IT Governance Global Status Report—Excerpt

The following is an excerpt from IT Governance Global Status Report. IT Governance Global Status Report is based on a PricewaterhouseCoopers-conducted market research survey, commissioned by the IT Governance Institute® (ITGI), to gain a better understanding of the IT governance global marketplace, and the opportunities it might contain for the ITGI.

The Full Report

The full report of the results of this IT governance survey is available for purchase from the Information Systems Audit and Control Association® (ISACA®) Bookstore (www.isaca.org/bookstore). The report contains:

• An explanation of the methodology used to conduct the survey
• The survey results
• An examination of COBIT® and other international IT governance frameworks, standards and sets of best practice
• Demographic and other survey information
• References used in preparing the report
• A discussion of IT governance and the US Sarbanes-Oxley legislation

A list of the questions asked in the survey (minus the demographic questions) follows.

3.3.1 Thinking about your overall strategy/vision, how important do you consider IT to be to the delivery of this strategy/vision?
3.3.2 Do you see IT mainly as a means for gaining competitive advantage (i.e., a strategic tool), or do you see it more as a commodity that needs to be managed in the most efficient manner?
3.3.3 How frequently is IT included on your organisation's board agenda?
3.3.4 Which of the following problems have you experienced with IT in the last 12 months?
3.3.5 How important do you feel it will be to address this problem in the next 12 months?
3.3.6 What organisations are you aware of that provide or implement solutions to these IT problems (in terms of frameworks and generic governance models)?
3.3.7 How would you rate...with regard to its expertise in IT governance solutions/frameworks?
3.3.8 How would you rate...with regard to its ability to implement IT governance solutions/frameworks?
3.3.9 Have you implemented, are you in the process of implementing or are you considering implementing an IT governance solution/framework?
3.3.10 Have you implemented, are you in the process of implementing or are you considering implementing other measures in order to improve...?
3.3.11 If you have implemented, are in the process of implementing or are considering implementing an IT governance solution, what solutions/frameworks did/do you use or are you considering using?
3.3.12 Which of the following areas do you hope to address using your selected IT governance framework(s)?
3.3.13 At what stage of IT governance implementation are you?
3.3.14 If you are not considering implementation of an IT governance solution, why not?
3.3.15 Are you personally aware of the existence and contents of COBIT?
3.3.16 Is your organisation aware of the existence and contents of COBIT?
3.3.17 If your organisation is aware of COBIT, does the organisation currently use COBIT?
3.3.18 If your organisation is using COBIT, which parts of COBIT does the organisation use?
3.3.19 If you or your organisation uses COBIT, how satisfied are you with the parts you or your organisation uses?
3.3.20 If you or your organisation uses COBIT, how difficult is it to implement the COBIT framework?
3.3.21 What enhancements do you feel could be made to the COBIT framework to improve implementation?
3.3.22 If you or your organisation uses COBIT, how satisfied are you with the COBIT framework with regard to IT governance?
3.3.23 If neither you nor your organisation uses COBIT, are you aware of COBIT as an IT governance solution/framework?
3.3.24 Are there other issues related to IT governance of which you would like to make us aware?
3.3.25 Amongst those enterprises that are not considering the implementation of an IT governance solution (question 3.3.9), how many are familiar with COBIT (questions 3.3.15 and 3.3.16)?

IT Governance Global Status Report

IT Governance Institute®

The IT Governance Institute (ITGI) strives to assist enterprise leaders in their responsibility to make IT successful in supporting their enterprise’s mission and goals. ITGI’s goals are to raise awareness and understanding amongst, and provide guidance and tools to, boards of directors, executive management and chief information officers (CIOs) such that they are able to ensure within their enterprises that IT meets and exceeds expectations, and its risks are mitigated.

Information Systems Audit and Control Association®

The Information Systems Audit and Control Association (ISACA®) is an international professional, technical and educational organisation dedicated to being a recognised global leader in IT governance, control and assurance. With members in more than 100 countries, ISACA is uniquely positioned to fulfil the role of a central harmonising source of IT control practice standards the world over. Its strategic alliances with other organisations in the financial, accounting, auditing and IT professions ensure an unparalleled level of integration and commitment by business process owners.

Disclaimer

The IT Governance Institute, Information Systems Audit and Control Association and the authors of IT Governance Global Status Report have designed this product primarily as an educational resource for boards of directors, executive management and information technology control professionals. The IT Governance Institute, Information Systems Audit and Control Association and authors make no claim that use of this product will assure a successful outcome. This product should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

Disclosure

Copyright © 2004 by the IT Governance Institute. Reproduction of selections of this publication for academic use is permitted and must include full attribution of the material’s source. Reproduction or storage in any form for commercial purpose is not permitted without ITGI’s prior written permission. No other right or permission is granted with respect to this work. All rights reserved.

