people that perform operations within these layers [Higgins, Sinclair, 2008]. Infrastructure consists of coordinating and sharing IT services that provide the foundation of the organization's IT capability [Bin-Abbas, Bakry,
2014]. Infrastructure management is associated with maximizing return on computing assets and taking control of the infrastructure [Simonsson et al., 2010]. For [Higgins, Sinclair, 2008], an organization must have an IT infrastructure with capabilities of planning, security, and risk control together with ITG to encourage diligence in the management of information resources.
ITG infrastructure must transform the services into a very well-defined business output to facilitate the future business models [Wu et al., 2015]. To develop IT applications, there must be business application needs in place which are determined by the business requirements [Bin-Abbas, Bakry, 2014]. For [Beyer, Nin, 1999], the applications have an effect upon ITG processes because they create busi-
Table 9. ITG Enabler Definition
IT Governance Enablers Definition
Principles, Policies, and Frameworks Principles are a tool to obtain the best practices to help high-level management make better decisions according to the business strategy. The principles are intended to share processes, systems, technologies, and data between the people at an organization and help guide people in meetings or steering sessions to follow the correct path for meeting business objectives. A framework provides a focus upon management and control of IT and provides standards for the organization. It uses IT resources to manage the processes in order to achieve business goals. Also, it provides a link between the other enablers and is driven by the content and context. Policies provide direction, control, and business alignment for the organization and documents how information should be delivered and transmitted to decision makers. Also, they provide guidance for process decisions and a connection between corporate and business unit governance.
Processes Processes are a set of practices and activities to achieve objectives and they produce a set of outputs to support the achievement of IT goals. They direct and control an organization in the pursuit of business goals. The processes are used to monitor decision procedures and should be influenced by the policies and principles of the organization. Processes must verify whether or not IT policies meet business needs. They are also considered factors that help the organizations have dynamic capabilities and so achieve business value.
Organizational Structures The organizational structures are a basis for decision-making entities at an organization and they improve the effectiveness and efficiency of internal processes. The organizational structures must be aligned to the organization's strategy and objectives, they define the roles, responsibilities, and set the IT-business committees. They must ensure that information flows smoothly inside an organization.
Culture, Ethics, and Behavior Culture should establish a set of ideas and a vision to influence key decision-making and promote IT use. An organization should have a transparent and participative culture where one can promote the strategic use of the information to bring about the adoption of IT governance. Ethics are a set of concepts that include values, beliefs, and behavior patterns to increase the commitment, innovation, and business success of the organization. Ethics should promote good practices among the employees. Behavior enhances business-IT strategic alignment and the adoption of ITG practices at an organization. Behavior promotes and executes a continuous improvement of the business and encourages a desirable use of IT.
Information Information is created, used, retained, destroyed, and passed on by a flow of messages. Information contains value and is one of the important assets of a business. Information should be predictive and provide feedback value about an organization's goals.
Services, Infrastructure, and Applications Services include the infrastructure, technology, and applications that provide business value at an organization. They should focus on planning and delivering availability, performance, and security to customers. The infrastructure is all hardware, software, databases, networks, and the people that perform operations as part of these structures. Applications should meet business needs and they have the aim of enforcing ITG processes. Applications should focus on automation and digitization to deliver outcomes of strategic business value.
People, Skills, and Competencies People at an organization have their own role and responsibilities and they are responsible for creating business value given that ITG people are at the tactical or strategic level of an organization. Skills are the capabilities used to create value and play an important role for people. There is a link between people skills and competencies, where organizations tend to pick people with a mix of business-centric and technical skills and an entrepreneurial, adaptive, and agile mindset.
Source: authors.
ness value through IT and their responsibilities are often split between IT domains. A business application in ITG is deployed by an individual business unit and these ITG applications have the aim of enforcing the ITG processes [Beyer, Nin, 1999].
In ITG, the applications must offer automation and digitization. Further, they have an impact upon the operational processes and the outcomes of strategic business value [Beyer, Nin, 1999]. According to [Heier et al., 2008], the ITG applications offer monitoring features to ensure agreed-upon mechanisms are followed and the study suggests that ITG applications should be more investigated to decrease the rate of failure during implementation.
People, Skills and Competencies
People are required for the successful completion of an organization's activities, for making correct decisions, and taking corrective actions [Garsoux, 2013]. According to [Simonsson, Ekstedt, 2006], the people involved in ITG are included in the relational architecture (tactical or strategic level) of an organization where their roles and responsibilities are defined.
Nevertheless, people tend to receive less attention compared to processes and goals. Huygh et al. [Huygh et al., 2018] also add that IT people execute their responsibilities in support of the business-IT alignment and they are responsible for the creation
of business value. On the other hand, skills are necessary to improve the relationship between IT and business [ISACA, 2013]. Kude et al. [Kude et al., 2017] say that skills and capabilities are needed to make use of assets to create value. Moreover, Simon et al. [Simon et al., 2007] add that skills in IT are essential to meet the needs of the organization and are critical to retain in-house. That is why most organizations tend to choose people with a mix of business-centric and technical skills [Simon et al., 2007].
Finally, competencies tend to focus on the implementation success and use of ITG [Beyer, Nin, 1999]. According to [Queiroz et al., 2018], competencies in IT have an entrepreneurial, adaptive, and agility effect and they facilitate the relationship between agility and performance at an organization.
ITG Enabler Synthesis
To synthesize our findings regarding ITG enablers, Table 9 was built and presents a brief description of the definition of each enabler. It must be stated that this is not supposed to be a proposal of a formal definition for each ITG enabler, but a brief summarization of what the main literature understands about each ITG enabler. By doing so, the authors argue that this study adds some clarification about ITG enablers to the body of knowledge. This is something that was absent in the COBIT documentation and fairly improved in COBIT 2019 documentation.
Conclusion
This research presented a SLR regarding ITG en-ablers proposed by the COBIT framework. Along the SLR process, 28 high-quality articles were selected from scientific databases and analyzed. To improve the value of our research and the relevance of our findings, the concept-centric approach rec-
ommended by [Watson, Webster, 2002] was followed. From the analysis of the articles, several conclusions can be drawn:
• The enablers "processes, principles, frameworks, and policies" is the most investigated subject in the literature. This makes sense given that many researchers have focused their efforts on investigating and evolving the existing ITG frameworks as well as their possible variations within different organizational contexts.
• The enablers "people, skills, and competencies" and "information" are the least explored. Grounded on the fact that information is currently considered one of the main organizational assets and employees are one of the main sources of security breaches, this finding is worrisome.
• The body of knowledge about ITG is now enhanced by a more detailed description of each ITG enabler which may help future researchers and practitioners.
This study aimed to provide clarity about ITG en-ablers given the scarce information provided in the COBIT official documentation despite their relevance. The authors conclude that the research objective was achieved and ITG enablers are now easier to understand. During this study some limitations were uncovered that make it difficult for us provide stronger results, including the following: the lack of studies related to ITG enablers under the classification used for the study helped us draw the conclusion that this theme is not as often approached or talked about within the research community.
This identified research limitation also brought up the opportunity to start creating a basis for further research where our findings may help future researchers define their scope, problems, or even proposals in relation to ITG enablers.
References
Ali S., Green P. (2Q12) Effective information technology (IT) governance mechanisms: An IT outsourcing perspective. Information Systems Frontiers, vol. 14, no 2, pp. pp. 179-193. DOI: 10.1007Ы0796-009-9183-у.
Bernroider E.W.N. (2QQ8) IT governance for enterprise resource planning supported by the DeLone-McLean model of information systems success. Information and Management, vol. 45, no 5, pp. 257-2б9. DOI: 1Q.1Q16/j.im.2QQ7.11.QQ4.
Bernroider E.W.N., Ivanov M. (2Q11) IT project management control and the Control Objectives for IT and related Technology (CobiT) framework. International Journal of Project Management, vol. 29, no 3, pp. 325-33б. DOI: 10.1016/j'. ijproman.2010.03.002.
Beyer J.M., Niñ D.O. (1999) Ethics and cultures in international business. Journal of Management Inquiry, vol. 8, no 3, pp. 287-297. DOI: 10.1177/105б492б998300б.
Bin-Abbas H., Bakry S.H. (2014) Assessment of IT governance in organizations: A simple integrated approach. Computers in Human Behavior, vol. 32, pp. 261-267. DOI: 10.1016/j.chb.2013.12.019.
Bowen P.L., Cheung M.Y.D., Rohde F.H. (2007) Enhancing IT governance practices: A model and case study of an organization's efforts. International Journal of Accounting Information Systems, vol. 8, no 3, pp. 191-221. DOI: 10.1016/j.accinf.2007.07.002.
Cram W.A., Brohman M.K., Gallupe R.B. (2016) Hitting a moving target: A process model of information systems control change. Information Systems Journal, vol. 26, no 3, pp. 195-226. DOI: 10.1111/isj.12059.
Fink K., Ploder C. (2008) Decision support framework for the implementation of IT-governance. Proceedings of the 41th Annual Hawaii International Conference on System Sciences, Waikoloa, HI: IEEE, pp. 1-10. DOI: 10.1109/HICSS.2008.113.
Garsoux M. (2013) COBIT 5 ISACAs New Framework for IT Governance, Risk, Security and Auditing. An Overview (ISACA Whitepaper 39), Schaumburg, Illinois: ISACA.
de Haes S., van Grembergen W. (2005) IT Governance Structures, Processes and Relational Mechanisms: Achieving IT/ Business Alignment in a Major Belgian Financial Group. Proceedings of the 38th Hawaii International Conference on System Sciences, Waikoloa, HI: IEEE, pp. 1-10.
de Haes S., van Grembergen W. (2008) Analysing the relationship between IT governance and business/IT alignment maturity. Proceedings of the 41th Annual Hawaii International Conference on System Sciences, Waikoloa, HI: IEEE, pp. 1-10. DOI: 10.1109/HICSS.2008.66.
Hardin-Ramanan S., Chang V., Issa T. (2018) A Green Information Technology governance model for large Mauritian companies. Journal of Cleaner Production, no 198, pp. 488-497. DOI: 10.1016/j.jclepro.2018.07.047.
Heier H., Borgman H.P., Hofbauer T.H. (2008) Making the most of IT governance software: Understanding implementation processes. Proceedings of the 41th Hawaii International Conference on System Sciences, Waikoloa, HI: IEEE, pp. 1-11. DOI: 10.1109/HICSS.2008.239.
Heier H., Borgman H.P., Maistry M.G. (2007) Examining the relationship between IT governance software and business value of IT: Evidence from four case studies. Proceedings of the 40th Annual Hawaii International Conference on System Sciences, Waikoloa, HI: IEEE, pp. 1-11. DOI: 10.1109/HICSS.2007.216.
Higgins L., Sinclair D. (2008) A new look at IT governance. Journal of Corporate Accounting & Finance, vol. 19, no 5, pp. 31-36. DOI: 10.1002/jcaf.20415.
Huang R., Zmud R.W., Price R.L. (2010) Influencing the effectiveness of IT governance practices through steering committees and communication policies. European Journal of Information Systems, vol. 19, no 3, pp. 288-302. DOI: 10.1057/ejis.2010.16.
Huygh T., de Haes S., Joshi A., van Grembergen W. (2018) Answering Key Global IT Management Concerns Through IT Governance and Management Processes: A COBIT 5 View. Proceedings of the 51st Hawaii International Conference on System Sciences, vol. 9, Waikoloa, HI: IEEE, pp. 5335-5344.
ISACA (2013) COBIT5: Enabling Information, Schaumburg, Illinois: ISACA.
ISACA (2018) COBIT2019 Framework: Introduction and Methodology, Schaumburg, Illinois: ISACA.
Joshi A., Bollen L., Hassink H., de Haes S., van Grembergen W. (2018) Explaining IT governance disclosure through the constructs of IT governance maturity and IT strategic role. Information and Management, vol. 55, no 3, pp. 368-380. DOI: 10.1016/j.im.2017.09.003.
Kerr D.S., Murthy U.S. (2013) The importance of the CobiT framework IT processes for effective internal control over financial reporting in organizations: An international survey. Information and Management, vol. 50, no 7, pp. 590-597. DOI: 10.1016/j.im.2013.07.012.
Kitchenham B. (2004) Procedures for performing systematic reviews, Keele, UK: Keele University.
Kude T., Lazic M., Heinzl A., Neff A. (2017) Achieving IT-based synergies through regulation-oriented and consensus-oriented IT governance capabilities. Information Systems Journal, vol. 28, no 2, pp. 1-31. DOI: 10.1111/isj.12159.
Lockwood M., Davidson J., Curtis A., Stratford E. (2010) Governance principles for natural resource management. Society and Natural Resources, vol. 23, no 10, pp. 986-1001. DOI: 10.1080/08941920802178214.
Okoli C., Schabram K. (2010) A Guide to Conducting a Systematic Literature Review of Information Systems Research. Sprouts: Working Papers on Information Systems, vol. 10, no 26, pp. 1-51. DOI: 10.2139/ssrn.1954824.
Othman M. Nazir-Ahmad M., Suliman A., Arshad N.H., Maidin S.S. (2014) COBIT principles to govern flood management. International Journal of Disaster Risk Reduction, vol. 9, pp. 212-223. DOI: 10.1016/j.ijdrr.2014.05.012.
Prasad A., Green P., Heales J. (2012) On IT governance structures and their effectiveness in collaborative organizational structures. International Journal of Accounting Information Systems, vol. 13, no 3, pp. 199-220. DOI: 10.1016/j.accinf.2012.06.005.
Queiroz M., Tallon P.P., Sharma R., Coltman T. (2018) The role of IT application orchestration capability in improving agility and performance. Journal of Strategic Information Systems, vol. 27, no 1, pp. 4-21. DOI: 10.1016/j.jsis.2017.10.002.
Selig G.J. (2018) IT Governance - An Integrated Framework and Roadmap for Planning, Deploying & Sustaining for Competitive Advantage. Paper presented at the 2018 PICMET Conference "Managing Technological Entrepreneurship: The Engine for Economic Growth", Honolulu, Hawaii, USA.