Article
Publication date: 6 April 2012

Alastair Walker, Tom McBride, Gerhard Basson and Robert Oakley

Abstract

Purpose

The assessment of COBIT process maturity levels is fraught with a number of problems regarding the objectivity of the assessment results. Unlike ISO/IEC 15504, COBIT does not define an assessment model. The purpose of this paper is to align the behavioural aspects of the six COBIT process attributes with achievement results defined for the nine process attributes associated with the ISO/IEC 15504-2 measurement scale. The authors believe that this alignment permits a translation of the ISO/IEC 15504 assessment data into an objective COBIT process maturity rating.

Design/methodology/approach

The tables presented in the paper identify the COBIT process attributes, the applicable ISO/IEC 15504 process attribute achievement results and the aggregated rating that pertains to the selected achievement results. A final table lists the derived COBIT process maturity level in terms of the ratings for the ISO/IEC 15504 process attribute achievement results for an assessed process.

Findings

The objectivity of the aggregated result (COBIT process maturity level) appeals strongly to end-users of this measurement result, particularly where contractual obligations must be satisfied.

Practical implications

The method is useful where measurement rigour must be demonstrated in the computation of the COBIT process maturity levels.

Originality/value

This assessment and computational method was developed and trialled in the second half of 2010 in the context of the assessment of 13 information technology (IT) service management processes at two different customer sites. The material is of special value to service managers in companies that have outsourced IT service management processes to external IT service providers.

Details

Benchmarking: An International Journal, vol. 19 no. 2
Type: Research Article
ISSN: 1463-5771

Article
Publication date: 13 July 2012

Vandana Pramod, Jinghua Li and Ping Gao

Abstract

Purpose

The purpose of this paper is to form a new framework for preventing money laundering by mapping COBIT (Control for Information and Related Technology) processes to COSO (Committee of Sponsoring Organisation) components.

Design/methodology/approach

First, a new framework for preventing money laundering in banks is formed by mapping COBIT to COSO. Further, the potential of the mapped framework to comply with the Bank Secrecy Act requirements is analysed.

Findings

The mapped framework effectively supports all the activities of financial sectors through defining efficient information technology-based processes and control methods. Information systems play a key role for financial sectors in producing financial statements, managing customer databases, detecting frauds, etc.

Research limitations/implications

Case studies of banks of different sizes, and in different countries are needed. It is necessary to improve the mapped framework by considering Basel III regulations.

Practical implications

The COBIT-mapped COSO framework is useful for banks to fight money laundering. While adopting the new framework, an organisation should apply the best practices that suit its operations rather than all the control objectives.

Social implications

The new framework can help banks fight money laundering.

Originality/value

For preventing money laundering through banks, a number of policies and intelligence systems are in place. However, there is no efficient framework that could guide banks to follow these policies and use information technologies. This paper proposes a new framework to target these gaps.

Details

Information Management & Computer Security, vol. 20 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 27 May 2014

Michele Rubino and Filippo Vitolla

Abstract

Purpose

The purpose of this paper is to illustrate how information technology (IT) governance supports the process of enterprise risk management (ERM). In particular, the paper illustrates how the Control Objectives for Information and related Technology (COBIT) framework helps a company reach its objectives by integrating and supporting the Enterprise Risk Management by the Committee of Sponsoring Organizations (COSO ERM) framework.

Design/methodology/approach

This paper explains how the integration between the two frameworks (COSO ERM and COBIT 5) can represent, for any organization, a good way to achieve the objectives of internal control and risk management and, more generally, corporate governance.

Findings

The paper identifies some gaps in the COSO ERM and illustrates how the COBIT framework facilitates the implementation of an adequate system of internal control.

Originality/value

The originality of the work presented here is in analyzing COBIT 5 together with the COSO ERM framework. This paper highlights that it is not enough to apply only an internal control framework to achieve the risk management and internal control system objectives. An IT governance framework, such as COBIT 5, is proposed as a tool that supports risk management in order to develop an adequate system of internal control.

Details

Corporate Governance, vol. 14 no. 3
Type: Research Article
ISSN: 1472-0701

Details

Strategic Information System Agility: From Theory to Practices
Type: Book
ISBN: 978-1-80043-811-8

Article
Publication date: 20 March 2017

Michele Rubino, Filippo Vitolla and Antonello Garzoni

Abstract

Purpose

The purpose of this paper is to analyze how an IT governance framework [Control Objectives for Information and related Technology (COBIT)] influences the control environment and the internal control system. In particular, it aims to illustrate how COBIT's structure and processes impact the seven categories of factors that compose the control environment.

Design/methodology/approach

This paper aims to highlight how an IT governance framework, with its processes, enables improvement of the assessment and implementation of the control environment.

Findings

The analysis indicates that the implementation of the COBIT framework provides some indications for managers and auditors who must implement or assess an internal control system.

Practical implications

The adoption of the framework allows managers to focus effectively on integrating, aligning and linking processes. This improves the understanding of the key aspects connected to the control environment. In addition, the adoption of the framework allows overcoming some limitations regarding the Committee of Sponsoring Organizations framework.

Originality/value

This paper addresses an area of relevance to both practitioners and academics. This analysis focuses on Accounting Information Systems themes and, through the examination of an IT governance framework, suggests solutions and tools that can help managers and auditors to address the control environment assessment.

Details

Records Management Journal, vol. 27 no. 1
Type: Research Article
ISSN: 0956-5698

Article
Publication date: 11 October 2011

Hussain M. Alfaraj and Shaowen Qin

Abstract

Purpose

The use of capability maturity model integration (CMMI) on its own can be problematic for the organisation because it does not provide a roadmap to implementation or identification of key process improvement areas, but instead only provides the goals for each level of implementation. Addition of another framework such as control objectives for information and related technology (CoBIT) can add the required operational data, but poses some unique challenges for implementation. However, the integration of Information Technology Infrastructure Library (ITIL), CoBIT, and ISO/IEC 22007 provides a roadmap to the integration of CMMI and CoBIT. The purpose of this paper is to discuss this co-implementation and integration of the two frameworks, as well as the underlying framework of a new proposed integration model.

Design/methodology/approach

A literature review approach is used to address issues that have evolved from the empirical literature regarding the integration of CMMI and ITIL with other standards and determining whether this approach can be applied to the integration of CMMI and CoBIT as well. This literature review also provides insight into roadblocks to the implementation and structural improvements for CMMI.

Findings

The literature review demonstrated that the integration of CMMI and CoBIT could potentially be performed using the same techniques used in integrating ITIL and CoBIT, which provides a valuable guideline for further research into this area. However, further work will be required in order to determine the specifics of integration.

Originality/value

The paper adds to the existing literature by discussing the integration of CMMI and CoBIT and examining how these two frameworks can work together in order to create the basis for a new integration model.

Details

Journal of Engineering, Design and Technology, vol. 9 no. 3
Type: Research Article
ISSN: 1726-0531

Article
Publication date: 20 March 2009

Suree Funilkul and Wichian Chutimaskul

Abstract

Purpose

The aim of this paper is to create a framework for sustainable eDemocracy development, to be used as a guideline for building tools that support a democracy system. To consolidate this framework, a quality model of an eDemocracy system is constructed in order to support efficient and effective eDemocracy.

Design/methodology/approach

This work begins with collecting and analyzing the existing approaches to eDemocracy development, especially the governance development standard called COBIT 4.1. Next, the principles of democracy based on the United Nations Information Services and the Bureau of International Information Programs (IIP) of the US Department of State are studied. To support these principles, the intrinsic eDemocracy applications are explored. In addition, the quality model of an eDemocracy system is built by integrating the concepts of the technology acceptance model (TAM) and the eGovernment web quality assessment model (eGovernment WebQAM).

Findings

The 4 + 1 main constructs of the eDemocracy development framework are introduced. They are stakeholder and policy, information and communication technology, development methodology containing process management and project management, environment, and eDemocracy components. Such a framework is claimed to support sustainable development. Furthermore, the five basic eDemocracy applications which support democratic principles are illustrated. They are eInformation, eService, eVoting, eComplaint, and eForum. The quality aspects, i.e. knowledge quality, process quality, communication quality and TAM, are embedded to consolidate the authors' framework.

Research limitations/implications

Most existing approaches to eDemocracy development emphasize different aspects of eDemocracy development depending on their interests and constraints. No approach supports all issues related to the fundamental aspects of eDemocracy development. Therefore, a sustainable framework is created. An additional key aspect embedded in this work is the set of eDemocracy qualities introduced in order to achieve citizens' acceptance in eDemocracy development.