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: [email protected]
Web sites: www.itgi.org and www.isaca.org

ISBN 1-893209-32-6
IT Governance Global Status Report
Printed in the United States of America

IT Governance Global Status Report

Acknowledgements

The IT Governance Institute wishes to recognise:

The PricewaterhouseCoopers Research Team, for its leadership of the project
Floris Ampe, CISA, CIA, Belgium
Dirk Steuperaert, CISA, Belgium
Pieter Van Den Bulck, Belgium
Jill Hassan, Northern Ireland, UK
Claire Peacocke, Northern Ireland, UK
Geraldine O’Connor, Northern Ireland, UK
Christopher Fox, USA
Ton Dohmen, CISA, RE, The Netherlands

The ITGI Steering Committee, for its guidance on the project
Tony Hayes, Queensland Government, Australia, Co-chair
John W. Lainhart IV, CISA, CISM, IBM Business Consulting Services, USA, Co-chair
Georges Ataya, CISA, CISM, Solvay Business School, Belgium
Reynaldo de la Fuente, CISA, CISM, Datasec, Uruguay
Rupert Dodds, CISA, CISM, CA, FCA, KPMG, New Zealand
Christophe Legrenzi, CISA, Acadys France SA, France
Akira Matsuo, CISA, CPA, ChuoAoyama PricewaterhouseCoopers, Japan
Serge Yablonsky, CISA, CPA, SYC SA, France
Tom Wong, CISA, CIA, CMA, Ernst & Young LLP, Canada
Erik Guldentops, CISA, CISM, Belgium, Advisor

The ITGI Structure Task Force, for its oversight of the project
Everett C. Johnson, CPA, Deloitte & Touche LLP, USA
Georges Ataya, CISA, CISM, Solvay Business School, Belgium
Akira Matsuo, CISA, CPA, ChuoAoyama PricewaterhouseCoopers, Japan
Eddy Schuermans, CISA, PricewaterhouseCoopers LLP, Belgium
Serge Yablonsky, CISA, CPA, SYC SA, France
Tony Hayes, Queensland Government, Australia, ex officio
John W. Lainhart IV, CISA, CISM, IBM Business Consulting Services, USA, ex officio

The 2003-2004 Board of Trustees, for its support of the project
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General’s Office, Singapore, Vice President
Ricardo J. Bria, CISA, SAFE Consulting Group, Argentina, Vice President
Everett C. Johnson, CPA, Deloitte & Touche LLP, USA, Vice President
Dean R.E. Kingsley, CISA, CISM, CA, Deloitte Touche Tohmatsu, Australia, Vice President
Eddy Schuermans, CISA, PricewaterhouseCoopers LLP, Belgium, Vice President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Paul A. Williams, FCA, MBCS, Paul Williams Consulting, UK, Past International President
Emil G. D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi, USA, Trustee
Ronald Saull, CSP, The Great-West Life Assurance Company, Canada, Trustee
Erik Guldentops, CISA, CISM, Belgium, Advisor


1. Executive Overview

In 2003, the IT Governance Institute (ITGI) issued a request for proposal for the purpose of conducting research into the IT governance environment and marketplace. The motivation for the research was the recent establishment of the ITGI as a stand-alone entity. Having created the entity, the ITGI Board of Trustees was eager to learn more about the environment in which the organisation would be working: how IT governance is perceived, whether the need for it is recognised, how the concept itself is recognised, and which tools or frameworks are considered leaders in the field.

The ITGI has identified several targeted audiences for its deliverables: chief executive officers (CEOs), chief information officers (CIOs), chief operating officers (COOs), chief financial officers (CFOs), chief technical officers (CTOs), board members, IT management and practitioners. However, the research was targeted to reach members of the C-suite to determine their sense of priority about IT governance and their needs for tools and services to help assure effective governance. This high-level objective was translated into the following detailed objectives for the project:

1. Survey and analyse the degree to which the concept of IT governance is recognised, established and accepted within the boardrooms and especially with the CIO.
2. Research which tools and frameworks would be adopted, in cases where IT governance is accepted, and determine the sources to which organisations will look for expertise and services in this domain.

PricewaterhouseCoopers Brussels was selected to conduct the research. A first step was to come to an agreement on a definition of IT governance. Referring to many publications on this subject, most notably ITGI’s own Board Briefing on IT Governance (now in its second edition), a definition can be summarised very briefly: it is a board or senior management responsibility in relation to IT to ensure that:

• IT is aligned with the business strategy, or in other words, IT delivers the functionality and services in line with the organisation’s needs, so the organisation can do what it wants to do.
• IT and new technologies enable the organisation to do new things that were never possible before.
• IT-related services and functionality are delivered at the maximum economical value or in the most efficient manner. In other words, resources are used responsibly.
• All risks related to IT are known and managed and IT resources are secured.

Moving onward from this definition, there was consensus that IT governance is valuable, and ITGI has the right tools to handle it. And although IT governance includes things already known and practised, it was believed that the combination of the concept of governance, the concept of alignment and the known control framework is indeed the right solution and unique in its kind.

