IT Governance – A Quest for Theoretical Underpinnings of Cobit 5

COBIT, as an IT Governance framework is very well known in IS practitioners communities. It would impair the virtues of COBIT to present it only as an IT Governance framework. COBIT and certainly the most recent version COBIT 5 is so much more. COBIT analyses the complete IS function and offers normative support to manage, govern and audit IT in organizations.  However, like most practitioners frameworks and guidelines, critics rises from academic communities pointing at the absence of any theoretical foundation on which COBIT is built on. Here, I give a sneak preview of my current research on IT Governance. This work will be presented in some conference proceedings and also in a journal paper. For now, I would like to catch some comments on the ideas and concepts used in the current research project.

Together with some of my students, I conducted a research project on the theoretical underpinnings of COBIT 5. This may sound a bit awkward, but in IT, academics often lag behind practitioners. The latter cannot always wait for good normative theories to build IT artefact’s. So to say, we implemented a reverse engineering work and try to elucidate as much as possible propositions from COBIT as an empiricism. We followed a qualitative research method to develop an inductively derived theoretical framework. However our approach differs from the originally work on grounded theory by Glaser and Strauss since we have a general idea of where to begin and we make a conceptual descriptions of the empirical statements in COBIT (Glaser et al. 1967). So our data was only restructured to reveal theoretical findings.

First we looked for three theories that could be candidates for underpinning COBIT v5.0: Stakeholder Theory (ST), Principal Agent Theory (PAT) and Technology Acceptance Model (TAM).  These three theories were then classified and spelled out according the scheme of Gregor (Gregor 2006). So from each theory, several testable propositions were deduced. To keep the work controllable, we considered five processes (APO13, BAI06, DSS05, MEA03 en EDM03) and four IT goals (IT01, IT07, IT10 and IT16) from COBIT 5  (ISACA 2012).  The choice of the processes and IT goals are done according to an experienced knowledge of COBIT as well of the theories. The selected theories on the other hand are more than often used in IS research. Then we constructed a mapping table to find matching patterns. The mapping was done separately by several individuals to increase the internal validity.

We can made the following preliminary conclusions.

Although COBIT 5 was not designed in a more academic design science research arrangement, a positive match with theoretical propositions could be found, albeit reversed engineered. The theoretical foundations are there, but certainly not all empirical propositions could be mapped to theoretical ones. It is therefore very difficult to tell which of the three tested theories makes the largest contribution to COBIT. It looks as PAT and ST contributes the most. This is also due to the fact that PAT and ST are clearly other types of theories than TAM. PAT and ST are more explanatory theories while TAM is a more predictive theory. However we still have some work to do to refine the restructuring of COBIT to reveal more ‘atomic’ propositions to perform a more intense mapping.

The mapping was done for the selected processes as well as for some selected IT goals.  We could see that the presence and contribution of a theory is significantly constitute by IT goals as compared to the processes.  So the formulation of IT goals in the framework is a very important practice, that can differ largely on the implicit theoretical assumptions the author(s) took by designing COBIT 5. Since these theoretical assumptions are not well identified, we believe that other IT goals could also contribute the framework.

We can also make some suggestions for further research.

First of all, the work has to be extended to all COBIT 5 processes and IT goals. This effort is currently going on.  We can of course ask ourselves, what other theories could be considered as candidates for this theoretical reverse engineering labor? During our work we listed already some theories with good potential (e.g. Resource Based Theory,  Transaction Economic Theory, Structuration Theory…).

The pattern matching process can be refined by bringing in other assessment models based on maturity models.  An alternative and more theoretic framework could be designed by using design science research methods and starting with the most relevant IS theories. That could lead to an IT artifact that eventually could be reconciled with COBIT 5.

jan devos

Glaser, B., and Strauss, A. 1967. The Discovery of Grounded Theory: Strategies for Qualitative Research, Aldine Transactions: Chicago.

Gregor, S. 2006. “The nature of theory in information systems,” Mis Quarterly (30:3) Sep, pp 611-642.

ISACA 2012. COBIT 5 – A Business Framework for the Governance and Management of Enterprise IT, ISACA: Rolling Meadows, IL, USA.


About jangdevos
I'm an IT/IS professor, a late Baby Boomer, married with Ann and father of Hélène and Willem, a Stones fan and interested in almost everything. I work at the UGent (campus Kortrijk), Belgium. My research domain are: IT Governance in SMEs, IT/IS Security, IT Management, IT Project Management, IT Trends and IT/IS failures.

One Response to IT Governance – A Quest for Theoretical Underpinnings of Cobit 5

  1. Peter Hill says:

    COBIT 5 is not just a governance framework. In fact, COBIT is primarily a process model which has evolved towards being considered a governance framework. COBIT 5 also includes a management system.

    I am surprised that it is assumed that academics think there is no theoretical model on which COBIT is based. You should look at the Principles of Scientific Management, Total Quality Management and ISO 9001.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: