Leverage the COBIT 2019 Design Toolkit in an SME Context: A Multiple Case Study


Organizations today exploit IT to achieve business value and competitive advantages; this is the disruptive effect of digital transformation. However, investing in IT without proper control and governance of enterprise IT (GEIT) can expose organizations to cyber-risks and IT project failures. This problem affects both multinationals and small organizations. In particular, small and medium-sized enterprises (SMEs) struggle to implement IT-governance, partly because of the complexity of the standard IT-governance frameworks. In this study, five case studies were conducted with five manufacturing companies in Italy, all headquartered in the Lombardy region, to investigate the potential benefits for IT practitioners of using the COBIT 2019 Design Toolkit, an Excel spreadsheet that facilitates the development of a governance system. The results are encouraging: the IT practitioners appreciated the COBIT 2019 Design Toolkit as a way to map IT resources and issues, prioritize the most important governance and management objectives, and align business and IT strategy. However, some critical issues emerged, for instance the limited prescriptive power of the tool and its language, which is sometimes difficult for IT practitioners to understand. It should also be noted that current IT-governance implementation in Italian manufacturing SMEs appears to be very limited. Further, it should be highlighted that this study used COBIT 2019 before ISACA issued “COBIT for Small and Medium Enterprises Using COBIT 2019”, which could already have a positive impact on the level of comprehension.

Keywords: COBIT 2019, IT-governance, IT-governance frameworks, multiple case study