A sample of more than 7,000 respondents[1] was developed for the research, to achieve the required number of completed interviews. In defining the sample, attention was paid to a representative distribution according to geography, size of organisation, industry sector and job function of the respondent. To boost responses amongst COBIT®[2] users, an additional database of COBIT purchasers was used. These respondents were used for questions relating to COBIT use. To keep the study unbiased, these respondents were not included in the general sample, unless otherwise mentioned.

The PricewaterhouseCoopers International Survey Unit conducted interviews with 335 CEO-/CIO-level persons throughout the world. Of those, 276 interviews were conducted from the random sample of companies and 59 from the COBIT purchasers database. Each interview was conducted in the native language of the interviewee. Typically, each interview took between 15 and 30 minutes. The interviews were carried out under the Market Research Society and Marketing Research Association codes of conduct that guarantee complete anonymity. None of the information obtained in the interviews was attributed to any individual and all comments were treated in the strictest confidence.

[1] The sample was based on a number of commercial databases of worldwide companies.
[2] Control Objectives for Information and related Technology, published by IT Governance Institute, now in its third edition.

In addition to the survey, desk research was conducted that examined the ITGI and COBIT in relation to other organisations in the marketplace. The major findings and messages from the survey and research project can be summarised in nine points.

1. More than 93 percent of business leaders recognise that IT is important for delivering the organisation’s strategy.
There is worldwide consensus about the importance of IT for delivering the overall strategy of the organisation, and this is observed across most industries (IT/telecom, financial services, manufacturing and public sector—average 93 percent). Somewhat paradoxically, general management perceives the importance of IT for the delivery of overall strategy slightly higher than does IT management.

2. Organisations are suffering from IT operational problems.
Only 7 percent of the respondents experienced no IT problems at all in the previous year. Operational failures and incidents and an inadequate view on how IT is performing are experienced most often, and are mentioned by approximately 40 percent of all respondents.

3. CIOs recognise the need for better governance over IT.
A substantial portion of the IT community (75 percent) is aware of the fact that IT has issues that must be resolved. Surprisingly, an even more substantial part of that community (more than 80 percent) recognises that IT governance or some (partial) form thereof is required to resolve these issues. This is where the importance of a definition for IT governance comes into play. When asked if they intend to do or plan IT governance measures, only 40 percent replied in the affirmative. However, when they were asked more precise and detailed questions about specific practices, many more replied positively. In other words, they actually do perform these practices the ITGI considers IT governance—they just do not characterise them by that name.

4. IT governance frameworks are used to align IT strategy and manage IT operational risks.
IT governance solutions/frameworks are used mostly for aligning the IT strategy with the overall organisation strategy (57 percent) and to manage IT operational risks (53 percent). To that extent, however, it should be mentioned that solutions in this domain are not yet readily available. When looking at the IT governance frameworks known or used, there is no clear winner; internal solutions or specific vendor solutions are most frequently mentioned, followed by ISO9000 and COBIT.

5. Good IT governance helps organisations provide IT value and manage IT risks. COBIT is the preferred way to implement effective IT governance.
Process models such as COBIT can substantially help in the realisation of effective value and risk management. One of the questions that challenge CIOs—are IT operations running as smoothly, reliably and cost-effectively as possible?—can therefore be addressed in large part by a process model like COBIT. COBIT is perceived to be a valuable framework for IT governance by those who are familiar with it (89 percent report themselves very or quite satisfied). Compared to many other organisations, ISACA and ITGI rank highly in perception of experience and implementation ability.

6. Whilst COBIT users may not yet be highly numerous, they are very satisfied.
Approximately 18 percent of the responding organisations are aware of COBIT. From a regional perspective, COBIT is least known in North America. Looking at size and industry sector, very large organisations and organisations in the financial industry are especially aware of COBIT. Almost 30 percent of the organisations that are aware of COBIT are using it, resulting in an overall rate of 5 percent of all organisations using COBIT. Appreciation of most ITGI/ISACA deliverables is very high (between 73 percent and 91 percent indicate they are very or quite satisfied users). Forty-three percent of COBIT users find it easy to implement, whereas 25 percent find this task somewhat difficult.


7. There is little separation amongst those perceived as top providers of expertise and implementation ability.
Large IT consultancy firms and ISACA (COBIT) received the highest ranking in regard to their expertise in IT governance (3.8 out of 5), but Gartner, the Big 4 accounting firms, local professional organisations and ITGI are only a few tenths of a point behind. In rating implementation ability (as opposed to expertise), the respondents placed large IT and consultancy firms at the top of the heap (3.7 out of 5), but ISACA (COBIT), the Big 4 accounting firms, and local professional organisations were clustered close behind. In summary, there are no clear winners (yet) in the IT governance area. In fact, an amazing one-quarter of respondents do not know of any IT governance provider to assist them.