Originality/value

This paper presents the framework for sustainable eDemocracy development to support a desirable and workable eDemocracy system. Information system quality and TAM are embedded into the authors' framework for building better eDemocracy that meets the citizens' needs and information technology standards.

Details

Transforming Government: People, Process and Policy, vol. 3 no. 1
Type: Research Article
ISSN: 1750-6166

Article
Publication date: 12 March 2018

Mathew Nicho

Abstract

Purpose

Frequent and increasingly potent cyber-attacks, caused by the lack of an optimal mix of technical as well as non-technical IT controls, have led to increased adoption of security governance controls by organizations. The purpose of this paper, thus, is to construct and empirically validate an information security governance (ISG) process model through the plan–do–check–act (PDCA) cycle model of Deming.

Design/methodology/approach

This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the ISG domain in United Arab Emirates (UAE) to validate the theoretical model.

Findings

The findings of this paper suggest the primacy of the PDCA Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework, with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls to relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted that automating the measurement and control mechanism assists in the feedback loop of the PDCA cycle.

Originality/value

The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps and justification of these factors in the ISG implementation process.

Details

Information & Computer Security, vol. 26 no. 1
Type: Research Article
ISSN: 2056-4961

Book part
Publication date: 15 May 2023

Seval Kardes Selimoglu and Mustafa Hakan Saldi

Abstract

Purpose: The study is designed to investigate internal audit functions in banks' cyber security governance processes by assessing the pros and cons of blockchain technology through SWOT analysis.

Need of the Study: The study is needed to clarify the complexities in internal audit fields integrated into cyber security governance and explore the blockchain application opportunities.

Methodology: Blockchain technology is explored from the point of view of technical concepts and policy framework by SWOT analysis to propose a set of solutions for continuous audit methods in cyber security governance.

Limitations: The sample of this study is limited to the personal ideas and evaluations of academicians, experts in the banking sector and legal regulators of Türkiye, with the data received between March and December 2021.

Findings: Blockchain technology can be applied as an alternative to conventional risk control methods as a mechanism of continuous audit methods to reduce human mistakes and special causes.

Practical Implications: The control of risk management operations for cyber security processes should be performed with the support of the audit units of the banks. Therefore, innovations are being applied to cyber-risk controls to reduce the defects that cause technical and ethical issues, with blockchain technology as a way of using automation. So, this advancement can be applied practically in audit operations for unanticipated events which can emerge in cyberspace, to mitigate inherent risk to residual levels. However, there is ample room to adapt this technology for cyber security management and audit practices from the point of view of the labour force, regulations and environmental issues.

Details

Contemporary Studies of Risks in Emerging Technology, Part B
Type: Book
ISBN: 978-1-80455-567-5

Article
Publication date: 14 November 2016

Eli Rohn, Gilad Sabari and Guy Leshem

Abstract

Purpose

This study aims to investigate information technology security practices of very small enterprises.

Design/methodology/approach

The authors perform a formal information security field study using a representative sample. Using the Control Objectives for IT (COBIT) framework, the authors evaluate 67 information security controls and perform 206 related tests. The authors state six hypotheses about the findings and accept or reject those using inferential statistics. The authors explain findings using the social comparison theory and the rare events bias theory.

Findings

Only one-third of all the controls examined were designed properly and operated as expected. About half of the controls were either ill-designed or did not operate as intended. The social comparison theory and the rare events bias theory explain managers' reliance on small experience samples, which in turn leads to erroneous comprehension of their business environment as it relates to information security.

Practical implications

This information is valuable to executive branch policy makers striving to reduce information security vulnerability on local and national levels and small business organizations providing information and advice to their members.

Originality/value

Information security surveys are usually over-optimistic and avoid self-incrimination, yielding results that are less accurate than field work. To obtain grounded facts, the authors used the field research approach to gather qualitative and quantitative data by physically visiting active organizations, interviewing managers and staff, observing processes and reviewing written materials such as policies, procedures and logs, in accordance with common practices of security audits.

Details

Information & Computer Security, vol. 24 no. 5
Type: Research Article
ISSN: 2056-4961
