A critical look at an IT governance framework, the COBIT case

(2025)
Author
Promoter
(UGent) , (UGent) and Steven De Haes
Organization
Abstract
The starting point of our research was the somewhat contradictory observation that in today’s society—highly dependent on Information and Technology (IT)—small and large IT-related problems continue to occur daily, despite the existence of numerous IT governance and management frameworks. Outages, security incidents, and failed projects remain widespread, even though many ‘good practices’ are described in these standards and frameworks. This led us to suspect that these frameworks and so-called ‘good practices’ are either not genuinely good, or they are not being properly practised. To explore this further, we selected one such framework—COBIT (Control Objectives for Information & Related Technology), developed by ISACA (Information Systems Audit and Control Association)—and subjected it to closer investigation. Our focus was primarily on the intrinsic quality of the framework: in other words, are the ‘good practices’ it promotes actually sound? This focus was partly inspired by calls from academic IT governance specialists for more research into the quality of COBIT as an artefact itself, as well as by the observation that very little such research has been conducted over the past 15 years. The first problem we faced in studying COBIT was that, in its current form, it is barely researchable—certainly not in a scientifically structured way. COBIT consists of various publications totalling over a thousand pages, without a clear and accessible model. Our first task, therefore, was to distil the key concepts from the COBIT publications and describe the relationships between those concepts in a clear and concise UML diagram. We developed this conceptual model for both COBIT 5 (the version in use when our research began) and COBIT 2019 (the version released during our study in 2018). This conceptual model made COBIT researchable, representing a first major contribution of our work. 
It also enabled us to construct a well-structured research agenda for COBIT, which should help facilitate and encourage further academic study. In a next step in our research into the intrinsic quality of COBIT we compared the COBIT conceptual model with a selection of other widely used Information Systems theories, in order to identify potential improvements to COBIT. This comparison with seven other theories yielded a significant number of suggestions for improving COBIT, all of which were incorporated into the research agenda and in a proposed conceptual model for a potential future COBIT version. Subsequently, we investigated a (small) selection of topics from the research agenda. This produced mixed results. A prioritization mechanism from COBIT 5 proved inadequate; a new concept—design factors—from COBIT 2019 was found to be sound. But the most significant finding was that the performance measurement system in COBIT was inconsistent with its own design principles. According to COBIT, an IT Governance System consists of a holistic set of interrelated components, including processes, structures, information, procedures, and more. However, the performance measurement system only evaluated the performance of processes, ignoring the other components of the governance system. In the most substantial part of our research, we then addressed this gap by designing a maturity model for organisational structures, a reference model for information quality, and a maturity model for information quality. These models were developed using the Design Science methodology, involving iterative refinement through expert panels. We then complemented these artefacts with a set of reflections on how, based on the method used, the remaining missing components of a holistic measurement system might be designed. Additionally, we created a prototype tool to support the practical application of the artefacts we developed. 
In a final chapter, we reflected on the nature of COBIT itself—specifically, whether COBIT can be considered an Information Systems theory according to Shirley Gregor’s criteria for Information Systems theories. Our conclusion is that it can indeed be regarded as such, which should elevate the status of COBIT and serve as an encouragement for further and deeper academic inquiry.

Downloads

  • (...).pdf
    • full text (Published version) | UGent only (changes to open access on 2030-07-01) | PDF | 30.97 MB

Citation

MLA
Steuperaert, Dirk. A Critical Look at an IT Governance Framework, the COBIT Case. Ghent University. Faculty of Economics and Business Administration ; University of Antwerp. Faculty of Business and Economics, 2025.
APA
Steuperaert, D. (2025). A critical look at an IT governance framework, the COBIT case. Ghent University. Faculty of Economics and Business Administration ; University of Antwerp. Faculty of Business and Economics, Ghent, Belgium ; Antwerp, Belgium.
Chicago author-date
Steuperaert, Dirk. 2025. “A Critical Look at an IT Governance Framework, the COBIT Case.” Ghent, Belgium ; Antwerp, Belgium: Ghent University. Faculty of Economics and Business Administration ; University of Antwerp. Faculty of Business and Economics.
Vancouver
1. Steuperaert D. A critical look at an IT governance framework, the COBIT case. [Ghent, Belgium ; Antwerp, Belgium]: Ghent University. Faculty of Economics and Business Administration ; University of Antwerp. Faculty of Business and Economics; 2025.
IEEE
[1] D. Steuperaert, “A critical look at an IT governance framework, the COBIT case,” Ghent University. Faculty of Economics and Business Administration ; University of Antwerp. Faculty of Business and Economics, Ghent, Belgium ; Antwerp, Belgium, 2025.
@phdthesis{01JZ58E9948MH1XZTGN3A5B6NY,
  author       = {{Steuperaert, Dirk}},
  language     = {{eng}},
  pages        = {{XXII, 398}},
  publisher    = {{Ghent University. Faculty of Economics and Business Administration ; University of Antwerp. Faculty of Business and Economics}},
  school       = {{Ghent University}},
  title        = {{A critical look at an IT governance framework, the COBIT case}},
  year         = {{2025}},
}